Carrier IQ snooping reports are "mostly exaggerated", says researcher

Summary: According to one researcher, the accusations against Carrier IQ don't hold enough water.

TOPICS: Security

It's no secret that there are a lot of questions surrounding Carrier IQ and its software this week, but has popular reaction to the news been overblown?

That's the argument being made by Virtual Security Research senior consultant Dan Rosenberg, who says that the accusations aimed at Carrier IQ are based on incomplete evidence.

"People need to recognize that there's a big difference between recording events like keystrokes and HTTPS URLs to a debugging buffer (which is pretty bad by itself), and actually collecting, storing, and transmitting this data to carriers (which doesn't happen)," Rosenberg wrote in a post published on PasteBin.

Other experts have echoed that skepticism. "I don’t think that any carrier is using it to snoop on what users are doing," a network engineer from a major UK operator told ZDNet. "Carriers already have access to a lot of information on what its subscribers are doing simply because it’s their network being used," the researcher said, noting that that information is what carriers use to bill their customers in the first place.

Sprint, which admitted to using the Carrier IQ software, said in a statement that it collects the information to address network problems, not track the behavior of its subscribers.

"We do not and cannot look at the contents of messages, photos, videos, etc., using this tool. The information collected is not sold and we don't provide a direct feed of this data to anyone outside of Sprint," the company said.

Carrier IQ defended itself on similar grounds. “[Our] software does not record, store or transmit the contents of SMS messages, email, photographs, audio or video," the company said in a statement. "For example, we understand whether an SMS was sent accurately, but do not record or transmit the content of the SMS. We know which applications are draining your battery, but do not capture the screen.”

The Carrier IQ situation mirrors that of the so-called "Location Gate" scandal that hit Apple and its iPhone earlier this year. In that scandal, an unencrypted database of Wi-Fi hotspots and cell towers was discovered tucked away on users' devices, prompting outrage from users and a measured response from Apple. As with the current Carrier IQ situation, Apple said that the purpose of the database was to improve device and network performance, not track the precise locations of its customers.

It took Apple almost a week to respond to the allegations, and while Carrier IQ has defended itself more rapidly, the company still has many questions to answer. Clearly, transparency, not data snooping, is its biggest problem.

In spite of this, researcher Dan Rosenberg isn't too concerned. "Based on what I've seen, there is no code in CarrierIQ that actually records keystrokes for data collection purposes," he wrote.

His defense of CIQ, however, only goes so far. While Rosenberg doesn't see any nefarious practices with Carrier IQ software, some of the possibilities embedded in it should raise some concern.

"The fact that there are hooks in these events suggests that future versions may abuse this type of functionality, and CIQ should be held accountable and be under close scrutiny so that this type of privacy invasion does not occur," he wrote.

  • RE: Carrier IQ snooping reports are

    Whether or not that these applications collect information is bad enough, or what is being done with that information, or what future possible motives that are available for expansion of these apps to collect and report more data.....the real concern is that these apps were deliberately developed to perform these functions without the permissions or consent of the users who are paying lots of money to use the carriers services!

    This is, in reality, wiretapping a phone and should be treated as such with all appropriate legal penalties. If the user wants to opt in with full understanding of the consequences, then I have no issues with that. However, we have not been asked, making this a criminal act.

    Contact your carriers and demand that they remove these types of applications from your devices, or find a carrier that does not use them.

    Remember, "Those who desire to give up freedom in order to gain security will not have, nor do they deserve, either one.".....Ben Franklin.

    So as long as you put up with these actions, you are giving them approval to continue to erode away your rights and freedoms.
    linux for me
    • RE: Carrier IQ snooping reports are

      @linux for me
      I agree. And who is this guy making comments about what he's seen, when the rest of us have watched videos of the low-level software recording every single touch of the device!? We know the data is going home to CarrierIQ, we've seen it. Whether or not the Carriers get that data is irrelevant! We KNOW the carriers see what we do, because it's THEIR network! We DO NOT have to accept CarrierIQ stockpiling what is between us and the network operator.
      • RE: Carrier IQ snooping reports are


        Oh really? You've seen it where, exactly? What you've "seen" is the data being stored in a transient data buffer INSIDE THE PHONE. What you have not seen, EVER, is that data being transmitted by the device, to anyone, not the carrier, not CarrierIQ, not the gov't. No one.

