
CarrierIQ scandal: Is everyone spying on your phone usage?

You may have heard in the news of a dangerous virus that is installed on every mobile device and could be stealing everything about you. It might even be in your microwave stealing your food and in your car driving it when you're not watching. The news agencies are hyping this one to be the unblinking eye of Mordor. All kidding aside, it's definitely a little scary, but I wouldn't start freaking out. I wouldn't stop using your mobile phone any time soon, but read this article and make sure you're aware of the information. The problem with this story is not that companies are tracking your phone usage, it's the fact that they are doing it without your explicit knowledge. Almost all companies track their products to gather metrics on how to make them better; cell phone manufacturers and data providers are no different. The GPS on your phone is available to EMS and Google Maps, but at least you know that fact when you install the application. The type of information tracked, and what is done with that information, should be disclosed to the customer up front. The user should have the ability to opt out of or control that information.

I have compiled a guide to CarrierIQ.  You can read more in depth but hopefully this will give you the intel to find out how you can be affected and to possibly prevent any future privacy concerns.  

What is CarrierIQ?

Taken from their website:

Carrier IQ is the leading provider of Mobile Service Intelligence Solutions to the Wireless Industry.  As the only embedded analytics company to support millions of devices simultaneously, we give Wireless Carriers and Handset Manufacturers unprecedented insight into their customers' mobile experience.  

Carrier IQ's statement on its security model:

In providing our products and services, Carrier IQ enables our customers to gather information on Mobile User Experiences. Carrier IQ's products were developed from inception to respect and protect user privacy and security. We have established "Best Practices" approach to privacy and security. Our products are designed and configured to work within the privacy policies of our end customers and include functions such as anonymization and encryption. When Carrier IQ's products are deployed, data gathering is done in a way where the end user is informed or involved.

Carrier IQ software, which consists of embedded software on mobile devices and server-side analytics applications, enables mobile operators and device OEMs to understand in detail a wide range of performance and usage characteristics of mobile services and devices. These include both network-facing services such as core voice and data offerings, as well as non-network-facing capabilities such as music players, cameras and other side loaded media, in order to assist with product and service development and roll-out. (From http://www.carrieriq.com/company/PR.CIQ-SeriesC.2009-01-27.pdf )

In a nutshell, CarrierIQ's software enables phone providers to gather any information they want; it's then up to the developer to secure that data and use it responsibly. CarrierIQ provides the ability for them to facilitate security and responsibility, but we will learn that companies may not be using it. User tracking software is usually not a problem and is in 99% of all software out there. The problem here is the fact that phone manufacturers or carriers do not provide a good way for you to opt out, or tell you where your information is going. They are either taking the provided feature out of CarrierIQ or CarrierIQ is not including it. Now this isn't the case in ALL instances, but more on that later.

If you want to get technical, check out more at Android security test


Everyone can see my info on Facebook, what's the big deal?

This program has the potential to capture anything and everything you do on your mobile device. The software is installed on your phone without you knowing and without the ability to disable it. This is potentially super bad stuff. It has now been classified as a "rootkit." This is the definition of a rootkit from Wikipedia:

A rootkit is software that enables continued privileged access to a computer while actively hiding its presence from administrators by subverting standard operating system functionality or other applications. The term rootkit is a concatenation of "root" (the traditional name of the privileged account on Unix operating systems) and the word "kit" (which refers to the software components that implement the tool). The term "rootkit" has negative connotations through its association with malware.

Almost all of us have gone through the privacy fiasco of Facebook. In that instance it was information we readily provided; it's sickening not to know the ins and outs of this potentially damaging software. We need to know what they are collecting and how this information is being used. The best bet is that sensitive information is being collected according to the respective company's privacy policies. Either way, this software has the potential to cause massive harm and is pretty powerful stuff to be on every phone without a person's knowledge. Until we know more this is a bit of a Pandora's box.

How did this come to light?

25-year-old XDA Recognized Developer and IT Director Trevor "TrevE" Eckhart went public with his discovery of Carrier IQ in a video released on Tuesday November 22.  You can see it here and also on my YouTube channel http://www.youtube.com/user/bsteimel

While researching security holes in mobile devices he found this rootkit installed on multiple phones from multiple carriers. Apparently the stock version of Carrier IQ comes with a survey and clearly puts its name in front of the user. As you can tell from using your phone, these surveys and all other mentions of CarrierIQ in the user interface are gone on almost all phones. The software is used to query for metrics, which can include a dropped call, but "metrics" is a pretty broad term and can include a lot more than that. The opt-out feature of CarrierIQ, which comes by default, is also removed from production versions by either the carrier or the manufacturer. Eckhart was presented with a cease and desist order from CarrierIQ with a possible copyright penalty, but he has since ignored it. There are more than a few laws to protect him, whistleblower protection for one. The Electronic Frontier Foundation has come to Eckhart's aid and has provided legal guidance and backing. Good work Eckhart, you are a hero among men.

What are the companies involved saying?

Carrier IQ

They came out with an official statement on Dec 1 and deny any wrongdoing. I wouldn't expect anything less; they are losing customers by the minute, and at this point it's damage control time. Here is a sample from the press release that sums up their position. Basically, sensitive information does pass through the software but they don't record it. Eckhart did partially debunk that statement. They also provide tools to let the user know when information is being sent.

While a few individuals have identified that there is a great deal of information available to the Carrier IQ software inside the handset, our software does not record, store or transmit the contents of SMS messages, email, photographs, audio or video. For example, we understand whether an SMS was sent accurately, but do not record or transmit the content of the SMS. We know which applications are draining your battery, but do not capture the screen.

You can read the entire statement here

AT&T and Sprint (BAD)

AT&T admitted to Computerworld that they do use the Carrier IQ software. "It is being used solely to improve wireless network performance," reported Computerworld. Sprint and AT&T said that they used the information gathered in accordance with their privacy policies, which do have a clause for using third-party tools to analyze customer data.

T-Mobile (BAD)

T-Mobile has stated that they do use this tool but they do "not use this diagnostic tool to obtain the content of text, email or voice messages, or the specific destinations of a customers' Internet activity, nor is the tool used for marketing purposes," the company said in an email statement to Computerworld.

Apple (MODERATELY BAD)

Apple used this product in the past but as of iOS 5 no longer uses it. If you haven't upgraded yet, I would say this would be the time. However, the software is installed on all of their devices and they plan to remove it with a future update. I would think this fiasco might bump up that timeline just a bit. Here is their official statement:

"We stopped supporting Carrier IQ with iOS 5 in most of our products and will remove it completely in a future software update. With any diagnostic data sent to Apple, customers must actively opt-in to share this information, and if they do, the data is sent in an anonymous and encrypted form and does not include any personal information. We never recorded keystrokes, messages or any other personal information for diagnostic data and have no plans to ever do so."

HTC, Samsung and Motorola (GOOD)

HTC has said that they include it in all of their handsets. They don't use the software themselves but include it because their carriers insist on having it included. (Computerworld)

Google, Microsoft, Sony, HP, Verizon, Research In Motion and Nokia (GOOD)

They have gone on record saying that they do not use this software (LA Times & Tom's Hardware). Although these companies do not install it on their phones, that does not mean the carrier will not, with its custom pre-installed software. Verizon is the only carrier that said it does not install and does not use this software.

Carriers outside the USA:

All major carriers in Canada  (GOOD)

Rogers, Telus, Bell, Virgin, Fido and Videotron said that they do not use this software.  

Across Europe (?)

It looks like most governments and their respective departments are looking into the situation. If your carrier is not listed in this article, I would call and make sure they don't use it. These countries include the UK, Germany, Italy, Ireland, and France. It looks like everyone is going to have their metrics software reviewed and out in the open.

What's being done because of this?

There is a huge amount of buzz and this story is unfolding as I type it. There is now an official Senate inquiry by Senator Al Franken (D-Minn). Franken has sent a letter to Carrier IQ asking for details about the software and the company's business practices. This is a quote from him yesterday:

"[I]t appears the software captures a broad swath of extremely sensitive information from users that would appear to have nothing to do with diagnostics—including who they are calling, the contents of the texts they are receiving, the contents of their searches and the websites they visit.

These actions may violate federal privacy laws, including the Electronic Communications Privacy Act and the Computer Fraud and Abuse Act. This is potentially a very serious matter."

This is a step in the right direction toward uncovering the real story and also making other companies aware that they cannot use the same practices. You can read the actual letter on Franken's website.

There is already a lawsuit filed claiming this violates the federal Wiretap Act. I would expect a lot more lawsuits to be filed (paidContent.org). Lawyers and governments around the globe are looking into this. I would expect this to escalate over the next few weeks; more than a few experts have said there is enough evidence for class action status. CarrierIQ, HTC and Samsung are all mentioned in lawsuits already filed.

Most importantly: what can you do?

Apple


If you turn off Diagnostics and Usage in Settings, that seems like it should be enough for Apple products. If you want to know the technical details, check out this post by Chpwn.

Android

In light of recent events, a smart person has made an application to detect if CarrierIQ is installed; check out Voodoo CarrierIQ on the Android Market. This application only detects the presence of the app and at this time does not remove it. It is open source and the writer is seeking to work together, if anyone is interested. The only other option involves rooting your phone, which then gives you access to a bunch of apps that will remove the program. I don't recommend rooting at this time unless you were already planning on doing it. Get the Voodoo app and see if CarrierIQ is installed. If it is, call your carrier and speak your mind. Call your phone's manufacturer as well.
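The presence check described above, as an added example that is neither the post's code nor the Voodoo app's: a short POSIX shell script that lists a phone's installed packages over adb and flags names suggesting the Carrier IQ agent. It assumes adb is installed and USB debugging is enabled (neither is mentioned in the post), its name patterns `carrieriq` and `iqagent` are an assumed starting point to be extended from a trusted detector's source (the post notes the Voodoo app is open source), and the sample package list inside it is constructed for when no device is attached.

```shell
#!/bin/sh
# Added example (not code from the post or from the Voodoo app): a defensive
# check that looks through an Android package list for entries whose names
# suggest the Carrier IQ agent is installed.
#
# Assumptions (not stated in the post): adb is on the PATH and USB debugging
# is enabled on the phone; the name patterns below are a starting point and
# should be extended from a trusted detector's source.

# Name fragments matched case-insensitively against package names (assumed).
CIQ_PATTERNS="carrieriq iqagent"

# find_ciq_packages: reads "package:<name>" lines (the format printed by
# "adb shell pm list packages") on stdin and prints each matching name once.
find_ciq_packages() {
    while IFS= read -r line; do
        pkg=${line#package:}
        lower=$(printf '%s' "$pkg" | tr '[:upper:]' '[:lower:]')
        for pat in $CIQ_PATTERNS; do
            case "$lower" in
                *"$pat"*) printf '%s\n' "$pkg"; break ;;
            esac
        done
    done
}

# ciq_present: exit status 0 if the package list on stdin has any match.
ciq_present() {
    [ -n "$(find_ciq_packages)" ]
}

# sample_package_list: constructed sample output standing in for a phone,
# used when no device is attached so the script can be run offline.
sample_package_list() {
    printf '%s\n' \
        'package:com.android.settings' \
        'package:com.carrieriq.iqagent' \
        'package:com.example.weather'
}

# scan_device: run the check against an attached phone, or the sample data.
# adb output uses CRLF line endings, so carriage returns are stripped first.
scan_device() {
    if command -v adb >/dev/null 2>&1 && adb get-state >/dev/null 2>&1; then
        adb shell pm list packages | tr -d '\r'
    else
        echo 'no device attached; using constructed sample list' >&2
        sample_package_list
    fi | find_ciq_packages
}

# Report what was found when the script is run directly.
found=$(scan_device)
if [ -n "$found" ]; then
    echo "Carrier IQ-related packages found:"
    echo "$found"
else
    echo "No Carrier IQ-related packages found."
fi
```

A match only tells you a package with a suggestive name is present, which is the same limitation the post notes for the Voodoo app; removal is a separate step, and a carrier build can rename the agent, so treat an empty result as "nothing found by name", not as proof of absence.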

If you own a BlackBerry, webOS, or non-smart device, it looks like you're in the clear. Remember that even if BlackBerry says they don't put it on their handsets, your carrier might, so double check it's not on yours.
