The Saga Continues: Latest on the Carrier IQ Uproar
Carriers and manufacturers are denying the use of Carrier IQ left and right. Meanwhile, the company is facing two class-action lawsuits and investigations from international groups.
Shortly after our article about Carrier IQ went live, HP sent over a statement claiming that the company does not install nor authorize its partners to embed Carrier IQ on its webOS devices. Other companies also came forth with their statements, some denying use of the supposed spying rootkit and others openly admitting to its use.
So who is using Carrier IQ and who isn't?
Out of the twenty that have come forth and responded with a statement, only six actually admit to using the software: AT&T, HTC, Samsung, Sprint, T-Mobile USA and Motorola (who reportedly only does so if requested by the carrier). Companies who claim no part in Carrier IQ's shenanigans include Google, Microsoft, Nokia, RIM, Sony Ericsson, Verizon and more.
"T-Mobile utilizes the Carrier IQ diagnostic tool to troubleshoot device and network performance with the goal of enhancing network reliability and our customers' experience," T-Mobile USA stated. "T-Mobile does not use this diagnostic tool to obtain the content of text, email or voice messages, or the specific destinations of a customers' internet activity, nor is the tool used for marketing purposes."
"The Sprint privacy policy makes it clear we collect information that includes how a device is functioning and how it is being used," Sprint admitted. "Carrier IQ is an integral part of the Sprint service. Sprint uses Carrier IQ to help maintain our network performance."
"Some Samsung mobile phones do include Carrier IQ, but it's very important to note that it's up to the carrier to request that Samsung include that software on devices," Samsung said. "One other important point is that Samsung does not receive any consumer user information from the phones that are equipped with Carrier IQ."
"In-line with our privacy policy, we solely use CIQ software data to improve wireless network and service performance," AT&T reports.
Apple even pleaded guilty to some degree, stating that it stopped supporting Carrier IQ with iOS 5, and will remove it completely in future updates. "With any diagnostic data sent to Apple, customers must actively opt-in to share this information, and if they do, the data is sent in an anonymous and encrypted form and does not include any personal information," the company claims. "We never recorded keystrokes, messages or any other personal information for diagnostic data and have no plans to ever do so."
All major carriers in Canada said that they do not use Carrier IQ.
Carrier IQ's statement
On Thursday, Carrier IQ released a public statement explaining that carriers only use its software to diagnose operational problems on networks and mobile devices.
"While a few individuals have identified that there is a great deal of information available to the Carrier IQ software inside the handset, our software does not record, store or transmit the contents of SMS messages, email, photographs, audio or video," the company stated. "Carrier IQ acts as an agent for the Operators. Each implementation is different and the diagnostic information actually gathered is determined by our customers – the mobile Operators. Carrier IQ does not gather any other data from devices."
The company's public statement also quoted security expert Rebecca Bace of Infidel Inc. who said that allegations of keystroke collection or other surveillance of mobile device user’s content are erroneous. Her conclusion is based on her own hands-on with the software, and joins a similar conclusion offered by Security consultant Dan Rosenberg. He agrees with her assessment in that there's no foul play involved with Carrier IQ.
In speaking with CNET, Rosenberg claims to have extracted Carrier IQ from his own Android smartphones and analyzed the assembly language code with a debugger. "The application does not record and transmit keystroke data back to carriers," Rosenberg told CNET. His investigation showed that "there is no code in Carrier IQ that actually records keystrokes for data collection purposes."
Lawsuits
Despite Carrier IQ's claim of innocence, the company -- along with HTC and Samsung -- is now facing two class action lawsuits, just one day after the Senate began investigating the privacy scandal. All three are accused on violating the Federal Wiretap Act for allegedly gathering private information from consumer devices without obtaining prior consent. The class action lawsuits were filed in Chicago and St. Louis on behalf of all U.S. residents who had mobile phones containing the software. The penalty is $100 per day for each violation and for Carrier IQ, who claims to have its software on 140 million phones, the total sum could be devastating.
"Plaintiff, Erin Janek owns an HTC Android phone using the Sprint network," reads the lawsuit filed in St. Louis against HTC. "At all relevant times Plaintiff used her phone to electronically send over her cell phone network various types of private data. This data was not readily accessible to the general public. She did not know that Defendants were surreptitiously monitoring and collecting this data, nor did she give them permission to do so."
Meanwhile, Andrew Coward, Carrier IQ's VP of marketing, admitted to Business Insider in an interview that the software can take URLs the user visits on their phone and report that information to their carrier, but it's up to the carrier to decide whether or not it wants that information. The software can also see the apps on the device and determine how they perform, it can provide the user's location, and it can be added after market as an update from carriers or manufacturers.
