• Carrier IQ: A privacy tempest of what size?

    Home » Forums » Newsletter and Homepage topics » Carrier IQ: A privacy tempest of what size?

    Author
    Topic
    #480397


    TOP STORY

    Carrier IQ: A privacy tempest of what size?

    By Woody Leonhard

    A YouTube video by Trevor Eckhart documents a litany of privacy-busting transgressions made by Carrier IQ, a software program factory-installed on mobile phones.
    Almost every news outlet in the U.S. seems to have run the story about Carrier IQ as if 1984 had finally arrived, with Big Brother (in large, corporate form) working the phones — our smartphones in this case. But is that view accurate?


    The full text of this column is posted at WindowsSecrets.com/top-story/carrier-iq-a-privacy-tempest-of-what-size/ (opens in a new window/tab).

    Columnists typically cannot reply to comments here, but do incorporate the best tips into future columns.[/td]

    [/tr][/tbl]

    Viewing 9 reply threads
    Author
    Replies
    • #1309593

      Hi Woody
      Re: Carrier IQ: Some people have forgotten that cell phone or other mobile networks are not secure. Sending sensitive info or conversation using these networks is a risk. Even landline phones are not secure. We hear regularly about government officers both US and UK, complaining that their sensitive conversations have been overheard, when using cell phones. The general rule should be, ‘no sensitive messages over cell phone networks’. To do otherwise is to jeopardise your security.

      • #1309635

        What does this have to do with Windows? It’s the Windows stuff I contribute to Windows Secrets for, and this garbage should be on some other “Toy Phone Users Secrets” column.

    • #1309672

      I tend to pay attention to Bruce Schneier’s perspective given his renowned knowledge on the topic of security. Last year at the EWI Cybersecurity Summit, Bruce delivered a compelling message of insight all would do well to watch: http://youtu.be/I6ZkU2fUM5w This is not to say Woody Leonhard is mistaken in specific but rather that there is a much larger issue many have not considered.

    • #1309731

      Woody. What a fantastic article. You got everything from all angles and cut through the feldercarb to the real issues.

      Thank you.

      Great link over at infoworld also.

      BTW: Why can’t I post your article at Digg.com when using the complimentary link? I was so impressed with the article I tried to post it (but using the complimentary link where I clicked on story 2, but it wouldn’t post to Digg. Sigh…was able to post it to technology on Reddit though. 😉

    • #1309782

      After reading the article, I’m inclined to agree that this is a tempest in a teapot. At the same time, I fully understand why people are up in arms. Every year, companies more and more show their utter disrespect for their clients and their privacy, all in the name of making a buck. As far as I’m concerned, no marketer has a *right* to know anything about me that I don’t explicitly choose to reveal. I opt out of every data-sharing plan I can, and I resent companies that reserve the “right” to share data with their marketing partners when I don’t even know who those partners are. It’s gotten to the point that consumers are justifiably paranoid about their information being revealed and shared.

    • #1309789

      But why would a phone company want to monitor your keystrokes, your mail, your SMS texts, or your location using a program inside your phone? It doesn’t make any sense.

      On the contrary, isn’t this the entire premise behind Google? Watching over every word, every contact, and then using that information to tailor advertising specifically for the user?

      It makes perfect sense for the cell phone carriers to be data mining so they can monetize the accumulated data in exactly the same way that Google and other companies do. Maybe next year’s SmartPhone will offer me free data–in exchange for having an ad window at the bottom of each screen. Are the cell companies planing ahead for something like that? Perhaps. We know they certainly wouldn’t tell us their plans, but it might just be good business sense to try deploying this software, this ability, to their entire user base before they tried to act on it.

      Remember, these are the clever folks who sell SMS messages as “text” at a thousand percent profit. There’s very little they do by accident, and even less they will discuss with the public.

      That doesn’t make it right or wrong, or touch the invasion of privacy issues. I’m just saying, Google has built a financial giant by data mining, the potential here should be clear. The secrecy? Well now, that’s very different. Very cellular company style. And very wrong. I didn’t rent or lease or borrow my phone, I bought it. It belongs to me. I’m entitled to know what it is doing, and what software is running on it. If someone is running software without my knowledge or consent–then that’s theft and tampering, even if it is the cellular company.

      Redd

      • #1309792

        the fact that software that COULD be used for nefarious purposes, whether is currently is or not, was HIDDEN on the phones, and there is no way to turn it off. This is once again a sign of company’s total disregard for the security and privacy of their customers. So my question is, when (no if) this information that no one is supposed collecting, is released to the public by a hacker who has gained access to it from either CarrierIQ or a carrier, who will be responsible:?

    • #1309801

      It is the POTENTIAL for abuse that bothers me. I don’t do anything I really need to protect, but imagine a future with neo nazis or foreign (or even home grown) terrorists having access to all American’s locations, who they are contacting, and what they are looking at on the web. No way to “Opt out” except ditch your phone. No lifelines…It might bring CBs and walkie talkies back. Oh wait, they’ve all been collected by the big “Recycling drives”.

      • #1309820

        OK some of us can put up with the spin. But there are other issues here to be addressed. This video has clearly shown that if you sell your phone to someone else you are not pre equiped to wipe it clean and therefore this company is facilitating in data transmittal. There should be a big warning that even though your tele contract forces you to accept data transferrence, this action will be carried out if you sell your phone to someone that has the ap, all without you agreeing to this embedded gem.

        So will say T-Mobile or ATT provide free wiping services? Yah right! That was a quick thought. How about theft? Oh now we are on a roll. IQ Setup Inc. has a real problem on their table. I’ll wait to buy in on this one.

