Carrier IQ

Carrier IQ has issued a new press release defending its business and reminding us all that it works not unilaterally, but for the operator -- the carrier. The nut:

Carrier IQ acts as an agent for the Operators. Each implementation is different and the diagnostic information actually gathered is determined by our customers – the mobile Operators. Carrier IQ does not gather any other data from devices.

We've got a massive discussion coming up on the podcast, folks.

Check out the whole press relase for yourself after the break.

Carrier IQ Updates Statement: Operators Use Carrier IQ Software Only to Diagnose Operational Problems on Networks and Mobile Devices

MOUNTAIN VIEW, Calif.--(BUSINESS WIRE)--To clarify misinformation on the functionality of Carrier IQ software, the company is updating its statement from November 23rd 2011 as follows:

“Having examined the Carrier IQ implementation it is my opinion that allegations of keystroke collection or other surveillance of mobile device user’s content are erroneous”

We measure and summarize performance of the device to assist Operators in delivering better service.

While a few individuals have identified that there is a great deal of information available to the Carrier IQ software inside the handset, our software does not record, store or transmit the contents of SMS messages, email, photographs, audio or video. For example, we understand whether an SMS was sent accurately, but do not record or transmit the content of the SMS. We know which applications are draining your battery, but do not capture the screen.

“Having examined the Carrier IQ implementation it is my opinion that allegations of keystroke collection or other surveillance of mobile device user’s content are erroneous,” asserts Rebecca Bace of Infidel Inc. a respected security expert.

Privacy is protected. Consumers have a trusted relationship with Operators and expect their personal information and privacy to be respected. As a condition of its contracts with Operators, CIQ operates exclusively within that framework and under the laws of the applicable jurisdiction. The data we gather is transmitted over an encrypted channel and secured within our customers’ networks or in our audited and customer-approved facilities.

Carrier IQ is aware of various commentators alleging Carrier IQ has violated wiretap laws and we vigorously disagree with these assertions.

Our software makes your phone better by delivering intelligence on the performance of mobile devices and networks to help the Operators provide optimal service efficiency. We are deployed by leading Operators to monitor and analyze the performance of their services and mobile devices to ensure the system (network and handsets) works to optimal efficiency. Operators want to provide better service to their customers, and information from the device and about the network is critical for them to do this. While in-network tools deliver information such as the location of calls and call quality, they do not provide information on the most important aspect of the service - the mobile device itself.

Carrier IQ acts as an agent for the Operators. Each implementation is different and the diagnostic information actually gathered is determined by our customers – the mobile Operators. Carrier IQ does not gather any other data from devices.

CIQ is the consumer advocate to the mobile operator, explaining what works and what does not work. Three of the main complaints we hear from mobile device users are (1) dropped calls, (2) poor customer service, and (3) having to constantly recharge the device. Our software allows Operators to figure out why problems are occurring, why calls are dropped, and how to extend the life of the battery. When a user calls to complain about a problem, our software helps Operators’ customer service more quickly identify the specific issue with the phone.

 
There are 55 comments

RETG says:

Personally, I don't give a damn what they say, and I don't care what the carriers say either. Give me the right to say yea or nea when I activate the device. Tons of software already do this.

eric.atx says:

Running cyanogen so no worries here!

MSgtSimon says:

Yep, epic win. Gonna start using this to convert anyone left I know to CM. No joke.

pleirosei says:

AOSP FTW.

faheyd says:

I quite honestly can't believe anything from CIQ or the 'Operators'.
We've been lied to before, and we'll be lied to again.
Dylan

This is a prime example of why carriers should be forced to allow us to s-off our phones without voiding the warranty. They should also be forced to allow us to use any unlocked device we want, even without carrier branding. We now know we can't trust them and we need to allow competition. Sprint only allowing Sprint branded devices, which are locked down and loaded with spyware, is not in the public interest. And with Verizon doing the same thing, it makes it even worse. FCC, where are you?

In Sprint and Verizon's pockets.

Kiryan42 says:

Privacy is protected. Consumers have a trusted relationship with Operators and expect their personal information and privacy to be respected. As a condition of its contracts with Operators, CIQ operates exclusively within that framework and under the laws of the applicable jurisdiction.

BS; if you valued the privacy as much as you say, the unwanted, undocumented software would not be on my phone! I in no way approved, consented, or was informed of this potentially illegal app...and it's worse without an easy way of removing it!

