Follow Slashdot stories on Twitter

 



Forgot your password?
typodupeerror
×
Android Cellphones Electronic Frontier Foundation Privacy Security

Carrier IQ Responds To FBI Drama, EFF Wants More Information 140

New submitter realized writes "Yesterday Carrier IQ released a report (PDF) which tries to answer some questions about how their system operates. Also, after reports of the FBI using Carrier IQ data, the company responded by saying, 'Carrier IQ has never provided any data to the FBI. If approached by a law enforcement agency, we would refer them to the network operators.' Additionally, the EFF just released a report which says they believe keystroke data 'is in fact being inadvertently transmitted to some third parties,' but they would like to study carrier profiles to verify information." Reader Trailrunner7 adds that Carrier IQ's report indicates "under some limited circumstances its software will log the contents of SMS messages sent to a user's phone, but that that the contents of those messages would not be human readable. Instead, they would be in an encoded form that could not be decoded without special software and the carriers don't have access to the contents of the messages either. The company said it has worked on a fix for the bug, which affected devices running the embedded version of the Carrier IQ agent."
This discussion has been archived. No new comments can be posted.

Carrier IQ Responds To FBI Drama, EFF Wants More Information

Comments Filter:
  • I've got the iPhone, how do I crib smother this Carrier IQ parasite?
    • by VortexCortex ( 1117377 ) <VortexCortex@pro ... m ['jec' in gap]> on Tuesday December 13, 2011 @08:23PM (#38364656)
      Install gentoo.
    • Re: (Score:1, Informative)

      by Anonymous Coward

      Step 1: Buy an Android phone
      Step 2: Run one of the numerous CIQ detection apps
      Step 3: If found, install an AOSP ROM like CM7

      • Re: (Score:3, Informative)

        by PNutts ( 199112 )

        Step 1: Buy an Android phone
        Step 2: Run one of the numerous CIQ detection apps
        Step 3: If found, install an AOSP ROM like CM7

        Yes, much simpler than turning off a single option in the iPhone's preferences (after you've turned it on because it's off by default). Or don't turn it off because you can see what it sends in clear text and it doesn't log anything except diagnostic information.

        • Re: (Score:1, Troll)

          by bruno.fatia ( 989391 )

          Do you really trust this company that their software will indeed work as informed (sending ONLY if allowed, not logging user habits, etc)? After numerous times saying that their software is harmless to the users and each and everyday being proven wrong by security specialists I wouldn't trust it even with these settings turned off.

          • Re: (Score:2, Informative)

            by Anonymous Coward

            Well, security researches have shown that on the iPhone it does in fact start up, check the user's option to have it enabled (which is off by default), then exit immediately if it is disabled.

            With the fact that Apple is very open about how it gets turned on, leaves it disabled by default and even makes you accept a new privacy policy to enable it, and all of that has not been disputed by researchers, I will say "Yes, I can trust them"

            Enjoy your spyware riddled Android device.

            • Re: (Score:2, Funny)

              by Anonymous Coward

              And by spyware riddled you mean perfectly clean, I suppose. Small typo.

            • by RubberMallet ( 2499906 ) on Wednesday December 14, 2011 @02:53AM (#38367118)
              There's nothing to turn off on my Android... CarrierIQ isn't even installed... wasn't installed from the beginning. So.. who has the spyware riddle device now? The iPhone which actually has the software installed, or the Android where it isn't? Hmmmmm
        • If it's a troubleshooting tool then it would benefit from remote activation. If it's a spy tool then it needs remote activation. Removing the software isn't the same as not having it (currently) running.
        • by Stalks ( 802193 ) *

          Actually its easier than this.

          Step 1: Buy an Android Phone

          Don't buy it from a carrier and it doesn't have this crud installed.

      • by shutdown -p now ( 807394 ) on Wednesday December 14, 2011 @02:01AM (#38366924) Journal

        Step 1: Buy a Nexus phone.
        There is no step two.

        FTFY.

        • Unless you just really like its pre-installed single-player game, I think there's a Step 2 where you have to connect it to the telecom network.

