



"Carrier IQ" logging *everything* on your phone?






Posted by anonymuser
This looks like a big one - an Android dev has demonstrated how software pre-installed on millions of Android phones, along with some Nokia and Blackberry models, is secretly logging everything the user does, including all their keystrokes, even on secure sites - http://www.theregister.co.uk/2011/11/30/smartphone_spying_app/

The makers of the Carrier IQ software admit the app transmits data back to them but have previously denied the app logs as much as it obviously does. It seems to have been built into various ROMs from HTC and the like, runs in a "hidden" way and is very difficult/impossible to kill without rooting.

Interesting times!


Posted by anonymuser
An interesting take on this from CNN - http://tech.fortune.cnn.com/2[....]-best-reason-to-buy-an-iphone/

It has to be said, if this was an Apple product caught behaving like this, you wouldn't be able to hear yourself around here for uproar...

Posted by Bonovox
Yes but didn't this happen with Apple not long back as I recall??

Posted by anonymuser
No, nothing like it!

There was the so-called "location-gate", but all that consisted of was a file on the phone which locally cached location data. A bug in the software meant it wasn't clearing out old entries; a patch fixed that and also encrypted the file so it couldn't be snooped on by anyone maliciously.

This thing is logging EVERYTHING - location, keystrokes, the content of text messages, the works - and it's doing it by design so it can share it with a third party that the user has no relationship with at all. Not the same thing!

Posted by laffen
"this thing is logging EVERYTHING - location, keystrokes, the content of text messages"


No, it does not log everything. It is a service running in the background which HTC, Nokia, RIM and some operators have paid money to have installed on the device. The sad part is that the EULA seldom informs the customer of this "feature" and that, on some devices, it is impossible to turn off if you want to. You can turn it off on Samsung devices.

A statement from Carrier IQ about the issue:

We would like to take this opportunity to reiterate the functionality of Carrier IQ’s software, what it does not do and what it does:
- Does not record your keystrokes.
- Does not provide tracking tools.
- Does not inspect or report on the content of your communications, such as the content of emails and SMSs.
- Does not provide real-time data reporting to any customer.
- Finally, we do not sell Carrier IQ data to third parties.

Our software is designed to help mobile network providers diagnose critical issues that lead to problems such as dropped calls and battery drain.

Here's what our software does:
- Our software makes your phone work better by identifying dropped calls and poor service.
- Our software identifies problems that impede a phone’s battery life.
- Our software makes customer service quicker, more accurate, and more efficient.
- Our software helps quickly identify trending problems to help mobile networks prevent them from becoming more widespread.

This is quite interesting reading for those interested in the functionality of the Carrier IQ software:
http://androidsecuritytest.co[....]nd-services/loggers/carrieriq/
[ This Message was edited by: laffen on 2011-12-01 01:05 ]


Posted by anonymuser
With respect Laffen, that's nothing more than your opinion, backed up by a week-old press release from the company in question. I can see why you'd love to believe that press release, but if you actually read the article I linked to and watch the video (made by Mr Eckhart *after* he was named in that press release, and who Carrier IQ were trying to silence legally until very recently) you'll see hard evidence that the software DOES do everything they claim it doesn't, including key logging.

Interestingly there have now been references to CIQ found in iOS, but the analysis suggests it's old code, disabled by default, which genuinely seems related to only network performance monitoring. That seems to have been the original aim of CIQ but the version now in operation on many Android handsets is clearly far, far more involved.

Posted by laffen
What is my opinion? Please elaborate.

To me it seems like the Carrier IQ software is hooked up to hardware interrupts just like any other third-party keyboard app, for example, but it does not mean that the keystrokes are sent away to some kind of harvesting server. The Carrier IQ could in theory be logging keystrokes, but I haven't seen any of this hard evidence you are talking about.

You might know that most OSes have a similar error reporting system. Mac OS has Crash Reporter and Windows has Windows Error Reporting. The problem is not that things are logged on the device itself, but that any data could be sent away to a third party company such as Carrier IQ without the user being informed about this. On some Samsung devices, it is possible to turn off this IQ agent while on HTC phones, it's hidden and on by default. In Apple iOS the IQ agent is turned off by default and the Carrier IQ software may only be active when the iPhone is in diagnostic mode. The agent should of course be more transparent and be an opt-in service.




Posted by Bonovox
Sony Ericsson also has the Usage Info which can be turned off. Same with HTC it can be disabled.

