Today in corporate denials: Carrier IQ edition

Spot the difference.


  1. It is funny how weasel-worded even AT&T’s ostensibly blunt denial is. It could mean “we track every last thing you do just to improve network performance, because everything affects the network.”

    1. “In-line with” ≠ “in line with”
       . . . and even if they do mean the same thing, they both mean nothing insofar as they refer to the privacy policy, which is surely a paragon of clear concise writing.

      And the word “solely” comes before the word “use”, which implies that CIQ is their exclusive software data of choice.  It does not mean that CIQ software data is used solely for the purpose of improving wireless network and service performance and nothing else.  And, yeah, who the hell knows the methods used for said improvement?

      The statement isn’t even a denial.  Not saying anything would have been less deceptive.

    1. Haha! Yeah I thought it would be more telling if it read as this:
      To be %100 clear: Carrier IQ is not* on Verizon Wireless Phones.

      1. I don’t think so, rob. look at the vertical placement of the symbols — it’s up top, not in the middle.

  2. Seriously, how many fails does it take before they boot Dan Hesse. Nextel, WiMAX, Clearwire, WiMAX, lightsquared, Clearwire, LTE.  Why isn’t DanDan flipping burgers. I don’t understand guys :(

    1. because this is chump bait.  Sprint is making a play here. they need investor support, spectrum and money. I’m not saying Sprint should be let off here. But all these carriers use a form of Carrier IQ. How else do they know if you’re tethering or not?

  3. Seems like Sprint is trying to be open, where the other carriers are trying to say as little as possible and not get their foot stuck in their mouth.
    Rogers and Verizon say they don’t use Carrier IQ, but they make no other mention in regards to their own data gathering solutions.
    The thing that sucks is that the consumer finds out about these things after the fact (ignore the fact that the customer signs privacy agreements agreeing to let Sprint collect “data”), and lends to the idea that something more sinister is going on.

      1. “Completely Different” isn’t exactly a true statement. Also, it’s still ambiguous as to whether or not it’s on the CDMA iPhone 4 (which is an APPLE INC. phone) and Verizon just doesn’t use it (ignorance is bliss right?). Or if they’re just lying through their teeth.
        It could be said that the CDMA iPhone 4 on Verizon wireless and Sprint use exactly the same hardware and possibly even almost exactly identical software.  I’m dubious that CIQ doesn’t exist on Verizon phones at all. I’m guessing it’s just that Verizon doesn’t use the technology, though I’d be happy to be proven wrong.

        1. Yes, seems like hair-splitting. But the iPhone does NOT have a Verizon logo on it; it is NOT a Verizon phone.

          I’m amazed at this whole focus, though: I kinda think that EVERY carrier employs some sort of quality-monitoring/reporting software on their smartphone handsets. The issue shouldn’t just be with CIQ but rather, is there software which COULD, or actually HAS, violated user privacy laws, promises and social expectations?

  4. After the announcement that Apple don’t support Carrier IQ anymore – this is where Apple turn around and plow all that money into making their own carrier. This is where they say that they will never perform surveillance upon their users. This is where they could completely clean up.

      1. Privacy from everyone but Apple, maybe. For which Apple would certainly love to make it impossible for users to jailbreak and thus actually control their phones.

  5. Apple, MS and Nokia are special cases, because they have more control over the software than makers of Android phones. It looks like Windows Phone and Symbian are totally in the clear, and that Apple did not do anything nefarious with it (i.e. AT&T’s blanket denial does apply to the iPhone) 

      1. As an opt-in that you had to turn on to enable with a specific message explaining the very limited set of Carrier IQ features that were being used. Not running in the background from the moment of purchase without ever giving any hint to the user that it existed.

      2. Ummm, complicit in what? Doing business with a legal entity? Allowing users to opt-in to reporting service issues quasi-automatically? Neither of those are illegal or unethical.

        Go ahead and look up “complicit;” it involves illegal activity. Your “obvious” smells like BS.


  6. This makes me unusually pleased to be a verizon customer.

    Are they lying though?  cynicism says probably.

    My phone comes up clean so I’m not personally concerned (right now) though i do have a sort of general displeasure over the whole thing.

  7. How ridiculous are all of you concerned to such a degree about Carrier IQ? For the love of god, you’re using their network. How do I put emphasis on this? YOU’RE USING THEIR NETWORK. Your phone calls and text messages and photos don’t reach their end destination via magic. It’s routed over their towers. Your phone calls aren’t encrypted. Your SMS aren’t encrypted. Your photos aren’t encrypted. As they pass through their towers, they have every single bit of information, less the diagnostic information that Carrier IQ is providing them, about what you’re doing. They have the content, the time, the recipient, their replies. That information is there, and they have access to it already.

    1. How ridiculous are all of you concerned to such a degree about Carrier IQ? For the love of god, you’re using their network. How do I put emphasis on this? YOU’RE USING THEIR NETWORK.

      But the thing the carriers (and perhaps you) don’t understand: you’re the customer, not the product.

      When the carriers of the world demonstrate that they understand this (and stop selling you and your data), then we can stop worrying about things like this.

      1. The point of Carrier IQ is not selling your data, but network diagnostics. You’re misinformed, but that’s fine, there’s so much misinformation that gets floated around when mass outrage breaks out for stuff like this. 

        My point was not that being concerned about your privacy is wrong, it was that only being concerned about Carrier IQ is insane. You should not expect your communications via cellular network to be private.

        1. That is the most idiotic response. “I knows more tha u LOL!”

          CarrierIQ logs information that does not use the carrier networks, it logs info that goes through Wifi, and actions done offline and information that is encrypted like SSL passwords. It is logging stuff that you are doing on *your* phone not on *their* network.

          1. As far as the carriers are concerned, until you finish your contract, the Hardware still belongs to them, even if you use it on your own, or a competitor’s network.
            Therefore, they feel that they are entitled to know exactly what you are doing with their device.

            A Device-Server SSL connection also reduces how much they can compress the data in their network.

          2. I doubt you’ll come back to read this, but just in case:

            I’m not trying to be condescending. People have their areas of expertise, this Carrier IQ thing intersects with part of mine. All I’m trying to do is counteract what I feel is misinformation.

            The main video going around being cited about keystrokes being logged is by Eckhart. His video is of an HTC phone and an insecure log file. This issue actually lies on the shoulders of HTC, who produced a sloppy implementation. That file is being populated by the operating system, not by Carrier IQ. It’s a log of all the API calls being made in the OS, the most glaringly horrible of which Carrier IQ is not concerned with. All the outrage directed at CIQ should be at HTC for writing these debug logs in the first place, but also for doing so insecurely.

            Other independent analysis of the CIQ software has since shown that the majority of sensitive information on your phone is not being relayed. One thing that is correct is that it’s logging URLs and I completely agree with people having a problem with that. However, user names and passwords and the like are not being sent. The actual content of HTTP or HTTPS (SSL) connections is not being sent either.

            So really _most_ of the information being relayed by Carrier IQ is diagnostic and related to network quality, which can be used for improving cellular reception and diagnosing dropped calls.

    2. Um… not ridiculous at all?

      If I make a secure http connection—even OVER THEIR NETWORK (as you say)—I shouldn’t have to worry about whether the data is being logged clandestinely in plaintext on my phone and forwarded at a later point to a third party.

    3. The Communications Act of 1934, the Supreme Court case “Katz v. United States”, and the Electronic Communications Privacy Act (even after being weakened by the USA PATRIOT act) are all very clear that if there is a reasonable expectation of privacy*, communication is protected by the Fourth Amendment of the Constitution and that the carrier has absolutely NO RIGHT to intercept it–regardless of encryption. 

      *Reasonable expectation of privacy is defined in Katz v. United States to apply under the conditions “first that a person have exhibited an actual (subjective) expectation of privacy and, second, that the expectation be one that society is prepared to recognize as ‘reasonable.’”

      1. On the other hand, the law is not settled on the privacy of radio communications. (Citation missing, too hard to find from my phone’s browser.) And in fact, many would argue that we have an inherent right to sense and process (including decode or decrypt) any radio frequency energy that passes through our property or personal space. Of course, that’s somewhat tangential for what that means for a radio telephony carrier.

      2. I think you should get the head of AT&T on the line and let them know their wiretapping gig with the NSA is illegal…

        I’m being facetious but my point is that you don’t base your security decisions on the law.

  8. Here’s an interesting data point somewhat related to this. 

    I heard a story on NPR a few weeks ago talking about the voicemail hacking scandal. They found that hacking could easily be done by paying a small fee to a company which will change your caller ID for you. Then you hit the voicemail star-code. Because you now have the caller ID of the target’s cell phone, the voicemail system thinks you’re the target. NPR found that AT&T and Sprint give you the option of not requiring a PIN when you call voicemail from your own phone! I wasn’t clear if that was opt-in or opt-out, but what was that statement from Bruce Schneier that user security should neither be opt-in nor opt-out? Verizon and T-Mobile require a PIN regardless (i.e. security not optional). This is what made voicemail hacking so easy.
    So I wasn’t at all surprised to see Sprint’s and AT&T’s response. (Source:

    1. Verizon and T-Mobile require a PIN regardless (i.e. security not optional).


      My work phone is a Blackberry on T-Mobile, and it most certainly does not require a PIN.

    2. That’s weird. My iPhone on ATT most definitely requires my voice mail PIN (it caches it) before Visual Voice Mail can be set up. I’ve had to re-enter it the few times I’ve had to do a restore on it.

    3. Thanks; I always wondered how it had been done so easily by ordinary PIs. Makes me wonder also how seriously we REALLY care about privacy when such an obvious loophole has gone unclosed for years; people seem more interested in the scandal of CIQ.

      And, of course, in the deeply unethical behavior of News Corp employees. Still, no sensible responses?

  9. I’ve looked at the video. I’ve done a lot of phone programming, including on Android. There is no question that the CIQ app can see everything the user does. I think it’s evil to put a piece of SW like this on someone’s phone, and not give them control over it, or the ability to opt out and remove it.

    That said, I haven’t seen any evidence that the raw data is being either logged, or sent to CarrierIQ, the carriers, or third parties. Until we know what actually gets sent, I’m going to hold off on calling for heads to roll. This may be another hacked waterpump story. There is a legitimate desire by the carriers to know under what circumstances the users are having problems, and a lot of that can be done by an app like this without compromising privacy.

    I don’t trust phone companies one inch, but I want to be fair.


    1. You know I’m all about ganging up on massive privacy violations. But I’m kind of in pgt’s boat here. I’ve seen the device logs, but I’d like to see the network pcaps to see what is actually transmitted. The reaction is similar to the caching of location data on the iPhone that was discovered some months ago. If the data is gathered on a device I have in my possession but never sent from it (at least the personally identifying stuff like passwords, bank data, etc…) I’m still annoyed, but not as pissed as if it was sucking my data down the network with a big old straw.

      I’m not saying it is or isn’t happening. But I’d really like to see some evidence if it is.

      1. You two are being way too rational. Any discussion that involves cell phones is more like religion than any serious public debate.

  10. It’s a very limited version, and apparently doesn’t do anything with the limited data it collects. And it can be easily disabled by the owner in the System Preferences.

  11. OK, I’m clearly crazy. Because I actually find the Sprint statement to be more useful. The Verizon statement gets points for being simple and blunt about CIQ, but it doesn’t say whether or not they run any other software that does the same thing. The Rogers statement is a clumsier way to say the same thing as the Verizon one. The AT&T one refers you to I can’t even count how many pages of legalese that, so far as I can tell, says, “We do whatever we want. Suck it up and deal.” Only the Sprint statement acknowledges that they, like everybody else, monitor handset and network performance, that they use CIQ to do this, and they’re nicely specific about what info CIQ does and doesn’t send them.

    Of course, none of the four are saying this under oath, and therefore you’d have to be a total idiot to believe any of them in today’s caveat emptor ethics-free business environment. But at least Sprint addresses the subject in detail.

  12. According to the EFF, Sprint was sent 8 MILLION requests for user GPS data by law enforcement. That’s just in 2010. That’s just Sprint. That’s just GPS data. WTF. The less they track, the better….

  13. Your site is a real fail… Mobile site will not let u zoom, which makes the comparison above unreadable. Clicking “full site” took me to your home page and not the desktop version of the article…

    Disappointing for a tech blog… I expect it from my weird uncle’s weblog.

  14. Can we get a lower res, crappier image of text please? This is way too easy to read, I prefer a challenge.

  15. Rooted my phone and flashed CyanogenMod on my Sprint HTC Evo 4G this afternoon. So far it’s running smoother and it’s eating less of the battery.  I’m really glad I did.
