The Carrier IQ Saga (So Far) -- And Some Questions That Need Answers

from the answers-we-may-never-get dept

The story so far: security researcher Trevor Eckhart exposed some very disturbing information about the "Carrier IQ" application here. This set off a small firestorm, which quickly got much bigger when Carrier IQ responded by attempting to bully and threaten him into silence. This did not go over well. After he refused to back down, they retracted the threats and apologized.

Eckhart followed up by posting part two of his research, demonstrating some of his findings on video. Considerable discussion of that demonstration ensued, for example here and here and here. Some critics of Eckhart's research have opined that it's overblown or not rigorous enough. But further analysis and commentary suggests that the problem could well be worse than we currently know. Stephen Wicker of Cornell University has explored some of the implications, and his comments seem especially apropos given that Carrier IQ has publicly admitted holding a treasure trove of data. Dan Rosenberg has done further in-depth research on the detailed workings of Carrier IQ, leading to rather a lot of discussion about Carrier IQ's capabilities -- there's some disagreement among researchers over what Carrier IQ is doing versus what it could be doing, e.g.: Is Carrier IQ's Data-Logging Phone Software Helpful or a Hacker's Goldmine?

Meanwhile, the scandal grew, questions were raised about whether it violated federal wiretap laws, at least one US Senator noticed, and Carrier IQ issued an inept press release. Phone vendors and carriers have begun backing away from Carrier IQ as quickly as possible; there were denials from Verizon and Apple. T-Mobile has posted internal and external quick guides about Carrier IQ. Some of the denials were more credible than others. There has been some skepticism about Carrier IQ's statements, given their own marketing claims and the non-answers to some questions. There's also been discussion about the claims made in Carrier IQ's patent.

Then the lawsuits started; see Hagens Berman and Sianna & Straite and 8 companies hit with lawsuit for some details on three of them.

Attempts to figure out which phones are infected with Carrier IQ are ongoing. For example, the Google Nexus Android phones and original Xoom tablet seem not to be infected, nor do phones used on UK-based mobile networks, but traces of it are present in some versions of iOS, although their function isn't entirely clear. A preliminary/beta application that tries to detect it is now available. Methods for removing it have been discussed.

Meanwhile, the response to a Freedom of Information Act request has indicated (per the FBI) that Carrier IQ files have been used for "law enforcement purposes", but Carrier IQ has denied this. And there seems to be a growing realization that all of this has somehow become standard practice; as Dennis Fisher astutely observes, With Mobile Devices, Users Are the Product, Not the Buyer.

Those are the details; now what about the implications?

Debate continues about whether Carrier IQ is a rootkit and/or spyware. Some have observed that if it's a rootkit, it's a rather poorly-concealed one. But it's been made unkillable, and it harvests keystrokes -- two properties most often associated with malicious software. And there's no question that Carrier IQ really did attempt to suppress Eckhart's publication of his findings.

But even if we grant, for the purpose of argument, that it's not a rootkit and not spyware, it still has an impact on the aggregate system security of the phone: it provides a good deal of pre-existing functionality that any attacker can leverage. In other words, intruding malware doesn't need to implement the vast array of functions that Carrier IQ already has; it just has to activate and tap into them.

Which brings me to a set of questions that probably should have been publicly debated and answered before software like this was installed on an estimated 150 million phones. I'm not talking about the questions that involve the details of Carrier IQ -- because I think we'll get answers to those from researchers and from legal proceedings. I'm talking about larger questions that apply to all phones -- indeed, to all mobile devices -- such as:

  • What kind of debugging or performance-monitoring software should be included?
  • Who should be responsible for that software's installation? Its maintenance?
  • Should the source code for that software be published so that we can all see exactly what it does?
  • Should device owners be allowed to turn it off/deinstall it -- or, should they be asked for permission to install it/turn it on?
  • Will carriers or manufacturers pay the bandwidth charges for users whose devices transmit this data?
  • Should carriers or manufacturers pay phone owners for access to the device owners' data?
  • Where's the dividing line between performance-measuring data that can be used to assess and improve services, and personal data? Is there such a dividing line?
  • Will data transmission be encrypted? How?
  • Will data be anonymized or stripped or otherwise made less personally-identifiable? Will this be done before or after transmission or both? Will this process be fully documented and available for public review?
  • What data will be sent -- and will device owners be able to exert some fine-grained control over what and when?
  • Who is responsible for the security of the data gathered?
  • Who will have access to that data?
  • When will that data be destroyed?
  • Who will be accountable if/when security on the data repository is breached?
  • What are the privacy implications of such a large collection of diverse data?
  • Will it be available to law enforcement agencies? (Actually, I think I can answer that one: "yes". I think it's a given that any such collection of data will be targeted for acquisition by every law enforcement agency in every country. Some of them are bound to get it. See "FBI", above, for a case in point.)

