

Carrier IQ references discovered in Apple's iOS - acak
http://www.theverge.com/2011/11/30/2601875/carrier-iq-references-discovered-apple-ios-iphone

======
Kylekramer
Companies love data. Every last one of them, from your local grocery store
to Apple. Love it, want as much of it as possible. Heck, most of the major
publicized features of iOS 5 put your data on Apple's servers (iMessage: your
texts and MMS; Siri: pretty much everything including searches, calendars,
and email; iCloud: it is called iCloud).

Long and short of it is that if you want privacy beyond "I'm boring, so no one
cares", a device that holds pretty much every important bit of info about you
made by large corporations that is nearly always connected to the internet via
carriers isn't really for you.

~~~
Samuel_Michon
If you are not paying for it, you're not the customer; you're the product
being sold. That's why I don't use Gmail. When I pay for cloud services (like
MobileMe, now iCloud) I feel more confident that my personal information isn't
analyzed, sold, and used to manipulate me. Apple doesn't need to sell my data
to profit from me.

I value my privacy but I'm not Richard Stallman. I carry a cell phone, so
there's a chance I'm being tracked. I like viewing web sites in a graphical
web browser (not Chrome) -- it has JavaScript permanently turned on, I accept
some cookies, and I find the geolocation service convenient. I understand I'm
giving up some privacy by doing all that.

~~~
Xuzz
Okay, so you say "not Chrome". You realize that Chrome is pretty completely
open source and does _not_ send browsing history back to Google?

~~~
molesy
_Chromium_ is open source. Chrome is mostly open source. Both send a
significant amount of data to either Google or your default search provider by
default unless you tell them not to. I primarily use Chromium and I've been
through the process of disabling all of its reporting several times - it seems
to get easier over time, though following the code that might call out gets
significantly more difficult.

I currently have my default search provider set to Bing because I hate
searching from the navigation bar anyways and it _really_ annoys me that
there's no way to turn it off. I suppose that's the price I pay for using a
browser built by a search engine.

I fondly remember the days when Michael Arrington was some corporate puke
working for RealNames, a search-from-the-URL-bar concept that everyone outside
of RealNames and Microsoft hated. Literally. Everyone.

Google made Mozilla profitable by paying them to be the default search engine.
The moment they figured out that worked was probably the last moment browsing
was safe anywhere - and the last moment being a Mozilla employee was safe as a
long term goal for anyone, oddly enough.

~~~
mda
Chrome is Chromium; the only difference is branding and dynamically linked
plugins (PDF, Flash), which you can disable from about:plugins or delete, and then
you have an identical binary to Chromium.

<http://news.ycombinator.com/item?id=3034628>

Also, if you want to change any privacy settings, go to Preferences -> Under the
Hood -> Privacy, that's it. You don't have to change your search engine.

~~~
Xurinos
This is partially true.

At one point I was trying to figure out how much I would enjoy Chrome, and one
test I do with my applications is to have tcpdump in the background running
while I run them. Whenever I went to any site, internal, external, or
whatever, Chrome phones home to specific google sites. I think the published
reason has to do with faster DNS lookups, but when I looked the sites up, they
seemed attached to ad-related services. I searched around and could not find
any setting to disable this feature. No, "Preferences > Under the Hood >
Privacy" has nothing for disabling this feature. I think this phoning home was
still there for Incognito mode, but time has left my memory fuzzy on that
detail; Incognito mode is useless if you want to actually use cookies to
maintain some session anyway, and why should I tell google about what accounts
I hold across the net?

For the wiseguy who picks up on that last comment, my preference is Firefox
with NoScript, AdBlock, and a disinclination for downloading sex.exe, so no,
the common tracking systems do not know much about me. However, my ISP is
quite familiar with my habits.

Someone recommended to me Chromium, claiming that it was stripped of this
nonsense. So I tried that. Chromium did not phone home in my tests. It also
lacked a few nice features that Chrome had, as if it were at least a version
behind; I cannot remember what they were, only that at that point, I was sick
of the hassle and ditched both pieces of software.

If you are concerned about apps phoning home, just run
tcpdump/wireshark/whatever and watch. The extra paranoid will route their
connections through a box with these tools.

My tests were within two months ago, so I feel the claim is pretty relevant.
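
The check described in the comment above (leave tcpdump running while the application is used, then look at what it contacted) can be partly automated. This Python sketch is an added example, not part of the original thread: it parses the text output of `tcpdump -n port 53` and counts DNS lookups that fall outside the domains you deliberately visited. The capture lines, addresses and domain names are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample of `tcpdump -n port 53` text output (not a real capture).
SAMPLE_CAPTURE = """\
14:02:11.120001 IP 192.0.2.10.51514 > 192.0.2.1.53: 4660+ A? intranet.corp.example. (39)
14:02:11.130001 IP 192.0.2.1.53 > 192.0.2.10.51514: 4660 1/0/0 A 198.51.100.7 (55)
14:02:11.140001 IP 192.0.2.10.51515 > 192.0.2.1.53: 4661+ A? telemetry.vendor.example. (42)
14:02:11.150001 IP 192.0.2.10.51516 > 192.0.2.1.53: 4662+ [1au] AAAA? Intranet.Corp.Example. (50)
14:02:12.000001 IP 192.0.2.10.51600 > 198.51.100.7.443: Flags [S], seq 1, win 65535, length 0
14:02:15.200001 IP 192.0.2.10.51517 > 192.0.2.1.53: 4663+ A? telemetry.vendor.example. (42)
""".splitlines()

# Matches only outbound queries: destination port 53 and a "TYPE? name." field.
QUERY_RE = re.compile(
    r"^(?P<ts>\S+) IP6? (?P<src>\S+)\.\d+ > \S+\.53: "
    r"\d+[+%]* (?:\[[^\]]*\] )?(?P<qtype>[A-Z]+)\? (?P<name>\S+?)\.? \("
)


def parse_dns_queries(lines):
    """Return (timestamp, client_ip, qtype, name) for each DNS query line."""
    queries = []
    for line in lines:
        m = QUERY_RE.match(line)
        if m:  # responses and non-DNS traffic do not match and are skipped
            queries.append((m["ts"], m["src"], m["qtype"], m["name"].lower()))
    return queries


def is_under(name, suffix):
    """True if name is the suffix itself or a subdomain of it."""
    return name == suffix or name.endswith("." + suffix)


def unexpected_lookups(lines, expected_suffixes):
    """Count queried names that are not under any domain the user visited."""
    counts = Counter()
    for _ts, _src, _qtype, name in parse_dns_queries(lines):
        if not any(is_under(name, s) for s in expected_suffixes):
            counts[name] += 1
    return counts


if __name__ == "__main__":
    # The only site visited on purpose during the constructed capture.
    visited = {"corp.example"}
    for name, n in unexpected_lookups(SAMPLE_CAPTURE, visited).most_common():
        print(f"{n:3d}  {name}")
```

A DNS-only view misses connections made to literal IP addresses and names answered from a local cache, so an empty result here does not prove an application is silent.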

~~~
mda
Sorry but your comment is just hand waving. Can you give a specific example of
those ad related sites Google "phones" whenever you go to any site on a
vanilla Chrome installation?

------
gurkendoktor
When I upgraded to iOS5, I was asked if I wanted to help Apple by
automatically sending anonymous usage data. Doesn't this sound like _exactly_
what CarrierIQ would be doing? If this is really what it is, then this is a
total non-issue on iOS.

See here (for those not on iOS5):
<http://www.youtube.com/watch?v=oxBsKO2lJQk#t=42s>

But if this _is_ CarrierIQ working there, then it means it's also being used
in Europe. And it probably also means that the media will get in an iOS vs
Android fight again instead of highlighting the issue. And FWIW, it surprises
me much more that RIM would do crap like that.

------
doe88
Here are the results of the current investigations made by @chpwn
<http://blog.chpwn.com/post/13572216737>

I'm an iOS user and I'm concerned by this. I know that maybe these data are
not sent to any remote server or maybe it depends on the carrier, but still
I'm concerned that Apple would integrate a third party binary on its system.
That's plain wrong for me. I want them to tell us what their phone collects,
what their phone sends to remote servers and for what uses. It is a matter of
trust, trust is hard to gain and easy to lose and I think that Apple should
handle this asset with great care.

~~~
Anechoic
_still I'm concerned that Apple would integrate a third party binary on its
system_

Really? Based on the "Legal" section of my 3rd gen iPod touch, there appears
to be a bunch of third-party binaries integrated into iOS.

~~~
doe88
I didn't say third party _code_ but third party _binary_. That's not the same
thing; there are plenty of third party libraries used in iOS indeed. But you
must recognize that it's highly unusual for Apple to bundle third party software
in iOS, and even more so when the type of software is by nature highly risky and
highly controversial, as logging/tracking software is.

~~~
lloeki
Why 3rd party? It might just as well be implemented by Apple currently, and
using CarrierIQ as a service.

------
jritch
Apple would like your help to improve the quality and performance of its
products and services. Your device can automatically collect diagnostic and
usage information and send it to Apple for analysis — but only with your
explicit consent.

Diagnostic and usage information may include details about hardware and
operating system specifications, performance statistics, and data about how
you use your device and applications. None of the collected information
identifies you personally. Personal data is either not logged at all or is
removed from any reports before they’re sent to Apple. You can review the
information by going to Settings, tapping General, tapping About and looking
under Diagnostics & Usage.

If you have consented to provide Apple with this information, and you have
Location Services turned on, the location of your device may also be sent to
help Apple analyze wireless or cellular performance issues (for example, the
strength or weakness of a cellular signal in a particular location). This
diagnostic location data may include the location of your device once per day,
or the location where a call ends. You may choose to turn off Location
Services for Diagnostics at any time. To do so, open Settings, tap Location
Services, tap System Services and turn off the Diagnostics switch.

You may also choose to turn off Diagnostics altogether. To do so, open
Settings, tap General, tap About and choose “Don’t Send” under Diagnostics &
Usage.

To help Apple’s partners and third-party developers improve their apps,
products and services designed for use with Apple products, Apple may provide
such partners or developers with a subset of diagnostic information that is
relevant to that partner’s or developer’s app, product or service, as long as
the diagnostic information is aggregated or in a form that does not personally
identify you.

For more information, see Apple’s Privacy Policy at www.apple.com/privacy

~~~
quadhome
Sweet copy paste.

~~~
jritch
Hahah, was simply. Opt and pasted from my iPhone to show ppl ;). (I get
seriously bored in work)

------
X-Istence
I wish we could get straight answers from Apple, HTC, Nokia, Samsung and
others as to whether this tracking technology is located within devices they
are selling, on what carriers and what is happening with the data, what is
logged, where is it logged, what it shipped from the device up to remote
servers, and exactly how is that data being used?

~~~
omouse
Who cares! It's time for a free/opensource firmware and operating system you
can flash into the ROM of _any_ and _all_ phones. The phone manufacturers, the
software makers and the carriers have proven hostile to consumers, there's no
reason for them to be allowed to control things any more.

------
epistasis
Perhaps now this story will get the media storm it deserves.

~~~
leoc
I'm happy to assume that iOS's Carrier IQ, er, integration is much less
comprehensive than what has been put into Android handsets, and may never have
been activated at all. Nonetheless I can't resist pointing at
<http://daringfireball.net/linked/2011/11/30/imagine-if-it-were-apple>
and muttering something about seafood stew.

UPDATE: And _if_ Apple's Carrier IQ code is only ever activated in an opt-in
diagnostics mode, then it may be in the clear completely here.

------
brisance
Apparently some folks on androidcentral picked it up a little more than a year
ago.
<http://forums.androidcentral.com/sprint-optimus-s/45729-ever-wondered-what-iqagent.html>

------
mey
Has anyone compiled a list of devices confirmed with CIQ, confirmed not to
have, unknown and suspected?

~~~
gurkendoktor
It is not device, it is device-per-carrier. If the same device models _had_
been sold with silently activated CarrierIQ in the EU, that would be a lot of
fun for lawyers.

------
rytis
Just another angle to approach the problem:

I suppose one way to fight this is to develop some sort of "multiple
personalities" behaviour and habits.

There's "normal A" me, who goes to work every day, using the same route,
checking the same webpages on route, doing the same web searches while at
work, sending the same type of messages on IM during the day, etc, etc.

Then there's another me, "normal B", with his own habits and hobbies. But
normal A and normal B should not overlap in terms of devices, friends, maybe
even (online) behaviour. Location is bit more difficult, especially when
you're at home. Home should be associated with only one "persona".

Once you make a conscious effort it might become easier with time, and thus
hiding your real "identity".

Drawbacks?... Well, sounds bit like DID
(<http://en.wikipedia.org/wiki/Dissociative_identity_disorder>), so don't get
caught accidentally :)

~~~
Tyrannosaurs
Alternatively you can just use this sort of mechanism to screw with them.

How many people can we get to take out some sort of loyalty card which tracks
your behaviour and then use it to buy only root vegetables and lube?

------
OoTheNigerian
Why is Carrier IQ being made the villain here? From what I understand, they
provide a service which has been abused by the _phone manufacturers_ probably
in conjunction with the carriers.

Logitech makes web-cams, would you hold them responsible if you found them
hidden in hotel rooms and they were put there based on request by the CIA?

Let us hold the right people responsible. That will mean Apple, HTC, Samsung,
RIM etc.

~~~
hsshah
It's not a proper comparison. Using your analogy, Logitech should be held more
liable if the video streams from the webcams were uploaded to Logitech's
server. Would you agree?

~~~
OoTheNigerian
It is a proper comparison but not complete. Your server addition completes it.

I would direct my anger at the hotel who I have a contract and relationship
with.

------
tlear
Anyone seen any specifics about CIQ on blackberry? I hear reference to it in
the original Eckhart video but can not seem to find real data

------
aheilbut
Surely whatever this is tracking is covered under the contracts with the
carriers. _Someone_ must have read them...

------
justinweiss
If you're interested, you can see the data the iPhone has collected so far --
Go to Settings -> General -> About -> Diagnostics -> Diagnostic & Usage Data.

------
Samuel_Michon
Wow. That leaves Windows Phone and Bada as the only mobile OSes where no
Carrier IQ references have been found so far.

~~~
cryptoz
Kind of. It's not been found in the actual Android operating system, has it?
Only in carrier- or manufacturer-modified versions correct?

~~~
shareme
Correct, which means that the carrier, AT&T, originally made it part of its
deal with Apple.

~~~
magic_haze
And most probably, Microsoft as well: there has been no evidence to the
contrary yet.

~~~
Athtar
Given that carriers are only limited to 5 apps and can't make any changes to
the Windows Phone OS, I would doubt that there are any Windows Phone devices
with Carrier IQ.

~~~
cryptoz
I thought carriers were limited to 0 apps and couldn't make changes to iOS.
However, that appears to be completely incorrect. Windows Phone may be safe or
it may not be. But the argument that carriers couldn't touch WP7 doesn't hold
any water given what seems to be happening with iOS.

~~~
Synaesthesia
> But the argument that carriers couldn't touch WP7 doesn't hold any water
> given what seems to be happening with iOS.

That argument was exploded in the whole WP7 update catastrophe earlier this
year. Carriers blocked the WP7 updates.

------
mikerg87
I will give the benefit of the doubt to Apple right now. Remember that Steve was
talking about iAd and one of the benefits was that they hated how personal
data was just taken from users. And privacy was a problem in Apple's link up to
Facebook which didn't happen.

If it's active - it's going to leave a huge huge mark.

------
kumarm
Will Fortune pay losses for (non-Apple) smartphone manufacturers for costing
them sales now?

<http://tech.fortune.cnn.com/2011/11/30/extremetech-carrier-iq-gate-is-best-reason-to-buy-an-iphone/>

------
berend
What I wonder is, who gets the data? Is it the carrier or Apple?

------
alantrrs
Uhmm... this sounds more and more like a Carnivore reloaded

------
nirvana
Several issues with this story:

1. The reference is found in a 2 year old version of iOS.

2. "IQAgent" sounds like things Apple could name, e.g.: I've seen no evidence
that this has anything to do with CarrierIQ. There's been no disassembly
(unless I missed it) so it quite possibly could simply be the fact that at one
point Apple used the two letters "IQ" in an obscure file.

3. People watch the data iPhones transmit pretty closely, I know I have on
occasion watched iOS devices talking to the cloud. If "every keystroke, every
SMS" were being logged, I'd think people would have more than just a filename
to go on.

4. As mentioned it seems this file is not used outside of diagnostic mode,
which makes this much ado about nothing at this point.

I think it's fine to be suspicious, but these things really should be
approached with some objective detachment until actual transmission of user
data that shouldn't happen is uncovered.

I don't know how many of the points above apply to the "indications" in
android as well, but I think we should have more neutral, unemotional, and
detached coverage of it as well.

I think spying on people is bad, and I think that Americans are spied on more
today than ever before. I think that's also why we have to be really careful
about reporting it.

Edit: Deleted a digression that pointed out that the government is including
language in recent legislation that allows them to collect data about us that
previously would have been illegal. This was a distraction from my main point.

~~~
runjake
The article was updated to include iOS 5 long before you made this comment, by
at least 1.5 hours.

It's Carrier IQ stuff. See chpwn's frequently updating blog post at:
<http://blog.chpwn.com/post/13572216737>

~~~
lachyg
Just to make it clear to anyone that doesn't click the link; it only transmits
in a diagnostics mode, which is defaulted to 'off'.

~~~
Xuzz
(I wrote that post.) I _think_ that is the case: it is using the same
"diagnostics are enabled?" function call that the Crash Report submission is
using, and the binary logs "This is not supported hardware, or the user has
opted out." and exits if that call doesn't return true.

However, there definitely could be something else going on there: I do not
want to rule out any possibilities here, many people are very touchy about
privacy issues like this.

~~~
runjake
You should be careful about how you word things in your posts. You tend to
state working observations and theories as conclusions and then the press and
armchair security experts take it as fact.

That said, you've done very good work, and made a very valuable contribution
to consumers.

------
1010100101
I imagine there might be other software/consulting companies in the business
of stealthily collecting GB and PB's of personal data about consumers using
wired and mobile networks who are thinking "Am I next?"

And I imagine some of their employees' minds might now be filling with
thoughts about how to justify what they do, or to discount the need for anyone
to make a big deal about what they do.

Will consumers care about what's booting when they turn on their phone, or
what connections their phones are making? This will be very interesting.

~~~
1010100101
proper grammar: Are we next?

------
leoh
It turns out the setting to disable statistics is a bit tricky to get to. On
the latest version of iOS, I found it at Settings>General>About>Diagnostics &
Usage.

~~~
ugh
As far as I know you are explicitly asked whether you want to enable
Diagnostics & Usage when you first set up the device. (It’s one of the steps
in the setup process.) I don’t know what the default setting for that is,
though.

~~~
dusing
There is no default, they make you choose during setup. Location is the same.

~~~
ugh
Your comment made me look for a video of the setup process. The relevant step
is at 2:40: <http://vimeo.com/24789410>

Turns out there is a default and it defaults to being turned off. You can
immediately tap next and Diagnostics will be turned off.

Here is the exact text:

Diagnostics

Automatically Send

Don’t Send _(selected option)_

Help Apple improve its products and services by automatically sending
anonymous diagnostic and usage data.

About Diagnostics & Usage _(this is a link)_

—

Here is the text behind the link:

Apple would like your help to improve the quality and performance of its
products and services. Your device can automatically collect diagnostic and
usage information and send it to Apple for analysis — but only with your
explicit consent.

Diagnostic and usage information may include details about hardware and
operating system specifications, performance statistics, and data about how
you use your device and applications. None of the collected information
identifies you personally. Personal data is either not logged at all or is
removed from any reports before they’re sent to Apple. You can review the
information by going to Settings, tapping General, tapping About and looking
under Diagnostics & Usage.

If you have consented to provide Apple with this information, and you have
Location Services turned on, the location of your device may also be sent to
help Apple analyze wireless or cellular performance issues (for example, the
strength or weakness of a cellular signal in a particular location). This
diagnostic location data may include the location of your device once per day,
or the location where a call ends. You may choose to turn off Location
Services for Diagnostics at any time. To do so, open Settings, tap Location
Services, tap System Services and turn off the Diagnostics switch.

You may also choose to turn off Diagnostics altogether. To do so, open
Settings, tap General, tap About and choose “Don’t Send” under Diagnostics &
Usage.

To help Apple’s partners and third-party developers improve their apps,
products and services designed for use with Apple products, Apple may provide
such partners or developers with a subset of diagnostic information that is
relevant to that partner’s or developer’s app, product or service, as long as
the diagnostic information is aggregated or in a form that does not personally
identify you.

For more information, see Apple’s Privacy Policy at www.apple.com/privacy

