In defense of CarrierIQ

Over the last month or two, I have been highly critical of CarrierIQ and the sneaky way they gather smart-phone user information without informing the user they are doing so, much less providing an opt-out choice.

CarrierIQ has taken a lot of heat from a lot of places over this.  Now, they are defending themselves:  in the name of fairness, I think it is important to bring this defense to your attention.

The full document can be read here.

In the first few lines. they thank Trevor Eckhart for “for sharing his findings with us”.  That is quite a change from their initial response, when they threatened to sue him if he continued to expose their practices…until the Electronic Frontier Foundation stood up for him, that is.  It’s nice to see that, deep down inside, they are really swell guys and gals who care…

Reading ‘between the lines’, here are a few excerpts from CarrierIQ’s statement:

“…Carrier IQ software automatically passes the hardware serial number and the subscriber serial number (e.g. IMEI/IMSI) to the Network Operator who can then match to their customer records…”

i.e.  CarrierIQ matches the phone and user information in their database, making it possible to identify individual user’s phone habits as opposed to just collecting  ‘anonymous operational data’ that could be used to analyze network performance without compromising user privacy.

*   *   *

“Q. “Why is my battery only lasting 3 hours and my phone keeps crashing?”

 A. Because you have loaded a new application abcxyz and this is draining the battery quickly and making your phone unstable.”

i.e. CarrierIQ monitors what applications are on your phone.

*   *   *

“Q. “Why does my phone drop calls when I drive on Interstate 80?”

 A. It looks like you were dropping calls between exit 34 and exit 35 and we are upgrading our towers to improve performance at that section of the highway.”

i.e.  CarrierIQ records your location with respect to phone usage.

*   *   *

“The Carrier IQ software installed on the mobile device is called the IQ Agent.

. . .

The IQ Agent has been implemented on feature phones, smart phones, data modems and tablets.”

Nice to know…  I guess I’ll pass on that tablet computer and put my IT guys to hacking the modem:  if it is doing what the smart phones are doing, it’s time for a jail-break!

*   *   *

“In typical deployments, the IQ Agent uploads diagnostic data once per day, at a time when the device is not being used.

. . .

Network Operators who are Carrier IQ customers do not charge consumers for this upload nor does it show up as usage of consumer data plans.”

In other words, you are not given any clue that one corporation is beaming data from your phone or tablet and selling it to another corporation.  Nice!

Well, at least they don’t make you pay for it…

*    *    *

” [Preload] version of the IQ Agent cannot typically be deleted by an end user but only gathers and forwards metrics from the device if it is enabled with a profile …”

My emphasis.

*   *   *

“Network Operators typically prefer the embedded version of the software as it provides the most comprehensive diagnostic set. This embedded information is used to understand which control signals are passed between the mobile device and the handset…”

Again, the emphasis is mine.

*   *   *

I think this ought to be sufficient for a Q.E.D. – but the document goes on:

“Network Operators and handset manufacturers determine whether and how they deploy Carrier IQ software and what metrics that software will gather and forward to the Network Operator.”

Translation:  “All of your data is belongs to us, you puny little humans!  Mu-ha-haaaaa!!!!!”  

OK, let’s not go overboard here.

Let’s be fair!

Carrier IQ suggests that they themselves do not make the call about just how much data to collect about you – they will only collect and pass on the data which their customers, the Network Operators and handset manufacturers, will pay them to collect about you! 

Mu-ha-haaaaa!!!!!

*   *   *

“An embedded version of the IQ Agent cannot be deleted by consumers through any method provided by Carrier IQ.”

Is there an echo in here?  Mu-ha-haaaaa!!!!

*   *   *

“A new profile can be downloaded to a mobile device when it periodically checks-in with the network server. After receiving the new profile from the network server, the device will begin gathering the metrics and pre-processing according to these instructions.”

Translation:  you complain – we’ll ferret out your secrets!

*   *   *

And that is just the first half of the document…

In the rest of the document, to the best of my reading, they assure us they are working on a ‘fix’ that would make it less possible for us to find and remove the IQ Agent, they admit to (at times) collecting SMS messages (but that was a mistake and they don’t do it any more), collecting phone call data, URL information, collecting keystroke data (but only under ‘specific conditions’ and when the ‘collector’ wants it – not for themselves, not at all….plus it’s not ‘on purpose’, just a by-product of other functions), and so on.

And then there is IQ Insight…  This is the bit that collects all the location information:  letting ‘operators’ to really drill down through your data!

Oh – and they say they only sell your information once…

But, don’t take my word for it:  I am sure my reading of this document is highly flawed and imperfect, as what they say in their ‘conclusion’ does not, in my never-humble-opinion, match up fully with what they say in the body of the text.  Obviously, it must be my understanding which is flawed.

It would be much better if you were to read the document for yourself and form your own opinion about CarrierIQ’s most illuminating explanations.

And, if these do not send you screaming for a throw-away phone, I have this lovely medieval bridge in Prague I’d love to sell you!

Clay and Water: Illustrated biography of Mohammad

Clay and Water is running a special feature:  an illustrated biography of Mohammad, with references from the Koran and the Hadith.

Check it out.

FOI request for FBI use of data secretly collected from smart phones: denied!

A while back, I  posted about CarrierIQ and its ‘rootkit of all evil’.

In it are links which demonstrate how CarrierIQ has embedded code into smart phones which runs in the background and is not easily accessible to the phone’s user (with no notification to the user that it is running, much less choices to ‘opt out’).  This code records everything the phone is used for and reports this information back to CarrierIQ – even if the user is not in any contract with the company, or has indeed ever heard of its existence.  This information contains:

  • GPS information
  • incoming and outgoing phone calls
  • details of internet access and use, including encrypted data (like passwords)
  • all keystroke information

In another post, I have written about INDECT:  the EU’s proposed regime of continuous surveillance of member states’ citizenry for the purpose of identifying ‘unusual behaviour’, which would then be brought to the attention of police for ‘follow up’.  ‘Unusual behaviour’ would include (but not be limited to):

  • lingering too long in public areas
  • abnormal transit system use
  • internet habits that include visiting potentially ‘antisocial websites’
  • associating with ‘antisocial elements’
  • abnormal shopping habits

(In that post, I also provide a link to an article about CarrierIQ’s attempt to silence the researcher who first published information about its surveillance practices.)

The potential for abuse is so strong, it is difficult to overstate it…it seems that, increasingly, legislation is being drafted and passed all around the world not to safeguard against it, but to take advantage of it.

Here is an analysis (by a lawyer) of SOPA, just one such proposed pieces of legislation (in the USA) and the ways in which it breaches the constitution.

But if you are still not convinced that police agencies are warrantlessly accessing vast amounts of private data collected about citizens without their permission or knowledge, here is another piece of information you should consider:

‘A recent FOIA request to the Federal Bureau of Investigation for “manuals, documents or other written guidance used to access or analyze data gathered by programs developed or deployed by Carrier IQ” was met with a telling denial. In it, the FBI stated it did have responsive documents – but they were exempt under a provision that covers materials that, if disclosed, might reasonably interfere with an ongoing investigation.’

Indeed.

Our constitutions were written with the specific purpose of protecting the civil rights of citizens from their governments.  Most of us have forgotten this:  and our governments are increasingly passing laws which circumvent (if not directly breech) our unalienable rights which all written constitutions (starting with the Magna Carta) are but imperfect expressions of.

We need to wake up and oppose this passive tolerance of the increasingly corrupt and oppressive surveillance society – before it is too late!

H/T:  Tyr