
CarrierIQ Tries To Silence Security Researcher

phaedrus5001 sends this quote from a story at Wired: "A data-logging software company is seeking to squash an Android developer's critical research into its software that is secretly installed on millions of phones, but Trevor Eckhart is refusing to publicly apologize for his research and remove the company's training manuals from his website. Though the software is installed on millions of Android, Blackberry and Nokia phones, Carrier IQ was virtually unknown until the 25-year-old Eckhart analyzed its workings, recently revealing that the software secretly chronicles a user's phone experience, from its apps, battery life and texts. Some carriers prevent users who actually find the software from controlling what information is sent." The EFF is hosting PDFs of CarrierIQ's C&D letter, as well as their response on Eckhart's behalf.
  • by RetailResTech ( 2499152 ) on Tuesday November 22, 2011 @08:55PM (#38143488)
    Looks like CarrierIQ is trying to save face in their PA http://www.carrieriq.com/Media_Alert_User_Experience_Matters_11_16_11.pdf [carrieriq.com] I wonder, I'm not entering a contract with CarrierIQ, are they collecting this data to their own servers then sending the data to the carriers or are the carriers collecting the data?
  • Re:Why blame CIQ? (Score:5, Informative)

    by saihung ( 19097 ) on Tuesday November 22, 2011 @09:08PM (#38143576)

    Did you read any of the linked documents? The criticism against CarrierIQ is not necessarily about what they're making, but that they are trying to shut this man up for telling the truth about their products under the guise of copyright claims. That deserves criticism, and lots of it.

  • by TheyTookOurJobs ( 1930780 ) on Tuesday November 22, 2011 @09:14PM (#38143618)
    Root your phone and load a custom rom, that will take care of a few problems. CIQ, Bloatware, and you can freely tether your internet.
  • Streisand effect? (Score:5, Informative)

    by sdavid ( 556770 ) on Tuesday November 22, 2011 @09:15PM (#38143620)
    They'd better watch out for the Streisand Effect [wikipedia.org].
  • by Anonymous Coward on Tuesday November 22, 2011 @10:42PM (#38144260)

    Hypervisors aren't that stealthy, and can be made to reveal themselves quite easily once you perform a trapped instruction. Aside from the massive research cost in coming up with some kind of truly stealthy hypervisor, it would also significantly increase unit costs. So no, there's no hypervisor.

  • by LordLimecat ( 1103839 ) on Tuesday November 22, 2011 @10:52PM (#38144306)

    His high UID combined with a clearly trollish statement means he might not be the idiot here. Yall are postin in a troll thread.

  • by exomondo ( 1725132 ) on Tuesday November 22, 2011 @11:46PM (#38144640)

    As I understand the article this only tracks:

    key presses on the dialing pad. So they can see what phone number you called, but not what you type in general. When a text is received, not the content of the text

    FTFA:
    “We’re not looking at texts. We’re counting things. How many texts did you send and how many failed. That’s the level of metrics that are being gathered,” he said.

    He answered “probably yes” when asked whether the company could read the text messages if it wanted.

  • by Tuxedo Jack ( 648130 ) on Tuesday November 22, 2011 @11:46PM (#38144642) Homepage

    Ms. Woods,

    I possess and use an HTC EVO 3D smartphone in line with my daily duties for my employer and various clients. This phone contains your employer's software (CarrierIQ for Sprint), which was bundled with the device and zero disclosure that it was installed or of its capabilities.

    My device contains HIPAA-protected data (specifically relating to EMR software and the data contained therein) as well as PCI-DSS related information for my company's various clients. As such, it is protected by all manner of privacy laws, the breach of which results in severe penalties under United States law.

    After reading Trevor Eckhart's research and doing some of my own, I am curious as to specifically what data your organization is capturing on Sprint's behalf, as well as to what extent they have customized their build of your software, and what its capabilities with their modifications are.

    If the software, either in its original form or modified, does indeed capture data from a phone, including the ability to take screenshots or access the contents of e-mail accounts or SMS messages, this could potentially be in violation of all manner of privacy acts, depending on what data is being harvested and whether your client has the option to turn such collection on or not.

    Please note that, among other techniques, I will be disassembling the binaries that I possess on my device and will be comparing it against the original ROM image that HTC has issued for this device in order to differentiate what, if any, changes are pushed out through over-the-air updates in order to determine the capabilities of the software as best I can.

    To the best of my knowledge, I have never accepted any license agreements or restrictions regarding the software on my device, and as such, I am not bound to refrain from analyzing the software as I see fit, nor from having the results peer-reviewed and published once completed.

    If your department is unable to answer my questions, please relay this to someone else inside your organization as you see fit.

    I remain,

    INSERT_NAME_HERE

  • RTFP! (Score:4, Informative)

    by Virtucon ( 127420 ) on Wednesday November 23, 2011 @12:32AM (#38144900)

    Read the F*ing Fine Print people! Your wireless carrier can do whatever they want with devices provisioned on their network. You therefore cannot be "surprised" when a third party comes along and offers them "services" to track customer usage patterns.

    From AT&T Wireless Terms and Conditions [att.com]

    You acknowledge that every business or personal decision, to some degree or another, represents an assumption of risk, and that neither AT&T nor its content and service providers or suppliers, in providing information, applications or other content or services, or access to information, applications, or other content underwrites, can underwrite, or assumes your risk in any manner whatsoever.

    .... and ....

    From 3.1 "My Device"

    You are responsible for all phones and other devices containing a SIM assigned to your account ("Devices"). Your Device must be compatible with, and not interfere with, our Services and must comply with all applicable laws, rules, and regulations. We may periodically program your Device remotely with system settings for roaming service, to direct your Device to use network services most appropriate for your typical usage, and other features that cannot be changed manually.

    Devices purchased for use on AT&T's system are designed for use exclusively on AT&T's system ("Equipment"). You agree that you won't make any modifications to the Equipment or programming to enable the Equipment to operate on any other system. AT&T may, at its sole and absolute discretion, modify the programming to enable the operation of the Equipment on other systems.

  • Re:RTFP! (Score:5, Informative)

    by quixote9 ( 999874 ) on Wednesday November 23, 2011 @01:13AM (#38145140) Homepage
    Actually, no. EULAs, TOS, whatever, which contravene actual laws, are invalid. You couldn't, for instance, bury a clause in a sale contract stipulating that by signing the buyer had agreed to be your slave. Or, you could, but it wouldn't hold up in court.

    And that's the problem. Very few of us have the money, energy, or time to fight all the bullshit contracts we have to sign. So they haven't (yet) been thrown out of court. That doesn't change the fact that they're garbage.
  • Re:Streisand effect? (Score:4, Informative)

    by mrogers ( 85392 ) on Wednesday November 23, 2011 @06:15AM (#38146622)
    Looks like someone already created a torrent [monova.org].
