Secret app on millions of phones logs key taps

There are a handful of comments here giving CarrierIQ the benefit of the doubt, because the video did not show CarrierIQ sending the logged data over the network.<p>If you're still inclined to give them the benefit of the doubt, just read the CarrierIQ website. Their ENTIRE BUSINESS MODEL is based on collecting data about mobile phone users!! Here's a choice excerptI found on their website after browsing their site for 30 seconds[1]:<p><i>Carrier IQ's Mobile Service Intelligence Platform (MSIP)...receives raw data (known as Metrics) from phones and converts them into reliable, repeatable Measures which feed into analytic applications.</i><p>Or you can read this comment from a discussion last week where a CarrierIQ recruiter told an HN member that they collect 10s of gigabytes of data PER DAY.[2]<p>These guys are indeed collecting RAW DATA from actions on your phone. There are tremendous opportunities for abuse here, should CarrierIQ decide to do so. CarrierIQ in blatant violation of privacy norms and could do enormous damage to national security of many countries, conduct corporate espionage, or simply violate the citizens' expectation of privacy when using their phone.<p>This is dangerous and should be stopped immediately.<p>1. <a href="http://www.carrieriq.com/overview/mobileservice/index.htm" rel="nofollow">http://www.carrieriq.com/overview/mobileservice/index.htm</a> 2. <a href="http://news.ycombinator.com/item?id=3264264" rel="nofollow">http://news.ycombinator.com/item?id=3264264</a>

Its much easier to invade privacy in the name of providing a better product than to actually figure out what the customer wants. Collecting huge swaths of data allows product to be tweaked to find a local maximum of profitability. Its an easier and safer alternative than to actually understand one's own product from a consumer perspective.<p>I fear this is where we're going in all corners of tech. Even moreso because we're already quickly eroding at any expectation that one should provide privacy to their users. All the while users are ignorant enough about tech in general and have no idea that their privacy can and is flying out the door. Software exists in such a way that the lay user can't ever understand the boundaries or capabilities of software to do things that they are completely unaware of. The numbers of people who do understand what is going on is so small that they are neither a significant portion of the market, nor a "reasonable person" in the eyes of courts.<p>Privacy will be dead before anyone even notices.

It should be noted that there's no evidence (yet) of what is sent to other entities, only what is captured by the software on the device.<p>This is bad enough, though. But, let's keep our head about this and calmly demand an explanation from HTC. Why them? Because they signed the binaries with their certificate, presumably at the request of carriers, but HTC is the first in line.<p>And don't believe the response from CarrierIQ. Just prior to that response, they still had very informative high resolution screenshots of their "Device Analyzer" product which showed a scary level of data mining of end user devices. They were probably great eye candy for their customers (carriers), but creepy for anyone valuing their privacy.<p>I agree that this information is likely for improved QoS, but what can (has) it been mis-used for? Employees can't be trusted, and the government can't be trusted. An end user can't even opt out of it.<p>Edit: According to Google Image Search, others are mirroring some of the prior shots. Note that nothing is anonymized in the least (nevermind that anonymizing data is practically a myth).<p>I'll try and tack the URLs below.<p><a href="http://androidsecuritytest.com/wp-content/uploads/2011/11/ciqdevicelist.png" rel="nofollow">http://androidsecuritytest.com/wp-content/uploads/2011/11/ci...</a><p><a href="http://www.xda-developers.com/wp-content/uploads/2011/11/metrics.png?139d23" rel="nofollow">http://www.xda-developers.com/wp-content/uploads/2011/11/met...</a><p><a href="http://androidsecuritytest.com/wp-content/uploads/2011/11/metric_categories1.png" rel="nofollow">http://androidsecuritytest.com/wp-content/uploads/2011/11/me...</a><p><a href="http://androidsecuritytest.com/wp-content/uploads/2011/11/trigger_references.png" rel="nofollow">http://androidsecuritytest.com/wp-content/uploads/2011/11/tr...</a><p><a href="http://androidsecuritytest.com/wp-content/uploads/2011/11/CIQoverview.png" rel="nofollow">http://androidsecuritytest.com/wp-content/uploads/2011/11/CI...</a><p><a href="http://androidsecuritytest.com/wp-content/uploads/2011/11/singledevice.png" rel="nofollow">http://androidsecuritytest.com/wp-content/uploads/2011/11/si...</a><p><a href="http://www.carrieriq.com/overview/IQInsightDeviceAnalyzer/DeviceAnalyzer.datasheet.pdf" rel="nofollow">http://www.carrieriq.com/overview/IQInsightDeviceAnalyzer/De...</a><p>This one doesn't need to be big to get the jist:<p><a href="http://www.carrieriq.com/overview/IQInsightServiceAnalyzer/image001.jpg" rel="nofollow">http://www.carrieriq.com/overview/IQInsightServiceAnalyzer/i...</a>