        But go ahead, join the slavering mob, parading your ignorance for all to see.
    • RE: Carrier IQ snooping reports are

      @linux for me Just the fact that CIQ on our smartphones causes extra tasks to be run and in turn drains more battery pisses me off. I want them to offer an opt out which I will surely take when offered.
      • RE: Carrier IQ snooping reports are

        @fpineda101: Opt-out? I want them to offer it as an opt-in, if at all. Having something like this on by default is a violation of the phone owner's rights.
    • RE: Carrier IQ snooping reports are

      @linux for me
      Exactly what "freedoms" are you giving up? The freedom to have a less reliable and lower quality service, I guess? That is one I will readily give up as long as I can read whatever I want, express whatever opinion I want, practice whatever religion I want, or not practice one if I choose, go where I want, gather together in a public place etc. etc..
    • RE: Carrier IQ snooping reports are

      @linux for me "the real concern is that these apps were deliberately developed to perform these functions without the permissions or consent of the users who are paying lots of money to use the carriers services!"

      While this statement is true, what bothers me even more is that this is being done, without the user even knowing it's being done. At the very least, IMO, this is information that should be told to every user that has this "service" on their phone, at the time they purchase their phone.
      Rapid Rec
  • Ricardo, notice how no one of these 'sceptics' discusses the fact that what

    Carrier IQ service does and what their customers, such as HTC, Samsung, LG, et cetera, receive is not the same thing.

    These customers do not receive the same amount of data as Carrier IQ does. No one of these customers receive any data directly from users' devices -- it all goes to Carrier IQ servers and only then their customers can look at the data.

    So privacy concerns about this obviously criminal service are very well real and not exaggerated. Carrier IQ should be investigated.
    • RE: Carrier IQ snooping reports are

      You don't have a single shred of evidence that the data in question, that is stored in the internal RAM buffer, is sent to CarrierIQ. You won't get that evidence, either, because it DOESN'T HAPPEN. This is locationgate all over again, people over-reacting, and then simply making up facts to fit their paranoid agenda.
      You are woefully misinformed on this matter.
      • RE: Carrier IQ snooping reports are

        @deusexmachina @dderss
        Yeah, dderss, just because someone breaks into a bank and installs webcams, and microphones all around to watch and listen to everything that goes on doesn't mean they stole any money or are stealing bank account numbers. How can you have a problem with that?
      • RE: Carrier IQ snooping reports are

        @deusexmachina Did you read TrevE's initial findings?

        His subsequent video shows CIQ 'submit' strings in the USB debugging as well, even over WiFi. I don't think Carrier IQ, or their customers, are out to do anything malicious with the software. It's not a matter of paranoia that 'the man' is watching you. It's that the phone is recording information without the end user's knowledge.
      • RE: Carrier IQ snooping reports are


        Um, WHAT?!?
        First, no one is breaking into your phone. It is an OPT-IN service, and does NOT send user data to the carrier, or CarrierIQ. The user data is stored on the phone, where, guess what, IT ALREADY RESIDES.


        "His subsequent video shows CIQ 'submit' strings in the USB debugging as well, even over WiFi."