    • by andydread ( 758754 ) on Tuesday December 13, 2011 @08:38PM (#38364784)
      Install Cyanogen Mod.
    • by Anonymous Coward on Tuesday December 13, 2011 @08:38PM (#38364786)

      Apple has said that they are almost done using Carrier IQ for other methods of data collection.
      http://allthingsd.com/20111201/apple-we-stopped-supporting-carrieriq-with-ios-5/

      The quote is:
      “We stopped supporting Carrier IQ with iOS 5 in most of our products and will remove it completely in a future software update. With any diagnostic data sent to Apple, customers must actively opt-in to share this information, and if they do, the data is sent in an anonymous and encrypted form and does not include any personal information. We never recorded keystrokes, messages or any other personal information for diagnostic data and have no plans to ever do so.”

      And for the Fanboys out there I say Other methods since they will still get "diagnostic data sent to them".

      • by jesseck ( 942036 ) on Tuesday December 13, 2011 @08:50PM (#38364866)
        That just means they have a replacement that will do the same.
        • Very good point. You can count on it. And the replacement is most likely not so easy to detect or understand. Perhaps they can switch it on or off and collect the data as a pool at opportune times when it may not be so easily noticed. As long as they have the source code and you don't, there is no way for you to understand how the device works, for or against your wishes. If you are not permitted to rebuild it, then you will never understand how it truly works. ...I guess the poor unwary consumer will just

    • I would not be surprised if any cell phone, even the dumb ones, could be remotely enabled to log keys and other private information at the drop of a hat with order from proper authority. I could see the big corporations and government interesting lying somewhere along the lines of "The technology is capable of it, why not include the feature for the sake of public "security"? Same goes for any of the cloud connected network devices, such as the Kindle. Remember, when you are in the cloud you are in another

      • "Show me the source code, and let me rebuild it" is the only way to be sure.

        Are you certain? Really? [wikipedia.org]

        • Clearly he meant "show me the source code for everything from the assembler to the final application and I'll hand translate the assembler to machine code and then bootstrap the compiler with it, running on my discrete transistor processor that I designed and hand-assembled from individual parts."
        • by zman58 ( 1753390 )

          Stuckmud,
          Excerpt from your link above,
          "A program called a compiler is used to create the second from the first, and the compiler is usually trusted to do an honest job."

          You don't have to just trust the compiler because it also is GPL and open to inspection and rebuilding and calling out anything unusual. The *entire* solution is GPL, including the means to build it. So yes, I stand by my original post. If there are NO secrets, then honesty will "generally" prevail. The more secrets you have, as in proprieta

    • by Black Parrot ( 19622 ) on Tuesday December 13, 2011 @09:52PM (#38365308)

      I've got the iPhone, how do I crib smother this Carrier IQ parasite?

      Next time you drive across a bridge, toss it out the window.

      • by Anonymous Coward

        How am I supposed to throw a bridge out the window? A bridge I'm driving on, no less!

      • by bickle ( 101226 )

        Ah, so you must be the proverbial troll living under the bridge.

        Sorry, you can't have my phone.

    • When it asks you if you want to send diagnostics. Say no.

      If you were stupid enough to say yes in the past, you can change it in settings -> general -> about -> diagnostics.

    • Re: (Score:2, Informative)

      by dissy ( 172727 )

      I've got the iPhone, how do I crib smother this Carrier IQ parasite?

      Open Settings, go to General, then About, then Diagnostics & Usage
      See where it reads "Help Apple improve its products and services by automatically sending daily diagnostic and usage data, including location information." ?

      It will have "Don't Send" with a check mark. Simply never click "Automatically Send", as that option will enable CarrierIQ.

      There is also a button below to display the raw data it will send, and the word "Never" which is presumably the time it last sent data out.

      If you've upgraded to

  • The more you know... (Score:2, Interesting)

    by Anonymous Coward

    http://en.wikipedia.org/wiki/COINTELPRO [wikipedia.org]
    http://en.wikipedia.org/wiki/Citizens'_Commission_to_Investigate_the_FBI [wikipedia.org]

    I suspect COINTELPRO has been updated and perfected by now.