As a WP7 user, I emailed HTC yesterday asking whether or not this software (or similar products) are used on their WP7 devices. Here's the response I got:<p>"Dear Kevin Jacobs,<p>I understand you would like more information about the Carrier IQ software, or any software of this nature on your device. I understand your concerns about this issue and protecting my privacy is definitely one of my top priorities as well.<p>We have not had any reports of any kind of software like this on any Windows Phone 7 device. This type of software has been used on Android devices, but since Microsoft developed this operating system I am sure they did not include any software of this kind.<p>Let me know if I have successfully answered your question, please click here to complete this.<p>To send a reply to this message, please click here.<p>Sincerely,<p>Kathleen<p>HTC"

Does it really?<p><a href="http://blog.jgc.org/2011/11/getting-little-tired-of-security.html" rel="nofollow">http://blog.jgc.org/2011/11/getting-little-tired-of-security...</a><p>There's no evidence that it sends this information to the company and no evidence that it actually logs it. Only that APIs are called containing it.

Remember when people were up in arms about how much location data iPhones stored locally?<p>This is 1000 times worse.

I think this is a good case study in support of "never trust an internet-connected electronic device directly from a vendor". There should be a universal policy to unlock, root, or blow away any software that exists and replace it with "known good" software, like CyanogenMod, Ubuntu, or a new copy of Windows.

I am surprised the internet took this long to respond, considering that the HN discussion on this was started almost a week ago[1][2]. That said, after watching the video I'm all kinds of sceptical about the dude's claim.<p>[1] <a href="http://news.ycombinator.com/item?id=3263955" rel="nofollow">http://news.ycombinator.com/item?id=3263955</a> [2] <a href="http://news.ycombinator.com/item?id=3273416" rel="nofollow">http://news.ycombinator.com/item?id=3273416</a>

Can somebody clarify this story for me? What are the facts here?<p>* Did they implemented key-logger? Yes/No<p>* Do they write keys into some local log? Yes/No<p>* If they have key-logger, then why do they have key-logger? (Company statement - please)<p>* If they write key strokes to some log file, is that log file related to logs which are send to "mother ship"?

From a Wired article on this: "it cannot be turned off without rooting the phone and replacing the operating system. And even if you stop paying for wireless service from your carrier and decide to just use Wi-Fi, your device still reports to Carrier IQ."

First of all, it is excellent to see this type of hacking and reverse engineering.<p>This is rather brash. I am surprised to see this on a such an open platform as Android. Even as some of the comments are suggesting they are not sending the data in non crash situations, keeping it logged is rather brazen.<p>On the flip side though, I have to wonder how would one determine crash behavior before the phone crashes? It seems to me that the phone would need to preemptively log some behavior that would then be indicative as to what caused the crash.

CarrierIQ provides a valuable service for all us. They relay data that optimizes carrier networks, so that we can call, text, get data, etc more reliably.<p>The problem this thread highlights is poor marketing and transparency. No one at CarrierIQ gives a damn what we text. Breaking those basic privacy tenants would destroy their business, which seems to be going nicely if their software is on &#62;100M devices.<p>The company just does a crappy job explaining what their technology does and how it helps consumers. Uncertainty around our private information spooks people, which leads to distrust and conspiracy theories. Let this be a valuable lesson for entrepreneurs who touch consumer data, even B2B solutions.<p>Gmail and Bluekai provide excellent counter-examples of ways to squash these concerns: -Gmail -remember the ruckus about Google reading your email for ads? Google publicly explained this and now no one cares. -Bluekai -the company tracks data for online ads. Touch subject. But they're transparent and lay everything out on their website, including an opt-out: <a href="http://bluekai.com/consumers.php" rel="nofollow">http://bluekai.com/consumers.php</a><p>CarrierIQ clearly needs to address these issues. Let's call on them to do that. In the meantime, take a moment to imagine how much more we'd hate carriers if reception was even spottier (cough...AT&#38;T iphone...)