        Um, so what?
  • RE: Carrier IQ snooping reports are

    If you think about it, where would your cell provider store all the information gathered by Carrier IQ? And, why would they want to track each and every individual? Especially if the figure of 141 + million phones are being tracked as alluded to above. On the other hand, the carriers are claiming it's a diagnostic tool. If so, why not activate it, or load it onto your smart phone when you complain of having problems and then de-activate/unload it once the problem was solved? Using it on your device without your knowledge is snooping. Cut and dried. Regardless of whether they are using the data or not. When you allow such things to continue you begin giving up your right to privacy.
    • RE: Carrier IQ snooping reports are

      It is in no way snooping. The data is not user tagged, nor is any private data being sent. Most data remains on the hand set. Also, Apple, at least specifically asks you to activate it, having an opt-in policy.
      Also, activating when there is a network problem totally misses the point. The point of CarrierIQ is to provide realtime network monitoring so that the carriers can PREVENT network issues. Activating it after the problem would provide no useful data. It would be like monitoring cancer patients after they got cancer to see what behaviours caused cancer.
    • The next Watergate

      "why not activate it, or load it onto your smart phone when you complain of having problems and then de-activate/unload it once the problem was solved"
      That's a great idea for a whole new set of "booga-booga" scandal stories! Did you know that your phone can be downloaded with spyware?!?!? Yes, it's true! The carriers all say it's only for diagnostics, but who knows what hacker might be using that "download this" mechanism? And for what?

      Same thing if it's opt-in. How do you KNOW it's opt-in? In the story above we already have the guy saying, "Well, it doesn't actually upload any data today, but it might in the future, so BOOGA BOOGA."

      Guess what? Every time you dial a number on your cell phone, your carrier finds out what you dialed! Did this surprise you? Would you be willing to help strangle a reporter who tried to scare you with this information? Why not?
      Robert Hahn
      • RE: Carrier IQ snooping reports are

        @Robert Hahn

        You're entirely wrong on the technical facts. For decades, you could get a little plastic card and buy minutes on it. That service would then relay your call. The concept is called "routing". It is NOT safe to assume that the carriers automagically get all this data from their network equipment. Proxies, onion routing, tunneling, NAT, and encryption can make your ultimate endpoint completely opaque to your carrier's network. It's like standing next to someone with a headset. You are only privy to one side. That's all the information the carrier should require. You're only paying the carrier for your endpoint. The other side is paying the carrier for theirs.

        Gas stations should do the same thing that wireless carriers do. You should pay more for gas for a truck or SUV. It doesn't matter that you're already paying for more units of gas. Using so much more than a thrifty compact, you're straining economies of scale and pushing gas stations to the point of diminishing returns.

        Actually, that would be more legitimate. This is analogy for carriers. Everyone is rationed 20 gallons of gas. If you drive an SUV, you pay twice as much, but you still only get 20 gallons of gas. That's profit maximization plain and simple. How is this relevant? Tethering. It's NAT, and therefore opaque to the carrier. So, how does AT&T know when you're doing it? They get $20/mo of pure profit when you pay for it.
      • Need to do a bit of digging...

        @Robert Hahn
        CIQ already said they get the data, they just don't "read" any of it.

        As for the carriers getting it anyway... wrong.
        The carrier gets what was successfully executed.
        CIQ gets what the user does, successful or not.
        There is a delta.

        Think about it for a moment. :O
      • RE: Carrier IQ snooping reports are


        As usual, you have no idea what you are talking about, and obfuscate this fact by hiding it in layers of misused jargon.
        You can not reroute your calls through onion routing on pay carriers, nor is NAT even remotely relevant. Nor is it true that the carrier is "privy to only one side." The data packets go through their network, and are easily intercepted and snooped, and, in fact are, by federal law.

        Your comments on tethering make it clear you just don't understand how this works.
      • RE: Carrier IQ snooping reports are


        That is just simply not how it works.
        First, CarrierIQ did NOT say they get that data. That is a complete mischaracterization of what they said.
        Second, you clearly do not know how the cell network works, as the carrier is NOT restricted to what was "successfully executed". This is just flat-out wrong. Nor does CarrierIQ get what the "user does, successful or not". Again, this is not how it works.
        Think about it for much longer than a moment.
  • RE: Carrier IQ snooping reports are

    If you look at their job postings you might change believe that they DO have more information than they will admit in company profile "The embedded device agents are currently shipped on more than 75 million devices..." and in requirements for Architect experience with "multi-terabyte to petabyte class datasets..."