Bottom line: I feel violated by CarrierIQ, the handset maker, and my carrier.

dwhall says:

You people are too paranoid...

RETG says:

Paranoid? Not really. Paranoia is a baseless or excessive suspicion of the motives of others. And in this example we have a company that admits to tracking your movement through the internet usage and via private text messages, etc. That is not paranoia, that is invasion of privacy.

joemul802 says:

It's not paranoia. Have you ever had your identity stolen?

Carrier IQ and their clients are logging and transmitting data that is supposed to be encrypted (like my passwords, banking, and credit card info) IN UNSECURED PLAIN TEXT even when I am not using their network and accessing the internet through a wireless router.

Where does this info go once it's sent from my phone? How easy is that transmission to intercept? Is it ever deleted? How many people have access to it? How easy would it be for someone to gain access to it?

crs2265 says:

While we may all feel "violated and shocked" by this revelation. Let's put it into perspective. 20 years ago, i owned a small ISP and the truth is, while i never did it, i could have spied on every keystroke any user transmitted through my lines. The same way, any Telco, Cable company or whomever you get your internet and/or cellular service from can do it today. The thing is, with all the millions of customers these (communication) companies have, why would they want "your" specific data?

This is nothing new, as consumers, as long as we want this technology, this capability (they have) will always exist. What we MUST make sure of is having legislature in place to make sure they cannot use it in a way that is harmful to us and proper penalties are in place to ensure the price for doing so is a deterrent for the action.

ads says:

A few points in contrast: technology to easily mine data has increased exponentially; you had no ulterior motive, 20 years ago. The mobile providers and Google rely on these things as part of their business model, plain and simple, and the tools to make use of it continue to proliferate. NOBODY did a significant amount of this 20 years ago.
The legislature largely lacks the ability to understand the issues - probably more-so than the folks that will see these posts.
Don't trust me, call your congressman or rep and ask them the basics about CIQ. I bet, "we'll get back to you" is the BEST response you get.
ADS

Xanadu73 says:

(If I understand all this right...) No, you could not have "spied on every keystroke any user transmitted through my lines".

CarrierIQ has been shown to capture Users' keystrokes PRE-encryption. Passwords getting sent over SSL, Google searches over SSL, etc., you could not have seen. CarrierIQ CAN and has been shown that it DOES see each keystroke before it ever gets encrypted because it sees them BEFORE the browser even does. It sees SMS messages BEFORE the User does. This is why this is nuts and why people are up-in-arms about CarrierIQ.

User types --> CarrierIQ records --> THEN Browser sends.

That's spooky stuff, folks.

M.

Versed says:

And you could have went to prison if you have done it and got caught.

It's not about CIQ or the carriers wanting my bank login information, it's is about somebody else getting the data that was supposed to be transmitted SSL. PlayStation Network getting hacked was a case of bad security. PlayStation didn't steal my info, they lost it to some else who did steal it.

DustoMan says:

If this software is so harmless and works in the customers favor, why is the process hidden or obscured? Transparency promotes customer trust. Make the program run front and center making it clear what data is collected and when it is sent.

ads says:

There are other resources on the interwebs that show button-pushes, phone numbers you dial, and yes, even things that are supposed to be https (secure web pages) are collected by this tool in the clear. IMO, anybody associated with this practice should be (legally) shot. Don't trust my opinion, search for yourself.
There are ways published on the web to determine if your provider and/or phone run this - call your provider and tell them you want to switch.

The tool, in and of itself, may be as advertised - a way to aggregate data for better services.
Cookies do similar on ANY browser including phones.
However, your computer browser doesn't (normally) have your phone number, access to all your contacts, etc.
Further, I don't believe you have any control over how they use the info.
ADS

Breedingh8 says:

That's all bullshit I've used those excuses to get out of contracts or get upgrades in which issues were legit and none of the carriers ever said let us examine your device to locate the issue; instead they open tickets for cell towers & whatnot or simply replace a device I dont care what they say "lie" about its about invasion of privacy.

Versed says:

Has nothing to do with getting out of contracts or getting early upgrades. Of course in a given population there will be people who try to abuse it. And all the carriers have to do is push an ota that removes or shuts this program down.

Well, if you have used the same excuses, to benifit your own gain, then you shouldn't have an issue. Consider it payback.