    • by cosm ( 1072588 ) <thecosm3 AT gmail DOT com> on Tuesday December 13, 2011 @08:29PM (#38364712)
      And we give you more shiny toys...
      All the better to track you my dearie!

      And we give you better airport security...
      All the better to control you my dearie!

      And we give you more in store free membership cards...
      All the better to know your every purchasing move my dearie!

      And we give you more places to report SSNs...
      All for the illusion of importance and identification my dearie

      And we give you traffic and overhead cameras...
      All the better to make sure your driving safe dearie!

      And we give you more more social networks...
      All the better to keep you and our friends close, so we can keep you our enemy closer!

      And we give you internet shaping and monitoring...
      All the better to provide better content delivery my dearie!

      And we give you more child porn laws and content ratings...
      All the better to protect your eyes my dearie!

      And we give you more drug laws and consensual restrictions...
      All the better to keep you safe my dearie!

      And we invade other countries and install governments...
      All the better to ensure your security my dearie!

      And I give you the slow erosion of all that is personal responsibility, hard work, civil liberties, freedoms, independence, free speech, and everything America ever once strived at standing for...
      All the better to own you my dearie!
      • by Tooke ( 1961582 )

        All the better to make sure your driving safe dearie!

        And we give you apostrophes for clearer communication... Dearie.

  • by T5 ( 308759 ) on Tuesday December 13, 2011 @08:16PM (#38364610)

    The fix is to not install spyware on the phones in the first place. How hard is this to understand?

    • by Sponge Bath ( 413667 ) on Tuesday December 13, 2011 @08:21PM (#38364646)
      It is well understood, but perceived to be less profitable so is dismissed as an option. Same as it ever was.
    • Re: (Score:1, Interesting)

      by artor3 ( 1344997 )

      It's not spyware. Carriers want info on how people use their phones so that they can fix bugs and make better phones. It's no different from software that occasionally reports home with usage statistics. Everyone does it, and it's a good thing. The only problem is that a few OEMs and carriers disabled the user's ability to opt out.

      CarrierIQ makes a legal, useful, morally-sound product. Some companies go on to use that product in a legal, useful, but less moral manner. But some asshole of a security res

      • by Rennt ( 582550 ) on Tuesday December 13, 2011 @10:44PM (#38365710)
        Legal, useful, and morally-sound? Yeah, that doesn't sound like a paid comment. It IS a rootkit, by definition (does it hide from your process list, can you remove it?). The EFF thinks it HAS been used as a keylogger, even if unintentionally. No matter what the customer agreed this functionality is morally reprehensible. If anything, the carriers deserve some credit for showing restraint in the use of this application, but CarrierIQ itself deserves all the criticism it is getting.
      • by Wolfier ( 94144 ) on Tuesday December 13, 2011 @11:36PM (#38366056)

        It's not spyware. Carriers want info on how people use their phones so that they can fix bugs and make better phones. It's no different from software that occasionally reports home with usage statistics. Everyone does it, and it's a good thing. The only problem is that a few OEMs and carriers disabled the user's ability to opt out.

        CarrierIQ makes a legal, useful, morally-sound product. Some companies go on to use that product in a legal, useful, but less moral manner. But some asshole of a security researcher figured out (correctly!) that he'd get way more hits on his webpage if he accused them of making a rootkit and keylogger. And now all the innocent, hardworking developers at this small business will be out on the streets, because the rage-a-holics want something to scream about, and the media is more than happy to manufacture controversy if it means good ratings.

        So congrats. You're going to destroy the lives of some innocent people over the tiniest of slights. I'm sure you're very proud.

        Not so fast. I suspect if CarrierIQ didn't attempt to SLAPP the researcher, none of its PR disaster would have happened.
        Don't act as if CarrierIQ is totally in the right, because it is not. The moment they decided to unleash a lawyer first, and then an honest disclosure when necessary, their fate was sealed.

