The Carrier IQ Saga (So Far) -- And Some Questions That Need Answers

from the answers-we-may-never-get dept

The story so far: security researcher Trevor Eckhart exposed some very disturbing information about the "Carrier IQ" application here. This set off a small firestorm, which quickly got much bigger when Carrier IQ responded by attempting to bully and threaten him into silence. This did not go over well. After he refused to back down, they retracted the threats and apologized.

Eckhart followed up by posting part two of his research, demonstrating some of his findings on video. Considerable discussion of that demonstration ensued, for example here and here and here. Some critics of Eckhart's research have opined that it's overblown or not rigorous enough. But further analysis and commentary suggests that the problem could well be worse than we currently know. Stephen Wicker of Cornell University has explored some of the implications, and his comments seem especially apropos given that Carrier IQ has publicly admitted holding a treasure trove of data. Dan Rosenberg has done further in-depth research on the detailed workings of Carrier IQ, leading to rather a lot of discussion about Carrier IQ's capabilities -- there's some disagreement among researchers over what Carrier IQ is doing versus what it could be doing, e.g.: Is Carrier IQ's Data-Logging Phone Software Helpful or a Hacker's Goldmine?

Meanwhile, the scandal grew, questions were raised about whether it violated federal wiretap laws, a least one US Senator noticed, and Carrier IQ issued an inept press release. Phone vendors and carriers have been begun backing away from Carrier IQ as quickly as possible; there were denials from Verizon and Apple . T-Mobile has posted internal and external quick guides about Carrier IQ. Some of the denials were more credible than others. There has been some skepticism about Carrier IQ's statements, given their own marketing claims and the non-answers to some questions. There's also been discussion about the claims made in Carrier IQ's patent.

Then the lawsuits started, see Hagens Berman and Sianna & Straite and 8 companies hit with lawsuit for some details on three of them.

Attempts to figure out which phones are infected with Carrier IQ are ongoing. For example, the Google Nexus Android phones and original Xoom tablet seem to not be infected, nor do phones used on UK-based mobile networks, but traces of are present in some versions of iOS, although their function isn't entirely clear. A preliminary/beta application that tries to detect it is now available. Methods for removing it have been discussed.

Meanhile, A Freedom of Information Act request's response has indicated (per the FBI) that Carrier IQ files have been used for "law enforcement purposes", but Carrier IQ has denied this. And there seems to be a growing realization that all of this has somehow become standard practice; as Dennis Fisher astutely observes, With Mobile Devices, Users Are the Product, Not the Buyer.

Those are the details; now what about the implications?

Debate continues about whether Carrier's IQ is a rootkit and/or spyware. Some have observed that if it's a rootkit, it's a rather poorly-concealed one. But it's been made unkillable, and it harvests keystrokes -- two properties most often associated with malicious software. And there's no question that Carrier IQ really did attempt to suppress Eckhart's publication of his findings.

But even if we grant, for the purpose of argument, that it's not a rootkit and not spyware, it still has an impact on the aggregate system security of the phone: it provides a good deal of pre-existing functionality that any attacker can leverage. In other words, intruding malware doesn't need to implement the vast array of functions that Carrier IQ already has; it just has to activate and tap into them.

Which brings me to a set of questions that probably should have been publicly debated and answered before software like this was installed on an estimated 150 million phones. I'm not talking about the questions that involve the details of Carrier IQ -- because I think we'll get answers to those from researchers and from legal proceedings. I'm talking about larger questions that apply to all phones -- indeed, to all mobile devices -- such as:

• What kind of debugging or performance-monitoring software should be included?
• Who should be responsible for that software's installation? Its maintenance?
• Should the source code for that software be published so that we can all see exactly what it does?
• Should device owners be allowed to turn it off/deinstall it -- or, should they be asked for permission to install it/turn it on?
• Will carriers or manufacturers pay the bandwidth charges for users whose devices transmit this data?
• Should carriers or manufacturers pay phone owners for access to the device owners' data?
• Where's the dividing line between performance-measuring data that can be used to assess and improve services, and personal data? Is there such a dividing line?
• Will data transmission be encrypted? How?
• Will data be anonymized or stripped or otherwise made less personally-identifiable? Will this be done before or after transmission or both? Will this process be full-documented and available for public review?
• What data will be sent -- and will device owners be able to exert some fine-grained control over what and when?
• Who is is responsible for the security of the data gathered?
• Who will have access to that data?
• When will that data be destroyed?
• Who will be accountable if/when security on the data repository is breached?
• What are the privacy implications of such a large collection of diverse data?
• Will it be available to law enforcement agencies? (Actually, I think I can answer that one: "yes". I think it's a given that any such collection of data will be targeted for acquisition by every law enforcement agency in every country. Some of them are bound to get it. See "FBI", above, for a case in point.)

