Carrier IQ

From SI410

Carrier IQ is a provider of mobile service intelligence solutions to the wireless industry [1]. Carrier IQ has analytic software embedded in 180 million devices, giving wireless carriers and handset manufacturers insight into customers' actions on their wireless devices, including keystrokes, geographical location, and web usage [2][3]. Among Carrier IQ's customers are Sprint, AT&T, and T-Mobile, three of the nation's four largest wireless carriers [4].

Function

Carrier IQ works by tracking metrics from a device and sending the information to its customers [5]. Metrics are information points from the mobile device, including dropped calls, sets of data that relate to the usage history of the device, and an end user's interaction with the device, where that interaction includes the end user's pressing of keys on the device [6]. According to the patent:
Qualifying characteristics may include device type, such as manufacturer and model, available memory and battery life, the type of applications resident on the device, the geographical location of the device, usage statistics, including those that characterize a user's interaction with a device, and the profile of the customer. The data collection profile is then provided to the SQC on the target wireless devices.[6]
The data is then logged and sent to customers such as wireless carriers. The data collected is intended to be used to improve things like coverage, battery life, and other aspects of the user experience. The presence of Carrier IQ on a phone depends on the carrier, not the operating system [7].
Carrier IQ's "ecosystem" as marketed by the company

Ambiguity

When the initial rumors of CIQ's existence began to go viral, it was reported that the software logged all functions executed by the user, including keystrokes. Additional rumors began to surface about the wide audience collecting the information, including various government-affiliated tracking agencies. Fears of widespread security breaches quickly resulted from these rumors, due to the large liability created by transmitting the personal information of millions of mobile device users, whether encrypted or not.

Since the initial discovery of the software, many contradictory statements have been made regarding its actual functionality and how it is currently being used.

Contradictory reports of keyloggers

Initial findings suggest that the CIQ software logs all possible metrics regarding the data being used by smartphones. This is believed to include keystrokes, SMS messages, and emails.[8]

  • In direct contradiction to Eckhart's report, Dan Rosenberg claims that CIQ in fact does not have the capability to be used as a keylogger. However, Rosenberg concludes that the only keystrokes that are recorded are those used to initially make a phone call, and any subsequent keystrokes made during that call.[9]

Usage

Phone Providers Utilizing Carrier IQ

In direct response to a request by US Senator Al Franken, Samsung, HTC, Sprint, and AT&T have all released lists containing each model of their mobile phones that currently have the CIQ software installed.[10] The contents of these lists can be referenced below:

T-Mobile

  • T989 (Samsung Hercules)
  • T679 (Samsung Galaxy W)
  • Amaze 4G

Cricket

  • SCH-R500 (Samsung Hue)
  • SCH-R631 (Samsung Messager Touch)
  • SCH-R261 (Samsung Chrono)
  • SCH-R380 (Samsung Freeform III)

HTC

  • Sprint
  • Snap
  • Touch Pro 2
  • Hero
  • EVO 4G
  • EVO Shift 4G
  • EVO Design

AT&T

AT&T claims that approximately 900,000 of their customers currently have a smartphone with CIQ installed. Such models include:

  • Motorola Atrix 2
  • Motorola Bravo
  • Pantech Pursuit II
  • Pantech Breeze 3
  • Pantech P5000 (Link 2)
  • Pantech Pocket
  • Sierra Wireless Shockwave
  • LG Thrill
  • ZTE Avail
  • ZTE Z331
  • SEMC Xperia Play
  • HTC Vivid
  • LG Nitro
  • Samsung Skyrocket
  • Vivid
  • SGH-i727 (Samsung Galaxy S II Skyrocket)

Sprint

Approximately 26 million Sprint users have a CIQ-enabled phone.

  • Audiovox
  • Franklin
  • HTC
  • Huawei
  • Kyocera
  • LG
  • Motorola
  • Novatel
  • Palmone
  • Samsung
  • Sanyo
  • Sierra Wireless
  • SPH-M800 (Samsung Instinct)
  • SPH-M540 (Samsung Rant)
  • SPH-M630 (Samsung Highnote)
  • SPH-M810 (Samsung Instinct s30)
  • SPH-M550 (Samsung Exclaim)
  • SPH-M560 (Samsung Reclaim)
  • SPH-M850 (Samsung Instinct HD)
  • SPH-I350 (Samsung Intrepid)
  • SPH-M900 (Samsung Moment)
  • SPH-M350 (Samsung Seek)
  • SPH-M570 (Samsung Restore)
  • SPH-D700 (Samsung Epic 4G)
  • SPH-M910 (Samsung Intercept)
  • SPH-M920 (Samsung Transform)
  • SPH-M260 (Samsung Factor)
  • SPH-M380 (Samsung Trender)
  • SPH-M820 (Samsung Galaxy Prevail)
  • SPH-M580 (Samsung Replenish)
  • SPH-D600 (Samsung Conquer 4G)
  • SPH-M930 (Samsung Transform Ultra)
  • SPH-D710 (Samsung Epic 4G Touch)
  • SPH-M220
  • SPH-M240
  • SPH-M320
  • SPH-M330
  • SPH-M360
  • SPH-P100
  • SPH-Z400

