Carrier IQ 'may have' collected text messages
Summary: This is why software like Carrier IQ is a bad idea.
The Carrier IQ story just won't go away.
Earlier this month the tech world became aware of Carrier IQ - software installed onto millions of handsets designed to send usage and diagnostic data back to the carriers. Initially the company denied that there was anything sinister about the logging software, but it has now admitted that a bug in the software meant that SMS messages 'may have' been captured.
Here is the company's explanation:
Carrier IQ has discovered that, due to this bug, in some unique circumstances, such as when a user receives an SMS during a call, or during a simultaneous data session, SMS messages may have unintentionally been included in the layer 3 signaling traffic that is collected by the IQ Agent. These messages were encoded and embedded in layer 3 signaling traffic and are not human readable.
A couple of points worth making.
- Saying that the captured SMS messages were 'not human readable' is invoking weasel words to try to downplay the severity of the matter. Binary is not human readable, but it's not hard to make it human readable. No mention is made of whether the diagnostic data was encrypted, so we can assume not.
- Software bugs are a fact of life. They're not going to go away. However, what's worrying here is that this bug (and from a privacy standpoint, it's a pretty serious bug) went unnoticed until public attention was focused on Carrier IQ. No mention is made of how long this bug was in place.
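To make the 'not human readable' point concrete, here is an added example (not code from this article or from Carrier IQ) that decodes packed SMS text without any key. It assumes the text used the standard GSM 7-bit default alphabet packing from 3GPP TS 23.038, since Carrier IQ's statement does not say which encoding the captured data used; the sample message is constructed.

```python
# Added example: GSM 7-bit packing (3GPP TS 23.038) is an encoding, not encryption.
# Basic character table, indexed by septet value 0x00..0x7F.
GSM7 = ("@£$¥èéùìòÇ\nØø\rÅåΔ_ΦΓΛΩΠΨΣΘΞ\x1bÆæßÉ !\"#¤%&'()*+,-./0123456789:;<=>?"
        "¡ABCDEFGHIJKLMNOPQRSTUVWXYZÄÖÑÜ§¿abcdefghijklmnopqrstuvwxyzäöñüà")
# Characters reached through the 0x1B escape septet (basic extension table).
GSM7_EXT = {0x0A: "\f", 0x14: "^", 0x28: "{", 0x29: "}", 0x2F: "\\",
            0x3C: "[", 0x3D: "~", 0x3E: "]", 0x40: "|", 0x65: "€"}
EXT_REVERSE = {ch: code for code, ch in GSM7_EXT.items()}

def to_septets(text):
    """Map text to 7-bit values; raises ValueError if a character has no GSM form."""
    out = []
    for ch in text:
        if ch in EXT_REVERSE:
            out += [0x1B, EXT_REVERSE[ch]]
        else:
            out.append(GSM7.index(ch))
    return out

def pack(septets):
    """Pack septets LSB-first into octets, as they travel inside an SMS PDU."""
    bits = 0
    for i, s in enumerate(septets):
        bits |= s << (7 * i)
    return bits.to_bytes((7 * len(septets) + 7) // 8, "little")

def decode(data, count):
    """Recover text from packed octets. `count` is the septet count, which must be
    known separately: 7 octets can hold 7 or 8 septets."""
    if count * 7 > len(data) * 8:
        raise ValueError("buffer too short for declared septet count")
    bits = int.from_bytes(data, "little")
    septets = iter((bits >> (7 * i)) & 0x7F for i in range(count))
    out = []
    for s in septets:
        if s == 0x1B:                      # escape: next septet selects the extension table
            nxt = next(septets, None)
            out.append(" " if nxt is None else GSM7_EXT.get(nxt, GSM7[nxt]))
        else:
            out.append(GSM7[s])
    return "".join(out)

if __name__ == "__main__":
    sample = "Running late, see you at 7 [back door]"   # constructed sample message
    packed = pack(to_septets(sample))
    print(packed.hex())                    # looks opaque in a hex dump
    print(decode(packed, len(to_septets(sample))))  # original text, no key needed
```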
And there are more weasel words from Carrier IQ:
Carrier IQ customers who have deployed the embedded version of the IQ Agent have been informed of this bug, and Carrier IQ has worked with customers to fix it and ensure that this information is no longer captured. Only embedded versions of our software are affected by this bug.
'Customers' here are not people like you and me. They're the handset makers and network operators. Also, no mention is made of how many actual 'users' were affected by this bug, for how long they were affected, and how many handsets have been patched so far.
And this is why software like Carrier IQ is a bad idea. In principle, I'm not opposed to software installed onto devices for diagnostic and telemetry reasons because this serves a valuable purpose. But I do have a problem when users are not informed about the existence of this software and are not given the opportunity to opt-out.
Data leakage, whether that be deliberate or accidental, is a serious matter. It represents a breach of trust between consumer and service provider. While I can see the benefits that a tool like Carrier IQ brings to the networks and handset makers, we can't lightly abandon privacy for the sake of a better service.
Related:
- Carrier IQ - The FBI connection
- So, there’s a rootkit hidden in millions of cellphones
- Carrier IQ patent outlines keylogging and ability to target individual devices
- Android bloatware results in serious security flaws
- Check your Android handset for Carrier IQ rootkit
- How to disable the Carrier IQ ‘rootkit’ on your iPhone
- CarrierIQ: Follow the money and it is the carriers behind it
- Finding and cleaning out your smartphone’s Carrier IQ poison
- Which phones, networks run Carrier IQ mobile tracking software?
Talkback
RE: Carrier IQ 'may have' collected text messages
This is pure speculation, but in light of SOPA/PROTECT IP, there could be merit to it.
What is the real agenda here?
RE: Carrier IQ 'may have' collected text messages
'Small company' yet oddly every carrier knows of its existence and insists that their software be installed?
smoke meet fire
RE: Carrier IQ 'may have' collected text messages
Mean-spirited attack? Someone's installed spy software on your system without your knowledge, using your data plan without your knowledge, transferring your communications to an unknown third party without your knowledge, and you think it's mean-spirited to be unhappy about that? What if someone put a back door into this system? What if hackers learn how to alter it to send data to them rather than Carrier IQ? An Internet-facing program capable of recording and transferring all communication data on the device, down to every keystroke, is a ***HUGE*** security risk, even if we knew who was at the controls and how their internal security works to prevent breaches (but we don't). Who has access to this data? Could you imagine employees of Carrier IQ with access to this using the system to spy on potentially cheating spouses of friends and family, read the text messages of celebrities, collect information about company A and sell it to company B, etc? We have no idea if that's possible because we have no idea of the security practices of Carrier IQ.
Only 1 OS manufacturer embedded CarrierIQ deep into its kernel: Apple
RE: Carrier IQ 'may have' collected text messages
You make me
Laugh!
Apple made a statement about what they do, not about what CarrierIQ does. They used to use CIQ and have abandoned it. Perhaps to provide a diagnostic tool that aligns with their policies better? You know, the policies where they collect no private data?
Finally, I will point out AGAIN, that every single iPhone ever manufactured has REQUIRED you to expressly OPT-IN before any diagnostic information could be sent to Apple. Every other carrier makes you opt-out and then doesn't bother to tell you that (a) you can opt-out, and (b) there is anything to opt-out OF!
Thanks for dragging Apple into another discussion about someone else. It makes me re-think what they do and *in this case* I find them the far "lesser of the evils".
Where do you turn this on or off?!
RE: Carrier IQ 'may have' collected text messages
I am very suspicious, however, about Apple and CarrierIQ both blaming their spyware on "bugs".
By the way ZDNET, why could I not respond to his comment below? Two levels of response does not seem excessive (nor do 3,4 or 5 ... levels). Why not allow them?
RE: Carrier IQ 'may have' collected text messages
Regardless of who does it, it is still WRONG!!!!!! 'Nough said!!
People like macadam will not stand to have the truth publicized
He would rather lie about Apple's partnership with Carrier IQ. Google did not embed Carrier IQ in its OS. Microsoft did not embed Carrier IQ in its OS. Apple did.
True (about Apple, lies about me)
Compare Apple to Microsoft, Google, and RIM and it is clear who
Of the major mobile OS manufacturers, only Apple went to bed with Carrier IQ. If you want to start bringing in other companies like hardware OEMs and telcos then fine, they are just as bad as Apple, I agree. But of the mobile OS manufacturers, only Apple's name has been tarnished by this scandal.
You can be proud of Apple for walking away from Carrier IQ but that is kind of like being proud of someone for stopping their extramarital affairs. While Microsoft, Google, and RIM get no credit for walking away from Carrier IQ, it is only because they refused to have anything to do with Carrier IQ to begin with. Quite frankly, I have more respect for someone who has never cheated on their spouse than for someone who has stopped cheating on their spouse. Your values, of course, may be different.
You don't get it
The reason I bring in hardware manufacturers is that this is what Apple is. Apple installed a piece of software to enable problem logging and assist troubleshooting with their device just as HTC and Samsung, et al... did.
You insist on ONLY looking at Apple as an OS vendor when that is simplistic and naive at best. Why did Apple use CarrierIQ? The same reason HTC did. They did it in order to provide diagnostics of both the hardware and the carrier's network. Comparing them to Google, Microsoft, and RIM as makers of the OS is disingenuous. The CarrierIQ software is about the handset and the network so the only equal comparison is with other hardware manufacturers who either did, or did not, include the software.
I notice that you are still avoiding the most important difference between the entities who install CarrierIQ software. Of all the companies who do the actual installation only one made it an OPT-IN feature. On any iPhone ever sold you are required to agree before any diagnostic information leaves your device. You also retain the option to change your mind at any time. Of course, that is something that makes Apple look like they care about the customer (which they do) so I expect you to ignore it.
RE: Carrier IQ 'may have' collected text messages
People make mistakes
and software bugs are, indeed, a fact of life. No one is absolving CarrierIQ, in fact this disclosure can only bring pressure to fix the bug.
If you don't understand this, and if you really do think the world is out to get you (as it appears), then I suggest you unplug and move to a cabin in the woods somewhere. Appalachia is beautiful country.
RE: Carrier IQ 'may have' collected text messages
But seriously, if you are dumb enough to not read the fine print of your "smart" phone user agreement, and actually believe in the concept of privacy, then you have no business complaining when something like this happens. When you agree, you essentially hand over any and all rights to the mobile carriers, by design - screw all consumer protection laws (right, Verizon & ATT?).