Recap on Carrier IQ

by Dave Michels

Excellent summary and lots of links of what we know and what occurred regarding CarrierIQgate posted on TechDirt.

The story so far: security researcher Trevor Eckhart exposed some very disturbing information about the “Carrier IQ” application here. This set off a small firestorm, which quickly got much bigger when Carrier IQ responded by attempting to bully and threaten him into silence. This did not go over well. After he refused to back down, they retracted the threats and apologized.

Eckhart followed up by posting part two of his research, demonstrating some of his findings on video. Considerable discussion of that demonstration ensued, for example here and here and here. Some critics of Eckhart’s research have opined that it’s overblown or not rigorous enough. But further analysis and commentary suggests that the problem could well be worse than we currently know. Stephen Wicker of Cornell University has explored some of the implications, and his comments seem especially apropos given that Carrier IQ has publicly admitted holding a treasure trove of data. Dan Rosenberg has done further in-depth research on the detailed workings of Carrier IQ, leading to rather a lot of discussion about Carrier IQ’s capabilities — there’s some disagreement among researchers over what Carrier IQ is doing versus what it could be doing, e.g.: Is Carrier IQ’s Data-Logging Phone Software Helpful or a Hacker’s Goldmine?

Meanwhile, the scandal grew, questions were raised about whether it violated federal wiretap laws, at least one US Senator noticed, and Carrier IQ issued an inept press release. Phone vendors and carriers have begun backing away from Carrier IQ as quickly as possible; there were denials from Verizon and Apple. T-Mobile has posted internal and external quick guides about Carrier IQ. Some of the denials were more credible than others. There has been some skepticism about Carrier IQ’s statements, given their own marketing claims and the non-answers to some questions. There’s also been discussion about the claims made in Carrier IQ’s patent.

Then the lawsuits started, see Hagens Berman and Sianna & Straite and 8 companies hit with lawsuit for some details on three of them.

Attempts to figure out which phones are infected with Carrier IQ are ongoing. For example, the Google Nexus Android phones and original Xoom tablet seem to not be infected, nor do phones used on UK-based mobile networks, but traces of it are present in some versions of iOS, although their function isn’t entirely clear. A preliminary/beta application that tries to detect it is now available. Methods for removing it have been discussed.

Meanwhile, a Freedom of Information Act request’s response has indicated (per the FBI) that Carrier IQ files have been used for “law enforcement purposes”, but Carrier IQ has denied this. And there seems to be a growing realization that all of this has somehow become standard practice; as Dennis Fisher astutely observes, With Mobile Devices, Users Are the Product, Not the Buyer.

Mike then posts a number of answered questions on his site. Summarized by: (1) Who owns your mobile device? (2) Who owns the software installed on your mobile device? and (3) Who owns your data?

We have generally been seeing our personal privacy eroded on both the web and mobile fronts. But for the most part, it was an acceptable trade – we accept the free services from Google, Facebook, and many others (esp. smartphone apps) in exchange for giving them a few hints of our personal likes, dislikes, location, personal networks, and more. It was an implied agreement similar to accepting free television programming with the requirement of putting up with commercials. But CarrierIQ may be the proverbial straw – the peak amplitude of the pendulum swing.

This is like HBO (paid content) with commercials. No one accepted, or implied acceptance of, this exchange – it wasn’t even buried in a terms of service agreement. CarrierIQ will be an important turning point. Privacy will start to become a feature again.