        • by cHiphead ( 17854 )

          Its pretty obvious what's going on, CIQ is essentially an NSA (or other intelligence sponsored) front that can be used for, apparently, an insane amount of intelligence gathering with minimal need to work with different providers and other corporations at the same time. Makes perfect sense from their intelligence perspective to have that extra 'last mile' intelligence capability on individual cell phones. They're also playing it smart by letting CIQ pretend to be 'open' to discussion and pushing a network

      • Comment removed based on user account deletion
      • by L4t3r4lu5 ( 1216702 ) on Wednesday December 14, 2011 @04:12AM (#38367468)

        It's no different from software that occasionally reports home with usage statistics.

        The difference here is that I wasn't asked if I wanted to provide usage statistics, didn't even know that such statistics were being created, and the data being collected goes way beyond that which would be useful to any developer. Why would they need to know the content of my SMS messages to make a better app? Why do they need to know who I called and when, not just that a call was made?

        This is just too invasive. If they made it so it reported the most basic, anonymised stats there wouldn't be a problem. What they have done, however, is load devices which potentially contain sensitive personal data with remote monitoring software, with access to communications made on that device. It's too much, and they need to be called out on it.

        • Why would they need to know the content of my SMS messages to make a better app?

          Also. The ISPs are the first hop and can sniff your traffic all day long for content. They have no need for this application to give them detailed information like that. This application has to have been designed so that information can be seen by other people. I'm not saying it is designed to send content to the NSA, FBI, or OEMs because I don't have enough information. It could be argued that snarfing a message would show

        • Comment removed based on user account deletion
      • It's not spyware. Carriers want info on how people use their phones so that they can fix bugs and make better phones. It's no different from software that occasionally reports home with usage statistics.

        Well then why did it have the capability to do anything but report basic network usage statistics, like dropped calls and failed SMSes? It was shown in the debugging output that it had much more detailed capabilities (and is logging more detailed information), and now it's been found that on some phones it may be sending that information to the carriers.

  • by undeadbill ( 2490070 ) on Tuesday December 13, 2011 @08:21PM (#38364644)

    Instead, they would be in an encoded form that could not be decoded without special software and the carriers don't have access to the contents of the messages either.

    Yeah, first they say they don't sniff your traffic, then they say this, then that, then they pull the "not without our secret magic decoder ring" argument. If they are working with government agencies to use this software (and it may not be the FBI), they wouldn't even have the ability to admit to it- those kinds of agreements require the company to deny everything in perpetuity.

    First thing this new year, I'm migrating my phone over to cyanogenmod. I'd do it now, but I just don't have the time.

    • by msauve ( 701917 )
      ""not without our secret magic decoder ring"

      Everything is encoded with ROT-13. What's the problem?
    • by betterunixthanunix ( 980855 ) on Tuesday December 13, 2011 @09:01PM (#38364908)

      First thing this new year, I'm migrating my phone over to cyanogenmod

      Or, you could use your phone less, and use other devices more. The more dependent we become on our cell phones, the more power the cell phone companies will have over us.

      • by Rennt ( 582550 )

        So your answer to being beholden to mobile carriers is to remain beholden to ISPs? The same ISP's that run all the mobile services? How is a wireline going to make any difference if the provider is the same?.

        The answer, as always, is to 1) secure your shit. 2) hold carriers to a higher standard. Not to throw the baby out with the bathwater

        • So your answer to being beholden to mobile carriers is to remain beholden to ISPs? The same ISP's that run all the mobile services? How is a wireline going to make any difference if the provider is the same?

          Did your ISP install a rootkit on your PC?

          The answer, as always, is to 1) secure your shit.

          You mean when the software is being hidden from you, and when you cannot disable it without hacking your own phone? "Secure your shit" in that context means "don't use a cell phone."

          • by Rennt ( 582550 )

            Did your ISP install a rootkit on your PC?

            No. Neither did my carrier install one on my phone for that matter, but the thing is that these two services are provided by the SAME COMPANY.

            You mean when the software is being hidden from you, and when you cannot disable it without hacking your own phone? "Secure your shit" in that context means "don't use a cell phone."

            No it don't. Secure your shit means do whatever it takes to be confident you know what your phone is doing. If that means "hacking" it (and I think it does) then so be it.