        • #1310111

          My concern is not with the carriers but with malware writers who could easily use Carrier IQ as a keylogger to gather information. They might then download the information for other purposes. The most serious issue is the ability of Carrier IQ to record in clear text usernames and passwords that the user assumes are only being transmitted in encrypted form. Although carriers are required by federal law to provide an easy means for law enforcement to monitor voice communications with appropriate judicial approval, I am unaware of a similar capability requirement for monitoriing usermnames and passwords transmitted during an https connection.

    • #1310159

      I have been reading Windows Secrets for several years and I often find useful info to help me keep my XP and W7 machines as safe as possible. However, I am flabbergasted at the comments by Woody Leonard on the carrier IQ issue.

      In the middle of the article Woody espouses:
      “But why would a phone company want to monitor your keystrokes, your mail, your SMS texts, or your location using a program inside your phone? It doesn’t make any sense. Working on data generated inside the phone is enormously inefficient and expensive as well as intrusive; it’s difficult, both technically and legally, to make a case for it.”

      I find this opinion mind boggling.
      Every outlet including WS has long known and pointed out that google and facebook have clearly defined the next generation of advertising tactics, and it’s inconceivable to imagine that every large company in the world isn’t clamoring to get on-board.
      Gathering info about you and your buying habits is the gold rush of the 21st century.
      Smaller companies pay unbelievably large fees to both of these entities and to independent companies that deal in personal information.
      Why wouldn’t the players in the communications market embrace this also?
      If you have no use for the information, it certainly has value to another conglomerate who will gladly pay you for it.
      Perhaps in the future sticking to windows topics would be best.

      • #1310429

        Great article. It takes a look at both sides. I find it unbeleivable that the CEO would try to squash Trevor’s right to Free Speech and even give him a retraction prepared by CIQ.

        My ‘Mother in Law’ used to complain about the errosion of our privacy well over 20 years ago and she was connected in Washington D.C. born and lived in Virginia most of her life. Her family truly goes back as far as the civil war. Now Twenty years later I find that she was absolutley correct.

        The bottom line is that the errossion of our privacy has been going on ever since our government went on a solid campaign against communisum and every threat since then has caused further errosion. Take for example “The Patriot Act” the threat of a terroist in your backyard and the NSA policy of listening in on all calls for keywords with the participation of major telecom carriers. If it is not CIQ it will be something else and so on and so on. The only thing you can do is to make yourself a “Ghost” if you wish the real you to have privacy. Would it make us feel any better if the Senate passed a law and inspected all phones like the USDA does the beef. This whole thing is kind of “Matrixey”.

    • #1310464

      PC Worldhas an article about an answer to some questions from Carrier IQ that is worth a read. CNet has also posted a similar article.

    • #1311053
      • #1311923

        I forwarded Woody’s article to a friend much more knowledgeable than I, since he had just shared his concern with me on Google+. He sent me a detailed reply to Woody’s article. Here it is. [INDENT]I don’t agree with Mr Leonhard. It seems to me that this discussion has three main points;

        1: What data is being captured by the app? CarrierIQ clearly lied about what they were capturing, at least initially. At this point, it seems clear that the app captures all keystrokes on the handset. So, potentially, they could do a substantial amount of invasive discovery.

        2: What is done with the data that is captured at this time? This is the point that both the company and the carriers have focused on in their responses, and is what it repeated by Mr Leonhard. The defense has two basic arguments. First, that the data capture is necessary to provide the level of service and support that customers expect. Second, that the data is not misused for any illegal purpose.

        However, read the interview in Wired with the CarrierIQ CMO.

        http://www.wired.com/threatlevel/2011/12/carrier-iq-data-vacuum/

        As he states, both the amount and type of information gathered are set by the carriers, and in some cases at least clearly contain what most of us would think of as “sensitive”, such as search terms in the URL. Think about what is collected in terms of SOPA, for example. (Which, notice, would be entirely ‘legal’)

        At this point, I think Mr Leonhard really drops the ball. He says that phone companies have been tracking cell phones all along — certainly true and necessary — and then goes on to say, essentially, “yes, they could do a lot of other nasty things, but they haven’t yet and I don’t see any reason why they would.” Well, yes, I sure trust them to just “do the right thing”, don’t you?

        He further says “…giving them at least the theoretical ability to keep copies of SMS messages, e-mail, Internet traffic (such as websites visited), and the content of files uploaded and downloaded.” Apparently he is not quite the “technical wizard” he purports to be. If I have an HTTPS connection to a site, once the data leaves my device it is highly encrypted, and tracking and decoding it becomes very, very difficult indeed. But when I’m typing it in, it’s just raw data, and can be intercepted at that point and analyzed with little difficulty. That, in fact, is exactly what the Egyptian security police did to many of the cell phones being used during the Arab Spring revolt, allowing them to track, seize and torture a number of vocal critics. So placement of the recording ability is a major security hole for the users.

        3: What could be done with the data being captured now? CarrierIQ collects a goodly chunk of this data and stores it on their servers, whence the appropriate subset is sent to the carriers according to whatever agreement has been made. However, in their patent application, they seem (to me anyway) to be clearly looking to market this “treasure trove” of consumer data at some point in the future. See the abstracts posted here:

        http://www.zdnet.com/blog/hardware/carrier-iq-patent-outlines-keylogging-and-ability-to-target-individual-devices/16869

        And all of this was done without the consent of the individuals being monitored.

        So, all in all, I really don’t think this is “…mostly sound and fury, signifying very little.”

        Hence the post.
        [/INDENT]

        I just thought you might be interested in his thoughts.

    • #1311938
    Viewing 9 reply threads
    Reply To: Carrier IQ: A privacy tempest of what size?

    You can use BBCodes to format your content.
    Your account can't use all available BBCodes, they will be stripped before saving.

    Your information: