Carrier IQ 'may have' collected text messages

Summary: This is why software like Carrier IQ is a bad idea.

The Carrier IQ story just won't go away.

Earlier this month the tech world became aware of Carrier IQ - software installed onto millions of handsets designed to send usage and diagnostic data back to the carriers. Initially the company denied that there was anything sinister about the logging software, but it has now admitted that a bug in the software meant that SMS messages 'may have' been captured.

Here is the company's explanation:

Carrier IQ has discovered that, due to this bug, in some unique circumstances, such as when a user receives an SMS during a call, or during a simultaneous data session, SMS messages may have unintentionally been included in the layer 3 signaling traffic that is collected by the IQ Agent. These messages were encoded and embedded in layer 3 signaling traffic and are not human readable.

A couple of points worth making.

  • Saying that the captured SMS messages were 'not human readable' is invoking weasel words to try to downplay the severity of the matter. Binary is not human readable, but it's not hard to make it human readable. No mention is made of whether the diagnostic data was encrypted, so we can assume not.
  • Software bugs are a fact of life. They're not going to go away. However, what's worrying here is that this bug (and from a privacy standpoint, it's a pretty serious bug) went unnoticed until public attention was focused on Carrier IQ. No mention is made of how long this bug was in place.
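The first point can be shown concretely. The following is an added example, not code from Carrier IQ or from this article; it assumes the captured SMS text used the standard GSM 7-bit packing defined in 3GPP TS 23.038 (the company's statement does not say which encoding was involved), and the function names are illustrative.

```python
"""Added illustration: 'encoded' SMS user data is not confidential."""
# GSM 7-bit default alphabet, basic table (3GPP TS 23.038); index = septet value.
GSM7 = ("@£$¥èéùìòÇ\nØø\rÅåΔ_ΦΓΛΩΠΨΣΘΞ\x1bÆæßÉ !\"#¤%&'()*+,-./0123456789:;<=>?"
        "¡ABCDEFGHIJKLMNOPQRSTUVWXYZÄÖÑÜ§¿abcdefghijklmnopqrstuvwxyzäöñüà")
# Extension table: characters sent as ESC (0x1B) followed by this septet.
GSM7_EXT = {0x0A: "\f", 0x14: "^", 0x28: "{", 0x29: "}", 0x2F: "\\",
            0x3C: "[", 0x3D: "~", 0x3E: "]", 0x40: "|", 0x65: "€"}
ESC = 0x1B


def encode_sms(text):
    """Return (packed_bytes, septet_count) for text in the GSM 7-bit alphabet."""
    ext = {ch: code for code, ch in GSM7_EXT.items()}
    septets = []
    for ch in text:
        if ch in ext:
            septets += [ESC, ext[ch]]
        elif ch != "\x1b" and ch in GSM7:
            septets.append(GSM7.index(ch))
        else:
            raise ValueError(f"{ch!r} is not in the GSM 7-bit alphabet")
    bits = 0
    for i, s in enumerate(septets):      # septet i occupies bits 7i .. 7i+6
        bits |= s << (7 * i)
    return bits.to_bytes((7 * len(septets) + 7) // 8, "little"), len(septets)


def decode_sms(packed, septet_count):
    """Unpack septets and map them back to text. The count is required
    because 7 packed bytes can hold either 7 or 8 septets."""
    bits = int.from_bytes(packed, "little")
    out, escaped = [], False
    for i in range(septet_count):
        s = (bits >> (7 * i)) & 0x7F
        if escaped:                      # second half of an ESC pair
            out.append(GSM7_EXT.get(s, " "))
            escaped = False
        elif s == ESC:
            escaped = True
        else:
            out.append(GSM7[s])
    return "".join(out)


if __name__ == "__main__":
    packed, n = encode_sms("Call me after 5 [urgent]")   # constructed sample
    print(packed.hex())            # looks opaque in a hex dump
    print(decode_sms(packed, n))   # recovered without any key
```

No key or secret appears anywhere in the decoder, which is the difference between encoding and encryption.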

And there are more weasel words from Carrier IQ:

Carrier IQ customers who have deployed the embedded version of the IQ Agent have been informed of this bug, and Carrier IQ has worked with customers to fix it and ensure that this information is no longer captured.  Only embedded versions of our software are affected by this bug.

'Customers' here are not people like you and me. They're the handset makers and network operators. Also, no mention is made of how many actual 'users' were affected by this bug, for how long they were affected, and how many handsets have been patched so far.

And this is why software like Carrier IQ is a bad idea. In principle, I'm not opposed to software installed onto devices for diagnostic and telemetry reasons because this serves a valuable purpose. But I do have a problem when users are not informed about the existence of this software and are not given the opportunity to opt-out.

Data leakage, whether deliberate or accidental, is a serious matter. It represents a breach of trust between consumer and service provider. While I can see the benefits that a tool like Carrier IQ brings to the networks and handset makers, we can't lightly abandon privacy for the sake of a better service.

Talkback

18 comments
  • RE: Carrier IQ 'may have' collected text messages

    I have to wonder what role, if any, pressure from DHS had in any of this. Not to say they directly forced carriers and/or handset makers to use Carrier IQ, but it very well could have resulted in that based on pressure to be able to fulfill DHS/Patriot Act "requests" that made IQ attractive to the OEMs and carriers in the first place.

    This is pure speculation, but in light of SOPA/PROTECT IP, there could be merit to it.
    TroyMcClure
  • What is the real agenda here?

    How is any of this different from what happens in the normal course of a carrier processing a text message? In particular, how does installing CarrierIQ give the carrier any capability to peek at text messages that it didn't have anyway as a side effect of being the carrier? While we're at it, does anyone believe that the NSA needs CarrierIQ to intercept your calls and texts as they bounce around the cell and microwave towers of the world? I'm sorry, but this all strikes me as an unnecessary and mean-spirited attack on a small company to gain ad revenues, while protecting no one from anything.
    Robert Hahn
    • RE: Carrier IQ 'may have' collected text messages

      @Robert Hahn
      'Small company' yet oddly every carrier knows of its existence and insists that their software be installed?

      smoke meet fire
      Bodazapha
    • RE: Carrier IQ 'may have' collected text messages

      @Robert Hahn Carriers' policies on text messages are clear and defined and reasonably transparent. In this case, a mysterious third party is also receiving your text messages without your knowledge, and for all you know may be archived forever on an unsecure machine that everyone including the janitor has access to and may be connected to the Internet without a firewall. THAT'S the problem. A major manufacturer knows that Fedex knows how many packages it ships; it's a problem when they learn that some third party logistics firm also has that information and may or may not share that information with others (like their competitors). See the difference?

      Mean-spirited attack? Someone's installed spy software on your system without your knowledge, using your data plan without your knowledge, transferring your communications to an unknown third party without your knowledge, and you think it's mean-spirited to be unhappy about that? What if someone put a back door into this system? What if hackers learn how to alter it to send data to them rather than Carrier IQ? An Internet-facing program capable of recording and transferring all communication data on the device, down to every keystroke, is a ***HUGE*** security risk, even if we knew who was at the controls and how their internal security works to prevent breaches (but we don't). Who has access to this data? Could you imagine employees of Carrier IQ with access to this using the system to spy on potentially cheating spouses of friends and family, read the text messages of celebrities, collecting information about company A and selling it to company B, etc? We have no idea if that's possible because we have no idea of the security practices of Carrier IQ.
      jgm@...
  • Only 1 OS manufacturer embedded CarrierIQ deep into its kernel: Apple

    This makes Apple's claims that they didn't collect any private data laughable.
    toddybottom
    • RE: Carrier IQ 'may have' collected text messages

      @toddybottom

      Love how they call this spyware a bug! People should be outraged but nope...they're addicted to an over-priced gadget which runs their life. It's like electronic crack for everyone!
      Rob.sharp
    • You make me

      @toddybottom
      Laugh!

      Apple made a statement about what they do, not about what CarrierIQ does. They used to use CIQ and have abandoned it. Perhaps to provide a diagnostic tool that aligns with their policies better? You know, the policies where they collect no private data?

      Finally, I will point out AGAIN, that every single iPhone ever manufactured has REQUIRED you to expressly OPT-IN before any diagnostic information could be sent to Apple. Every other carrier makes you opt-out and then doesn't bother to tell you that (a) you can opt-out, and (b) there is anything to opt-out OF!

      Thanks for dragging Apple into another discussion about someone else. It makes me re-think what they do and *in this case* I find them the far "lesser of the evils".
      use_what_works_4_U
      • Where do you turn this on or off?!

        @macadam: And exactly WHERE, on an iPhone 3GS running iOS 4.3.5 (or any previous versions) do you OPT-IN to sending diagnostic information? I cannot find any such opt-in or opt-out! You said 'EVERY SINGLE iPhone ever manufactured has REQUIRED you to expressly OPT-IN' but neither ZDNet nor anyone else can tell you how to turn this 'feature' off or on, on anything but iOS 5 on the iPhone 4S or 4.
        pjher
    • RE: Carrier IQ 'may have' collected text messages

      @toddybottom We already know about your anti-Apple stance but this is not Apple. This is CarrierIQ.
      THavoc
    • RE: Carrier IQ 'may have' collected text messages

      @toddybottom In response to your post below: tell us, how do MS and Google collect usage data? Do you guarantee it is less intrusive?
      You're like a little bulldog - reducing any argument to one point of "dogma", taking it in your teeth, and never letting go!
      I am very suspicious, however, about Apple and CarrierIQ both blaming their spyware on "bugs".
      By the way ZDNET, why could I not respond to his comment below? Two levels of response does not seem excessive (nor do 3,4 or 5 ... levels). Why not allow them?
      radleym
  • RE: Carrier IQ 'may have' collected text messages

    One very simple thing is wrong here. Whether it's Carrier IQ, Google, Apple, or M$ wrong by any other name is still "WRONG!!" Stop defending your demigods and call a spade a spade!!
    Regardless of who does it, it is still WRONG!!!!!! 'Nough said!!
    Disgruntled_MS_User
    • People like macadam will not stand to have the truth publicized

      @Disgruntled M$ User
      He would rather lie about Apple's partnership with Carrier IQ. Google did not embed Carrier IQ in its OS. Microsoft did not embed Carrier IQ in its OS. Apple did.
      toddybottom
      • True (about Apple, lies about me)

        @toddybottom
        And yet Apple is the only company to have walked away from CarrierIQ since then. Apple is also the only customer of CarrierIQ to require the customer opt-in to the diagnostic data program before any data leaves the handset.

        Plus, although Google didn't embed CarrierIQ, all of their service providers (ATT, Verizon, Sprint) have and those providers require the manufacturers to embed CarrierIQ. In the end, what difference does it make if Apple or HTC is the one loading this software on my device? NONE! At least Apple asked my permission before sending the data off the handset. With my HTC phone on Sprint, powered by Android, I have no options. CarrierIQ was installed before the phone left HTC, and activated before I left the Sprint dealer. I was never asked to opt-in (as I was with my old iPhones) and I have NO WAY to opt-out without rooting my phone and waiving all technical support as a result.

        I have never lied about Apple's relationship with CarrierIQ. Apple used to use them, now they don't. I have simply pointed out that Apple gave me the opt-in choice, unlike anyone else in the industry.
        use_what_works_4_U
      • Compare Apple to Microsoft, Google, and RIM and it is clear who

        Compare Apple to Microsoft, Google, and RIM and it is clear who "Did Evil".

        Of the major mobile OS manufacturers, only Apple went to bed with Carrier IQ. If you want to start bringing in other companies like hardware OEMs and telcos then fine, they are just as bad as Apple, I agree. But of the mobile OS manufacturers, only Apple's name has been tarnished by this scandal.

        You can be proud of Apple for walking away from Carrier IQ but that is kind of like being proud of someone for stopping their extramarital affairs. While Microsoft, Google, and RIM get no credit for walking away from Carrier IQ, it is only because they refused to have anything to do with Carrier IQ to begin with. Quite frankly, I have more respect for someone who has never cheated on their spouse than for someone who has stopped cheating on their spouse. Your values, of course, may be different.
        toddybottom
      • You don't get it

        @toddybottom
        The reason I bring in hardware manufacturers is that this is what Apple is. Apple installed a piece of software to enable problem logging and assist troubleshooting with their device just as HTC and Samsung, et al... did.

        You insist on ONLY looking at Apple as an OS vendor when that is simplistic and naive at best. Why did Apple use CarrierIQ? The same reason HTC did. They did it in order to provide diagnostics of both the hardware and the carrier's network. Comparing them to Google, Microsoft, and RIM as makers of the OS is disingenuous. The CarrierIQ software is about the handset and the network so the only equal comparison is with other hardware manufacturers who either did, or did not, include the software.

        I notice that you are still avoiding the most important difference between the entities who install CarrierIQ software. Of all the companies who do the actual installation only one made it an OPT-IN feature. On any iPhone ever sold you are required to agree before any diagnostic information leaves your device. You also retain the option to change your mind at any time. Of course, that is something that makes Apple look like they care about the customer (which they do) so I expect you to ignore it.
        use_what_works_4_U
      • RE: Carrier IQ 'may have' collected text messages

        @macadam

        Why frustrate yourself with the @NonZealot troll? Apple doesn't use Carrier IQ anymore and toddytroll is having trouble accepting that. No need to ruin her bad day.

        lol...
        ScorpioBlue
    • People make mistakes

      @Disgruntled M$ User
      and software bugs are, indeed, a fact of life. No one is absolving CarrierIQ, in fact this disclosure can only bring pressure to fix the bug.

      If you don't understand this, and if you really do think the world is out to get you (as it appears), then I suggest you unplug and move to a cabin in the woods somewhere. Appalachia is beautiful country.
      use_what_works_4_U
  • RE: Carrier IQ 'may have' collected text messages

    Two (three?) words - plausible deny-ability. The carriers can always say it was never their intention to do what was done.

    But seriously, if you are dumb enough to not read the fine print of your "smart" phone user agreement, and actually believe in the concept of privacy, then you have no business complaining when something like this happens. When you agree, you essentially hand over any and all rights to the mobile carriers, by design - screw all consumer protection laws (right, Verizon & ATT?).
    HackerJ