12/2/2011
02:55 PM

Carrier IQ Gets Scrooged For The Holidays

A tale of data collection, cease and desist, wiretap allegations, privacy questions, and potential redemption.

Imagine this scene: You're the CEO of a hot company that makes diagnostic software for smartphones. Your software is used by some of the biggest carriers in the world--including Sprint and AT&T--to maintain the quality of their subscribers' calls, improve smartphone battery life, and troubleshoot any other problems with their handsets. But your diagnostic app is always installed on handsets by manufacturers and carriers in a manner that makes it difficult to remove, if it can even be detected.

But a respected security researcher does detect your software, and with good reason. He's watching the packet traffic inside an enterprise network that he manages, and he finds something unknown exfiltrating data. Chasing down the source of the communications, he finds that employees' phones are literally phoning home over Wi-Fi, via his networks, to your company: Carrier IQ.

The researcher, Trevor Eckhart, isn't the first one to spot the Carrier IQ software and wonder what it's doing. In February, a security researcher who goes by the name "k0nane" found it on the Samsung Epic 4G and released a SyndicateRom Frozen update for the Epic 4G to remove it. Likewise, a concerned Tim Schofield of the Android Creative Syndicate team detailed what Carrier IQ seemed to be doing. This would have been a great point for you to reassure Android fans about how your software could make their lives better.

Instead, Eckhart tries to determine what's going on. He reviews your company's privacy policy, which says that your products "work within the privacy policies of our end customers." For a company that's receiving phoned-home data from smartphones operating inside his business, that lack of clarity is both suspicious and alarming to Eckhart. So he begins digging and finds publicly accessible training manuals on your website.

In the spirit of full disclosure, Eckhart then openly publishes his research on Carrier IQ, backing it up with copies of the research manuals. He also invites anyone to comment on or refute his work.

Eckhart has two big concerns: First, your app appears to be seeing everything he does, from HTTPS strings in the browser to actual keystrokes. He wonders whether the app logs this sensitive data or transmits any of it to your servers. Second, he's concerned that the data being tracked by your servers could easily identify individual handset users. Accordingly, "I would like to know exactly who has seen this data, what data has been recorded, and who has recorded it. This data should also be subject to some clear privacy policy," Eckhart says. Without that clarification, he argues, the software is simply a rootkit: unwanted, hidden, hard to delete, but running with root-level access.

But instead of embracing the spirit of full disclosure, you send Eckhart a draconian cease and desist letter, threatening him with $150,000 per count of copyright violation (for the manuals) and warning that unless he bends over backwards to take back everything he's said about your company, you'll make him pay--big time. The effort has the effect of silencing other researchers, such as k0nane, who immediately deletes the research comments he has recently added to news stories about Carrier IQ. In short, everyone moves on.

Of course, the story doesn't actually end this way. Instead, Eckhart turns to the Electronic Frontier Foundation, which quickly steps in with a reminder that Eckhart's research enjoys free-speech protections. On the eve of Thanksgiving, you issue a statement in agreement, and with an apology. On Thursday, meantime, after new questions have emerged about whether your software might break wiretap laws and lead to class action lawsuits--not to mention queries about who exactly pays for the network bandwidth consumed by the Carrier IQ app--you issue another statement, answering many, but not all, of the data-collection questions that Eckhart and others had posed.

That's the present. Now, what might happen in the future? Here's one scenario: Based on a mounting level of concern about your software--largely installed by manufacturers on behalf of carriers, but written by your company and sending data to your backend data servers--you fly out to meet Eckhart in Connecticut with your top developers in tow. You walk Eckhart through a demo of your software, the kind of demo that you give to prospective customers.

Better still, show Eckhart exactly what data you've collected from his HTC phone. Invite him to amend his research, based on what he sees. Meantime, rewrite your privacy policy to clearly detail what you're doing. Borrow from the detailed analysis of your data collection practices that Sen. Al Franken (D-Minn.) has demanded by the middle of December.

Next, let all handset owners see a copy of everything you've collected about them, and also ensure they know when your app is running on their phones. Finally, give them the freedom to deactivate it. Maybe they--or their network administrators--would choose to do so only when connected to the corporate network, or if they change carriers. But at this point in the story, it's up to you to convince smartphone users why they should trust your software.


Comments
Number 6,
User Rank: Moderator
12/7/2011 | 7:44:01 PM
re: Carrier IQ Gets Scrooged For The Holidays
The article's "what might happen in the future" starts from the assumption that CIQ isn't collecting any sensitive information, and therefore has nothing to lose by showing what it's collected on Eckhart. That's not a given.
golf25radioman,
User Rank: Apprentice
12/5/2011 | 8:53:42 PM
re: Carrier IQ Gets Scrooged For The Holidays
While I'd like to assist my phone maker in diagnostics, they should explain a bit more about the data the device is sending. I have iOS devices, which have the ability to turn off the CarrierIQ (or as it is called in my device "diagnostics"). I have done so. And I looked at the log of what it was sending and I couldn't see sensitive info. But, my wife was an IT professional and she called it a "sniffer" as used many years ago to look at data being transmitted. As far as I know, at this time the Droid OS has no turn off ability, or the ability to see exactly what is being sent.

