
Apple: We Don’t Use Carrier IQ… In Most Of Our Products… Anymore. - llambda
http://techcrunch.com/2011/12/01/apple-we-dont-use-carrier-iq-in-most-of-our-products-anymore/
======
ugh
If Carrier IQ on iOS only collects information about calls and location data
during those calls and if it is turned off by default and if Apple is explicit
about the data they collect† then there is no problem.

It seems obvious to me that carriers or manufacturers can collect that data if
the user explicitly agrees to it (by actually flipping a switch without being
forced or tricked into doing so).

Carrier IQ is only a problem if it is turned on by default and if it collects
more data than is explicitly said∆.

—

† If the Diagnostics & Usage switch indeed controls Carrier IQ then we already
know that the last two conditions are met.

∆ This is only the minimum viable evilness. Worse kinds of evil are
imaginable, like not telling users anywhere that data is being collected or
making it hard for users to turn the collection of data off.

~~~
pyre

> Carrier IQ is only a problem if it is turned on

The problem being that having it installed is just another attack vector that
houses potential vulnerabilities on your device.

~~~
Xuzz
I disassembled the iOS version of Carrier IQ, and it exits on startup if not
enabled. Even when enabled, it runs as an unprivileged user and connects via
SSL so should not be any "attack vector".

~~~
robterrell
This is reassuring -- would you consider writing it up in more detail?

~~~
Xuzz
I did here: <http://blog.chpwn.com/post/13572216737>

------
franksalim
I'm surprised the author didn't jump on this sentence:

"With any diagnostic data sent to Apple, customers must actively opt-in to
share this information..."

As I understand it, Carrier IQ is about sending data to carriers. Apple only
denied that data was silently sent to Apple. That's completely different than
saying no data has been transmitted at all.

~~~
conradev
While that is a good observation, it has been proven that no statistical data
is sent to CarrierIQ when the preference is disabled. This has been determined
by reverse engineering the daemons used for CarrierIQ reporting on various iOS
versions.

This has more information: <http://blog.chpwn.com/post/13572216737>

------
dabeeeenster
Has anyone actually found evidence of Carrier IQ software ACTUALLY STORING
personal data such as key-presses on Android or iOS? All I have seen is log
events being generated from adb logcat, which is not the same thing, by any
means.

~~~
bad_user
Does it really matter?

Why on earth would they be doing keylogging? What data can they get that
doesn't violate my privacy? If they aren't using that data, then why the fuck
is that code there tracking the keys pressed?

~~~
pilsetnieks
Ostensibly, they are looking at keystrokes to see if a particular key sequence
is pressed while talking to customer support, thus indicating that it should
send the diagnostics data to the operator. Ostensibly.

------
idspispopd
CarrierIQ itself isn't the problem, it's a diagnostic device with legitimate
functionality for mobile devices (we want our service to get better, this
requires certain aspects of reporting.) The problem stems from CarrierIQ being
implemented poorly, and reporting information which is not reasonable for
diagnostic uses or privacy reasons.

As such I feel like this is being blown out of proportion, Apple's use of
Carrier IQ has never been anything to worry about. A user can optionally
choose to participate. (I.e. it's not an opt-out scenario) and the information
it sends is benign and not personally identifiable.

The issue has been that some vendors have been adding full-capability
CarrierIQ to Android handsets which then have been shown to be reporting more
than what can be considered reasonable, including allegations of key logging.
This is obviously wrong and should be corrected. (Or simply removed.)

~~~
zmmmmm
> have been shown to be reporting more than what can be considered reasonable

Funny how you first lament that the issue is being blown out of proportion wrt
Apple and _then blow it out of proportion yourself_. Nobody has shown what
data is being reported or indeed, evidence that any data is being reported at
all.

The primary issue at this point seems to be that the temporary local logging
of the data represents a security risk on these devices even if it is never
reported.

