Difference between revisions of "Carrier IQ"

From SI410
Line 133: Line 133:
 
The initial report of the existence of Carrier IQ software on millions of smartphones placed an extreme bias on the understanding that prior to the breakthrough, [http://www.http://trevoreckhart.com/ Trevor Eckhart] had been just an innocent [[Android]] developer.  This bias also persecuted the general practice of using covert software on mobile devices to record data unbeknownst to the user.  However, recent research has concluded that Eckhart may have in fact published his story about CIQ software because the company he works for, [http://ecat.giscafe.com/corpprofile.php?vendor_id=9002313 InterGis LLC], is a potential rival to Carrier IQ.<ref name="DT">http://www.dailytech.com/Carrier+IQ+Whistleblower+Trevor+Eckhart+Works+for+Tracking+Firm/article23511.htm</ref>
 
The initial report of the existence of Carrier IQ software on millions of smartphones placed an extreme bias on the understanding that prior to the breakthrough, [http://www.http://trevoreckhart.com/ Trevor Eckhart] had been just an innocent [[Android]] developer.  This bias also persecuted the general practice of using covert software on mobile devices to record data unbeknownst to the user.  However, recent research has concluded that Eckhart may have in fact published his story about CIQ software because the company he works for, [http://ecat.giscafe.com/corpprofile.php?vendor_id=9002313 InterGis LLC], is a potential rival to Carrier IQ.<ref name="DT">http://www.dailytech.com/Carrier+IQ+Whistleblower+Trevor+Eckhart+Works+for+Tracking+Firm/article23511.htm</ref>
  
After comparing the services provided by both [http://www.carrieriq.com Carrier IQ] and [http://ecat.giscafe.com/corpprofile.php?vendor_id=9002313 InterGis LLC], [http://www.dailytech.com DailyTech] finds them very similar:
+
After comparing services provided by both [http://www.carrieriq.com Carrier IQ] and [http://ecat.giscafe.com/corpprofile.php?vendor_id=9002313 InterGis LLC], [http://www.dailytech.com DailyTech] finds them very similar:
 
<blockquote>"Intergis makes tracking and telemetry products, remarkably similar to Carrier IQ, although currently targeting corporate users.  The company's product gives businesses a way to GPS tracking to secure their mobile device fleet or coordinate employee travel."<ref name="DT"/></blockquote>
 
<blockquote>"Intergis makes tracking and telemetry products, remarkably similar to Carrier IQ, although currently targeting corporate users.  The company's product gives businesses a way to GPS tracking to secure their mobile device fleet or coordinate employee travel."<ref name="DT"/></blockquote>
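Review bot: the Trevor Eckhart link in the first context paragraph is written `[http://www.http://trevoreckhart.com/ Trevor Eckhart]`, with a doubled scheme that will not resolve, and this revision carries it forward unchanged. Since the edit already touches this section, correct the link to a single well-formed URL in the same pass. The changed line itself only drops "the" before "services provided", which reads fine.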
  

Revision as of 04:06, 19 December 2011


Carrier IQ Logo
Carrier IQ is a provider of mobile service intelligence solutions to the wireless industry [1]. Carrier IQ has analytic software embedded in 141 million devices, giving wireless carriers and handset manufacturers insight into customers' actions on their wireless devices, including keystrokes, geographical location, and web usage [2]. Among Carrier IQ's customers are Sprint, AT&T, and T-Mobile, three of the nation's four largest wireless carriers [3].

Function

Carrier IQ's "ecosystem" as marketed by the company
Carrier IQ works by tracking metrics from a device and sending the information to its customers [4]. Metrics are data points collected from the mobile device, including dropped calls, data sets relating to the device's usage history, and the end user's interaction with the device, where that interaction includes the end user's pressing of keys on the device [5]. According to the patent:
Qualifying characteristics may include device type, such as manufacturer and model, available memory and battery life, the type of applications resident on the device, the geographical location of the device, usage statistics, including those that characterize a user's interaction with a device, and the profile of the customer. The data collection profile is then provided to the SQC on the target wireless devices.[5]
The data is then logged and sent to customers such as wireless carriers. The data collected is intended to be used to improve things like coverage, battery life, and other aspects of the user experience. Whether Carrier IQ is present on a phone depends on the carrier, not the operating system [6].

Ambiguity

When the initial rumors of CIQ's existence began to go viral, it was reported that the software logged all functions executed by the user, including keystrokes. Additional rumors began to surface about the wide audience collecting the information, including various government-affiliated tracking agencies. Fears of widespread security breaches quickly followed, because transmitting the personal information of millions of mobile device users, whether encrypted or not, creates a large liability.

With each day that has passed since the initial discovery of the software, many contradictory statements have been made regarding its actual functionality and how it is currently being used.

Contradicting reports of keyloggers

Initial findings suggest that the CIQ software logs all possible metrics regarding the data being used by smartphones. This is believed to include keystrokes, SMS messages, and emails.[7]

  • In direct contradiction to Eckhart's report, Dan Rosenberg claims that CIQ in fact does not have the capability to be used as a keylogger. However, Rosenberg concludes that the only keystrokes that are recorded are those used to initially make a phone call, and any subsequent keystrokes made during that call.[8]

Usage

Phone Providers Utilizing Carrier IQ

In direct response to a request by US Senator Al Franken, Samsung, HTC, Sprint, and AT&T have all released lists containing each model of their mobile phones that currently have the CIQ software installed.[9] The contents of these lists can be referenced below:

T-Mobile

  • T989 (Samsung Hercules)
  • T679 (Samsung Galaxy W)
  • Amaze 4G

Cricket

  • SCH-R500 (Samsung Hue)
  • SCH-R631 (Samsung Messager Touch)
  • SCH-R261 (Samsung Chrono)
  • SCH-R380 (Samsung Freeform III)

HTC

  • Sprint
  • Snap
  • Touch Pro 2
  • Hero
  • EVO 4G
  • EVO Shift 4G
  • EVO Design

AT&T

AT&T claims that approximately 900,000 of their customers currently have a smartphone with CIQ installed. Such models include:

  • Motorola Atrix 2
  • Motorola Bravo
  • Pantech Pursuit II
  • Pantech Breeze 3
  • Pantech P5000 (Link 2)
  • Pantech Pocket
  • Sierra Wireless Shockwave
  • LG Thrill
  • ZTE Avail
  • ZTE Z331
  • SEMC Xperia Play
  • HTC Vivid
  • LG Nitro
  • Samsung Skyrocket
  • Vivid
  • SGH-i727 (Samsung Galaxy S II Skyrocket)

Sprint

Approximately 26 million Sprint users have a CIQ enabled phone.

  • Audiovox
  • Franklin
  • HTC
  • Huawei
  • Kyocera
  • LG
  • Motorola
  • Novatel
  • Palmone
  • Samsung
  • Sanyo
  • Sierra Wireless
  • SPH-M800 (Samsung Instinct)
  • SPH-M540 (Samsung Rant)
  • SPH-M630 (Samsung Highnote)
  • SPH-M810 (Samsung Instinct s30)
  • SPH-M550 (Samsung Exclaim)
  • SPH-M560 (Samsung Reclaim)
  • SPH-M850 (Samsung Instinct HD)
  • SPH-I350 (Samsung Intrepid)
  • SPH-M900 (Samsung Moment)
  • SPH-M350 (Samsung Seek)
  • SPH-M570 (Samsung Restore)
  • SPH-D700 (Samsung Epic 4G)
  • SPH-M910 (Samsung Intercept)
  • SPH-M920 (Samsung Transform)
  • SPH-M260 (Samsung Factor)
  • SPH-M380 (Samsung Trender)
  • SPH-M820 (Samsung Galaxy Prevail)
  • SPH-M580 (Samsung Replenish)
  • SPH-D600 (Samsung Conquer 4G)
  • SPH-M930 (Samsung Transform Ultra)
  • SPH-D710 (Samsung Epic 4G Touch)
  • SPH-M220
  • SPH-M240
  • SPH-M320
  • SPH-M330
  • SPH-M360
  • SPH-P100
  • SPH-Z400


A source at Geek.com was notified on December 16, 2011 that Sprint would be removing Carrier IQ from Sprint devices as soon as possible [10]. Sprint has ordered all of its hardware partners to remove the Carrier IQ software in order to distance itself from the controversy with Carrier IQ [10]. On December 13, 2011, the first of the Samsung-made firmware updates for Sprint devices was leaked to the XDA Developers Forum, and contained the same Android software, only without Carrier IQ software embedded in it [10]. Sprint has been criticized for waiting until lawsuits began coming in before taking action against the software, with critics saying it was too little, too late [10].

FBI Usage

The FBI disclosed on the weekend of December 10, 2011 that it uses data gathered from Carrier IQ sources [11]. Michael Morisy from Muckrock.com used a Freedom of Information Act request to see if the FBI had relevant records with Carrier IQ. The response from the FBI was that it could not reveal its usage of Carrier IQ due to interference with pending or prospective law enforcement proceedings [11]. Their response means one of two things, explained by Muckrock's Morisy:
"What is still unclear is whether the FBI used Carrier IQ's software in its own investigations, whether it is currently investigating Carrier IQ, or whether it is some combination of both."[11]
This means that the FBI could be using Carrier IQ's technology to track users of mobile devices, which would be an ethical problem if Carrier IQ did not reveal to users of the software that they allowed this to happen.

Opposition

Although new information surfaces daily regarding the functionality and implementation of CIQ, no openly publicized option for disabling or opting out of the CIQ software currently exists. In a rush to protect valuable reputations, Sprint, Apple, and CIQ, among others, have all released statements since the software first came to public attention in late November.

On December 1, 2011 it was reported that Apple released a statement declaring that it had already stopped supporting CIQ in its iOS 5 update, which became publicly available long before concerns about the software arose.[12]

“We stopped supporting Carrier IQ with iOS 5 in most of our products and will remove it completely in a future software update. With any diagnostic data sent to Apple, customers must actively opt-in to share this information, and if they do, the data is sent in an anonymous and encrypted form and does not include any personal information. We never recorded keystrokes, messages or any other personal information for diagnostic data and have no plans to ever do so.”[12]

As of December 16, 2011 it is rumored that Sprint officially plans to sever ties completely with Carrier IQ. According to Mobile Burn, Sprint has requested all of their phone manufacturers discontinue including the software in future production.[13]

"We have weighed customer concerns and we have disabled use of the tool so that diagnostic information and data is no longer being collected," said Sprint in an email to Mobile Burn. "We are further evaluating options regarding this diagnostic software as well as Sprint's diagnostic needs."[13]

Ethical Issues

Carrier IQ Diagram

Initial Press Release

On November 23, 2011, Carrier IQ sent out a press release in response to a 17-minute video posted on YouTube and a post to androidsecuritytest.com by a security researcher named Trevor Eckhart [14]. The press release stated that the company did not provide tracking tools, record keystrokes, inspect or report on the content of communications, such as the content of emails and SMSs, or sell any information to outside parties [15]. It stated that Carrier IQ software instead makes a phone work better by identifying dropped calls and poor service, identifying problems that impede a phone’s battery life, and making customer service quicker, more accurate, and more efficient. Eckhart claimed that the software worked in ways that users of mobile devices were unaware of. He stated that Carrier IQ could run completely hidden from the user [16]. He stated that metrics can be generated when a user installs or opens an application or browses a webpage, and that Carrier IQ can log keypresses made on that webpage [16]. The software does not have an opt-out feature when used with some carriers such as Sprint. Eckhart stated at the end of his writeup, “The only way to remove Carrier IQ is with advanced skills. If you choose to void your warranty and unlock your bootloader you can (mostly) remove Carrier IQ”.[16]

In a follow up response on December 1, 2011, Carrier IQ conceded that their software does keep a log of some phone activity. However, they maintained that the data is kept for debugging purposes only, and that no personal data is recorded or stored[17]. Regardless of whether or not Carrier IQ uses the information stored by its software, storing so much information on a phone is poor security practice. For example, a stolen phone could hold a lot of personal information that, although Carrier IQ may not use, a malicious hacker could easily find and take advantage of. Other researchers have stated that the information Carrier IQ collects is clearly just for diagnostic purposes, but what information is collected can also vary from carrier to carrier [18].

Eckhart's Motivation

The initial reports of Carrier IQ software on millions of smartphones were strongly shaped by the assumption that, before his disclosure, Trevor Eckhart had been just an innocent Android developer. That framing also cast a harsh light on the general practice of using covert software on mobile devices to record data without the user's knowledge. However, recent research has concluded that Eckhart may have in fact published his story about CIQ software because the company he works for, InterGis LLC, is a potential rival to Carrier IQ.[19]

After comparing services provided by both Carrier IQ and InterGis LLC, DailyTech finds them very similar:

"Intergis makes tracking and telemetry products, remarkably similar to Carrier IQ, although currently targeting corporate users. The company's product gives businesses a way to GPS tracking to secure their mobile device fleet or coordinate employee travel."[19]

Federal Investigation

As of December 14, 2011 it is reported that Carrier IQ is under investigation by both the FTC and the FCC over the alleged uses of its software.[20] As reported by Gizmodo,
"Both agencies are probing the carrier over allegations that its tracking software was installed on more than 150 million smartphones without user knowledge."[20]
Although it is still very early for any sort of charges to be formally pressed against the recently-outed company, the primary focus of the investigation is to determine whether or not the company is guilty of any sort of wrongdoing. It has been reported that CarrierIQ intends to give full cooperation in the investigation.[20]

Security Concerns

Despite the recent clarifications that the Carrier IQ software does not, in fact, log keystrokes or record any messages sent or received, CIQ admits that a software bug can cause encrypted messages to be recorded if they are received while a phone call is in progress.[21]

Other concerns stem from the immense liability created when large quantities of encrypted URLs are transmitted through wireless signals. Many smartphone users exhibit anxiety about having their personal information handled by software that has already proven to suffer from several serious bugs.[22]

General Ethical Issues

Image circulated following the initial rumors surrounding CIQ

Ethical issues arise when the software invades a person's privacy without their full knowledge and consent. If the software could track, record keystrokes, and report on the content of communications on mobile devices, users should be told what the software is capable of. In addition, there should be a way for users to opt out of being tracked. Ethical behavior on the part of Carrier IQ would mean informing users of the software's capabilities and using only the information it says it will, and using it to make the devices better. Another possible implication could arise if Carrier IQ sold users' information to third parties without the knowledge of the owners of the devices. A major point stressed in Eckhart's video is that users are generally unaware of the existence or function of this software on their phones. This raises another ethical issue, regarding who is responsible for the security of the information logged on the phone. Since users are not made aware of this software, ethically either Carrier IQ or its customers should implement better security to protect such data.

An additional question raised from this issue is how carriers' collection of data is regulated, and by whom.


References

  1. http://www.carrieriq.com/index.htm
  2. http://www.chicagotribune.com/sns-ap-us-fbi-phone-tracking-software,0,7635930.story
  3. http://www.pcmag.com/article2/0,2817,2397141,00.asp
  4. http://androidsecuritytest.com/features/logs-and-services/loggers/carrieriq/
  5. http://www.faqs.org/patents/app/20110106942
  6. http://www.pcworld.com/article/245907/googles_schmidt_slams_carrier_iq.html
  7. http://gizmodo.com/5863849/your-android-phone-is-secretly-recording-everything-you-do
  8. http://news.cnet.com/8301-31921_3-57336801-281/carrier-iq-analysis-finds-no-evidence-of-keylogger/
  9. http://gizmodo.com/5868732/the-complete-list-of-all-the-phones-with-carrier-iq-spyware-installed?tag=carrieriq
  10. http://www.geek.com/articles/mobile/sprint-orders-all-oems-to-strip-carrier-iq-from-their-hardware-20111216/
  11. http://boingboing.net/2011/12/12/fbi-says-it-uses-carrier-iq-fo.html?utm_source=dlvr.it&utm_medium=twitter&dlvrit=36761
  12. http://allthingsd.com/20111201/apple-we-stopped-supporting-carrieriq-with-ios-5/
  13. http://www.mobileburn.com/17957/news/sprint-carrier-iq-has-been-disabled-on-our-devices
  14. http://www.huffingtonpost.com/2011/11/30/carrier-iq-trevor-eckhart_n_1120727.html
  15. http://www.carrieriq.com/company/PR.EckhartStatement.pdf
  16. http://androidsecuritytest.com/features/logs-and-services/loggers/carrieriq/
  17. http://allthingsd.com/20111201/carrier-iq-speaks-our-software-monitors-service-messages-ignores-other-data/
  18. http://www.pcworld.com/article/245492/carrier_iqs_cell_phone_snooping_overstated.html
  19. http://www.dailytech.com/Carrier+IQ+Whistleblower+Trevor+Eckhart+Works+for+Tracking+Firm/article23511.htm
  20. http://gizmodo.com/5868166/feds-investigate-carrier-iq-for-tracking-you
  21. http://www.theverge.com/2011/12/13/2632410/carrier-iq-says-it-unintentionally-collected-encrypted-sms-is-working
  22. http://gizmodo.com/5865238/carrier-iq-software-may-not-be-recording-some-keystrokes?tag=carrieriq