There are one disturbing thing here:<p>A handful of comments are saying that is ok because CarrierIQ is probably not sending all data (probably not in Europe, but probably they do in Saudi Arabia). This is disturbing because people making these kind of comments are entrepreneurs and in general great people. It seems like we are loosing our moral compas in Silly Valley. Fuck. Please please don't do things like this.

I just checked on my Motorola Atrix. I didn't see any CarrierIQ process, but the Blur framework is logging tons of stuff on ADB, such as all key inputs for the autocompletion software or every swipe movement on the home screen, but no https query appear to be logged at first glance. "Search Intent" terms on the other hand are logged. I never really trusted Blur because until the latest few versions of the ADT the LogCat console was messed up with debug messages from EON &#38; Blur and it was a pain to keep it somewhat static and readable for my own devs, but these couple reports on keylogging frameworks make me look twice at my own phone now.<p>I'd like to run wireshark to check out what's really going out of my phone when I'm on the wifi - I'm a bit of a novice in that area (network monitoring), does anyone have any pointers of things to look for?

This guy needs prison time for lies like these - or at least hauled before congress:<p><pre><code> Carrier IQ VP of Marketing Andrew Coward rejected claims the software posed a privacy threat because it never captured key presses. “Our technology is not real time,” he said at the time. "It's not constantly reporting back. It's gathering information up and is usually transmitted in small doses.” Coward say[s] that Carrier IQ was a diagnostic tool designed to give network carriers and device manufacturers detailed information about the causes of dropped calls and other performance issues.</code></pre>

There is no evidence the data is being logged and sent.<p>Accessed yes, logged, well nobody has found the log yet, and sent, nobody has found any network traffic.<p>It's still bad, but the reports seem to be over-hyped by journalists looking for a scoop.

If you're worried about Carrier IQ intercepting SMS messages. Don't be. The carriers have been doing this for a number of years and even share them with government agencies:<p><a href="http://www.schneier.com/blog/archives/2009/11/leaked_911_text.html" rel="nofollow">http://www.schneier.com/blog/archives/2009/11/leaked_911_tex...</a>

Why is this whole company and all of it's employees not indicted for trespassing, breaking and entering, burglary, etc?????<p>How is stealing the most sensitive of data off my phone without my knowledge/consent ANY different then walking into my house and taking my passport??

I'm not a lawyer, but unless there is some fine print in the notifications sent to subscribers, it is quite possible that they have broken the laws regarding the interception of communication. This sounds a lot like what killed phorm in the US.

Is there any evidence that any of this is uploaded to a carrier or app maker? Can any app developer access this log from their app? It seemed essentially that the debug logs just kept a super verbose log for debugging.

I used to think I better avoid installing a custom ROM in my phone because it might contain software exactly like this one. This really upsets me. Time to check CyanogenMod out.

three words.<p>MASSIVE CLASS ACTION<p>Lawyers fire up your infomercials.

Which is why I use the ACS third party ROM, which has CarrierIQ removed, on my Sprint phone . It also runs MUCH faster than the normal Sprint ROM.