Posted by aka Dus
What's more interesting than whether Android or Apple are more responsible with user info is how to find out if this crap is on my SIM free Arc and if so, will any of the brilliant devs be able to figure out a way to turn it off or uninstall it.



Posted by anonymuser
@bonovox - this is *not* the same as HTC (or Samsung, or Apple for that matter) error reporting that can be switched off. This is separate. If you watch the Eckhart video you can see how these services are unrelated, and how CIQ has no such option - on the HTC at least.

@laffen - you stated as fact that CIQ doesn't log "everything" and then backed that up with CIQ's own press release - I'd suggest to you that what you were actually stating was an opinion based on stale, biased information that you chose to believe over the report and evidence in question.


Posted by laffen
@Boinng
So Carrier IQ's press release is a lie then? I didn't know that.

I guess many hobby hackers out there are trying to figure out what the IQ Agent daemon does. We will most likely have the answer to that in a couple of days

Posted by aka Dus
Not for me mate, I am SIM free and just have:

Connectivity
Facebook Inside Xperia
Internet Settings

Under settings > Sony Ericsson



Posted by anonymuser
Laffen - that's the implication of Eckhart's evidence in the video, which was produced in response to that press release and the claims CIQ were making.

Tellingly, Carrier IQ have yet to respond to the video or make any more recent statement, despite it now being big news across mainstream media.
[ This Message was edited by: Boinng on 2011-12-01 12:24 ]


Posted by Bonovox
Seems to me that this thread, although reporting on this topic, you are just also trying to say to everyone: hey, look how incredible this is, how it happens to Android, but oh, Apple is so amazing it could never happen to them. That's what you seem to be pointing out in your thread, Boinng. You point out the great reasons to buy Apple cos Android is doomed cos of this issue. I think you need to get out more, mate.

Posted by anonymuser
Lol - if you're going to shoot the messenger, try to aim higher than your own foot!

If you can read all of that into this thread, and get that upset about someone bringing an issue to your attention, I guess that probably says more about you than me. I didn't make the video and I didn't write the article on CNN or the Register, this really isn't about the iPhone either, it's about the android phone in your pocket, and many others. If you want to stick your fingers in your ears that's really up to you
[ This Message was edited by: Boinng on 2011-12-01 12:48 ]


Posted by admad
If anyone wants to check their phone, here's an app that can tell if you have any logging app installed: http://forum.xda-developers.c[....]t.php?p=17612559&postcount=110

Posted by laffen
Seems like Mr Eckhart was wrong about at least one thing. Nokia denies that any of their devices have Carrier IQ installed.

Posted by Bonovox
Boinng, I would hardly call myself upset; it's hardly something I cry about, is it??

Posted by anonymuser
You're upset enough to have a silly pop at me about it.

Posted by Bonovox
I would call it more stating what I think not crying

Posted by anonymuser
Ok bonovox, we've established you're not crying. Mind you, I never said you were!

Posted by anonymuser
Apple have now weighed in with a statement on this - http://allthingsd.com/2011120[....]pporting-carrieriq-with-ios-5/

Basically confirms previous analysis, they did use it in the past for diagnostics only, personal info was never recorded, and it's already disabled in iOS5 with a view to removing the code altogether, presumably because it's been replaced by Apple's own reporting tools.

Posted by laffen
Yes, it's been replaced by Siri, so they don't need to rely on third-party apps any more. When you use Siri, the things you say will be recorded and sent to Apple to process your requests. Your device will also send Apple other information, such as your first name and nickname; the names, nicknames, and relationship with you (e.g., "my dad") of your address book contacts; and song names in your collection (collectively, your "User Data"). If you have Location Services turned on, the location of your iPhone 4S at the time you make a request will also be sent to Apple.

Posted by anonymuser
Hmm. While all the above is true, and obvious when you think about it, I was thinking more about the well-flagged diagnostic options baked into iOS5. New to that version is the ability to inspect all the crash reports etc and choose upfront whether to send these to Apple, or to allow location info to be recorded for diagnostic purposes.

Siri is Siri - they don't hide the fact that the commands are processed off the phone - if you're worried about Apple hearing you then you don't use it.

Posted by tranced
At least I won't be worried about it. See why:

CyanogenMod will never have Carrier IQ

Posted by aka Dus
I have no problem with my service providers taking a bunch of my usage activity for analysis to improve their service. I just want them to make it easy for me to turn it off if I want.

Cool that the dev community have already come up with an app to scan the handset to find the spyware (mine doesn't have it so far) and even if it's a work in progress that's a great testament to the efficacy of the open source model that even when something nasty like this pops up, we can get crowdsourced solutions very quickly.