A source at Geek.com was notified on December 16, 2011 that Sprint would be removing Carrier IQ from Sprint devices as soon as possible [11]. Sprint has ordered all of its hardware partners to remove the Carrier IQ software in order to distance itself from the controversy with Carrier IQ [11]. On December 13, 2011, the first of the Samsung-made firmware updates for Sprint devices was leaked to the XDA Developers Forum, and contained the same Android software, only without Carrier IQ software embedded in it [11]. Sprint has been criticized for waiting until lawsuits began coming in before taking action against the software, with critics saying it was too little, too late [11].

FBI Usage

The FBI disclosed on the weekend of December 10, 2011 that it uses data gathered from Carrier IQ sources [12]. Michael Morisy from Muckrock.com used a Freedom of Information Act request to see if the FBI had relevant records relating to Carrier IQ. The response from the FBI was that it could not reveal its usage of Carrier IQ due to interference with pending or prospective law enforcement proceedings [12]. Their response means one of two things, explained by Muckrock's Morisy:
"What is still unclear is whether the FBI used Carrier IQ's software in its own investigations, whether it is currently investigating Carrier IQ, or whether it is some combination of both."[12]
This means that the FBI could be using Carrier IQ's technology to track users of mobile devices, which would be an ethical problem if Carrier IQ did not disclose to users of the software that it allowed this to happen.

Opposition

Although new information surfaces daily regarding the functionality and implementation of CIQ, no openly publicized option for disabling or opting out of the CIQ software currently exists. In a rush to protect valuable reputations, Sprint, Apple, and CIQ, among others, have all released statements since awareness of the software first arose in late November.

On December 1, 2011 it was reported that Apple released a statement declaring that it had already stopped supporting CIQ in its iOS 5 update, which became publicly available long before concerns about the software arose.[13]

“We stopped supporting Carrier IQ with iOS 5 in most of our products and will remove it completely in a future software update. With any diagnostic data sent to Apple, customers must actively opt-in to share this information, and if they do, the data is sent in an anonymous and encrypted form and does not include any personal information. We never recorded keystrokes, messages or any other personal information for diagnostic data and have no plans to ever do so.”[13]

As of December 16, 2011 it is rumored that Sprint officially plans to sever ties completely with Carrier IQ. According to Mobile Burn, Sprint has requested that all of its phone manufacturers stop including the software in future production.[14]

"We have weighed customer concerns and we have disabled use of the tool so that diagnostic information and data is no longer being collected," said Sprint in an email to Mobile Burn. "We are further evaluating options regarding this diagnostic software as well as Sprint's diagnostic needs."[14]

Ethical Issues

Initial Press Release

On November 23, 2011, Carrier IQ sent out a press release in response to a 17-minute video posted on YouTube and a post to androidsecuritytest.com by a security researcher named Trevor Eckhart [15]. The press release stated that the company did not provide tracking tools, record keystrokes, inspect or report on the content of your communications, such as the content of emails and SMSs, or sell any information to outside parties [16]. It stated that Carrier IQ software instead makes your phone work better by identifying dropped calls and poor service, identifies problems that impede a phone’s battery life, and makes customer service quicker, more accurate, and more efficient. Eckhart's claims were that the software worked in ways that users of mobile devices were unaware of. He stated that Carrier IQ could work while being completely hidden from the user [5]. He stated that metrics can be collected when a user installs or opens an application or browses a webpage, and that Carrier IQ can log keypresses made on that webpage [5]. The software does not have an opt-out feature when used with some carriers, such as Sprint. Eckhart stated at the end of his writeup, “The only way to remove Carrier IQ is with advanced skills. If you choose to void your warranty and unlock your bootloader you can (mostly) remove Carrier IQ”.[5]

In a follow-up response on December 1, 2011, Carrier IQ conceded that its software does keep a log of some phone activity. However, the company maintained that the data is kept for debugging purposes only, and that no personal data is recorded or stored [17]. Regardless of whether or not Carrier IQ uses the information stored by its software, storing so much information on a phone is poor security practice. For example, a stolen phone could hold a lot of personal information that Carrier IQ may not use, but that a malicious hacker could easily find and take advantage of. Other researchers have stated that the information Carrier IQ collects is clearly just for diagnostic purposes, but what information is collected can also vary from carrier to carrier [18].