Lots of questions, I know. Perhaps I could summarize that list by asking these three instead: (1) Who owns your mobile device? (2) Who owns the software installed on your mobile device? and (3) Who owns your data?

Filed Under: mobile, privacy, rootkit, spying
Companies: carrieriq, sprint, verizon wireless


Reader Comments

  1. superuberputeruser, 21 Dec 2011 @ 3:07pm

    people are driven by FUD

    To be as constructive as possible I have tried to answer your questions raised here by what I have read through other articles or media outlets. Hope this helps or at least defines follow up questions.
    As a personal opinion I think that network monitoring is not going away, like TtfnJohn stated above they can get a lot more information via other means. Using a single source for execs, and others to evaluate network health and performance over time I think is where this software is playing a role. From a network operator standpoint as TtfnJohn appears to be, going right to the firewalls, switches, and other interfaces is much more direct and detailed, but to TtfnJohn I don't really want my execs or anyone else logging into my devices to try and pull data.

    • What kind of debugging or performance-monitoring software should be included?
    This would be at the discretion of the carrier, and depends on what they need or want to see.
    • Who should be responsible for that software's installation? Its maintenance?
    This would probably be done at the carrier level, they would direct the manufacturer to install it for them. This is what is done now.
    • Should the source code for that software be published so that we can all see exactly what it does?
    Good question but since Carrier IQ in this case is a private company, the answer would be no. Microsoft doesn't publish its source code, so I doubt anyone else will either.
    • Should device owners be allowed to turn it off/deinstall it -- or, should they be asked for permission to install it/turn it on?
    From my understanding the Carriers are the customer for Carrier IQ. You signed the EULA, which included the verbiage. Now if there is an opt out line then they would run and update and turn it off. I think that is a good compromise.
    • Will carriers or manufacturers pay the bandwidth charges for users whose devices transmit this data?
    My understanding from other articles is yes they pay for the diagnostics transmissions now even with Carrier IQ.
    • Should carriers or manufacturers pay phone owners for access to the device owners' data?
    Well one could say you are getting the $500 phone for $300 so in a way they are paying you.
    • Where's the dividing line between performance-measuring data that can be used to assess and improve services, and personal data? Is there such a dividing line?
    This is a good question. Given that there are text servers, email server, firewalls, switches, getting very detailed information far beyond performance metrics is not hard to do. I think the question becomes how much control do carriers have over their own networks? To be honest if they did nothing at all and there were rogue devices on the network that wouldn't be good for anyone. But I do believe this is a critical question that we as end users will need to understand fully.
    • Will data transmission be encrypted? How?
    My understanding from other articles is the current software from Carrier IQ is sent in compressed binary format. How other data collection is done I don't know. Then again, are your text messages encrypted, what about voice streams? That is a phone network question.
    • Will data be anonymized or stripped or otherwise made less personally-identifiable? Will this be done before or after transmission or both? Will this process be fully documented and available for public review?
    If you look at Carrier IQ's website there is a listing of all metrics available. Based on that the amount of detailed information they could get would not be beyond what you see in your itemized phone bill every month.
    • What data will be sent -- and will device owners be able to exert some fine-grained control over what and when?
    I believe that the user can initiate a device send if they are on the phone with support. Beyond that I think it is up to the carriers based on what information they need and when.
    • Who is responsible for the security of the data gathered?
    Based on reading this is the carriers or the software company given that they provide a SAAS model.
    • Who will have access to that data?
    By contract only the carriers according to statements in the press.
    • When will that data be destroyed?
    I read an article that it is about 30 or so.
    • Who will be accountable if/when security on the data repository is breached?
    I think that depends. Carrier IQ has stated sometimes it is held on site at the carrier and other times at their secured location. So I guess it depends on who is watching the house.
    • What are the privacy implications of such a large collection of diverse data?
    Well I think the idea is better service, and feedback to manufacturers about phones, and how they perform. When you look at that much data it isn't personal, it is very wide ranging. Think line graphs and heat maps for phone usage, dropped calls, signal strength. It is as anonymous as you can get.
    • Will it be available to law enforcement agencies? (Actually, I think I can answer that one: "yes". I think it's a given that any such collection of data will be targeted for acquisition by every law enforcement agency in every country. Some of them are bound to get it. See "FBI", above, for a case in point.)
    The director of the FBI stated that they do not use Carrier IQ data. For the reasons stated above. It isn't detailed enough to be of any use. To that end if a hacker got in and pulled the information wow he found out that route 66 had a few dead spots. I just don't think based on the documentation released we are talking about anything important to anyone other than the carriers and device manufacturers. Do I care if you called 555-555-5555? Honestly, no. So I think that if law enforcement needs to get you they would go through their normal procedures and tap your phone. In those cases they get every phone call, websites "with contents" pictures, videos, location data, and text messages.
