
How Carrier IQ was wrongly accused of keylogging  - wglb
http://news.cnet.com/8301-31921_3-57335715-281/how-carrier-iq-was-wrongly-accused-of-keylogging/
======
podperson
Please change title to "How Carrier IQ's PR Department is able to post
articles on cnet".

~~~
corin_
While I agree with you in terms of content, based on how they've handled the
rest of this mess I find it almost hard to believe they would be capable of
looking up a cnet editor's email address, let alone persuading them to write
anything.

~~~
marshray
They are not having any trouble with being in contact with the press at this
point.

What seems more likely is that they were able to feed the reporter enough
material from their side of the story that the reporter used mostly that to
meet his deadline. Of course, the reporter may write a story from the opposite
perspective Monday.

------
ghshephard
"There's zero evidence that Carrier IQ captured, recorded, or transmitted any
keystrokes"

...except the 17 minute Youtube Video that showed Carrier IQ capturing, and
recording keystrokes.

~~~
spoondan
No. Trevor Eckhart's video showed him capturing and recording the Android
event log. This only demonstrates that the CarrierIQ agent running on the
phone attached an event listener to keyboard events. While that behavior is
consistent with a key logger, it's also consistent with lots of totally
harmless software doing totally normal things.

~~~
drivebyacct2
> it's also consistent with lots of totally harmless software doing totally normal things.

lol. What "totally harmless software" or "normal things" require userland
software to monitor every keystroke? And not just monitor them, but echo them
so that they appear in the logcat?

~~~
rictic
I don't think that they've earned the benefit of the doubt here, but I think
it goes too far to say that there's no reason why benign diagnostic software
might pay attention to key presses. For example, a particular button
combination could bring up a diagnostics screen or send additional
information.

The logging, likewise, could be just some debug code accidentally left in.

~~~
marshray
How about the https urls being intercepted?

Those were for a diagnostic command sequence or debug code too?

------
ChuckMcM
Data really is an attractive nuisance. It is not too hard to see how many
legitimate carrier questions could be answered to the benefit of consumers by
having phones log data. Perhaps the simplest one is "Where do I have areas of
weak coverage and so more dropped/distorted calls?" If a large percentage of
the handsets can log GPS + signal strength info over a long period of time,
the phones that are in suitcases (erroneously recording poor signal strength)
and those in airplanes (erroneously recording great signal strength) will be
balanced out by real world scenarios. Given 12 months of data (which covers
various weather conditions, and correlating by date) one could quickly and
efficiently decide where additional transmitter/receiver resources should be
deployed, and under what conditions it might make sense to bring up more
resources and when you could shut them down (rain, for example, absorbs 1.5 -
2.5 GHz radio signals).

Of course that information can be accumulated much more painfully by driving
around in a van to pick up this information. And the quality will be both
better and worse, better in the sense that a signal-quality-van could have
equipment to evaluate the signal strength very accurately, but worse in that
you wouldn't get the time of day and conditional variation from weather.

The 'attractive nuisance' aspect of it however comes into play when you've
created a logging/monitoring _platform_ and now you can collect other kinds of
information. Like warrantless wiretappers who are unable to restrain
themselves from listening in on conversations they have no reason to listen
to, once the infrastructure is there the humans in the loop seem unable to
prevent themselves from succumbing to their desire to 'know.'

I had a long discussion with some law enforcement types at a security
conference along these lines (I was advocating outright bans on some of the
tools they consider 'essential' for fighting crime). The economic cost of not
using the tools is higher (higher taxes (to pay for more cops), higher phone
bills (to pay for signal strength vans)) and, until it is actualized, only a
"potential" risk of abuse. That is such a terribly hard equation for people to
evaluate on instinct.

------
podperson
It should be noted that (having finally watched the video) what he is accusing
Carrier IQ of is key logging, but he does not demonstrate key logging of the
keyboard (he demonstrates key logging of two of the hardware keys and the
numeric phone dialer, but never demonstrates the same behavior when using the
virtual keyboard -- he does show that the unencrypted url is being sent (which
means that the Carrier IQ software has hooks into the browser where it
shouldn't) but does not demonstrate key logging of, say, a password typed into
a web page on an encrypted connection).

If the article made this point it might have some credibility. As it is, it
simply looks like Carrier IQ's PR department working overtime.

~~~
drivebyacct2
It's the same thing. The way virtual keypads work in Android is the same as
the hardware keyboard. Also, it's already been noted that it is aware of HTTPS
urls and reports those just as merrily (at least to the adb logcat, I can't
make other claims).

Further, the keyboard doesn't magically work differently when it's entering
text into one page or the other... not sure what track you're thinking on
there.

~~~
podperson
Yes, I agree that it's definitely tracking the url (and not the domain) but
that is not the same as key logging (which would capture things like passwords
entered into a web page). I'll take your word for it that the text keypad is
just as compromised as the numeric, but it would have been a lot more
compelling to show a username / password (for example) being captured on a
banking website before the user even pressed "submit" (or whatever).

------
ghshephard
Turns out they aren't wrongly accused of keylogging. Carrier IQ, likely in
partnership with either the Handset Vendor and/or the carrier were responsible
for the storing of personal information.

