Full update and round-up of Carrier IQ tracking software scandal

By Lee Kaelin on December 2, 2011, 8:41 AM

Update: Two new updates worth mentioning before the new week. Just a day after the Senate launched an investigation, Carrier IQ and some involved parties including Samsung and HTC are now facing a a class action lawsuit.

From the other side of the fence, Carrier IQ have started to defend themselves with a number of security experts siding with them. Dan Rosenberg, a security consultant who has discovered more than 100 vulnerabilities in the Linux kernel, FreeBSD, and GNU utilities, reverse engineered Carrier IQ's code and analyzed the tracking data collected by the company.

His conclusion in brief: "The application does not record and transmit keystroke data back to carriers... there is no code in Carrier IQ that actually records keystrokes for data collection purposes." Meaning there should be fewer privacy concerns than originally imagined. Read more here.

--- The original story is below ---

On Wednesday, news broke about a hidden application installed on most popular smartphone handsets that logs nearly everything the user does. Accompanying the news article was a 17-minute long video of developer Trevor Eckhart demonstrating how his HTC Evo 3D was tracking his key presses and even the content of his text messages.

The controversial claims resulted in the producer of the software, Carrier IQ, sending Eckhart a cease and desist letter. Digital rights group EFF jumped to his defence resulting in the company retracting its letter and issuing a formal apology.

Handset manufacturers and carriers were extremely quick to address the mounting criticism and anger from customers at the logging software, with a flurry of press statements clarifying their stance -- here is what is known so far:

Apple does use the logging software, though in an official statement to AllThingsD the company said it "stopped supporting Carrier IQ with iOS 5 in most of our products and will remove it completely in a future software update." They also reiterated that users must actively opt-in to share any information, and should they do so, it would be sent anonymously, encrypted and would not include any personal information. "We never recorded keystrokes, messages or any other personal information for diagnostic data and have no plans to ever do so." More information on how Carrier IQ works on iOS is available in a blog post by iPhone jailbreaker Grant Paul.

Blackberry manufacturer Research in Motion said it "does not pre-install the CarrierIQ app on BlackBerry smartphones or authorize its carrier partners to install the CarrierIQ app before sales or distribution." The Canadian firm added that they do not develop, or comission the development or distribution of the app, but promised to investigate reports and speculation related to Carrier IQ.

HTC outright pointed the blame in the direction of phone carriers: "Carrier IQ is required on devices by a number of U.S carriers so if consumers or media have any questions about the practices relating to, or data collected by, Carrier IQ we’d advise them to contact their carrier." The company also said that they were investigating the possibility of adding the option for users to opt-out of data collection by the software.

In the same vein, Samsung released a statement saying carriers were responsible for the installation of CIQ software and it had nothing to do with them. When speaking to Engadget, they further pointed out that "Samsung does not receive any consumer user information from the phones that are equipped with Carrier IQ."

Microsoft's Windows Phone 7 platform is seemingly clear of any known traces of the software. Joe Belfiore, who oversees Windows Phone Program Management, confirmed as much in a Twitter message on Thursday. It's flagship handset partner Nokia also stepped up to the hot plate, releasing a statement denying the company has shipped any products with Carrier IQ's software installed.

Google also made it perfectly clear to everyone that it had nothing to do with Carrier IQ, and insisted its new Google Nexus phones were free of the tracking software, according to a reliable source as quoted by the Verge. Questions have been raised about how Carrier IQ's software was able to make its way on Android devices given the various compatibility tests required in order to use Google's Android OS, though.

U.S. network carriers Sprint and AT&T have come clean, admitting they use the software in devices they sell. The official word from Sprint is that it helps "analyze network performance and identify where we should be improving service," claiming it is an integral part of the Sprint service. Similarly, AT&T's offical line is, "we solely use CIQ software data to improve wireless network and service performance," according to the Huffington Post.

T-Mobile also confirmed it uses the Carrier IQ "diagnostic tool" to troubleshoot device and network performance with the goal of enhancing network reliability. Meanwhile, Verizon, the largest U.S. carrier clarified they don't use Carrier IQ's software, and according to an email addressed to Gigaom from Verizon spokesperson Jeffrey Nelson, any statement saying otherwise is false. 

Users in Canada, as well as Europe and elsewhere across the world so far appear to be unaffected.




User Comments: 16

Got something to say? Post a comment
Guest said:

I wonder about some of the companies that say the don't use Carrier IQ, if they do use some other method of doing the same or simular things.

ramonsterns said:

This thing is like a virus. I can't uninstall it and I can't kill the process.

lchu12 lchu12 said:

Guest said:

I wonder about some of the companies that say the don't use Carrier IQ, if they do use some other method of doing the same or simular things.