      • I hear you! (can you hear me, now?)

        seriously, though, you are right. we should use mobiles as little as possible. but try getting people to drop their data-drug-of-choice.

        just try. try even asking teens to stop 'texting' (I really hate that term, btw).

        consume, consume, consume! and since we don't make things in the US anymore, selling 'data' is a way for americans to make money.

        well, some americans. I mean, some businesses. and by some, I mean less than a handful.

      • Not true. I use my cell phone a lot but using the carrier's services is something I don't do much. If you took the SIM out of my phone that would only remove a tiny fraction of the functions I use (although an important fraction). One day I'd like to get a dumb-pipe 3G connection and replace the cellular number with a VoIP system. If everyone could migrate to open VoIP, phone calls would be as free as email, but instead we buy the same services locked-in from Vonage, MagicJack etc. If only people had a litt

    • Yeah, first they say they don't sniff your traffic, then they say this, then that, then they pull the "not without our secret magic decoder ring" argument.

      And then there are rather disingenuous "we don't know what the carriers are doing with our software" claims.

      This company has a history of providing statements that are either untruthful or less than complete. Why believe them now?

    • by WWWWolf ( 2428 )

      What I'm more concerned is the choice of words: the stuff is "encoded" and you need "special software".

      I certainly hope this is just a bad choice of words and they meant to say it's encrypted using some decent enough cipher. If it uses public key crypto, then we can assume the messages are sent in a reasonably secure manner. But who has the secret keys, by the way? How they have designed the key infrastructure? Will everyone who has access to the "special software" be able to read every message ever, or is

  • by bmo ( 77928 ) on Tuesday December 13, 2011 @08:46PM (#38364826)

    but that that the contents of those messages would not be human readable. Instead, they would be in an encoded form that could not be decoded without special software

    "We encoded it as ROT13, twice."

    --
    BMO

    • Or... "We keep a tally of the number of times you write or receive certain words or phrases, or visit certain websites."

      Doing the aggregation on the client end just saves their servers some CPU... Speaking of, how much battery has this crap eaten in aggregate?

  • First off.. CIQ are not the bad guys here.

    They make software. It does various things, and it can be used for good or evil.

    The carriers are the ones who requested the software to be placed on the handsets. The handset makers are the ones who screwed up, specifically HTC who left debug mode enabled on a production handset. The Samsung handsets do not exhibit the same issues that were shown in the video that the HTC handsets show.

    The whole FBI link, no one really knows for sure, what the deal is, other the

    • by Wolfier ( 94144 )

      First off.. CIQ are not the bad guys here.

      They make software. It does various things, and it can be used for good or evil.

      The carriers are the ones who requested the software to be placed on the handsets. The handset makers are the ones who screwed up, specifically HTC who left debug mode enabled on a production handset. The Samsung handsets do not exhibit the same issues that were shown in the video that the HTC handsets show.

      The whole FBI link, no one really knows for sure, what the deal is, other then they refused a FOIA. That could mean they utilize the data, or they are in fact investigating CIQ itself.

      Honestly, for the purposes that CIQ claim the software is for, I have no real issue with it. However they built far more capability then was needed in the software, and that I do have a major issue with.

      Mostly agreed, except that CIQ made a fatal mistake of trying to silent the researcher with a SLAPP. If they worked WITH him in the first place, I bet none of their current PR disaster would have happened.

    • Agreed, though it comes down to the whole "Do guns kill people?" question. CIQ are no more culpable than Remington or Colt. Personally I am of the opinion people kill people, so blaming CIQ directly is erroneous.
  • by klubar ( 591384 ) on Tuesday December 13, 2011 @09:22PM (#38365064) Homepage

    I read the CIQ pdf, and the part I was most impressed with was the service quality heatmaps. It would be great if the carriers made (or were required to make) this data available. This would make it much easier to evaluate a carrier in your actual area. Instead the carriers just release vague maps that show that nearly the entire US is green. Clearly they have the data.

  • by Okian Warrior ( 537106 ) on Tuesday December 13, 2011 @09:35PM (#38365160) Homepage Journal

    One thing that's bothered me about all this:

    Google's street-view car inadvertently logs SSID broadcasts, which are transmitted in the clear. They 'fess up and get washed and hung out to dry. Threats from governments, demands that they turn over the data, investigations galore.