If the makers truly want info to diagnose, or make the product better, they should have been a bit more up front with it all. IMHO...
mlesnick100,
User Rank: Apprentice
12/4/2011 | 9:43:08 AM
re: Carrier IQ Gets Scrooged For The Holidays
You cannot make this up. I went to the carrier iq site. On the main page, they have in large letters "important clarification on carrier iq software".

Guess what happens when you click on the link ?

......it tries to download a file to your machine!!

I swear I am not making this up. Go there and see for yourself.

This company's PR representatives must be the Keystone Cops!
Cappii,
User Rank: Apprentice
12/4/2011 | 2:40:41 AM
re: Carrier IQ Gets Scrooged For The Holidays
Very simply, I want to know who this information is going to, and for what purpose is it truly being used. Carrier IQ, AT&T, Sprint, and T-Mobile's answers seem a little too convenient for me. And it does smell a little of Federal involvement, as if this were truly a criminal company gathering information about 141 million people, the Feds would be busting down the doors, weapons drawn, and there would be several casualties involved. Nice to see Al Franken playing the part of the good-guy, but I seriously have to wonder who the top-brass are in this little (huge) scheme to spy on all of us.
mlesnick100,
User Rank: Apprentice
12/4/2011 | 12:02:05 AM
re: Carrier IQ Gets Scrooged For The Holidays
A very important question: Was NEWS CORPORATION a CUSTOMER of CARRIER IQ? If they were, there is the US version of a PHONE HACKING SCANDAL. (Did any division of News Corp make an app and use Carrier IQ services for it)...

Also - let's read Carrier IQ's public statement this week:

"....our software does not record, store, or transmit the contents of SMS messages, email, photographs, audio, or video..."

Notice what they DID NOT say: http websites, HTTPS websites, usernames, passwords....

So they failed to mention:
- your email location / username/password you access on the phone
- your bank account location / username/password you access on the phone
- your crm or salesforce username/password
- your corporate access

I can go on. Now with 121 million phones, this will affect:

Some Senators & Congressmen (and their staff)
White House Staff
Military Personnel
Law Enforcement Personnel
.... I can go on.

It would be gross stupidity and gross negligence if phone manufacturers did not now distance themselves from Carrier IQ. The same for networks. My Prediction: Come Monday, Carrier IQ will be on their own with no friends in this world ....they will be set up for a serious roasting by the US government.
mlesnick100,
User Rank: Apprentice
12/3/2011 | 11:47:25 PM
re: Carrier IQ Gets Scrooged For The Holidays
Here's the BIG Question: Was NEWS CORPORATION a CUSTOMER of CARRIER IQ? If they were, there is your PHONE HACKING SCANDAL within the USA.
PressEnter,
User Rank: Apprentice
12/3/2011 | 11:04:13 PM
re: Carrier IQ Gets Scrooged For The Holidays
My post is absolutely true and it is public knowledge that these tools are incorporated into phones and other communications systems. These apps being built into the smart phones is likely an attempt to reduce costs. In effect you spy on yourself with your own device and reduce the need for centralized and obvious infrastructure like that NSA internet room that was so embarrassingly uncovered a few years back.

"The Communications Assistance for Law Enforcement Act (CALEA), passed in 1994, took the unusual direction of requiring that networks and vendors must employ technology in order to permit and facilitate wiretaps. This makes the immediately ready for a wiretap when a tap is needed. It also means that the network ends up paying for the costs of the wiretap equipment instead of law enforcement (without CALEA, law enforcement must pay for the cost of the tap). "

http://www.cybertelecom.org/se...

http://www.askcalea.net/
SocialSmart,
User Rank: Apprentice
12/3/2011 | 6:45:04 PM
re: Carrier IQ Gets Scrooged For The Holidays
I'm interested in knowing whether this is true. It reminds me of the news a couple of years ago of Blackberry being blackmailed to open their network to foreign intelligence services. CIQ seems like an ideal compromise.

Kudos to Mathew Schwartz and InformationWeek for this GREAT coverage. I hope you will be able to explore the allegation of a gov't connection further -- it reads like a spy novel!
japura941,
User Rank: Apprentice
12/3/2011 | 5:52:58 PM
re: Carrier IQ Gets Scrooged For The Holidays
That's a very good point. Network Carriers should know every app that is installed during default factory reset.

If they've included special exceptions for certain apps from being removed that they didn't develop, they are responsible for fully testing, monitoring, and knowing what it does especially when they are protecting the app from being uninstalled by users.
scottspa74,
User Rank: Apprentice
12/3/2011 | 5:46:55 PM
re: Carrier IQ Gets Scrooged For The Holidays
Wow, your post just made me really think about what a rabbit hole we're about to go down with this. I'm glad Sen. Franken has started action on this, but honestly, in the age of the Patriot Act, I'll bet this is not only perfectly legal, but likely instructed by some level of government. (I'm not generally a conspiracy-theorist type, but in the Patriot Act age, the feds do demand the ability to wiretap without FISA approval).
This should get real interesting. Thanks to trev and k0nane for all they've done on this. And, at the guy who said trev is in league with HTC - NO, trev is a highly respected HTC developer (not professional/official) of custom um, stuff. Lastly, to any who fault the manufacturers for this, your reading comprehension skills are that of a 3-year-old.