Yeah, good luck having them come clean by themselves.

Guest said:

I live in Europe and a friend of mine has something similar to CIQ installed on his LG Optimus Black. The app is called lge.hiddenmenu or something like that so I don't think this is a problem just for the US users...

Guest said:

I see where Sprint and Tmobile stocks are going...south anyone?

negroplasty negroplasty said:

So let me get this straight... it's a surprise that the carriers are the ones using this piece of software called CARRIER IQ????

Guest said:

Hm, so it is the Carriers that want this program installed and not the manufacturers? So basically, carriers (who already logs our calls/texts/internet usage on their side) wants to install this program into our phone to log more of what we do (for diagnostic purposes?).

Why is this so blown up? The carriers have always been logging our phone usage. Even before "Carrier IQ".

MilwaukeeMike said:

Guest said:

I wonder about some of the companies that say the don't use Carrier IQ, if they do use some other method of doing the same or simular things.

As a writer/designer of software; logging is absolutely required. If a carrier isn't using Carrier IQ, then they're using something else... probably homegrown. Writing software and not keeping track of what happens when people use it would make it impossible to fix problems or improve service.

And if my info is in a database with 141 million other people... i really don't care. that's probably bigger than most of the databases all my person info (including credit cards) is stored in when I make an online purchase.

Guest said:

So, if AT&T is using this software to improve their service, why do I have so very, very many dropped calls?

Guest said:

Tell me how tracking individual number key-presses in the dial app can be used to improve network services.

How about logging of location data even after specifically opting out of it, or logging the search term used in google, or logging the unencrypted contents of text messages can improve network performance.

How about never being asked to opt in or out of this data collection for that matter. Inability to kill the process or uninstall the application at all might be an issue.

The wireless carriers and Carrier IQ got caught red-handed and anyone that defends this virus-like keylogging application is a fool.

Thank you Trevor Eckhart and EFF for your efforts.

Guest said:

To add to my previous comment let's have a look at Carrier IQ's in it's formal apology letter to Trevor Eckhart and the claims they make about the functionality of their software.

- Does not record your keystrokes. *Proven False*

- Does not provide tracking tools. *Proven False*

- Does not inspect or report on the content of your communications, such as the content of emails and SMSs. *Proven False*

- Does not provide real-time data reporting to any customer. *Unknown but it IS logged*

- Finally, we do not sell Carrier IQ data to third parties. *Unknown*

gingerbill said:

some people are talking nonsense suggesting this was done to improve the network , some of the data it gathered was clearly nothing to do with improving a network no matter how good your imagination is.

They simply got caught with there hands in the till and are now bringing out the excuses. Gathering some data is part of monitoring a network to look for improvement but not the data they were gathering.

jobeard jobeard, TS Ambassador, said:

Just to be fair

Wrongly accused?

That's what Declan McCullagh is reporting in an article on Cnet.com

The problem, which is always a risk when a public lynching takes place, is that Carrier IQ appears to be not guilty of the charges lodged against it.

Carrier IQ has given Rebecca Bace, a well-known security expert who's advised startups including Tripwire and Qualys, access to the company's engineers and internal documents. (Bace says she has no financial relationship with Carrier IQ.)

Bace told CNET that: "I'm comfortable that the designers and implementers expended a great deal of discipline in focusing on the espoused goals of the software -- to serve as a diagnostic aid for assuring quality of service and experience for mobile carriers."

See the link above for more details.

----

PS: there's another thread on the subject

Guest said:

This whole thing could have been avoided if your phone contract contained simple language to say what they log and give examples (all keystrokes are logged), instead of just saying we log anonymous data to improve your experience. Then people can make an informed decision.

Guest said:

Current IRC chatter is how to get CarrierIQ to update its profile via a SMS text message. This is going to allow hackers to hijack CIQ and have it forward all your keystrokes to their server.

Does anyone mind if hackers outside the US are able to monitor every keystroke on your phone? It's not like anyone in our Government, Police, etc. carry cell phones.

Guest said:

Ok it has been a week or so.

lets see.

Go to the company's main website and download a 19 page article read, it and read it again.

Now Trevor and Dan Rosenberg had input into this article and it pretty much blows his whole youtube video out of the water.

Now think about the fact that this researcher is a first level administrator and works for a company that does much the same thing.

your eyes bulging yet?

http://www.dailytech.com/Article.aspx?newsid=23511&red=y
737628

Load all comments...

Add New Comment

TechSpot Members
Login or sign up for free,
it takes about 30 seconds.
You may also...
Get complete access to the TechSpot community. Join thousands of technology enthusiasts that contribute and share knowledge in our forum. Get a private inbox, upload your own photo gallery and more.