    CarrierIQ sends your text messages and keypresses and location information (including your typed passwords) to various third parties including the FBI and carriers... and nothing. A handful of small entities are "seeking suit" against the company.

    Where's the outrage? You'd think that CarrierIQ only affects geeks.

    • by bmo ( 77928 )

      Where's the outrage?

      This. Totally this.

      And you try to explain it and people either think you're wearing tinfoil haberdashery or millinery. It's like when I tried explaining the problems of using baby monitors and wireless telephones back before I gave up wasting my breath.

      --
      BMO

    • by artor3 ( 1344997 )

      CarrierIQ sends your text messages

      Completely false. It might be accidentally logging received messages, but even those aren't human readable.

      and keypresses (including your typed passwords)

      There's no evidence that this is even true.

      to various third parties

      Only in the form of OS logs for crash reports.

      including the FBI

      Baseless speculation.

      and carriers

      The only true part of the sentence!

      The whole "case" against CIQ is hugely overblown by media sources looking for ratings and people who desperately want something to be outraged over.

      • by Wolfier ( 94144 ) on Tuesday December 13, 2011 @11:49PM (#38366146)

        Only in the form of OS logs for crash reports

        Neither CarrierIQ or the Carriers have business in knowing what apps I'm using, whether they crash or not (the PDF says it reports context switches between apps, this is an INSANE invasion of my privacy) - except the crapware written by the Carriers themselves, which I need or want none of.

        The whole "case" against CIQ is hugely overblown by media sources looking for ratings and people who desperately want something to be outraged over.

        They were largely responsible for the "case" against themselves - if they worked with the researcher instead of using lawyers to threaten him, there would be no case. They should have been sensitive enough to know that there's a very fine line between what they make and a real spyware - and be aware of the possibility that EFF might join the fray before their lawyer sent that threaten letter.

      • CarrierIQ sends your text messages

        Completely false. It might be accidentally logging received messages, but even those aren't human readable.

        Except to teenagers.

        But then, I think a good argument can be made that teenagers aren't human, so I guess you're right.

    • What we learned from Google is: when you make a mistake, quickly and quietly cover it up. Definitely don't admit that you did something wrong.

      CarrierIQ's got the message and is playing it smart: divert attention by saying THEY don't give information to the FBI, when really the problem is their SOFTWARE collecting information. See? No admission of guilt. Perhaps they also pay the appropriate bribes.

      • You learned that from Google? You're late to the party, pal! ;)
      • They're not the same situations, really. Google's problems with the SSID logging / plaintext data collection weren't known outside of Google. If Google had simply removed the debugging code and deleted the data they had when they discovered the problem, that would have been the end of it right there, problem solved. But they went public instead, which didn't benefit anyone in any way. To this day I don't know what they were thinking.

        CarrierIQ's spyware was caught by an outsider on a consumer device. This co

  • by markjhood2003 ( 779923 ) on Tuesday December 13, 2011 @09:40PM (#38365200)
    Defenders of Carrier IQ insist that they're not collecting keystrokes, capturing SMS messages, or relaying personal information to the FBI, and that they're just collecting information to improve the quality of the network. The argument is irrelevant. Clearly the software has the capability of performing all these functions even if it isn't currently being used that way, and if the capability is there, it can be abused by third parties. Its existence on a personal device on anything other than an opt-in basis is unacceptable.
    • by artor3 ( 1344997 )

      A knife has the ability to kill someone, that doesn't mean we should ban knives. Intention does matter. This is extremely useful software, that a few OEMs misused. There's absolutely zero evidence that any wrongdoing even occurred. Be honest with yourself. You just want to be angry and righteous about something. It feels good, I know. But find a better issue. Perhaps one where people were actually hurt? Maybe even by a party that actually meant to do harm?

      • by grcumb ( 781340 )

        A knife has the ability to kill someone, that doesn't mean we should ban knives.

        Perhaps, but we should absolutely ban leaving the knife unsheathed in the baby's crib.

