Today in corporate denials: Carrier IQ edition

Spot the difference.

More at Boing Boing

Eurovision 2013: An American in London

The technology that links taxonomy and Star Trek

http://twitter.com/sirdiesel Jason

…Is it that AT&T is the only one familiar enough with the program to call it by its nickname “CIQ”? CONSPIRACY!
http://boingboing.net/ Rob Beschizza

REPORT: Sprint scratches behind ear, looks up and to the right, avoids eye contact, asks itself question you just asked it before answering.
http://boingboing.net/ Rob Beschizza

It is funny how weasel-worded even AT&Ts ostensibly blunt denial is. It could mean “we track every last thing you do just to improve network performance, because everything affects the network.”
- jarmstrong
  
  “In-line with” ≠ “in line with”
  . . . and even if they do mean the same thing, they both mean nothing insofar as they refer to the privacy policy, which is surely a paragon of clear concise writing.
  
  And the word “solely” comes before the word “use”, which implies that CIQ is their exclusive software data of choice. It does not mean that CIQ software data is used solely for the purpose of improving wireless network and service performance and nothing else. And, yeah, who the hell knows the methods used for said improvement?
  
  The statement isn’t even a denial. Not saying anything would have been less deceptive.
stepshep

The Sprint response just seems like a roundabout way to say what AT&T said.
- Rephlex
  
  Haha! Yeah I thought it would be more telling if it read as this:
  To be %100 clear: Carrier IQ is not* on Verizon Wireless Phones.
mappo

To be 100% clear: putting the word “not” in “quotes” is not 100% “clear”.
- http://boingboing.net/ Rob Beschizza
  
  It’s actually in asterisks, for emphasis
  - http://twitter.com/jredville James Deville
    
    Or for double the footnotes! (double the fun)
  - kibbles
    
    I don’t think so, rob. look at the vertical placement of the symbols — it’s up top, not in the middle.
beemoh

Looks more like a marathon than a Sprint to me.
William Ventura

Seriously, how many fails does it take before they boot Dan Hesse. Nextel, WiMAX, Clearwire, WiMAX, lightsquared, Clearwire, LTE. Why isn’t DanDan flipping burgers. I don’t understand guys :(
- campcamp
  
  because this is chump bait. Sprint is making a play here. they need investor support, spectrum and money. I’m not saying Sprint should be let off here. But all these carriers use a form of Carrier IQ. How else do they know if you’re tethering or not?
vonbobo

Seems like Sprint is trying to be open, where the other carriers are trying to say as little as possible and not get their foot stuck in their mouth.

Roger’s and Verizon say they don’t use Carrier IQ, but they make no other mention in regards to their own data gathering solutions.

The thing that sucks is that the consumer finds out about these things after the fact (ignore the fact that the customer signs privacy agreements agreeing to let Sprint collect “data”), and lends to the idea that something more sinister is going on.
Guest

I’m glad I went with a custom ROM. Makes me question my plans to buy an iPhone from Sprint….
http://patrick.wagstrom.net/weblog/ pridkett

Isn’t Carrier IQ on the iPhone 4? Doesn’t Verizon have millions of iPhone 4 devices on their network? Help me understand.
- nixiebunny
  
  The Verizon and AT&T iPhone 4 devices have completely different phone hardware and software in them.
  - the_engineer
    
    “Completeley Different” isn’t exactly a true statement. Also, it’s still ambiguous as to whether or not it’s on the CDMA iPhone 4 (which is an APPLE INC. phone) and Verizon just doesn’t use it (ignorance is bliss right?). Or if they’re just lying through their teeth.
    It could be said that the CDMA iPhone 4 on Verizon wireless and Sprint use exactly the same hardware and possibly even almost exactly identical software. I’m dubious that CIQ doesn’t exist on Verizon phones at all. I’m guessing it’s just that Verizon doesn’t use the technology, though i’d be happy to be proven wrong.
    - Walt French
      
      Yes, seems like hair-splitting. But the iPhone does NOT have a Verizon logo on it; it is NOT a Verizon phone.
      