Coward denies claims that the software retrieves personal information like keyboard strokes, test message content and so on. He also denies claims that the software controls data gathered on the device -- all that information supposedly goes straight to carriers or the device manufacturers, whichever party has a contract with Carrier IQ. He does admit, unsurpringly, that wireless carriers are the company's biggest customers.
Meanwhile, over in Europe
The Carrier IQ situation has also caught the attention of wireless carriers and device manufacturers abroad. Bloomberg reports that regulators in France, Ireland, Italy and the UK are currently reviewing whether Carrier IQ is in use in their jurisdictions. Germany’s Bavarian State Authority for Data Protection has also reached out to Apple in a letter to determine the company's stance on the situation.
"We read in the press about the privacy concerns the software may pose and decided to ask Apple about the details," said Thomas Kranig, head of the Bavarian agency. "If Apple decided to cease the use, all the better."
Georg Albrecht, a spokesman for Apple in Germany, declined to comment on the Bavarian agency’s letter. But as previously reported, Apple halted use of Carrier IQ as of iOS 5, and intends to completely remove it from the code in future updates.
In an e-mail statement, the U.K. Information Commissioner’s Office said it "will be contacting mobile phone operators to establish if the Carrier IQ or similar software is on U.K. customers’ handsets and, if so, what steps are being taken to ensure there are no privacy implications." Francesco Pizzetti, the president of Italy’s Protection of Personal Data Guarantor, said an actual investigation is open to determine how the Carrier IQ software works, and if it's in use on Italian mobile phones.
As for Ireland, the local data-protection agency plans to contact handset operators to see if and how Carrier IQ is used in their territory. Elsa Trochet-Mace, a spokeswoman for French privacy regulator CNIL, claims that initial findings indicate that the software is not in use in France.
Letters to the U.S. Government
Back here in the States, local organization Consumer Watchdog is also up in arms, calling on the U.S. government to investigate the allegations surrounding Carrier IQ's software. On Friday, the consumer group sent letters (pdf) to U.S. Attorney General Eric Holder and U.S. Federal Communications Commission Chairman Julius Genachowski. The group wants these two agencies to investigate Google, Apple and their partner mobile carriers.
"The device many of us carry in our pockets has, simply put, been turned into a virtual spy phone," John Simpson, Consumer Watchdog's Privacy Project director, told Computerworld in an email.
How to check if you have Carrier IQ
As previously reported, Android device owners can check to see if Carrier IQ resides on their rooted phone or tablet by downloading a non-Market application. But now another app has surfaced on Google's Android Market that doesn't require the device to be rooted. Called Voodoo Carrier IQ Detector, it alerts the user if the rootkit is present, but doesn't offer any means of removal. It's developed by Supercurio and requires Android 2.1 "Eclair" or greater to use.
According to the app, my Verizon-laced Sony Ericsson Xperia Play does not show signs of Carrier IQ software.
- RIM Staff Fined $70,000 Following Drunken Antics on Flight
- Control Your Android Phone Via PC With AirDroid
- Nintendo's Wii Scores Best Black Friday Ever
- Doctor Develops Laser Procedure to Turn Brown Eyes Blue
- Rumor: iPhone 5 and iPad 3 to Use 4G LTE Technology
- Galaxy Nexus Arriving at Best Buy December 11
- Amazon Supports Internet Sales Tax (What the...?)
- Carrier IQ Spyware Discovered in Millions of Phones
- Facebook Settles With FTC on What to Do With Your Privacy
- Verizon Confirms Xoom 2 as Droid Xyboard for December
- Acer's New Iconia Tab A200 Packs Tegra 2, ICS Soon
- China to Match U.S. Oil Demand by 2040
- Augmented Reality Lets Shoppers Interact With Dinosaurs
- Researchers Prove Violent Video Games Change Your Brain
- iPhone, iPod Touch Cases Recalled Over Fire Concerns
- Google Feeding Ice Cream Dogfood to Employees' Nexus S
- Interactive EXOdesk to be Unveiled at CES 2012
- Mall Has Kids Skype Santa Instead of Visiting in Person
- Samsung Galaxy S II Burns Inside Man's Pants
"Andrew Coward, Carrier IQ's VP of marketing"
Who could live with a name like this?
I wonder if rooting your phone (to verify your personal security and privacy) can be justified to the carriers. Certainly, your carrier (if found guilty) will have to allow you to maintain your warranty after this debacle. Even those carriers who "claim" to not use this can't be trusted by there word alone - it requires independent confirmation which would require the rooting of MANY phones...
Well, sh!t definately hit the fan on this one. Good work, there aren't enough deep levels in hell for businesses like Carrier IQ and the service providers supporting them.
Burn baby burn!
Q: Great for those with Android but what about Blackberry?
