Carrier IQ

Carrier IQ, the company that everyone -- for right or wrong -- has come to hate of late, has released a document explaining in plain English how it does what it does. "Understanding Carrier IQ Technology -- What Carrier IQ Does and Does Not Do" was released on Carrier IQ's website late Dec. 12 and is a PDF that details what Carrier IQ is, how it's loaded on devices (and what kinds of devices it can be used on), what information is collected, how it can be used by Carrier IQ's customers, and how the data is protected in the process.

Let's break it down.

A few choice points

  • Carrier IQ maintains that it's a provider of diagnostic data, and "that having an effective solution requires that the software gather only the critical diagnostic information and do so in a manner that protects consumers’ information."
  • Carrier IQ has been used on feature phones, smartphones, data modems and tablets.
  • Data is uploaded from the device once a day, at about 200kb a pop. The carrier absorbs the charge for the data.

Carrier IQ is loaded onto the phone in one of three ways

  • Preload: Installed by the hardware manufacturer at the behest of CIQ's client -- the carrier. It's not considered a traditional app and is not easily removed by the consumer, but it only has access to data accessible through the system APIs.
  • Aftermarket: Installed as a typical application, after purchase of the phone. Can be deleted by the consumer.
  • Embedded: Installed using a specific API from Carrier IQ, and differs from Preload in that it can report radio signal information.

Explaining the video

Speaking on the now infamous video from Trevor Eckhart, Carrier IQ says that while it can't comment on every manufacturer implementation of its product (really?), it looks like a hook was left in place that allows the CIQ metrics being collected to be passed to the Android debugging software, which is exactly what we see in the video, and that it's possible for that to be turned off.

CIQ also contends that just because something was visible in the debugging screen (and, again, they're working to get that turned off), it doesn't mean it was necessarily being collected and/or transmitted by Carrier IQ. Think of it as the difference between being able to see something versus seeing, remembering and then sharing with someone else.

CIQ also explains that, indeed, it's possible to collect URLs that are visited -- if it's part of the data collection profile that the carrier put into place. 

Unintended collection

CIQ's also come clean about some unintended data collection. Apparently while collecting signal information (i.e., what's going on with the network when you drop a call), it's possible that if you're on a call and you receive an SMS message, that SMS "may have unintentionally been included in the layer 3 signaling traffic that is collected by the IQ Agent." CIQ contends that "These messages were encoded and embedded ... and are not human readable," and that it's working with the carriers to make sure that information is no longer being collected. Only embedded versions of Carrier IQ had that problem.

Who owns the data?

Carrier IQ maintains that it has "no rights to the data that is gathered ... for any Carrier IQ customer." The servers that handle all of the data collection can be run by Carrier IQ, or by the carrier (or conceivably a third party). Carrier IQ says to its knowledge, it's never had a data breach.

The wrap up

There's more in the white paper regarding network analytics, and the entire thing is worth a read. You'll still have to come to your own conclusion about just how scary this whole thing is, and it's worth another mention that Carrier IQ doesn't exist in a vacuum. Carrier IQ is a customer of network operators -- the carriers you pay good money to every month.

And all that said -- we continue to believe that a simple disclosure and option to disable the analytics collection at initial startup would go a long way toward defusing this whole situation and restoring trust in Carrier IQ as well as in the carriers that hire its services.

 

Reader comments

Carrier IQ gives a lengthy look into how it works


Speak for yourself. I do want this on my device. I want the carrier working constantly to improve network speed and quality. Doing that requires a tool like this.

Everybody needs to get a grip and realize that they're just not important enough for anybody to want to "spy" on. Nobody cares about the contents of your text messages or emails or which porn sites you prefer.

If we want to pretend that the carrier has decided for some bizarro reason that they want to read your text messages or emails, why in the hell would they do it with software on your phone? Your text messages, emails, and phone calls all go through networks owned by the carrier. They can intercept, monitor, record, and ridicule every bit of your data at that point and there's nothing you can do about it.

Unless you're using an encrypted email client, web browser, and SMS client, you have to be an idiot to believe that software running on your phone is the easiest, simplest, or most convenient way for the carrier to "spy" on you.

I don't think you get it...

NOBODY wants a 3rd party company to have access to it. Even if they do nothing with the information they collect waaay too much is the point. The context of my texts and email have nothing to do with improving the network. Not seeing how much data that I use and send from my device is one thing. But having the copies of emails and what not is NOT ok. That's the issue.

"Nobody Wants a 3rd party company to have access to it."

Then try not to think too much over the fact that Sprint has all that tasty data that is going over their network and Google has access to more than its fair share of data as well.

Also did you not bother to read the article? The catching of txt was a bug, just as Google's catching of data on WIFI networks was a bug as well when it was driving around Europe to create street view in Google maps.