Eckhart's Motivation

The initial reports of the existence of Carrier IQ software on millions of smartphones leaned heavily on the understanding that, prior to the disclosure, Trevor Eckhart had been just an innocent Android developer. This bias also condemned the general practice of using covert software on mobile devices to record data without the user's knowledge. However, recent research has concluded that Eckhart may in fact have published his story about CIQ software because the company he works for, InterGis LLC, is a potential rival to Carrier IQ.[19]

After comparing the services provided by Carrier IQ and InterGis LLC, DailyTech found them very similar:

"Intergis makes tracking and telemetry products, remarkably similar to Carrier IQ, although currently targeting corporate users. The company's product gives businesses a way to GPS tracking to secure their mobile device fleet or coordinate employee travel."[19]

Federal Investigation

As of December 14, 2011 it is reported that CarrierIQ is currently under investigation by both the FTC and the FCC over the alleged uses of its software.[20] As reported by Gizmodo,
"Both agencies are probing the carrier over allegations that its tracking software was installed on more than 150 million smartphones without user knowledge."[20]
Although it is still very early for any sort of charges to be formally pressed against the recently outed company, the primary focus of the investigation is to determine whether or not the company is guilty of any sort of wrongdoing. It has been reported that CarrierIQ intends to cooperate fully with the investigation.[20]

Security Concerns

Despite the recent clarifications that the Carrier IQ software does not, in fact, log keystrokes or record any messages sent or received, CIQ admits that a software bug can cause encrypted messages to be recorded if they are received while a phone call is in progress.[21]

Other concerns stem from the immense liability created when large quantities of encrypted URLs are transmitted through wireless signals. Many smartphone users are anxious about having their personal information handled by software that has already proven to suffer from several serious bugs.[22]

General Ethical Issues

Image circulated following the initial rumors surrounding CIQ

Ethical issues arise when the software invades a person's privacy without their full knowledge and consent. If the software could track, record keystrokes, and report on the content of communications on mobile devices, users should be told what the software is capable of. In addition, there should be a way for users to opt out of being tracked. Ethical behavior on the part of Carrier IQ would be informing users of the capabilities, using only the information that it says it will, and using it to make the devices better. Another possible implication could arise if Carrier IQ sold users' information to third parties without the knowledge of the owners of the devices. A major point stressed in Eckhart's video is that users are generally unaware of the existence or function of this software on their phones. This raises another ethical issue, regarding who is responsible for the security of the information logged on the phone. Since users are not made aware of this software, ethically either Carrier IQ or its customers should implement better security to protect such data.

An additional question raised by this issue is how carriers' collection of data is regulated, and by whom.

References

  1. CarrierIQ
  2. Chicago Tribune: Top Galleries
  3. CarrierIQ: 31 October, 2012 - Carrier IQ Expands Leadership Team, Appoints Ben Bergeret as VP and GM of Devices
  4. PCMag: Carrier IQ 'Vigorously Disagrees' with Critics
  5. Android Security Test: CarrierIQ
  6. Patent Docs: Data collection associated with components and services of a wireless communication network
  7. PCWorld: Google's Schmidt Slams Carrier IQ
  8. Gizmodo: Your Android Phone Is Secretly Recording Everything You Do (Updated)
  9. CNet News: Carrier IQ analysis finds no evidence of 'keylogger'
  10. Gizmodo: The Complete List of All the Phones With Carrier IQ Spyware Installed
  11. Geek: Sprint orders all OEMs to strip Carrier IQ from their hardware
  12. BoingBoing: FBI says Carrier IQ files used for "law enforcement purposes"
  13. All Things D: Apple: We Stopped Supporting Carrier IQ With iOS 5
  14. Mobile Burn: Sprint: Carrier IQ has been disabled on our devices
  15. Huffington Post: Carrier IQ: Researcher Trevor Eckhart Outs Creepy, Hidden App Installed On Smartphones (VIDEO) (UPDATE)
  16. CarrierIQ
  17. All Things D: Carrier IQ Speaks: Our Software Ignores Your Personal Info
  18. PCWorld: Carrier IQ's Cell Phone Snooping 'Overstated'
  19. Daily Tech: Carrier IQ Whistleblower Trevor Eckhart Works for Tracking Firm
  20. Gizmodo: Carrier IQ Sits Down With the Feds for a Nice Long Talk
  21. The Verge: Carrier IQ collected encrypted SMS 'unintentionally,' working on fix for logging issues
  22. Gizmodo: Carrier IQ Software May Not Record Messages But It’s a Privacy Risk