After looking at the screenshots of the carrier-side it seemed to me that the Carrier IQ system allows much more interaction/control from the carrier side. Pending patent applications sometimes can tell you a lot about where a company is heading.<p>Here are a couple of quotes from Carrier IQ's pending U.S. 20090207749 USER-INITIATED REPORTING OF MOBILE COMMUNICATION SYSTEM ERRORS:<p>"...This configuration enables the system 200 to dynamically generate and download to a population of wireless devices rule-based data collection profiles. Data collection profiles may be generated manually by a network administrator, a software developer or other personnel involved in the operation of the network (hereinafter referred to as "network administrators"), created offline as a portion of a data analysis solution, or automatically generated based on network parameters or other events. Profiles define what information is to be collected on the devices in response to which conditions and events, as well as the conditions and events that cause the device to upload the collected information.<p>[0038] Conditions or events include any occurrence in the network or on the device that the device can sense, such as a call dropping or a user pressing a button on the device. Conditions and events also include the passage of time, or a request from a network administrator that the device report information back to the server. Conditions and events which cause a device to collect information or upload the collected information may generally be referred to as "triggers." "<p>and:<p>"[0080] In the exemplary embodiment, triggers may be included in the data collection directives of a data collection profile, and their inclusion causes the client to initiate, abort, and terminate data collection activity as appropriate when the associated trigger condition is invoked by the wireless device 400. A trigger invocation that matches the initiating trigger causes data collection activity to begin. A match of the terminating trigger causes the data collection activity to end, and a metrics package is then prepared for uploading. An abort trigger causes data collection activity to cease, and a metrics package is not prepared or is not uploaded. In the example used earlier, launching an application caused the client to be invoked with an "application launched" trigger event, which is matched against triggers in downloaded profiles and causes data collection activity to begin on a user's device. The user's entering of a particular key sequence, pressing of a dedicated button, or selection of a particular menu option while the application is running would cause another trigger to be activated, and the SQC would match the event to a terminating trigger in the profile, cause data collection to stop and a metrics package to be prepared and uploaded. As can be seen, the inclusion of a trigger in a profile effectively selects the condition under which a specific action associated with that profile is to be executed. The trigger is not strictly within the profile, rather it associates specific profile actions (start, stop, abort) with a specific event on the device. "<p>And the claims from their pending "USING MOBILE DEVICE TO CREATE ACTIVITY RECORD" application No. 20090210516 is quite interesting to browse:<p>1. In a communication system, a method for creating an activity record, the method comprising: recording data at a device, the data including one or more events and event-related data that describe activities of a user; uploading the data to a server, wherein the server organizes the data based the event related data; and generating an activity record using the data that can be presented to a user, wherein the activity record represents at least a partial log of the activities of the user.<p>2. The method of claim 1, wherein event-related data comprise one or more of: a time an event occurs; a date the event occurs; a location of the device when the event occurs; a filename of an event object associated with the event; a mobile device number (MDN); and a contact name.<p>3. The method of claim 2, wherein generating an activity record using the data comprises creating an entry for each of the one or more events describing where and when an event occurred.<p>4. The method of claim 3, further comprising presenting the activity record on a website, wherein the website is accessed by the device or using another device.<p>5. The method of claim 3, wherein the one or more events comprise at least one of: making or receiving a phone call; sending or receiving a message; taking a photograph; recording a device location; receiving and playing a broadcast; connecting to an 802.11 or Bluetooth access point; and using a device application.<p>6. The method of claim 5, wherein the location of the mobile device is recorded periodically and independently of other events. ....

The issue is not how many bit or bytes this is sending. The fact that you have never given permission to this and you can't switch it off tells me something about Google and their priorities. Steve Jobs fought hard to prevent any carrier pre-install apps on the iPhone. No such a leadership from google!

Before reading, I guessed that "millions of phones" meant millions of <i>Android</i> phones. Because if this was happening on iPhones, that would merit mention in the headline. Funny how that works.

Is it unreasonable for a consumer to want complete control over a device from the moment she powers on?<p>Is there a certain level beneath which it is not reasonable to give consumers (optional) access? (Should consumers be prevented from "rooting" devices? Should we allow companies to maintain control over devices, e.g. having them "phone home", after they sell them?)<p>If yes, why?<p>Maybe a rootkit should just be viewed just like the crapware that comes pre-installed on a PC. Sure it will help some company and perhaps the consumer herself, if she decides to use it. But it's _optional_.<p>Maybe they could give consumers an easy way to opt-out.

I do not want a "smartphone".<p>I want a "blank slate". With the right specs and form factor.

This cant be real right?

Is this comment i'm typing on my phone being sent to CarrierIQ? :-S

I'm so glad that my iPhone only lets Apple spy on me.