Neither Sprint nor Google are 3rd-parties where the device or network are concerned. Period.

There is an enormous difference between a "bug" and an enormous security oversight.

These are facts which are not in dispute by any rational person.

Sounds like the same flimsy rationale for "wanting" the Patriot Act. The "appearance" of responsiveness is more important than actual, rubber-hits-the-road responsiveness. You betcha!

First, if the FBI can use it I'm sure there is more than just network data they are collecting. Like the FBI gives a sh1t when you dropped a call. http://www.forbes.com/sites/andygreenberg/2011/12/12/fbi-says-carrieriq-...

I would like the option to not have this crap on my phone. It's a simple request, why they try to dilute it with all this its ok take it as you will BS, is a clear fact that there is more they don't want you to know. I'd like to take it as I will, with the option to remove it.. that's how I'd like it

Nobody wants to spy on us? Nobody? Not a suspicious spouse? Not a divorce lawyer? Not law enforcement? Not a car insurance company (testing while driving)? Not a credit reporting agency? Not a malicious hacker?

Here's the thing that you don't understand: once data has been collected it stops being "ephemeral data in transit" and becomes "static data that can be retrieved from storage". Without CarrierIQ law enforcement can still get access to my data, true, but it takes a court order to get it collected. But all of those other companies or interested parties can't get it at all because it isn't collected and stored, and they can't get a court order to have it collected (at least not routinely). But once it becomes known that someone has a repository of data that has been collected on me, my whereabouts, and how I communicate with other people then it becomes a very juicy target for anyone who wants to subpoena, purchase or steal that data. Especially if I allegedly "opted in" to this data collection.

That's why we need the ability to opt out, otherwise before long the carriers will be "unlocking new revenue streams" by selling data on us to third parties who could potentially use it against us. I refuse to pay for that "privilege".

It's too bad for CarrierIQ they didn't take this approach in the first place, instead of unleashing the lawyers...

Why are they still going to such great lengths to keep this in the public eye and try to convince consumers that it's not bad?

Right, and if they were monitoring our signal so much how come it took the voice of SSG2 Epic 4G Touch consumers to let Sprint know about the LOS bug?

Hammer and nail right here!! If the purpose of CIQ is to improve signal and device service then how come this didn't catch the LOS issue on the Epic Touch 4G??

I still say that there was some other purpose behind this. But at any rate looks like Sammy is being proactive and removing it from some phones. XDA has a leak of an Epic Touch 4G ROM with CIQ removed that came that way from Samsung. So it looks like Sammy is looking at removing it.

I don't like it either, but... considering how we all let Google track us as we search for the nearest Starbucks, or as we turn on navigation to get us to an unknown location, or as we use the bar code scanner to identify a product, all of these seemingly benign bits of data are stored somewhere. And with a few extra tables added to a database, all of a sudden these bits & bytes of information are put together in such a way that our personal patterns, tendencies, etc... can be analyzed. We are all being tracked much more than we realize, and we knowingly (or unknowingly) gave up a big chunk of our privacy a long time ago. And that's just on our wireless devices... Consider the amount of data being collected just from your credit (debit) card usage.

David

All I'd like to know, is how to opt-OUT, and maybe force Carrier IQ into asking for our consent when we first boot up our devices.
Kinda stupid having this so called opt-in service with no option to opt in or opt out.....

Oh great, now that CIQ gave a clear explanation of what it does and does not collect, everything will be ok! We have nothing to worry about! They even admitted that they've only collected private text messages by accident and only by accident! Secretly installing a rootkit spyware on mobile phones without telling people it's there and then denying it after somebody discovered it and then having to deal with a tech media shitstorm, is definitely a much better option than...oh, I don't know, maybe presenting end users with an option to opt in, maybe explaining what it actually does, maybe giving people an option to opt out, no, no! Of course the latter three would present a great financial burden on the company (as opposed to a possibility of a class-action lawsuit), plus with all the different systems out there and that Android fragmentation they would've had to put in more work - all those hours just to make a screen that presents the actual user of the device with an explanation of what CIQ is and what it does and whether or not that user would like to turn it on. That would involve too much work and money! Instead Carrier IQ did what any ethical company would've done - install their software without all the hassle of explaining to people what it is, does, and if people actually want it! And if the company got caught, and gee whiz looks like they have, CIQ would do the honorable thing of giving half-assed explanations to people's concerns as they come ("if nobody's asking for it, it doesn't exist") and placing blame completely on the carriers themselves ("I didn't break your window, it was the brick").

I love Carrier IQ, such an honorable and ethical company!

/s

Apparently this company is run by Lloyd Christmas and Harry Dunne. When are they going to present us with the smart people that run this company?