But seriously, I'm on your side. Fortunately, I don't have to play this game. All my devices are custom, CIQ free.

Still tho, it reeks of "homeland security".

Call me paranoid. But, I call an ace an ace, and a spade a spade. Doesn't take a rocket scientist to see the writing. Why is it, that is isn't anywhere except in the builds for the USA, and a couple other European countries (Britain maybe?)

mikemosh511 says:

You know, for being on 140 MILLION phones, nobody seems to be using it!

cadzilla74 says:

^^^^ ROFL. Good one Mike!

Verizon claims they don't use it at all. Can anyone disprove this? I have a Thunderbolt but not rooted.

No matter what excuse is given for running this on individual devices it's all BS and the invasiveness, while maybe not in place now, can surely be changed with a flip of a switch if government regulators ignorantly give the go-ahead.

Surely carriers can monitor peak usage and saturation of access points on their own hardware at the routing points without the need of collecting data from individual devices.

That's how we manage loads on the network I am an Admin on for a very large company. I really don't need to pinpoint an individual device unless it is misbehaving to the point of viral infection distribution, a faulty connection that is datastorming a router on a particular TCP/IP subnet, etc. Until a problem is detected that requires I use tools at my disposal to drill down to particular devices I collect nothing about them.

I'm far more concerned with denial of service due to poor planning, corner cutting during rollouts and implementations of new high end load bearing systems, etc.

Sorry, but I see this CIQ running on a smartphone as a ticking timebomb of a Trojan just waiting to be released and I'm not a conspiracy nut that sees black helicopters following me around either.

Maptec says:

I can say for a fact that after Inspecting numerous Verizon phones at my workplace, CIQ does not exist on the Thunderbolt, Bionic, or RAZR. My Evo, the Evo3d however is another story. I had went back to Sense because I just like the feel, but I am now back on CM once again.

iamfuze says:

Jerry has a perfect solution for all of this: buy a Nexus!

msgnyc says:

except that hasn't it already been confirmed to be on the Verizon Galaxy Nexus aswell? I thought i read that earlier today.

ads says:

Fairly unlikely on a pure goog phone, and the speed with which independent devs will remove it if it does exist will be swift.

You could be right, care to site a source on that?

ADS

Versed says:

Have an international version of the SGS2 unbranded etc... I ran supercurios program and it isn't on the phone. So, I would think the same would hold true for the GN.

Maptec says:

I just have a few questions about this. Does the transmission of these logs go on the consumers tab as far as data usage? Thinking about how much potential information is being transmitted, how much congestion does this cause on the network and could this be a chuck of the reason mobile data has slowed? I know around here Verizon is #1 when it comes to speed. THis is coming from a current Sprint customer.

ads says:

My guess is not, unless the carriers employing it are begging for lawsuits. However, on ANY operating system, significant logging (as this appears to be on other sites showing keystroke level logs), WILL slow the system throughput on the device itself, versus OTA or WIFI load, which certainly could be impacted regardless of if one gets charged for those packets or not.

ADS

dorelse says:

Well, I can't find it on my MoPho...but it appears to be on my son's LG Optimus S.

Personally, IF they're being truthful, (and by this point in the PR game...they had better be)... I can see the point of them needing to examine what you're doing on the phone (not recording user data), and monitoring for success, and trapping high level details about failures to send on to Sprint. I'm ok with that...

I would think Sprint's mainly interested in, for example, if 5% of texts fail at tower Y, 10% of voice calls fail on tower X...

Makes sense...IF...that's what they're doing...and that's all they're doing.

fogel35 says:

I can't see a reason nor point of them needing to exam what is happening on a phone. If they can't afford testers to do it for them , then they need to trim the bill since my services are not free lol.

dorelse says:

Nothing like data from the field.

There are lots of times that I can't recreate an issue/bug in the lab or testing cycle. Once that software is GA though, users create all sorts of scenarios that you'd never see in a lab environment.

You can test tell you're blue in the face...its still going to have bugs when its released to the users. That's why you need to know details about what created the users issue in order to fix it.

Its pretty standard SDLC kind of stuff.

pjjohn73 says:

Privacy and choice is the most important issue here, but on a side note...

In order for this "information" to go to the carrier, it must go through as data. So I imagine the user pays for this data, that they do not even know they are sending.

Battery performance on most smart phones is not great, and the constant monitoring and sending of data is making it worse. I have even read that (I believe it was on a forum for Epic 4G GB update) every change in the battery level was being sent in one case. Wow that's really going to make for a better customer experience!!

Give the user a choice. If I buy a computer, I install/uninstall what I want, Buy a phone and its more like your renting it. I am not suppose to root, I can't uninstall bloatware, I have to transmit personal information. Its bull.

Is there a chance they are treating the data securely and for well intended purposes, sure, but I still should be able to choose.

ads says:

My opinion is: Sell, Mortimer,sell, this company is toast, I hope. This is a company saying, "we only offer tools to poison the pot, we don't make the decision to release the poison, and subsequent fallout".
Many companies do the same, some get caught, some not, this one did. I haven't a care if it is legal or not, their pants are down, low!
Now, this doesn't absolve the carriers that employ this product; we'll let the courts decide this one.
But the root company? In my opinion they are now worth sand.

ScottColbert says:

So basically they're saying "We're only following orders." Where have I heard that before?

fogel35 says:

I think the real story is that CarrierIQ and it’s telcom customers still think the phone we purchase is their property. Well I hate to break it to them but no where in the contract does it say the phone I purchase is still their property. Personal property is protected by law.

ScottColbert says:

The loophole in that logic is that yes, you do own the phone, but not the software, bandwidth or other services they provide. Take all that away and all you have left is a paperweight.

Gator352 says:

You buy the phone, you buy the rights to the software. You pay the monthly charge, you own the bandwidth (up to agreed amount) and the services they provide.

Gator352 says:

Actually it is until it's paid for. Phones are subsidized at a certain price to you and the remainder of the balance is included in the price of the plan. What they don't offer is the breakdown of that price and show it on your bill. Kind of like a lease option, but after 14 days (30 days at BB), you have to keep it...period.

I say the price should be broken down, and once paid for, it becomes your personal property and the software (CIQ, or any software at that, should be able to be removed by you. And I agree with you fogel35...it should be our property as soon as it's activated.

I for one see this as a violation of my rights as an individual with my personal property. I was never given an option to opt-in to this violation and opting-out is disagreeing with the terms of service of the android OS resulting in android not loading. So they give you no choice. Well, you could take the phone back and go with another carrier, but all this didn't come to light until recently so most people didn't know.

I for one am outraged for not being told upfront, in writing, that CarrierIQ was on my phone and this is what it does (and it doesn't matter to me what it does) and not given any choice to either opt-in or opt-out. I think early termination fees need to be waived, phones exchanged for a comparable or same phone without CIQ or option to opt-in/out without due-recourse or you'll be able to join the class action law suit about to ensue. Period.

jeffy1988 says:

"Actually it is until it's paid for. Phones are subsidized at a certain price to you and the remainder of the balance is included in the price of the plan."

Then why is it once your contract is up, or if you buy the phone at full price, the plan stays at the same cost?

I know, it's a bit off topic, but this fact has always bugged me.

Gator352 says:

That has bugged me to and it shouldnt be that way. The price should drop to equal the subsidized price. You do know though, once your contract is up, you can negotiate a plan price thTs reasonable with sprint. Although, you'll have to sign a new 2 year contract. I did this when my contract ended on one of my lines. I have 5 lines and only pay one 20 dollar extra line fee.

I doubt Motorola Phones have Carrier IQ, all the "statistic" data collection I believe is done through Motoblur.

AT&T offers an "Opt-In" App called AT&T Marks the Spot, so it really annoys me that they would also force Carrier IQ. "Oh yea, and if it is installed on the device, check how many Marks the spot tasks and processes are constantly running...but any way it is at least supposedly "Opt-In" if *I* want to report a problem....

As far as the "Does it go against your data plan" I'm sure it does as the data use is metered from the network not from the device itself. When I swapped ROMs on my Atrix from the Stock Rom to Alien and skipped the blur setup, my data usage dropped significantly.

A non scientific way to test is to run 1 month or billing cycle with the stock rom, then swap Roms to an AOSP release for 1 month and compare the metered data used.

Questions I have about Carrier IQ, they claim it monitors the device to see things like Dropped Calls, network performance, and battery life ect.