      I’m amazed at this whole focus, though: I kinda think that EVERY carrier employs some sort of quality-monitoring/reporting software on their smartphone handsets. The issue shouldn’t just be with CIQ but rather, is there software which COULD, or actually HAS, violated user privacy laws, promises and social expectations?
awjt

I bet it’s because Mohammed Atta had a sprint phone.
http://twitter.com/fractos Adam Christie

After the announcement that Apple don’t support Carrier IQ anymore – this is where Apple turn around and plow all that money into making their own carrier. This is where they say that they will never perform surveillance upon their users. This is where they could completely clean up.
- http://boingboing.net/ Rob Beschizza
  
  I’ve been saying for years that Apple will eventually sell us privacy, and we’ll buy it because everyone else is too invested in taking it from us.
  - Steve Clark
    
    Ummm yeaaaa
  - http://jimbeach.net mindfu
    
    Privacy from everyone but Apple, maybe. For which Apple would certainly love to make it impossible for users to jailbreak and thus actually control their phones.
http://twitter.com/Haggis_Herring HaggisAndTheHerring

Nothing about Telus?
http://boingboing.net/ Rob Beschizza

Apple, MS and Nokia are special cases, because they have more control over the software than makers of Android phones. It looks like Windows Phone and Symbian are totally in the clear, and that Apple did not do anything nefarious with it (i.e. AT&T’s blanket denial does apply to the iPhone)
- Steve Clark
  
  Please..the fact that Apple had CarrierIQ installed on iphones certainly makes them complicit
  - CPD_1
    
    As an opt-in that you had to turn on to enable with a specific message explaining the very limited set of Carrier IQ features that were being used. Not running in the background from the moment of purchase without ever giving any hint to the user that it existed.
  - Walt French
    
    Ummm, complicit in what? Doing business with a legal entity? Allowing users to opt-in to reporting service issues quasi-automatically? Neither of those are illegal or unethical.
    
    Go ahead and look up “complicit;” it involves illegal activity. Your “obvious” smells like BS.
    
    Please.
xzzy

I must be getting old, because that text is nearly illegible.
http://www.paradea.org/notes/ Teirhan

This makes me unusually pleased to be a verizon customer.

Are they lying though? cynicism says probably.

My phone comes up clean so I’m not personally concerned (right now) though i do have a sort of general displeasure over the whole thing.
- http://profiles.google.com/josephfinn Joseph Finn
  
  Why? Carrier IQ is not on phones; Verizon doesn’t address at all the issue of whether it’s on their network.
  - Quothz
    
    They also don’t say whether similar software is on VZW phones.
plus MEDIC

How ridiculous are all of you concerned to such a degree about Carrier IQ? For the love of god, you’re using their network. How do I put emphasis on this? YOU’RE USING THEIR NETWORK. Your phone calls and text messages and photos don’t reach their end destination via magic. It’s routed over their towers. Your phone calls aren’t encrypted. Your SMS aren’t encrypted. Your photos aren’t encrypted. As they pass through their towers, they have every single bit of information, less the diagnostic information that Carrier IQ is providing them, about what you’re doing. They have the content, the time, the recipient, their replies. That information is there, and they have access to it already.
- Ambiguity
  
  How ridiculous are all of you concerned to such a degree about Carrier IQ? For the love of god, you’re using their network. How do I put emphasis on this? YOU’RE USING THEIR NETWORK.
  
  But the thing the carriers (and perhaps you) don’t understand: you’re the customer, not the product.
  
  When the carriers of the world demonstrate that they understand this (and stop selling you and your data), then we can stop worrying about things like this.
  - plus MEDIC
    
    The point of Carrier IQ is not selling your data, but network diagnostics. You’re misinformed, but that’s fine, there’s so much misinformation that gets floated around when mass outrage breaks out for stuff like this.
    
    My point was not that being concerned about your privacy is wrong, it was that only being concerned about Carrier HQ is insane. You should not expect your communications via cellular network to be private.
    - http://twitter.com/muddi900 muddi900
      
      That is the most idiotic response. “I knows more tha u LOL!”
      
      CarrierIQ logs information that does not use the carrier networks, it logs info that goes through Wifi, and actions done offline and information that is encrypted like SSL passwords. It is logging stuff that you are doing on *your* phone not one *their* network.
      - Dan Woods
        
        As far as the carriers are concerned, until you finish your contract, the Hardware still belongs to them, even if you use it on your own, or a competitors network.
        Therefore, they feel that they are entitled to know exactly what you are doing with their device.
        