So when can we expect the whole truth out of CarrierIQ?

The problem is this is all being done on the down low. This should be an opt in service, and based upon the fact that carriers charge about $4/month (or more) for various location services that benefit the end user (phone tracking, carrier provided nav software etc), IMO the carriers should be paying those that opt in essentially for the same service in reverse.. location services that benefit the carrier.

Oh, and it's spyware, no matter how you skin it. It walks like a duck, it quacks like a duck, it's a duck.

For those on Sprint, a ROM update directly from Samsung leaked today for the Epic 4G Touch that looks to have removed CarrierIQ. It's possible Sprint is moving to have it removed from its handsets.

@Carrier IQ

No amount of sweet talking or pages of drivel you waste time coming up with, is going to convince me your service is nothing more than a privacy intruder forced onto users behind our backs with no way of opting out. If anything, your services should be opt-in but since you guys don't have the decency to set it up as opt-in, the least you should do if you really care about staying in business is to allow users to opt out. Until that happens, Carrier IQ is nothing but a piece of malware that has no business being on our phones. End of story. PERIOD.

Some of you guys act like you have a private life. Get over it, the gov't watches you and everything you post on the internet is public. If you are worried about someone finding out about your porn stash then here's an idea.. STOP LOOKING! Everyone wants to be connected/social but when crap hits the fan in their life because they posted something on the internet they throw their arms in the air about privacy and blame it on everyone else. Stop being stupid and take responsibility for each other. This Carrier IQ thing isn't a big deal.

Let me sum up: If you post on Facebook then it's OK for spyware to capture and store your information in a clandestine way. Of course, that makes no sense at all.

The problem is with the concept of system-level software collecting and distributing this information without explicit permission. Maybe these guys are "white-hats". That doesn't matter. If we allow this, it will simply embolden the carriers to play even more loose with their customers' information. A line in the sand must be drawn.

Believe it or not, a lot of people such as myself are NOT using social websites (only 800 million out of the 5 billion people with cell phones are using Facebook).

And as much as I'd hate to side with the "social" website crowd, it remains a fact that they WILLINGLY signed up for sites like Facebook/Twitter/etc. CIQ, on the other hand, you can't opt out of.

Phillip Nickinson's reporting continues to display a pro-carrier bias to me. He continues to cast the issue in the most benign terms. Finally, either his English is backward or there is something confusing in the article. When he writes "Carrier IQ is a customer of network operators -- the carriers you pay good money to..." it is the carriers who are customers to Carrier IQ, since they are buying CIQ product and services.
The real question here is, can one be a reporter or blogger inside this industry and remain independent enough to provide a clear, fair perspective on sensitive developments? Maybe not in this case...

The real question here is, can one be a commenter on a site about this industry and remain intelligent enough to provide a clear, fair opinion on articles about sensitive developments? Maybe not in this case...

On XDA the Sprint Epic 4G Touch now has a No CIQ ROM right from SAMMY themselves! So it looks like either Sprint or Sammy has taken notice and they are starting to put out no CIQ ROMS! WIN!!!

'1984' seemed far-fetched back in the day but we are moving more and more towards that. Privacy is something this generation won't realize the value of until it is too late.

Not that I agree with Carrier IQ, but there is an old saying:
"It is better to ask forgiveness than ask permission."

Also, has anyone watched "Person of Interest" on CBS?

@scrounger Yes, I watch "Person of Interest" religiously. They put a pretty face ("we use it for good") on the idea that not one of us has an ounce of privacy at all anymore. But since no one is coming to "save" us when "our number comes up", this is all just unauthorized surveillance. Stopping Carrier IQ isn't going to end this; the minute it's removed there'll be something else to take its place. In fact, this is probably just misdirection to keep us from noticing something worse they're already doing. Still, I'd like to see Carrier IQ face so many class-action suits, of such magnitude it bankrupts the company. 'Sound harsh? So is what they're doing to us. Get them now; get the carriers next.

Time for somebody to get got--besides regular people paying for a utilitarian service. There IS a reasonable expectation of SOME degree of privacy that WE should have some degree of control over; Carrier IQ affords us no such degree of control. Ultimately, the carriers are to be held responsible for this, but right now let's just get rid of Carrier IQ.

As a general rule, though, you should realize that EVERY advance, every new convenience, offered us masks some degree of intrusion and incursion into what you thought was your private life. (And perhaps the NUMBER 1 culprit currently, I believe, is Microsoft Kinect, which I feel certain is the most "dangerous" toy available. You can't possibly imagine that a device that can detect and mirror your every movement in your space isn't transmitting that information somewhere, maybe even when you THINK the unit's off. Maybe somebody, somewhere, is watching you watch the TV, eh? Careful what else you do in front of your TV, and who you do it with...)