A: After doing plenty of searching and reading about this in reguards to blackberry phones. Someone claimed that there is no icon for it but it IS listed in the "applications" section under blackberry options.
Here is what I found at crackberry.com:
"I can also confirm that there is no icon for this application, though it does show under "IQAgent" in the application management listing and is listed as optional.
Update:
The application and all listed modules removes easily with a delete of the application. No wipe or extreme measures needed. I do not think BlackBerry users need to be worried about this app, if its found, simply go in and uninstall it."
If this is correct then I don't have it on my Blackberry. I encourage you to check yours!
Loving my BlackBerry on Verizon...lol RIM wouldn't be able to get all the security awards and certifications if it ran crap software like that.
On Thursday, Carrier IQ released a public statement explaining that carriers only use its software to diagnose operational problems on networks and mobile devices.
Um I saw the video posted on youtube and every keypress was filtered through the CIQ app.
Q: Great for those with Android but what about Blackberry? A: After doing plenty of searching and reading about this in reguards to blackberry phones. Someone claimed that there is no icon for it but it IS listed in the "applications" section under blackberry options.Here is what I found at crackberry.com:"I can also confirm that there is no icon for this application, though it does show under "IQAgent" in the application management listing and is listed as optional.Update:The application and all listed modules removes easily with a delete of the application. No wipe or extreme measures needed. I do not think BlackBerry users need to be worried about this app, if its found, simply go in and uninstall it."If this is correct then I don't have it on my Blackberry. I encourage you to check yours!
I have a BB9930, 9650 and a 9630 and that software is no where to be found.
Q: Great for those with Android but what about Blackberry? A: After doing plenty of searching and reading about this in reguards to blackberry phones. Someone claimed that there is no icon for it but it IS listed in the "applications" section under blackberry options.Here is what I found at crackberry.com:"I can also confirm that there is no icon for this application, though it does show under "IQAgent" in the application management listing and is listed as optional.Update:The application and all listed modules removes easily with a delete of the application. No wipe or extreme measures needed. I do not think BlackBerry users need to be worried about this app, if its found, simply go in and uninstall it."If this is correct then I don't have it on my Blackberry. I encourage you to check yours!
What you failed to mention though is in that article the person purposely installed CarrierIQ on his 9650 for testing purposes because it wasn't there natively. Most of my friends have various BB models and they nor I have that garbage software on our devices.
"The Sprint privacy policy makes it clear we collect information that includes how a device is functioning and how it is being used," Sprint admitted. "Carrier IQ is an integral part of the Sprint service. Sprint uses Carrier IQ to help maintain our network performance."
Better do a change of plan then cause your crappy 3g/4g network performance is horrible. I left tmobile for sprint and I have been in cellular misery since...
Is Carrier IQ present on iPod touches? I ask this because I have an a 2nd generation iPod touch with iOS 4 as iOS 5 is not compatible with it.
Is Carrier IQ present on iPod touches? I ask this because I have an a 2nd generation iPod touch with iOS 4 as iOS 5 is not compatible with it.
iPods are not phones so I'm fairly certain that it doesn't apply.
I thought it was HTC that blamed the carriers. Motorola too?
Even bank (Chase) apps user id and passwords are clear to it.
I know Verizon said they didn't use it, but their statement wasn't strong enough to the effect that they didn't use something else.
The Senate will never let this continue. All illegal monitoring of American citizens is only to be done by the government. Of course, if these carriers are willing to share this data ...
I'm pleased to know that my phone is entirely incapable of running this software. With 9MB of storage and a processor barely capable of adding integers it would be impossible for me not to notice it on there.
i feel sorry for android, with great popularity comes great malware infection.
The Senate will never let this continue. All illegal monitoring of American citizens is only to be done by the government. Of course, if these carriers are willing to share this data ...
The government of our fine nation protecting our privacy? Been to an airline in the last decade? If not take a little stroll down to an airport after PAYING for your ticket.. you'll find out how much they value your privacy.
I doubt they'll do anything frankly, however the class action law suites are much more likely to yield results IMO.. If it is won as described above, it would nuke CarrierIQ out of existence and most likely dent the whole damned wireless industry if it spills over to carriers themselves and manufacturers.
I will say this however to the actual CarrierIQ program itself: I've not been able to spot it storing any of the clear text info past a reboot, nor have I been able to see it transmitting it, however whatever it IS transmitting is encrypted so I can't verify squat.
Even if it wasn't sending this info anywhere, the fact that it makes it SO easy for some one else to watch this info if their devices where compromised is scary. This does constitute a real security problem since I was able to replicate the guy on youtube's session and tell my buddy his full password for his bank account, what bank it was, their login URL and his Facebook login.
That said, it makes deploying a root kit real easy for some one who wants to infect phones to gain information.
Lets also not forget the marketing advantages to such information that they surely aren't selling for profit.. HAH
EPIC FAIL.
Makes me glad I've always wiped my android devices and put cyanogenmod on them square away..
Better do a change of plan then cause your crappy 3g/4g network performance is horrible. I left tmobile for sprint and I have been in cellular misery since...
Every area has different experiences. I left AT&T for Sprint and I can't believe I suffered with that horrid experience with AT&T for so long. Sprint is hands down, far above and away, better in every way... Here anyhow. 4G screams, even tethered, fast enough to stream HQ videos. Even 3G has smooth and fast surfing speeds. Never waiting on pictures/pages to load. But again; that's here... Where my parents live, AT&T had no signal at all, what-so-ever. Sprint is acceptable but not top notch, Verizon (what they have) is a bit stronger. That's there. Every area is different. Every company needs to better their equipment somewhere. Still, I'm overjoyed with my move to Sprint.
Still, I want CarrierIQ to die... I hate rooting my phones but just to do this alone; I'm very tempted. I'm hoping they at least are forced to include a removal method due to this so I don't have to.
As important this revelation is, I wonder what kind of smoke screen it is.
I am surprised you actually followed up on a (mobile) story, seeing how I never saw a correction to the whole "Avengers scenes shot with an iPhone4S"-story. Yeah, it wasn't true.
This has been quite a bombshell, it seems. I'm glad all carriers in Canada do not use this software, but the part about iOS containing this worries me a lot, since I use my iPod touch for a lot of blog reading and web surfing.
The fact is, I do not see a section under iOS that states I can opt in/out of information collection by Apple, which makes me think that Apple's statement is utter BS to begin with. If it's under iTunes, then it might as well consider the option not there as many users don't even know how to operate basic software.
Countries that "acknowledge" spying on it's citizens...http://wikileaks.org/The-Spyfiles-The-Map.html
And the rest of them lied and are spying too
Maybe my iphone 3G runninf iOS 4 is so slow is becuase of Carrier IQ ? the 3G is slow enough running iOS 4, but it seems to lock up and freeze like its being keylogged. If the Carried IQ program is non resposive, then the device freezes (stops responding to user requests). Anyways I don't need that thing slowing down my device, I need every percent of cpu usage free, as my device is slow as it is. Its like being kicked in hte nuts when your down.
This is indeed a terrifying situation. Imagine trusting one company with all your passwords, messages, email addresses, bank account passwords. This is precisely what the CIQ app does with your phone carrier.
No wonder we hear more and more of people secret videos, pictures, etc..., being released anonymously on the web. Essentially, when you entrust all this information you are at the mercy of the carrier's intentions, and surely a multitude of people working for the carrier have access to this information.
Surely, much dangerous information has been transmitted via smartphones by government and defense officials unaware that the information may have been logged by the carrier, in essence giving the carrier access to the secret information and backdoor access.
Talk about putting company insider information at the finger tips of the carrier. Just imagine merger and acquisitions and the explosive stock action that follow. Much of this stuff is accessible by carriers that use CIQ in their smart devices. Man this is really really sick.
I have checked 5 phones since yesterday one tmo one sprint two verizon and one att and all of them had CIQ on them. these are all various brands as well htc samsung apple (att) moto. my phone as well as my wifes are clean however both android rooted with custom roms.
In fact this was so even in airplane mode.
i feel sorry for SMARTPHONES, with great popularity comes great malware infection.
Fixed it for ya...
Where is Zonealarm for Android? OTH, MS created Security Essentials to cover their butts. I would bet that Google is going to step up to the plate with their own watchdog software.
My new Samsung Galaxy II on the Bell network (Canada) does not have Carrier IQ.
Loving my BlackBerry on Verizon...lol RIM wouldn't be able to get all the security awards and certifications if it ran crap software like that. On Thursday, Carrier IQ released a public statement explaining that carriers only use its software to diagnose operational problems on networks and mobile devices.Um I saw the video posted on youtube and every keypress was filtered through the CIQ app.
While the app does receive all actions, it does NOT mean it also sends them. It's like a policeman reading all passing license plates, but not reacting to them. Although a different policeman could read every license plate over the air, so could a possible update (or command) to the app.
So the current app does not seem to break privacy except for the https URLs.
But the youtube video shows only actions sent to the app (which is still on the phone) and not what it sent to a server (over the network). That can be done only by testing over wifi with a router capable of displaying all traffic (and of course reverse-engineering the traffic).
There is a difference between "what can do" and "what does". I don't deny the need for investigation, but the reporting was too "shocking", and I'm afraid it was the only way for the newswriters to be hooked. And now there is a wrong image of the problem (it was not proven what it does).
Note: I'm using CM7, so I did have and did not test the CarrierIQ SW.