        A Device-Server SSL connection also reduces how much they can compress the data in their network.
      - plus MEDIC
        
        I doubt you’ll come back to read this, but just in case:
        
        I’m not trying to be condescending. People have their areas of expertise, this Carrier IQ thing intersects with part of mine. All I’m trying to do is counteract what I feel is misinformation.
        
        The main video going around being cited about keystrokes being logged is by Eckhart. His video is of an HTC phone and an insecure log file. This issue actually lies on the shoulders of HTC, who produced a sloppy implementation. That file is being populated by the operating system, not by Carrier IQ. It’s a log of all the API calls being made in the OS, the most glaringly horrible of which Carrier IQ is not concerned with. All the outrage directed at CIQ should be at HTC for writing these debug logs in the first place, but also for doing so insecurely.
        
        Other independent analysis of the CIQ software has since shown that the majority of sensitive information on your phone is not being relayed. One thing that is correct is that it’s logging URLs and I completely agree with people having a problem with that. However, user names and passwords and the like are not being sent. The actual content of HTTP or HTTPS (SSL) connections is not being sent either.
        
        So really _most_ of the information being relayed by Carrier IQ is diagnostic and related to network quality, which can be used for improving cellular reception and diagnosing dropped calls.
- heavyboots
  
  Um… not ridiculous at all?
  
  If I make a secure http connection—even OVER THEIR NETWORK (as you say)—I shouldn’t have to worry about whether the data is being logged clandestinely in plaintext on my phone and forwarded at a later point to a third party.
- http://twitter.com/noodles daniel g.
  
  The Communications Act of 1934, the Supreme Court case “Katz v. United States”, and the Electronic Communications Privacy Act (even after being weakened by the USA PATRIOT act) are all very clear that if there is a reasonable expectation of privacy*, communication is protected by the Fourth Amendment of the Constitution and that the carrier has absolutely NO RIGHT to intercept it–regardless of encryption.
  
  *Reasonable expectation of privacy is defined in Katz v. United States to apply under the conditions “first that a person have exhibited an actual (subjective) expectation of privacy and, second, that the expectation be one that society is prepared to recognize as “reasonable.”
  - http://twitter.com/effablecomm Steven E. Sergeant
    
    On the other hand, the law is not settled on the privacy of radio communications. (Citation missing, too hard to find from my phone’s browser.) And in fact, many would argue that we have an inherent right to sense and process (including decode or decrypt) any radio frequency energy that passes through our property or personal space. Of course, that’s somewhat tangental for what that means for a radio telephony carrier.
  - plus MEDIC
    
    I think you should get the head of AT&T on the line and let them know their wiretapping gig with the NSA is illegal…
    
    I’m being facetious but my point is that you don’t base your security decisions on the law.
http://halfbakedmaker.org Robert Baruch

Here’s an interesting data point somewhat related to this.

I heard a story on NPR a few weeks ago talking about the voicemail hacking scandal. They found that hacking could easily be done by paying a small fee to a company which will change your caller ID for you. Then you hit the voicemail star-code. Because you now have the caller ID of the target’s cell phone, the voicemail system thinks you’re the target. NPR found that AT&T and Sprint give you the option of not requiring a PIN when you call voicemail from your own phone! I wasn’t clear if that was opt-in or opt-out, but what was that statement from Bruce Schneier that user security should neither be opt-in nor opt-out?. Verizon and T-Mobile require a PIN regardless (i.e. security not optional). This is what made voicemail hacking so easy.
So I wasn’t at all surprised to see Sprint’s and AT&T’s response.(Source: http://www.npr.org/2011/07/19/138519976/how-to-protect-your-voicemail)
- Ambiguity
  
  Verizon and T-Mobile require a PIN regardless (i.e. security not optional).
  
  Huh?
  
  My work phone is a Blackberry on T-Mobile, and it most certainly does not require a PIN.
- flosofl
  
  That’s weird. My iPhone on ATT most definitely requires my voice mail PIN (it caches it) before Visual Voice Mail can be set up. I’ve had to re-enter it the few times I’ve had to do a restore on it.
- Walt French
  
  Thanks; I always wondered how it had been done so easily by ordinary PIs. Makes me wonder also how seriously we REALLY care about privacy when such an obvious loophole has gone unclosed for years; people seem more interested in the scandal of CIQ.
  
  And, of course, in the deeply unethical behavior of News Corp employees. Still, no sensible responses?
http://profiles.google.com/josephfinn Joseph Finn

One is a slightly longer way of saying absolutely nothing?
http://www.nathanhornby.com/ Nathan Hornby

Got it anywhere in a format I can read?
Lobster

One of these things is not like the other…
pgt

I’ve looked at the video. I’ve done a lot of phone programming, including on Android. There is no question that the CIQ app can see everything the user does. I think it’s evil to put a piece of SW like this on someone’s phone, and not give them control over it, or the ability to opt out and remove it.

That said, I haven’t seen any evidence that the raw data is being either logged, or sent to CarrierIQ, the carriers, or third parties. Until we know what actually gets sent, I’m going to hold off on calling for heads to roll. This may be another hacked waterpump story. There is a legitimate desire by the carriers to know under what circumstances the users are having problems, and a lot of that can be done by an app like this without compromising privacy.

I don’t trust phone companies one inch, but I want to be fair.

PGT
- flosofl
  
  You know I’m all about ganging up on massive privacy violations. But I’m kind of in pgt’s boat here. I’ve seen the device logs, but I’d like to see the network pcaps to see what is actually transmitted. The reaction is similar to the caching of location data on the iPhone that was discovered some months ago. If the data is gathered on a device I have in my possession but never sent from it (at least the personally identifying stuff like passwords, bank data, etc…)I’m still annoyed, but not as pissed as if it was sucking my data down the network with a big old straw.
  
  I’m not saying it is or isn’t happening. But I’d really like to see some evidence if it is.
  - Derek Young
    
    You two are being way too rational. Any discussion that involves cell phones is more like religion than any serious public debate.
http://twitter.com/Flesh_of_Sadie Flesh of Sadie

Cannot read small text on graphics. Browser zoom poor substitute for actual text.
https://twitter.com/misterjayem MrJM

Anyone know if the Sprint phones used by Credo Mobile have this malware?
Dana Shetterly

Deny this…
Carrier IQ’s own marketing claims undercut its defense
http://www.pcadvisor.co.uk/news/mobile-phone/3322625/carrier-iqs-own-marketing-claims-undercut-its-defense/
pwandz

The lady dost protest too much, methinks.
Morkl

To be *clear*, publish text as text instead of low resolution image. Pretty please.
http://www.jimdraws.com Thorzdad

It’s a very limited version, and apparently doesn’t do anything with the limited data it collects. And it can be easily disabled by the owner in the System Preferences.
http://bradhicks.livejournal.com/ J. Brad Hicks

OK, I’m clearly crazy. Because I actually find the Sprint statement to be more useful. The Verizon statement gets points for being simple and blunt about CIQ, but it doesn’t say whether or not they run any other software that does the same thing. The Rogers statement is a clumsier way to say the same thing as the Verizon one. The AT&T one refers you to I can’t even count how many pages of legalese that, so far as I can tell, says, “We do whatever we want. Suck it up and deal.” Only the Sprint statement acknowledges that they, like everybody else, monitor handset and network performance, that they use CIQ to do this, and they’re nicely specific about what info CIQ does and doesn’t send them.

Of course, none of the four are saying this under oath, and therefore you’d have to be a total idiot to believe any of them in today’s caveat emptor ethics-free business environment. But at least Sprint addresses the subject in detail.
librtee_dot_com

According to the EFF, Sprint was sent 8 MILLION requests for user GPS data by law enforcement. That’s just in 2010. That’s just Sprint. That’s jsut GPS data. WTF. The less they track, the better….
joshetanner

Your site is a real fail… Mobile site will not let u zoom, which makes the comparison above unreadable. Clicking “full site” took me to your home page and not the desktop version of the article…

Disappointing for a tech blog… I expect it from my weird uncle’s weblog.
shinratdr

Can we get a lower res, crappier image of text please? This is way too easy to read, I prefer a challenge.
http://twitter.com/dougscripts dougscripts

What software _does_ Verizon use then?
http://profiles.google.com/pemrob Robert Pemberton

Rooted my phone and flashed CyanogenMod on my Sprint HTC Evo 4G this afternoon. So far it’s running smoother and it’s eating less of the battery. I’m really glad I did.