Posted by etaab
I think I'm in the camp of people who don't really find it a big deal. I'm sure all phone manufacturers record all sorts of data about us but to be honest, unless you're someone in a position of political power or celebrity status you've nothing to worry about. I don't think Carrier IQ would really care where I am when I text my girlfriend what I'd like for dinner tonight when I'm home from work.

I'm mundane, boring and of no worth to these companies, unless they want to steal the very few pounds sitting in my bank account.

Posted by Bonovox
That's true and I cannot see this thing on any of my handsets or is it hidden?? I know it's different slightly but I turn off the Sony Ericsson usage info on my Play as I don't want to be using extra data on it anyway. This does not bother me either it's when people start saying oh you should be with Apple cos it won't happen with them
[ This Message was edited by: Bonovox on 2011-12-02 19:28 ]


Posted by laffen
@Bonovox
You probably won't find Carrier IQ in any of your handsets. I think it has been installed by some US network operators only. Nothing like this has been installed by UK operators. I think. Correct me if I am wrong

Posted by aka Dus
Sony Ericsson statement

Sony Ericsson does not install or support Carrier IQ on its devices. The exception is in the U.S when required by carriers. Sony Ericsson does not receive or gather any information or data collected by Carrier IQ. For questions regarding Carrier IQ, we recommend consumers to contact their operator.



Posted by tranced
You say it's not a big deal, but there are lawsuits filed against HTC, Samsung and Carrier IQ.


On 2011-12-02 16:34:24, etaab wrote:
I think I'm in the camp of people who don't really find it a big deal...



Posted by Bonovox

On 2011-12-02 19:45:47, laffen wrote:
@Bonovox
You probably won't find Carrier IQ in any of your handsets. I think it has been installed by some US network operators only. Nothing like this has been installed by UK operators. I think. Correct me if I am wrong


OK, fair enough

Posted by laffen

On 2011-12-02 20:10:17, tranced wrote:
You say it's not a big deal, but there are lawsuits filed against HTC, Samsung and Carrier IQ.


North Americans sue everyone. It does not mean the defendant has done something wrong, such as HTC and Samsung in this case. HTC and the network operators must have set up an agreement on how to deal with the extra bloated/branded stuff the operators want to install into their phones.
[ This Message was edited by: laffen on 2011-12-02 22:09 ]


Posted by etaab
@tranced - it's not a big deal to me. I used to think very much the same as everyone else, I was worried about the whole big brother thing, but as the years roll on as an adult I find myself leaving a massive paper trail behind me of information, places I've been, things I purchased, where, when and the like. There's nothing I can do about it.

More and more companies I've never heard of have my details through other companies sharing information; it would be impossible for me to be truly private. So, I don't think this matters all that much either, it's just another way of recording who we are. Only if or when a company uses that information for a truly illegal purpose, such as deducting money from your bank account without cause, then I don't think it's anything to worry about because I'm just another number among millions.
[ This Message was edited by: etaab on 2011-12-03 08:45 ]


Posted by amawanqa
I'm bothered with it, and I'll continue to keep as much of what I do to myself, not because of any 'dodgy' stuff but I've once been a victim of ID fraud and that experience has made me a little more paranoid perhaps. It all started from an online purchase of a few hobby items from a supposedly secure site and the encrypted details of me and others that had used the website/online shop were hacked. Fortunately the bank reimbursed me after the investigation, but it's now prompted me to have a monthly 'ID Aware' service with my bank. I also still get the occasional rubbish scam call on the home phone about my Windows PC...when I have a Mac etc. LOL.

Obviously, as has already been mentioned, there are many other trails we leave, and of course 99.9% or whatever of the data may well be used for whatever analytical purposes, but privacy is privacy and it only takes a few rogue elements to have the know-how to make your life hell with all your details...

The biggest issue for me is the 'stealthy' approach of how Carrier IQ (and whatever others) has been installed without the average Joe Public's complete awareness of this and what it does... For me, there's no excuse for this, and a blatant breach of anyone's privacy, even if it's just specific data. Yes, there are various 'privacy policies' for a lot of systems that we should read carefully in terms and conditions (the onus is kinda more on us in these cases), but these don't seem to have been made apparent with the likes of Carrier IQ, unless I'm wrong?

We, the users, should ultimately have the choice to have these details submitted or not, and it made clear what details are being submitted (as is now manifesting with this whole saga..).
[ This Message was edited by: amawanqa on 2011-12-03 14:21 ]





© Esato.com - From the Esato mobile phone discussion forum