The Carrier IQ Saga (So Far) — And Some Questions That Need Answers
from the answers-we-may-never-get dept
The story so far: security researcher Trevor Eckhart exposed some very disturbing information about the “Carrier IQ” application here. This set off a small firestorm, which quickly got much bigger when Carrier IQ responded by attempting to bully and threaten him into silence. This did not go over well. After he refused to back down, they retracted the threats and apologized.
Eckhart followed up by posting part two of his research, demonstrating some of his findings on video. Considerable discussion of that demonstration ensued, for example here and here and here. Some critics of Eckhart’s research have opined that it’s overblown or not rigorous enough. But further analysis and commentary suggests that the problem could well be worse than we currently know. Stephen Wicker of Cornell University has explored some of the implications, and his comments seem especially apropos given that Carrier IQ has publicly admitted holding a treasure trove of data. Dan Rosenberg has done further in-depth research on the detailed workings of Carrier IQ, leading to rather a lot of discussion about Carrier IQ’s capabilities — there’s some disagreement among researchers over what Carrier IQ is doing versus what it could be doing, e.g.: Is Carrier IQ’s Data-Logging Phone Software Helpful or a Hacker’s Goldmine?
Meanwhile, the scandal grew, questions were raised about whether it violated federal wiretap laws, a least one US Senator noticed, and Carrier IQ issued an inept press release. Phone vendors and carriers have been begun backing away from Carrier IQ as quickly as possible; there were denials from Verizon and Apple . T-Mobile has posted internal and external quick guides about Carrier IQ.
Some of the denials were more credible than others. There has been some skepticism about Carrier IQ’s statements, given their own marketing claims and the non-answers to some questions. There’s also been discussion about the claims made in Carrier IQ’s patent.
Then the lawsuits started, see Hagens Berman and Sianna & Straite and 8 companies hit with lawsuit for some details on three of them.
Attempts to figure out which phones are infected with Carrier IQ are ongoing. For example, the Google Nexus Android phones and original Xoom tablet seem to not be infected, nor do phones used on UK-based mobile networks, but traces of are present in some versions of iOS, although their function isn’t entirely clear. A preliminary/beta application that tries to detect it is now available. Methods for removing it have been discussed.
Meanhile, A Freedom of Information Act request’s response has indicated (per the FBI) that Carrier IQ files have been used for “law enforcement purposes”, but Carrier IQ has denied this. And there seems to be a growing realization that all of this has somehow become standard practice; as Dennis Fisher astutely observes, With Mobile Devices, Users Are the Product, Not the Buyer.
Those are the details; now what about the implications?
Debate continues about whether Carrier’s IQ is a rootkit and/or spyware. Some have observed that if it’s a rootkit, it’s a rather poorly-concealed one. But it’s been made unkillable, and it harvests keystrokes — two properties most often associated with malicious software. And there’s no question that Carrier IQ really did attempt to suppress Eckhart’s publication of his findings.
But even if we grant, for the purpose of argument, that it’s not a rootkit and not spyware, it still has an impact on the aggregate system security of the phone: it provides a good deal of pre-existing functionality that any attacker can leverage. In other words, intruding malware doesn’t need to implement the vast array of functions that Carrier IQ already has; it just has to activate and tap into them.
Which brings me to a set of questions that probably should have been publicly debated and answered before software like this was installed on an estimated 150 million phones. I’m not talking about the questions that involve the details of Carrier IQ — because I think we’ll get answers to those from researchers and from legal proceedings. I’m talking about larger questions that apply to all phones — indeed, to all mobile devices — such as:
- What kind of debugging or performance-monitoring software should be included?
- Who should be responsible for that software’s installation? Its maintenance?
- Should the source code for that software be published so that we can all see exactly what it does?
- Should device owners be allowed to turn it off/deinstall it — or, should they be asked for permission to install it/turn it on?
- Will carriers or manufacturers pay the bandwidth charges for users whose devices transmit this data?
- Should carriers or manufacturers pay phone owners for access to the device owners’ data?
- Where’s the dividing line between performance-measuring data that can be used to assess and improve services, and personal data? Is there such a dividing line?
- Will data transmission be encrypted? How?
- Will data be anonymized or stripped or otherwise made less personally-identifiable? Will this be done before or after transmission or both? Will this process be full-documented and available for public review?
- What data will be sent — and will device owners be able to exert some fine-grained control over what and when?
- Who is is responsible for the security of the data gathered?
- Who will have access to that data?
- When will that data be destroyed?
- Who will be accountable if/when security on the data repository is breached?
- What are the privacy implications of such a large collection of diverse data?
-
Will it be available to law enforcement agencies?
(Actually, I think I can answer that one: “yes”. I think it’s a given that any such collection of data will be targeted for acquisition by every law enforcement agency in every country. Some of them are bound to get it. See “FBI”, above, for a case in point.)
