

Carrier IQ Speaks Out: We ignore extraneous user Data - ghshephard
http://allthingsd.com/20111201/carrier-iq-speaks-our-software-monitors-service-messages-ignores-other-data/?reflink=ATD_yahoo_ticker

======
djb_hackernews
They are hiring an "Extreme Analytics Architect", to work on datasets measured
in petabytes[1]. Would be interested to know what they consider extraneous.

[1]
[http://www.carrieriq.com/company/careers.htm#ExtAnalyticsArc...](http://www.carrieriq.com/company/careers.htm#ExtAnalyticsArch)

------
jrockway
This explanation is very interesting. I'd like to be able to share with my
carrier when a call is dropped and when a web page doesn't load, but I don't
want that being done automatically. Make a list for me, and I'll send it along
to the carrier once a month after making sure there's nothing I want kept a
secret there. Also, I should be getting paid to do this, because my job as a
customer is not to make some big company's product better.

It's a nice try to include software to do this in the background with no way
to opt out, but with the cat out of the bag, the carriers are going to have to
figure something else out. (I use Cyanogen Mod so I doubt this affects me at
all. But it's annoying to discover that the reason behind closed bootloaders
and firmwares is to spy on me behind my back without permission. Good thing
they employ shitty developers to write that code!)

------
flyt
The key question for them is "Why can't users disable Carrier IQ on their
device, and why does it run if the cellular antenna is disabled?"

~~~
tptacek
Two plausible answers:

(a) Because the carriers don't want you to, if only because it would increase
support costs to have to walk users through turning it back on, but probably
mostly because normal people don't really care about the stuff CIQ is intended
to do.

(b) Because the feature for disabling CIQ with cell service disabled makes
zero money for any party involved and therefore has slipped every MRD given to
its engineering team.

------
salimane
you ignore extraneous user data?!??! what!?!?! why do you get it in the first
place if you're only interested in a subset? bunch of lying rootkit developers

~~~
latch
How do you capture a subset of data without capturing it all (and discarding
what doesn't match)? If you are doing a find in a document, don't you scan
through the entire document and discard whatever isn't what you want? It
sounds like that's the explanation they are trying to give.

~~~
salimane
the thing is, given the context, you can do this without looking at everything
the user is doing, you can basically wait for the trigger (error, call
drop...) to happen before trying to submit error reports. that's the way it's
done in software applications

~~~
latch
Just to be clear, I'm not saying they are right, I'm just trying to look at
this objectively. If you read what they said, I don't think your solution
works:

"During a support call a technician asks a customer to enter a short code, CIQ
will be listening for it"

Without knowing a ton more, maybe there's a _much_ better way to do this... like
having the user explicitly launch a program rather than having something
always running and always listening. No argument there. But if you're thinking
they should abstract away some "code_entered" event, ultimately something
lower-level is going to be listening to each keypress and looking at sequences
to raise those events.

Some of this stuff happens at a lower level than a lot of us might be used to
programming nowadays. I'm not sure that there's necessarily a pretty error
event they can hook into. Something about all of this reminds me of using stuff
like Spy++ on Windows and you see just how much raw data is available at the
lowest levels

------
warmfuzzykitten
Well, of course, they only gather information requested by the carriers, and
we all trust the carriers. What could go wrong?

------
georgieporgie
Based on what I've read, none of the investigations actually looked at what
data was reported back.

My money is on Carrier IQ providing a valuable service in a somewhat
sub-optimal way with regards to privacy, and carriers probably doing a really
shoddy job of integrating it into the phones they distribute.

~~~
tptacek
I'm more or less convinced that you're right about this.

CarrierIQ brought some of this on themselves by reacting terribly to a
security researcher's claims regarding their software. Trevor Eckhart claimed
CIQ was a "rootkit", and they freaked out and threatened to sue him.

Naturally, everyone now assumes that CarrierIQ is evil, since suing security
researchers is almost invariably an evil thing to do.

People are paying less attention to the fact that CarrierIQ subsequently
issued a _formal apology_ to Trevor (from experience: companies stung by
security researchers virtually never do this; they just back off quietly), and
that nobody has really refuted CIQ's claims about what their software does.

The "there's this evil big brother company nobody has ever heard of that a
security researcher found out and got sued over" narrative is a lot more fun
than the banal reality, so that's what we're all going to run with.

It's also a little amusing to see people wigging out over the privacy of their
SMS messages. Their SMS messages have no privacy. The carriers see and log
_all_ of them. Lord only knows what other tools they have on their network
explicitly for the purpose of mining data out of those messages.

~~~
shiven
I guess CIQ just happens to be the outrage-flavor-of-the-week. This looks so
much like a public pile-on whenever Facebook screws people over with sneaky
settings changes. The classic cycle plays: breaking news, genuine anger,
hipster outrage, slow smoldering disinterest, and finally apathy and
collective amnesia ... until the next outrage-of-the-week comes along. The
Zuck was right: "dumb fucks".

If anyone is really all that outraged, what concrete steps have they taken to
make sure this crap gets sorted out?

Oh and BTW, do you have a link confirming the _formal apology_? Couldn't find
it with a simple DDG search. Maybe my search vector was wrong.

~~~
TeMPOraL
It's in <http://www.carrieriq.com/company/news.htm>.

------
101001010101
It would be interesting to see their agreements with the carriers.

Presumably the carriers could request any data, not simply diagnostics.

It certainly sounds like CIQ is prepared to deliver whatever a carrier might
ask for: CIQ's rootkit can capture everything.

~~~
tptacek
At (grave) risk of being repetitive: if you don't trust your _carrier_ with
your personal information, you shouldn't be using Android phones on their
network. CIQ or not, carriers have vastly more information about most people
to work with than e.g. Google.

~~~
101001010101
At least you have an agreement with your carrier. Alas, you have none with
CIQ. Even though you're using their software.