Lots of questions, I know. Perhaps I could summarize that list by asking these three instead: (1) Who owns your mobile device? (2) Who owns the software installed on your mobile device? and (3) Who owns your data?

Filed Under: mobile, privacy, rootkit, spying
Companies: carrieriq, sprint, verizon wireless

FBI Admits That It Uses Carrier IQ For Law Enforcement Purposes; Won't Say How

from the and-then-there's-that... dept

So remember Carrier IQ? That would be the company that is providing what's been deemed a root kit on a ton of mobile phones. While the company has sought to downplay the security and privacy risks of its software (to the point of threatening the main researcher behind the revelation), further research suggested that the software likely tracked actions down to the keystroke. Again, Carrier IQ has insisted that its only purpose was to help mobile operators get data and information to help out when users are having problems. For example, it notes the ability to highlight when and how users have dropped calls. And if this was all it really does, then the software might be slightly reasonable (though, the fact that it's hidden and almost impossible to remove represents a significant problem no matter how benign the software might be).

However, Michael Morisy over at the site Muckrock, decided he might try a different angle to learn about Carrier IQ and whether it was used for surveillance: he filed a Freedom of Information Act request with the FBI to find out if and how it uses Carrier IQ data. Not too surprisingly, the FBI won't provide him any details, but the way in which it turned him down was actually quite telling. Rather than just saying there were "no responsive documents," it instead said that it did have responsive documents "but they were exempt under a provision that covers materials that, if disclosed, might reasonably interfere with an ongoing investigation." That may imply, contrary to Carrier IQ's suggestions, that its software isn't for monitoring and spying, that the FBI views it quite differently, and already makes use of some Carrier IQ data. Of course, Morisy notes that there is another possible explanation: the FBI could be investigating Carrier IQ itself following these allegations, and it won't reveal the data for fear of compromising that investigation. Either way, it at least raises some significant new questions concerning Carrier IQ and how its data is being used.

Update: Carrier IQ has come out with a response insisting that it has never given out info to the FBI. I would imagine that's true, but it's besides the point. The issue is whether or not the FBI uses Carrier IQ data that it receives via the mobile operators.

Filed Under: fbi, privacy, spying
Companies: carrieriq, sprint, verizon wireless

Security Researcher Shows That -- Despite Carrier IQ's Claims To The Contrary -- CarrierIQ Records Keystrokes

from the now-that's-kind-of-scary dept

Remember Carrier IQ? This was the company whose software was installed on a ton of phones out there (mainly from Verizon and Sprint), supposedly to record things like if there are dropped calls or problems or whatnot, but which actually appeared to be a rootkit that could track all sorts of info? Then, remember how, rather than respond professionally to this, Carrier IQ threatened researcher Trevor Eckhart with a copyright lawsuit over this? CarrierIQ eventually backed down... and again insisted that the claims of keystroke logging were simply not true.

Yeah. So. Don't piss off a security researcher. Eckhart is back with a video showing how CarrierIQ's software does track keystrokes and sends them to a central server. He demonstrates it recording and sending data, even though Eckhart is logging into something using HTTPS. Of course, when the software is local and tracking keystrokes, HTTPS is meaningless. Dave Kravets at Wired highlights what's really scary about all of this:

By the way, it cannot be turned off without rooting the phone and replacing the operating system. And even if you stop paying for wireless service from your carrier and decide to just use Wi-Fi, your device still reports to Carrier IQ.

It’s not even clear what privacy policy covers this. Is it Carrier IQ’s, your carrier’s or your phone manufacturer’s? And, perhaps, most important, is sending your communications to Carrier IQ a violation of the federal government’s ban on wiretapping?

And even more obvious, Eckhart wonders why aren’t mobile-phone customers informed of this rootkit and given a way to opt out?

I would imagine that lawyers are furiously drawing up a pretty massive class action lawsuit as we speak (if it hasn't already been filed).

Filed Under: android, keylogger, phones, rootkit
Companies: carrieriq, sprint, verizon wireless

CarrierIQ Fails At The Internet: Threatens Security Researcher With Copyright Infringement Claim Over His Research [Update]

from the dear-barbra-streisand dept

Last week, we wrote about some research by security researcher Trevor Eckhart, detailing how software from CarrierIQ had all the qualities of a rootkit, was installed on a ton of phones from Verizon Wireless and Sprint, and could potentially reveal all sorts of info about what you do on your phone. Much of Eckhart's report came from a training manual explaining the features of CarrierIQ's system, which he found left free and open on CarrierIQ's website. These kinds of stories show up every so often, and the usual thing is for the company either to admit it wasn't careful enough on security or to deny the specific allegations... and everyone moves on. But CarrierIQ apparently doesn't get how the internet works, has never heard of the Streisand Effect, and decided to not just deny the allegations in the report (we got one of those notices), but to threaten Eckhart with copyright infringement for his posting of their training manual.

Oops. Cue Streisand Effect.