------
OoTheNigerian
I am still wondering why I was down voted into oblivion for suggesting carrier
IQ is not supposed to be the main party to be angry with
<http://news.ycombinator.com/item?id=3298924>

Can someone please explain why the rage is not directed at phone manufacturers
who asked for, and put this software in the phones they sold to customers?

~~~
somebear
> Can someone please explain why the rage is not directed at phone
> manufacturers [...]

Because every single statement from phone manufacturers has indicated that it
was the carriers that demanded this be put on the handsets (or did it
themselves in cases of operator modifications).

The only carrier I've heard say very clearly that they are not using Carrier
IQ is Verizon.

~~~
lukeschlather
No, I'm sure Verizon develops all the spyware they put on phones in-house.

------
tvon
The press release seems pretty clear to me, what's with the headline?

------
munin
if you paid hundreds of dollars for a device, and you pay a 50-60 dollar a
month contract ... you still may be the product..?

~~~
josefresco
No evidence yet that this information is being sold to third parties, or even
used internally for sales purposes. Although the latter would be pretty
obvious and not surprising (to me at least). Is there something buried in the
TOS that alludes that they may do this?

------
billmcneale
So Carrier IQ is still present in some iOS 5 and in all iOS prior to version
5.

That's still an awful lot of places.

------
nomdeplume
All it would take is someone who knows what they are doing to go check real
quick. Report back whether or not the phone is throwing out information or
not.

------
nirvana
I think what's really remarkable about this is that Apple issued a statement
seemingly less than 24 hours after it became an issue. In the past, Apple has
tended to wait a week or so before issuing statements, resulting in a lot of
criticism and the issues sometimes steamrolling simply due to the fact that
the charges aren't answered.

I'm not at all surprised that Apple isn't violating users' privacy.

~~~
bigiain
I'm pretty sure Apple's "wait a week" clock began ticking when the initial
flurry of reports about CarrierIQ on Android started circulating, not
yesterday...

~~~
st3fan
Where 'wait a week' probably is: some high level manager or vp asks people to
investigate this to get all the details before putting out any statements.

------
101001010101
All due respect, Apple should not need to use CarrierIQ.

They are a hardware company that sells the hardware it makes direct to
consumer. They are perfectly positioned and quite capable of writing their own
"rootkits".

Of course, when they do everything possible to prevent you from "rooting" the
phone you purchase from them it's a tad more difficult to check for such
things.

For the average non-technical iPhone customer it would seem next to
impossible.

~~~
pflats
True, but it seems that CarrierIQ is, as its name implies, a service for the
carriers. Since Apple doesn't let ATT et al. customize iOS, it likely got
into the OS as part of the bargain with them.

~~~
101001010101
Right. The way I see it, CarrierIQ gives carriers the kind of information that
Apple could, in theory, gather quite easily. Maybe that was the idea behind
CIQ? Just taking a wild guess.

------
rewiter2011
haha! must be hard to realise for some ppl that not only the gov is spying on
them, but almost everyone else too. and you've paid thousands of dollars for
this feature!

------
funkah
An earlier report said Carrier IQ was definitely in iOS 5, and perhaps earlier
versions. So, which is it?

Either way, ugh. Bad Apple.

~~~
rajpaul
Apple's statement confirms that it is still in some iOS 5 products.

~~~
mvelie
It's still on the iPhone 4

------
nomdeplume
Do I detect some Apple employees/shareholders in here? I think the (CIQ) video
made pretty clear the fact that YOU CAN'T TURN IT OFF and that THERE IS NO OPT
IN/OUT button because you would have to be digging around like a technophile
to find it in the first place. I would not be at all surprised if Apple uses
something like this. Wireshark anyone?

~~~
runjake
The CIQ video was of the Android software. Initial analysis of the iOS version
of the CIQ software indicates it isn't nearly as intrusive as the Android
version.

And all indications (the researcher vs. what Apple states) are that you
can explicitly turn it off.