Here is a pretty good quotation from their director of marketing: ""We're as
surprised as anybody to see all that information flowing," Andrew Coward,
Carrier IQ's director of marketing, told CNNMoney in an interview. "It raises
a lot of questions for the industry -- and not [only] for Carrier IQ.""

~~~
marshray
They're just trying to throw their customers (the carriers) under the bus at
this point.

They really don't want to shoulder these oncoming class actions alone.

------
kevinalexbrown
Not keylogging does not absolve Carrier IQ. This article doesn't exactly say
that, but it gives the impression that it's all one big misunderstanding from
an overzealous "newly minted" security researcher.

That people jumped to conclusions that it was transmitting keystrokes, when
"no no no, it merely has that _potential_, you see!" well, what do you
expect?

------
ozten
I'm calling B.S. on carriers don't charge for your key-logging data.

My wire had some billing/technical issues and we worked through AT&T's data
transmission logs, there were unexplainable uploads that seemed like telemetry
or some kind of debugging. They denied it and told us it was our data uploads.

Now I know what that probably was ;)

Open up the tele-comm industry, this is really scary stuff!

------
brlewis
Quote: _It's true that carriers already know what URLs you're visiting when
you use their network_

Is that true for https?

~~~
sp332
They only know which server you're visiting, so they can route the packets
properly. But the headers are encrypted, so they shouldn't get the whole URL.
<https://en.wikipedia.org/wiki/Https#Network_layers>

~~~
brlewis
I'm familiar with the normal workings of https. What I'd like to know is if
there's anything special about cellphone browsers such that the carriers act
as MITM (like with Kindle Fire). What I can't imagine, though, is any way they
could MITM the URL and not be able to MITM the rest of the HTTP request and
response.

~~~
marshray
Non-smartphone browsers will often use a bastardization of https that does
allow the carriers to perform MitM interception.

This should* not be the case with smartphones however, particularly when
connected to wifi and not even transferring data via the carrier.

*The carrier may have planted an SSL trusted CA cert on your phone before giving it to you.

------
Dylan16807
Nobody ever accused carrier IQ of hacking the software onto the phones all by
themselves.

Tracking all URLs is half as bad as tracking keys.

And forgive me if I don't find claims that it doesn't record the keystroke
data that it's sent anyway in a customizable app very reassuring.

~~~
freehunter
How is tracking all URLs half as bad as a keylogger? You understand that any
ISP can see a log of which customer requested which website, right? They don't
need CarrierIQ to see that, it's an integral part of the function of being an
ISP.

~~~
Turing_Machine
The same would apply for SMS message and phone calls. A nefarious carrier
could log those without anything being installed on the handset at all.

That aside, wasn't the claim that Carrier IQ can also log stuff that _isn't_
going through the carrier's network (e.g., when you're using your WiFi
connection)?

~~~
cube13
> The same would apply for SMS message and phone calls. A nefarious carrier could log those without anything being installed on the handset at all.

Carriers are logging both your SMS and phone call activity anyway. You get a
copy of the log in every bill.

------
rhizome
Isn't it a little early to say "wrongly," while the companies are still
playing hot potato?

~~~
anigbrowl
That's never stopped him before.

------
digitalboss
This reminds me of the story that the media ran hard on for "...hackers
launched a cyber attack against a water facility in central Illinois."

More and more tech sites now are turning into these media engines that just
want pageviews, they're spinning a small story with very little facts into a Fox
type news story, it's very sad to see, and will continue to happen, so they
can be bought by the AOLs of the world.

The Russian hack never happened
<http://www.tgdaily.com/security-features/59984-the-russian-hack-never-happened>

~~~
marshray
The water pump story was primarily an elaborate screwup.

This story has some very interesting reality under it and the details are
still being uncovered.

~~~
digitalboss
I agree with you, but with so little facts up front, and with seeing the story
was so twisted in the media, it's just the reality of how things happen in
today's world. Buckle up and hold on, innocent later.

------
giberson
How, in the same article, do you say "an expert examined the assembly of the
software and determined there is no code that records or reports back" then
follow that a little later with "carrier IQ doesn't make the decision, they
provide the software with flags that the carriers can configure to record
and/or report back".... These two statements don't really mesh up.

~~~
marshray
<http://en.wikipedia.org/wiki/K%C3%BCbler-Ross_model>

Stage 1. Denial

------
dredmorbius
Who is Declan McCullagh and why should we believe he invented the Internet?

------
earl
This is stupid. If they don't want to be accused of being a keylogger and/or
rootkit, they should

(1) not allow keypress events to be sent to their software;

(2) force carriers to not hide their executable and show users what
information they are collecting on their phones;

(3) keep a record of information, again to be shown to users on demand from
the program installed on their phones, that has been uploaded;

(4) manage to answer simple questions, like (i) could you forward keystrokes,
sms, ssh passwords, ssl passwords, etc, (ii) can your software contact your
servers and download new control instructions, (iii) has this ever happened,
(iv) under what circumstances would it happen

(5) easily give users the ability to shut down the flow of information and
remove the program, including in all future updates

Really, this isn't rocket science.

~~~
rmc
I agree with your sentiment and most of what you say. But a lot of the general
public are not good at computers. Remember the "facebook login" incident? If
you tell these people that there is a magic programme that runs all the time then
they will always turn that off. As a result carriers will have basically no
information.

~~~
marshray
You mean people will be able to make informed choices about their privacy?

~~~
rmc
No, lots of people do not know about how to make informed choices about lots
of things about tech. You right know how to use computers, but there are loads
of people who Google "www.Facebook.com"; they do not know about computers.

~~~
rhizome
I'm kind of losing track of the argument here, are you talking about
defaulting to open vs. default-closed when it comes to privacy?