How much over head and how many problems are being caused by the Carrier IQ software itself... How much of a battery goes to that software? How many problems are caused by any potential conflict the Carrier IQ software has with the Android Kernel's own task management capabilities.

bold1193 says:

I don't care too much, but it should be an option. Maybe get $20 off your phone or something for agreeing to the software.

demiles says:

Welcome to todays internet people. Nearly everyone wants yours data and I think you will be surprised that most are getting it someway or another. CIQ is just a drop in the bucket, there plenty more just like them out there.

DemonI81 says:

I've seen the videos of this spyware capturing keystrokes. It doesn't matter what they say, they are illegally capturing data and breaking the federal wiretapping laws.
"It's not our fault, it's the carriers, they asked us to collect this data" is basically what they are saying now. Does this mean the hired hitman is not guilty/should not be punished for murder because he was just "doing his job"? No, Carrier IQ needs to be prosecuted and shut down, as well as the carriers paying them, both parties are just as guilty.

phoneguy#AC says:

It's good to see everyone questioning the CIQ intrusion on our privacy, but I think you might want to think more "globally" about what is coming. CIQ is just the warmup.

Starting next year ALL cellphones will have a "Special chip" (http://vigilantcitizen.com/latestnews/fema-implements-special-chip-in-ce...) that ostensibly allows the US govt to send you alert messages that will override whatever you are doing on your phone. Not only that but it is widely suspected the chip will be able to not only collect location and other info about you but it might also be used to disable your phone while driving, in "emergencies", and more. Hello Big Brother.

You might ask: why can't the US govt just use SMS to send us important messages if that is all they really wanted to do? A special chip? More going on here than meets the eye.

orlanka says:

So it's a government conspiracy to hide the fact that Transformers are real? That would explain Google changing the Nexus to Galaxy Nexus instead of Nexus Prime. Distracting the users to not think about Optimus Prime, but then how does LG and Asus get away with it? Could they be the Decepticons?

Key strokes are my only concern. I could care less about them tracking where I am or senseless other details. Most of this is already being captured between internet use, credit card (or debit) payments and a long list of other ways for marketers or governments to track your behavior. Yes, we did not get the option to opt-in or -out but I hope everyone realizes that this is just the tip of the iceberg.

phoneguy#AC says:

The issue is privacy. You can be smug about what's coming but at least be consistent.

G. O. says:

Only the newer phones will have the chip installed (obviously). Right now, you can opt out of the "regular" TSA stuff, but you always get Presidential Decrees, which is basically whatever our leader thinks is important for us to know. Like maybe his latest golf score. You'd think after playing golf 80 times this year he wouldn't suck.

rherrera30 says:

If you root your phone, chances are you can delete or disable the application. I rooted my EVO 4G with Revolutionary and used Root Explorer to find all files containing "IQ". There were about 8 or so. Then I simply added ".org" to their names. I got a complaint notice from the system... something like "current services needs this application", but I disregarded and rebooted.

After the reboot, I checked my running apps and found that IQAgent was not running. Yes!!! So far, I've not had any problems calling, sending text, connecting via 3G or WiFi, browsing, downloading new apps from the marketplace or running existing apps.

Rooting took care of this issue, but that shouldn't have to be the case. As others have pointed out, we should be given the option of accepting CIQ data capture, usage, etc.

Is it just me, or does anybody else smell "homeland security"?

Doesn't seem to be an issue here in most other countries, just in the states, and maybe, a couple of other European countries.

Keep in mind, due to the patriot act, they can pretty much do anything they want to under the protection of that act. And they don't have to tell you they're doing it.

CIQ just gives them easier access to things like sms, mails, bank accounts, etc.

old song. James Brown (GRHS)
Livin in America... dot do dit dot o ditty dot
Livin in America... dot do dit dot o ditty dot
Livin in America... owww... it feels good!

New song due to CIQ and TSA....

Livin with the Patriot Act....dot do dit dot o ditty dot
Livin with the Patriot Act....dot do dit dot o ditty dot
Livin with the Patriot Act....owww... my ass hurts!

Gator352 says:

Ya know, if this CIQ was legit, it would only send signal intensity (1xRTT, 3G, 4G) to Sprint if there is a problem with a tower so they can locate a potential problem or outage. There is NO reason fo rit to log anything other than that.

I say we all email:

dan@sprint.com

To voice our concerns about this. I have.

G. O. says: