Security Researcher Shows That -- Despite Carrier IQ's Claims To The Contrary -- CarrierIQ Records Keystrokes

from the now-that's-kind-of-scary dept

Remember Carrier IQ? This was the company whose software was installed on a ton of phones out there (mainly from Verizon and Sprint), supposedly to record things like if there are dropped calls or problems or whatnot, but which actually appeared to be a rootkit that could track all sorts of info? Then, remember how, rather than respond professionally to this, Carrier IQ threatened researcher Trevor Eckhart with a copyright lawsuit over this? CarrierIQ eventually backed down... and again insisted that the claims of keystroke logging were simply not true.

Yeah. So. Don't piss off a security researcher. Eckhart is back with a video showing how CarrierIQ's software does track keystrokes and sends them to a central server. He demonstrates it recording and sending data, even though Eckhart is logging into something using HTTPS. Of course, when the software is local and tracking keystrokes, HTTPS is meaningless. Dave Kravets at Wired highlights what's really scary about all of this:

By the way, it cannot be turned off without rooting the phone and replacing the operating system. And even if you stop paying for wireless service from your carrier and decide to just use Wi-Fi, your device still reports to Carrier IQ.

It’s not even clear what privacy policy covers this. Is it Carrier IQ’s, your carrier’s or your phone manufacturer’s? And, perhaps, most important, is sending your communications to Carrier IQ a violation of the federal government’s ban on wiretapping?

And even more obvious, Eckhart wonders why aren’t mobile-phone customers informed of this rootkit and given a way to opt out?

I would imagine that lawyers are furiously drawing up a pretty massive class action lawsuit as we speak (if it hasn't already been filed).

Filed Under: android, keylogger, phones, rootkit
Companies: carrieriq, sprint, verizon wireless

DOJ Document Shows How Long Telcos Hold Onto Your Data

from the a-long,-long-time dept

With the Justice Department believing that it can get all sorts of data from telcos without any oversight or without a warrant, it seems rather important to know what kind of info your mobile operator is keeping -- and for how long. The ACLU, via a Freedom of Information Act request, was able to get a "for law enforcement use only" document that shows how long the carriers hold on to what data (Wired also notes that the document could already be found online if you knew the title). The document itself is a pretty weak scan: Thankfully, however, now that the data is out there, we can show it friendlier formats. Michael Robertson was kind enough to take the data (minus the "for law enforcement use only" part, and put it into a Google docs spreadsheet: Additionally, the folks at Wired put together a nice infographic from the data: What it seems to show is that Verizon holds onto your texting data for the least amount of time, but also retains the actual text of your text messages -- something no one else, outside of Virgin Mobile, does. How long until we see a push for a mobile data retention law to "standardize" what these companies have to hang onto and for how long?

Filed Under: data, data retention, justice department, telcos, text messages, texting
Companies: at&t, sprint, t-mobile, verizon wireless

Verizon Wireless' Solution To Tracking Fears: A Warning Sticker You'll Ignore

from the but-we're-doing-something! dept

With the new questions being raised about how much tracking data is being recorded (and potentially sent to others) from your mobile phone, Verizon Wireless has come up with a solution that allows it to wipe its hands of the problem: warning labels. Yes, the ever-popular liability minimizing trick of affixing a warning label has made its way into this debate: I'm sure that will settle everyone's concerns.

Filed Under: privacy, tracking, warning sticker
Companies: verizon wireless

What Does It Take For Mobile Operators To Care About SMS Cramming Scams?

from the scams-pay? dept

The various mobile operators have been making tons of revenue off of premium "short code" SMS programs. These are ways to add charges for various things directly to your phone bill. For example, they've become popular with various charities, so you can support them simply by texting a message to a particular short code. Of course, in many cases, the mobile operators charge you or take a cut for allowing this. And, of course, as with anything like this, it's been left open to scammers... and those scammers have moved in. Just as we saw with phone service cramming, where charges would be added to your landline phone bill, there's been a growing set of operations cramming premium SMS offerings.

Broadband Reports highlights the saga of JAWA, a Scottsdale, Arizona-based company that's at the center of allegations of cramming. The company and a bunch of shells allegedly send text messages to people that say:

"Text back STOP if you don't want to subscribe."

Most people, of course, don't text back because they think it's a scam. What they don't realize is that even if it's a scam, it's the not replying that lets the telcos start adding fees to your bill. The big question here: why does any mobile operator allow charges to be put on your phone bill for inaction?

The blog AZDisruptors (normally about Arizona startups) has been calling attention to the company, including putting together this video explaining how the cramming works, how JAWA's CEO Jason Hope is apparently building the largest house in the US (complete with a 3-story night club), and how AT&T pretends (falsely) that it can't do anything about it: Oh yeah, Broadband Reports also notes that Hope's former blog, which was all about the Lamborghinis and other luxury cars he was acquiring, has suddenly changed to point to a page about his philanthropic work.

The thing is, JAWA has been doing its thing for quite some time. After Texas regulators began investigating, Verizon Wireless finally realized it needed to do something and sued. Amusingly, JAWA's defense to the lawsuit appears to be that it employs lots of people and is good for Scottsdale. However, it also points out that it's made Verizon Wireless tons of money, and even complains that Verizon Wireless seems to be withholding money owed.

While it's nice that Verizon Wireless has filed suit, it appears this only happened after Texas regulators began investigating, and after they made money from JAWA for a period of nearly four years. AT&T now claims that it's investigating too, but only after AZDisruptors demonstrated company representatives blatantly lying to him about whether or not they make any money from this and whether or not they can stop it.

The big question in all of this really should be why the mobile operators allowed this to happen at all. Why would they ever allow charges to be added to an account as a result of inaction, rather than through direct acceptance?

Filed Under: cramming, mobile operators, scams
Companies: at&t, jawa, verizon wireless

You Can Use Up Your Entire Monthly Verizon Wireless LTE Data Allotment In Just 32 Minutes

from the broadband-caps dept

We always find it amusing when people point to various wireless data networks as real "competition" to wired broadband offerings, in part because the various 3G offerings out there all have ridiculously low data caps -- usually 5 gigs per month -- that a large percentage of users are likely to bump up against if they used the connection as their primary connection. The one exception -- for now -- is Sprint's WiMax offering which has no cap, but may eventually. The issue, of course, is capacity. These networks simply weren't built to handle the type of capacity that people would use it for if they could. But as the data speeds get faster, it leads to ridiculous situations like the realization that with Verizon Wireless' new LTE offering, you can use up the monthly allotment of 5 gigs in just 32 minutes (of course, that's assuming you've got 5 gigs to download, and you're getting pretty damn good speeds on that network). I'm somewhat surprised that Verizon Wireless isn't following Sprint in dumping the cap for the next generation network. Maybe, instead of just focusing on more speed for press releases, they should focus on building capacity so that people could actually use these next generation networks.

Filed Under: broadband caps, lte, wireless
Companies: verizon wireless

Verizon Wireless Fined $25 Million For Bogus Fees... But May Have Still Made Out Profitably

from the doing-the-math dept

A few weeks back, Verizon finally admitted what the press had reported for years (and which Verizon Wireless had denied for years): that it had erroneously charged 15 million customers $1.99/month fees for supposedly accessing data on their phones, even though many had specifically declined to allow data services on their phones. At the time, Verizon Wireless said it would pay back "up to $90 million." The FCC noted that it wasn't satisfied with this response, and now it's come out that Verizon Wireless will also pay a $25 million fine to the federal government over these actions. That's separate from paying back customers, but the amount Verizon Wireless will have to pay seems to be shrinking. The original report was "up to" $90 million, but now people are saying "a minimum" of $50 million in refunds. So, it's still possible it'll pay $90 million in refunds, but it seems unlikely.

Of course, as Broadband Reports points out, something in the math doesn't make sense. This apparently went on for 2 to 3 years and impacted 15 million customers. While not every customer was charged the fee every month, many claim they did see it pretty much every month. So, start doing the math. Even if we assume that, say, one third of the users saw it every month for just one year and the rest saw it only once, we're already talking $90 million. But if it's true that many of them saw it for multiple years, and even if you throw in the $25 million fine, it sounds like Verizon Wireless could come out ahead in the end... Oh, and in case you were wondering, Karl Bode confirmed that no one at the FCC audited Verizon Wireless's estimates for how many people were charged this fee, so it's going on faith that Verizon Wireless -- who for years denied this fee existed -- is telling the truth about how many times it was charged.

Filed Under: fees, fine
Companies: fcc, verizon wireless