Lots of questions, I know. Perhaps I could summarize that list by asking these three instead: (1) Who owns your mobile device? (2) Who owns the software installed on your mobile device? and (3) Who owns your data?
Filed Under: mobile, privacy, rootkit, spying
Companies: carrieriq, sprint, verizon wireless
Comments on “The Carrier IQ Saga (So Far) — And Some Questions That Need Answers”
1) Physically? You. In all other ways? Someone else.
2) That would be software you have licensed for use on your phone? I think we’re all familiar with this one by now…
3) Well, if the data isn’t actively deleted and/or copied by an outside source without your knowledge and consent, I suppose you might be legally allowed to access the data stored on a device you physically possess and which you paid money to acquire, if someone doesn’t decide that accessing that data would breach their data-access-methods copyright, or that they’d taken reasonable steps to encrypt the data stored on your device and that your actions to access that encrypted data thus violated the terms of the DMCA…
Re: Re:
Carrier IQ is the outside source.
Re: Re:
1) Physically? You. In all other ways? Someone else.
I’m not familiar with this distinction between physically owning something, and some other way to own it. Unless you’re talking about the difference between possession and ownership. Are you saying I possess the phone, but I don’t own it?
quis custodiet ipsos custodes?
I own my own mobile and data.
However Google and the UK government own me, along with minority interests from HTC, T-Mobile, Facebook, Blizzard Activision and Techdirt …
Read Lawrence Latifs' Analysis
Nice article Richard. You’ve dug up most of the pieces, but you haven’t quite put them together properly. Carrier IQ is only the tip of the data mining iceberg. They are probably one of the more benign players, in that they seem only interested in technical issues. The telcos as well as Apple and Google are gathering enormous amounts of user info from smart phone in order to, directly or indirectly, serve targeted ads.
Re: Read Lawrence Latifs' Analysis
you are assuming that CIQ is only interested in technical issues. there is little beyond the pr spins going on now that indicate that to be true.
your comment about the carriers gathering data for targeted ads is correct, but someone has to do the tech work in order to gather that information… do you seriously think *ANY* company is going to publicly say “oh yeah, we made this cool rootkit that gathers all your data which can be used to target ads, serve as evidence to law enforcement and best of all, you wont even see it on your phone… it will never get in your way!”
im thinking no…. no they would not.
Carrier IQ is toast.
They will be thoroughly hammered in the courts. The legal process is moving very slowly now, but will snowball. There is no legal defense for Carrier IQ actions, under contract law principles.
(And politicians, judges, lawyers don’t want their private communications secretly recorded… anymore than Joe-Sixpack)
Private data input to commercial consumer electronic products is legally ‘private’, absent express contractual permission from consumers to release that data under specified conditions.
Imagine if all Xerox copying machines were recording every personal, business, and government document passing thru them– for secret transmission back to Xerox Headquarters (for alleged “maintenance” & “Quality Control” purposes) … there would be no question of severe, immediate criminal & civil charges against Xerox executives.
Agonizing over supposed fine points of hardware/software/data ‘ownership’ is silly — the legal context is very, very clear.
Carrier IQ and its business partners are toast.
So lets see......
….you can go to prison for decades for “wire tapping” by making a video of a cop beating hell out of somebody while standing on your front porch. But if you record every keystroke from every phone without telling the phone owners, it’s ok.
Reminds me of James Coburns line in the old movie Presidents Analyst; “You mean every phone in the country is tapped!?” And the answer was “Yes”.
At least it’s legal to jailbreak smartphones. No CarrierIQ in CyanogenMod, right?
Re: Re:
For now, until PIPA and SOPA pass.
Re: Re: Re:
You forgot to mention that SOPA and PIPA will harm the children and poison our waterways, and spray meth dust over our schools.
Re: Re: Re: Re:
Nah, that’s what’ll happen when the pigs start shitting heroin in response to being DNS blocked.
Well, it's comforting to know that there are hackers out there
who find out slimy crap like this. CIQ’s feeble attempts at denial and deflection will ultimately avail them nothing, and they will literally be sued and prosecuted out of existence. The only problem, of course, is that there will be no shortage of successors, who will go to even greater lengths to mask their activities. Hopefully, the hackers will be one step ahead of them again. The moment they get the CIQ executives under oath in court – game over.
Not only is this post well-written, but I love the format. I’m so glad I’ve been using Cyanogenmod and now Koush’s ICS Alpha almost since I’ve used Android. Before that, I jailbroke my iPhone as soon as I knew how. I really like having the ability to research and control what goes into my smartphones and my Nook Color.
Kudos to Rich
Well written article. It’s balanced and even-handed. I hope to read more articles from this author.
Someone should send CNN and Faux “news” a link to this. See if anyone over there will take this and run with it.
