What’s the hullabaloo over Carrier IQ?

I’m going to botch this (which is part of why I’m asking), but for a starting point Carrier IQ is (seems to be?) an application that has been installed by either wireless carriers or phone manufacturers. It functions to track phone activity (SMS content, calls, URLs) and report back to the installing client. If you’re a subscriber in the United States, it’s likely that it’s running on your phone. It’s being called a rootkit because it has substantial privileges yet the user is unaware and unable to remove it, stop it, or know that it’s working.

Here is the Electronic Frontier Foundation’s page on it. I’m sure the more technically inclined will be along shortly to correct my summation.

I’m posting in GD because that’s where most privacy-related subjects go or end up.

So … what’s all the hullabaloo? From what I understand, whenever I surf a page the ISP can (and does) keep track of all URL information. All calls and whatnot are already tracked by the phone carriers, aren’t they? What is Carrier IQ doing beyond data mining and organizing? Has anyone worked out how to easily turn it off (all I’ve found in references and instructions to root your phone first)? Uninstall it? Block it?
I searched* intitle:Carrier site:straightdope.com *but found nothing. If there is a thread, please point the way.

It’s all about personal privacy; what do your with your cell phone and where you do it, as well as the potential the company shares that information without your knowledge, let alone permission.

Additionally, there is concern that the CarrierIQ software stack is saving sensitive data in the device’s system log. The system log is often transmitted to the network operator, OEM, or Google. None of these parties are necessarily expecting this sensitive data and may not be safeguarding it appropriately.

In general, logs shouldn’t contain passwords, SMS text, email text, web sites, etc. They are a privacy issue and aren’t useful for diagnostics or tuning.

I just figured it was debug information for use in tracking down bugs. That’s the stuff you need to nail them down sometimes.

But I have to admit I haven’t looked into it very deeply, and although that EFF page looks very detailed, reading it started to feel like work so I had to quit… I’m on Christmas break dangit!

An Android developer noticed that the Carrier IQ software that was on his phone was keeping track of every single keystroke he made, and keeping it in an unencrypted file on the phone. There were no references to this software anywhere on the phone, it was automatically turned on, there was no opt-out.

Carrier IQ says that this software is installed on the phones at the request of the carrier, and several carriers have said that they have the software on the phone. Carrier IQ has denied that it tracks all activity, it only keeps network and phone data. That data is then transmitted back to the carriers. Soon after, the FBI said that they had used Carrier IQ data, which Carrier IQ kinda denies.

My issue with it, as a corporate IT guy, was that it was keeping the activity in that file on the phone. We’ve been able to deploy Activesync (Exchange email to your phone) because we’ve been able to force encryption on our devices (Yes, I know there are ways around that, but we have to make the best effort). Without that encryption, we can’t have them, as we would be open to major repercussions if an unencrypted device were lost and found.

Link to video: Carrier IQ Part #2 - YouTube

On a more personal level. Imagine you have a smart phone, and use your phone for banking transactions. Now Carrier IQ is storing your bank login info, on the phone, in an unencrypted file. You leave your phone at Starbucks, someone snags it, accesses that file, and starts looking for www .mybank .com in the file. Guess what is likely to be the next set of keystrokes recorded.

Substitute credit card, Paypal, email, etc. for bank.

The video that was posted shows that you can connect a USB cable to the device, turn on some debugging features, and see the phone respond to keystrokes. As an engineer, I find this completely unsurprising - of course the phone is tracking keystrokes, it wouldn’t work if it didn’t. My take on this is that the ‘developer’ who posted the video has no idea what he’s looking at. I have yet to see any evidence that any of the data is actually be stored on the phone in a way that can be accessed by anyone outside the phone, other than by running a debugging trace as is demonstrated in the video.

So, uh, how do I turn it off?

You can’t. Hence the majority of our problem. If you could turn it off or get rid of it easily, we’d just be more annoyed and a little upset instead of super pissed off.

On iOS devices, you can turn it off through the general settings. You can view the files it sends from iOS devices, which are just network connection logs. You also have to opt-in to turn it on in the first place (the whole send Apple logs bit when you set up the phone).

Android devices all you can do it root the device to get rid of it.

Is there a list somewhere of which carriers don’t install it in their handsets?

He is running logcat, which requires the Android SDK. The problem is every time a key is pressed, the Carrier IQ app ID pops up in the logs. That shouldn’t be happening, why exactly does the Carrier IQ daemon need to be notified for a dialer key press? It also shows that HTTPS sites are being logged in the clear. This opens device up to man in the middle attacks.

Yes, logs can be a valuable troubleshooting tool. When you’re notified the data is collected. Some apps upon a crash and relaunch, will ask to send a crash log. That is okay. Electing to send usage anonymized phone-wide usage data is too, you’re usually asked to do this during initial phone setup. Logging almost every keystroke without informing the user isn’t.