        Bear in mind that this software was first discovered because it was writing far too much data into the system log. If I understand the Android system correctly, any application at all could have accessed very detailed personal data simply by parsing the log.

        Intention does matter.

        That's true, and it seems that Carrier IQ actually did act in good faith.

        That does not, however, justify negligence, which seems to be the real problem here.

      • by sjames ( 1099 ) on Wednesday December 14, 2011 @01:52AM (#38366870) Homepage Journal

        If CIQ is so honorable, why have they made such an effort to embed it so deeply it cannot be turned off or removed from the phone by it's rightful owner short of extreme measures? Why isn't it's presence and operation more obvious? The deep embedding and stealth nature of the app are strong evidence that they know very well that phone owners will object to it. Those are not the actions of the innocent.

        If their intentions were honorable, they would apologize for getting it so very wrong and would have offered up a free detect and disable app for people who do not want CIQ on their phone. They have done no such thing. Instead they have been backing up slowly denying and backtracking all the way.

        You're right that we shouldn't ban knives, but you bet there will be hell to pay if someone is caught sneaking onto a plane with a knife concealed in his rectum. Claims that it was just in case he needed to peel an apple during the flight will not be accepted.

  • by ChipMonk ( 711367 ) on Tuesday December 13, 2011 @10:03PM (#38365406) Journal
    "Carriers don't have access to the contents of the [SMS] messages." Then how the hell do they get them to my phone in a human-readable format?
    • by BigJro ( 2531176 )
      They don't have access to read it from the phone, they have access to see what is sent to and from your phone. The original design of Carrier IQ is a text file that houses information that currently sends network coverage issues to the carrier. The file itself has more capabilities then just that, and the company that blew the whistle on this failed to notice what each text file is using. Instead they focused on the worse case scenario and threw that data out there and got what they wanted, attention. C
    • by Calos ( 2281322 )

      This is actually an interesting question.

      My initial reaction was "that's like asking how your ISP can possibly deliver you a webpage over an encrypted connection if they can't decrypt the webpage themselves?" But I'm not so sure this is a good analogy... unless there's a certificate system, or something built into the cell standards, or key negotiations between phones for every SMS sent... How is this secured? Is it secured at all?

      Maybe I'm just wholly ignorant on the subject...

  • by sgt scrub ( 869860 ) <saintium AT yahoo DOT com> on Wednesday December 14, 2011 @09:14AM (#38369366)

    Our client Trevor Eckhart (whose research set off the present firestorm) and his subsequent collaborator Ashkan Soltani have shown that on some phones, dialer keypresses and SMS text are being written to system logs by layer 4 code.

    It doesn't matter the intent of the developers of the software. If it exposes private information by logging plain text information to a place where an application can access it, it is bad. Trevor Eckhart exposed a VERY dangerous effect of a software exposing private information. The developers should fix their shit and shut the fuck up.

    Finally, there is an additional configuration file (called a "Profile") that controls the behavior of layer 2 and determines what information is actually sent from the phone to a carrier or other Carrier IQ client.

    If the user does not have access, or even know there is access, to controlling the "Profile" it is spyware. If it can not be disabled or removed without rooting the phone it is a rootkit.

  • if the TLAs want data, let them get a search warrant.

  • http://www.rcfp.org/can-we-tape [rcfp.org]

    So with wire tapping laws, some states require all parties involved to give concent to the recording. These are 2 party states. All other states are 1 party states, which means only one person involved in the recording has to give concent.

    Now if they are recording incoming information within a 2 party state, the sender of the SMS message has to give concent that the message can be recorded. This is reguardless of the contract of the owner of the phone has. Ultimately
  • But we can't be sure? What the hell does that mean for giant programs like Windows? Or programs that you wouldn't suspect like video drivers (a two company duopoly), msn, IE, Router Firmware?, Microsoft Word, Firefox, Linux, etc.?

    And what are our inklings of the penalties here? Can we penalize this company for doing something ferociousness when they were just following the orders of the FBI to "include a little code", or a court order not to discuss their involvement with law enforcement?

    When programs s

Some people only open up to tell you that they're closed.

Working...