Way too many links to make the story work out. I would have had to spend hours to read all the links, and in the end, I wouldn’t be all that much better informed than I already am.
Perhaps you can work on highlighting just a couple of articles, perhaps quoting from others rather than providing a near endless amount of links. It makes it hard to get the flow of your work.
Re: Re:
Think of it like an index page. That should solve your problems.
Re: Re:
You make a good point — I recognize that the writeup is rather link-heavy, although I’d hoped that by putting them in narrative form I could provide a cogent overview of the issue.
There are two reasons I chose that form: first, the software involved isn’t within my areas of expertise, so I thought it best to defer to the researchers who are intimately familiar with it. Second, there seems to be a lot of he-said she-said going on, and it’s not clear who to believe — so I thought citing original articles might be better than attempting to rephrase others’ statements.
That said, I’ll keep your comment in mind in the future, and try for a bit more exposition/a few less links.
Re: Re:
Second this. While a good read, at the back of my mind I was thinking “far too much of this text is blue”.
Re: Re: Re:
Agreed. The first few paragraphs set the Guinness World Record for number of hyper-links.
An interesting tangent that is not as evil as the whole what it might do thing is, the software actually makes phones work worse. Nearly everyone who is running modded roms that have this removed have pointed out that the battery lasts longer, and the phone runs better.
So while everyone is pointing fingers around looking for someone with deep pockets to blame, the question in my mind is why would handset makers put something into their phones that actually makes them less good? Why would you pour money into development and then include software to kill any possible gains you made?
Why is it everyone wants the newest phone for $99 or free, but don’t seem to understand they are paying way more for the phone in the end than if they had bought it unlocked outright from the maker? It seems to be a sort of blindness we have to the long term costs of the short term win, see Congress for a prime example.
Some of the questions are the wrong questions
The debate about the difference between what CarrierIQ is capable of doing and what they are really doing is irrelevant. If the capability is there, and they haven’t told me about it, then there is intent to use. It was intentionally designed, produced and distributed. Now it may be due to stupidity instead of malice. I truly believe that stupidity ought to be legal, and that stupid actions should be punished accordingly. It helps thin the herd.
On the issue of whether the monitoring ought to be there:
As a Data Center Manager, NOBODY had permission to monitor any system in my Data Center without express permission, which usually required someone local to connect a physical cable. If projects were not going according to plan, I had the power to tell them to back off to the original configuration, and DID exercise that power. It’s my Data Center, not yours.
The same thing applies to my phone. Yes, it is subsidized over the course of the contract. That is a financing scheme, not an ownership plan. Nowhere in the contract does it say that I have to return the phone at the end of the contract.
As others have commented: I really get sick of large corporations getting away with things that an individual would get thrown in the pokey for. It’s time to level the playing field.
One minor little detail
The CarrierIQ software is supposed to be needed so that operators of cellular and mobile phones can better diagnose their networks and why and when things fail.
Yet 90% or more of what CarrierIQ claims to do is already available to the carriers from data collected in and by their switches and other network devices should they want to look at it. And look at it the carriers do. Even then CarrierIQ doing what the company says it does and only that already have better data and better diagnostics available to them to analyze their networks from switches to antennas, to switch to switch connections through backbones and other routing devices all under pretty much constant surveillance. And that’s been there from the days of electromechanical switching. All CarrierIQ can give them is a “phone’s eye” view which is largely useless anyway.
So pardon me if I feel that the “law enforcement” angle is the end goal here rather than network improvement as I don’t see a thing in CarrierIQ’s claims that would be of much use in network improvement than what’s already there.
Network improvement in whole or in part has been part of my craft/trade/profession for 35+ years and all I see there is something that I’d be better served by ignoring it completely. I’ll get to the problem faster if I do, I guarantee that. Too much useless data is worse than none at all. Particularly when I already have better data available than can possibly come from the “phone eye” view at all.
And certainly from capturing any keystroke presses from the phone itself because, from a diagnostic perspective, that tells me nothing at all outside of the less than trivial fact that the switch received and passed on the message the keystrokes sent. If I want, I can find that anyway, something by law I can’t share with anyone outside the business, even the cops unless they have a valid court order that forces me to. But as a diagnostic tool it’s useless or worse 99.9999999% of the time.
Oh well. IF it’s for network improvement it’s for the call centre fools in the Philippines who won’t understand it and I’ll get a trouble ticket reading “such and such doesn’t work” as usual before calling them back and asking “just WHAT THE HELL isn’t working????” Well, why didn’t you just say too many dropped calls or a sudden increase in dropped calls? Oh, nothing on the computer form for that? OK, thanks, I’ll get up there the moment the Force 10 gale blows over.”
Your Privacy Is Toast
Are you carrying a mobile phone? You can be tracked at all times you have the battery in. Police/security services can listen in to both sides of any and all conversations. They can turn on the microphone at any time, without your knowledge or consent. They can log all your keystrokes and get a full list of all websites you have visited. They can read all your email. It is sort of like they are joint owners of the phone with you. No — it is their phone and you are just borrowing it.
Why put up with all this? Tell them to go to hell, do not use a mobile phone. Alas, if lots of people refused to use mobile phones because of privacy concerns, then the carriers would just lie harder, nothing would actually change. However, you can definitely protect yourself, and save your money, by not having a mobile phone. Do it.
people are driven by FUD
To be as constructive as possible I have tried to answer your questions raised here by what I have read through other articles or media outlets. Hope this helps or at least defines follow up questions.
As a personal opinion I think that network monitoring is not going away, like TtfnJohn stated above they can get a lot more information via other means. Using a single source for execs, and others to evaluate network health and performance over time I think is where this software is playing a role. From a network operator stand point as TtfnJohn appears to be, going right to the firewalls, switches, and other interfaces is much more direct and detailed, but to TtfnJohn I don’t really want my execs or anyone else logging into my devices to try and pull data.
?What kind of debugging or performance-monitoring software should be included?
This would be at the discretion of the carrier, and depends on what they need or want to see.
?Who should be responsible for that software’s installation? Its maintenance?
This would probably be done at the carrier level, they would direct the manufacture to install it for them. This is what is done now.
?Should the source code for that software be published so that we can all see exactly what it does?
Good question but since Carrier IQ in this case is a private company, the answer would be no. Microsoft doesn’t publish it’s source code, so I doubt anyone else will either.
?Should device owners be allowed to turn it off/deinstall it — or, should they be asked for permission to install it/turn it on?
From my understanding the Carriers are the customer for Carrier IQ. You signed the EULA, which included the verbiage. Now if there is an opt out line then they would run and update and turn it off. I think that is a good compromise.
?Will carriers or manufacturers pay the bandwidth charges for users whose devices transmit this data?
My understanding from other articles is yes they pay for the diagnostics transmissions now even with Carrier IQ.
?Should carriers or manufacturers pay phone owners for access to the device owners’ data?
Well one could say you are getting the $500 phone for $300 so in a way they are paying you.
?Where’s the dividing line between performance-measuring data that can be used to assess and improve services, and personal data? Is there such a dividing line?
This is a good question. Given that there are text servers, email server, firewalls, switches, getting very detailed information far beyond performance metrics is not hard to do. I think the question becomes how much control do carriers have over their own networks? To be honest if they did nothing at all and there were rogue devices on the network that wouldn’t be good for anyone. But I do believe this is a critical question that us as end users will need to understand fully.
?Will data transmission be encrypted? How?
My understanding from other articles is the current software from Carrier IQ is sent in Compressed binary format. How other data collection is done I don’t know. then again is your text messages encrypted, what about voice streams? That is a phone network question.
?Will data be anonymized or stripped or otherwise made less personally-identifiable? Will this be done before or after transmission or both? Will this process be full-documented and available for public review?
If you look at Carrier IQ’s website there is a listing of all metrics available. Based on that the amount of detailed information they could get would not be beyond what you see in your itemized phone bill every month.
?What data will be sent — and will device owners be able to exert some fine-grained control over what and when?
I believe that the user can initiate a device send if they are on the phone with support. Beyond that I think it is up to the carriers based on what information they need and when.
?Who is is responsible for the security of the data gathered?
Based on reading this is the carriers or the software company given that they provide a SAAS model.
?Who will have access to that data?
By contract only the carriers according to statements in the press.
?When will that data be destroyed?
I read an article that it is about 30 or so.
?Who will be accountable if/when security on the data repository is breached?
I think that depends. Carrier IQ has stated sometimes it is held on site at the carrier and other times at their secured location. So I guess it depends on who is watching the house.
?What are the privacy implications of such a large collection of diverse data?
Well I think the idea is better service, and feedback to manufacturers about phones, and how they perform. When you look at that much data it isn’t personal, it is very wide ranging. Think line graphs and heat maps for phone usage, dropped calls, signal strength. It is a anonymous as you can get.
?Will it be available to law enforcement agencies? (Actually, I think I can answer that one: “yes”. I think it’s a given that any such collection of data will be targeted for acquisition by every law enforcement agency in every country. Some of them are bound to get it. See “FBI”, above, for a case in point.)
The director of the FBI stated that they do not use Carrier IQ data. For the reasons stated above. It isn’t detailed enough to be of any use. To that end if a hacker got in and pulled the information wow he found out that route 66 had a few dead spots. I just don’t think based on the documentation released we are talking about anything important to anyone other than the carriers and device manufactures. Do I care if you called 555-555-5555? honestly no. So I think that if law enforcement needs to get you they would go through their normal procedures and tap your phone. In those cases they get every phone call, websites “with contents” pictures, videos, location data, and text messages.