Eckhart, via the EFF, has rejected CarrierIQ's requests... and has called a lot more press attention to the original reports (which had died down pretty quickly). CarrierIQ didn't do itself any favors either, by having its marketing manager talk to Wired and stubbornly defend the copyright infringement claim by saying:

“Whatever content we distribute we want to be in control of that,” he said. “I think obviously, any company wants to be responsible for the information that gets distributed.”

What "any company wants" and what is the law are often two different things. It might have helped for CarrierIQ employees to familiarize themselves with the law first. Of course, the EFF's letter attempts a quick crash course in the subject:

With respect to your allegations of copyright infringement, Mr. Eckhart’s analysis and publication of Carrier IQ’s training materials is a classic fair use and, therefore, non-infringing. 17 U.S.C. § 107 (“the fair use of a copyrighted work . . . for purposes such as criticism, comment, news reporting . . . or research, is not an infringement of copyright.”). Courts generally consider four factors in a fair use analysis: 1) the purpose and character of the use, 2) the nature of the copyrighted work, 3) the amount and substantiality of the portion used, and 4) the effect of the use on the potential market for the work. Id.; Campbell v. Acuff-Rose Music, 510 U.S. 569, 577 (1994). Each of these factors favors Mr. Eckhart.

CarrierIQ is also claiming false allegations (i.e., defamation) over Eckhart's claims of its software being a rootkit. But, once again, the EFF and Eckhart are explaining the details of the law. Just because you don't like someone's opinion of what you do, or you don't like someone describing factually what you do, doesn't mean you get to accuse them of defamation:

You also claim that Mr. Eckhart published “false allegations” that are “without substance,” “untrue,” and that Carrier IQ considers “damaging to [its] reputation and the reputation of [its] customers.” We have repeatedly asked you to specify the statements you believe are actionable. You have failed to do so, and have instead merely repeated your broad accusations. We believe you are not able to substantiate your allegations because Mr. Eckhart’s factual findings are true. If you are able to specify any statement that you believe is false, Mr. Eckhart will be happy to provide you with the documentation of that finding.

Moreover, your client is a public figure. Under well-established Supreme Court precedent, commentary and criticism regarding Carrier IQ’s professional activities receive additional protections under the First Amendment, because there is a heightened public interest in facilitating such speech. See, e.g., New York Times Co. v. Sullivan, 376 U.S. 254, 270 (1964); Hustler Magazine v. Falwell, 485 U.S. 46 (1988).

And, of course, now we get another round of people paying attention to the allegations regarding CarrierIQ.

Update: And... commence groveling. Just received the following:

As, of today, we are withdrawing our cease and desist letter to Mr. Trevor Eckhart. We have reached out to Mr. Eckhart and the Electronic Frontier Foundation (EFF) to apologize. Our action was misguided and we are deeply sorry for any concern or trouble that our letter may have caused Mr. Eckhart. We sincerely appreciate and respect EFF’s work on his behalf, and share their commitment to protecting free speech in a rapidly changing technological world.

The company also reiterates that its software doesn't track a bunch of stuff and that it's really designed to make networks and phones perform better...

Filed Under: research, rootkit, streisand effect, trevor eckhart
Companies: carrieriq

Do Tons Of Sprint And Verizon Phones Contain A Rootkit, Potentially Tracking All Sorts Of Info?

from the privacy,-what's-that? dept

Security researcher Trevor Eckhart has put out a report suggesting that a ton of Sprint and Verizon Wireless mobile phones have what is effectively a rootkit installed on them. Specifically, he's talking about CarrierIQ, a bit of software intended to monitor device usage, supposedly for the purpose of understanding problems that a user might be having and helping to troubleshoot remotely. The description of the software seems mostly innocuous:

Carrier IQ is used to understand what problems customers are having with our network or devices so we can take action to improve service quality.

It collects enough information to understand the customer experience with devices on our network and how to devise solutions to use and connection problems. We do not and cannot look at the contents of messages, photos, videos, etc., using this tool

However, in digging into the details of the software, Eckhart realized that it can easily track all sorts of info, including what websites people are visiting and what keypresses they make. The software can also surreptitiously report where the phone is located. He further notes that the software is purposely hidden on a bunch of devices, and on many it appears that you simply can't turn it off.

Now, I don't think anyone is suggesting anything nefarious here. There are reasons why operators like to collect this kind of data and, in the aggregate, it seems useful. But, as Eckhart looked in more detail at training materials for the software, he realized it could easily be used to track at a much more granular level, down to individuals. The potential for abuse seems pretty high. Again, it's obvious why this software is installed, but it raises questions about what carriers are doing to make sure the software isn't being abused. It's also somewhat troubling that the carriers aren't all that straightforward about how this software is monitoring their users...

Filed Under: mobile, rootkit, wireless
Companies: carrieriq, sprint, verizon