Sophos Cloud Optix
In an interview with AllThingsD today Carrier IQ, the company accused of creating spyware software for mobile carriers, cleared the air and explained in detail what their software does and does not do.
Carrier IQ explained the reasons behind the appearance of keystroke logging in their software. Their software is configured to monitor, not log the keystrokes looking for particular sequences that the carrier can instruct a user to enter to send diagnostic information back to the carrier.
The data the application is gathering is primarily related to battery usage, signal quality, software crashes, failed transmission of SMS messages and failed calls.
One thing that is still concerning about the application is that it does collect URLs visited by the users, which presumably includes HTTPS URLs.
According to AllThingsD:
The same is true of Web site URLs. CIQ has the ability to capture them, but not the associated content. So it might note a device having trouble accessing Facebook, but not the content on Facebook itself.
While it might seem harmless, we just raised concerns about this same situation regarding the Amazon Kindle Fire tablet and its use of the Amazon cloud logging all URLs being visited.
While websites should not assume HTTPS URLs are always encrypted, some do. This can lead to usernames, passwords and other unique identifiers being embedded in a URL and accidentally disclosed to cell phone carriers through applications like Carrier IQ.
It would be preferable from a privacy perspective if software used to assist with troubleshooting network problems and software bugs were configured not to report back URLs that are intended to be transmitted over HTTPS.
Carrier IQ also stated that the information collected is sent directly to the carriers who are their customers.
RIM released a statement today clarifying their position:
RIM does not pre-install the CarrierIQ app on BlackBerry smartphones or authorize its carrier partners to install the CarrierIQ app before sales or distribution.
Verizon also made a statement denying the use of Carrier IQ, despite the fact that they do collect much of the same information for marketing purposes.
So why all of the fuss? I think the community is becoming fed up with being spied upon, our personal lives and habits being invaded through secret programs and increasingly complicated and confusing privacy statements.
It is unfortunate that Carrier IQ didn’t simply disclose this information when Travis published his research. It is also sad that the mobile phone carriers involved didn’t make it possible to opt-out of sending this information.
When I purchased my current Android phone it prompted me asking if I wanted to enable location services. It proceeded to then ask if I wanted to share my location information with Google. What’s so hard about that?
>When I purchased my current Android phone it prompted me asking if I wanted to enable location services. It proceeded to then ask if I wanted to share my location information with Google. What's so hard about that?
The problem is CarrierIQ doesn't ask or disclose itself.
CIQ are clearly trying to insult our intelligence with this statement. If they only want to provide carriers with diagnostic data such as the delivery of SMS messages, why do they need to record the content of the messages? And even more worrying, why do they record it in plain text?
The post office are able to confirm the delivery of my mail but they don’t open and read my letters to do so.
I have only one thing to say to CIQ; “Joint Intelligence much?”
Wasn't there some law against stuff like this, and severe penalties? 'Computer Misuse Act' and 10 years in chokey, or something like that.
'When I purchased my current Android phone it prompted me asking if I wanted to enable location services. It proceeded to then ask if I wanted to share my location information with Google. What's so hard about that?'
As Heather pointed out, CarrierIQ didn't provide the option, and it was hidden malware. Of course, some people found it and tried to kill the process, as you'd do with a UNIX-based OS. The problem is the malware was a root process, so can't be terminated without first rooting the device.
The really annoying, and troubling thing about this statement, is why it took so long to be made after the event – it claims to be purely anodine and non-invasive data collection – if so, couldn't CarrierIQ have said this straight away?
It makes me feel they they have something to conceal and have been franitically cleaning up behind the scenes before they went public.
It amazes me that people reading this article cannot grasp the meaning of this statement and the rhetorical question that follows…
'When I purchased my current Android phone it prompted me asking if I wanted to enable location services. It proceeded to then ask if I wanted to share my location information with Google. What's so hard about that?'
The authors literary ability apparently far exceeds the comprehension level of the commenter’s…