Mobile "rootkit" maker tries to silence critical Android dev

A data-logging software company wants to squash an Android developer's critical research into its software, which is secretly installed on millions of phones.

<a href='http://meincmagazine.com/tech-policy/news/2011/11/mobile-rootkit-maker-tries-to-silence-critical-android-dev-1.ars'>Read the whole story</a>

 

[Stuka87]

So the question is, what is the data used for?

And unlike the fiasco a while back with the bug in location services in iOS, this is being done purposely. And without end users knowing about it.

 

[anurodhp]

Lies! the consumer benefits from Andorids openness! This is the reason why I use an iPhone. I hate the carriers and dont want them "improving" the OS on the phone with addins.

 

[LJ]

they're doing what they think is in the best interest of the company. If people aren't aware of the software, they're less likely to actively avoid it. People are very concerned with mobile phone privacy issues, and rightly so, and we don't know what carrierIQ does.

It may very well be that they're doing some things we'd feel violates our privacy. Or perhaps they want to keep all of their options open, some of which would certainly close if people were made aware of what they were all about, which phones it was on, etc.

While it makes legal sense for them to use these tactics if the tactics have a high probability of working, I think it's too late. The cat is out of the bag and they shouldn't try to be so heavy-handed. Couldn't they just bribe this kid?

 

[jaman4dbz]

The iOS issue both was done on purpose and without end users knowing.
The difference is that iOS has acknowledged there mistake and fixed it, while this company refuses to acknowledge the issues behind there software.

Also Apple is the same company that made the iOS software, so it is expected that they could be keeping track of some things. It's different when a third party keeps track of such things.

 

[sheltem]

They definitely have this on Sprint Android phones. Before getting an iPhone, removing Carrier IQ was one of the big things that custom ROM developers did for the Epic 4G.

 

[secretmanofagent]

I think it would be nice in the article to identify devices that have these installed, and how to determine if it is installed. I'm checking on mine, but not sure what to look for.

 

[thickslab]

The iOS issue both was done on purpose

Evidence, please.

and without end users knowing. The difference is that iOS has acknowledged there mistake

iOS is not a company.

 

[Zeus]

Andrew Coward, Carrier IQ’s marketing manager, said in a telephone interview Tuesday that the company, not Eckhart, should be in “control” of the manuals.

And consumers, not Carrier IQ, should be in "control" of our own privacy.

 

[DougHW]

I'm not really sure what the issue here is. Obviously carriers need to monitor a lot of this type of data to provide the services they do, and if they're the ones installing and using it on their own devices, covered by TOSes, I have a hard time calling it a "rootkit". Seems like by that standard many legitimate parts of OSes would be "rootkits". If they wrote the code themselves instead of outsourced it to a third party business partner who specializes in it, would that be different?

The carriers can already read your messages if they want, and they obviously have to do things like know and track where you are to be able to connect your phone to a cell tower... but somehow AT&T is more trustworthy than a contracted third party? Meh, idk, seems overblown to me.

 

[TheFLP]

As important as this story is, it's so badly written that I couldn't finish it.

I imagine Ars has no control over this since it comes from Wired, but someone at Wired should be embarrassed for running it without proper editing. If it's not worth their time to edit it, then it's not worth my time to read it.

 

[bojesphob]

Lies! the consumer benefits from Andorids openness! This is the reason why I use an iPhone. I hate the carriers and dont want them "improving" the OS on the phone with addins.

Well, that's nice that you like not being able to do much other than what Apple wants you to. I've already found some ways of finding this if it's on my Android phone and can go through and remove it if I so desire. Sure, Apple isn't going to come out and say this is what they are doing, but if they are, how can you tell/do anything about it?

 

[ayelao]

I seem to recall this causing a minor kerfuffle earlier this year: http://forum.xda-developers.com/showpost.php?p=11763089

 

[smoofles]

A friend of mine was talking to a Google Maps dev at the Google Conference in Berlin and was surprised how open the guy was about Google tracking all movement of people carrying Android phones in order to do "interesting stuff with Google Maps", like making maps of interesting locations that people with Android phones often go do, tracking traffic paths, etc.

The Google Maps developer also said that asking users permission to send location data would be "too complicated for the users", so they’re collecting it without saying.

Now, I have no way of checking whether that is true or not—but if it is, it wouldn’t surprise me at all.

 

[Glassy]

I'm not really sure what the issue here is. Obviously carriers need to monitor a lot of this type of data to provide the services they do, and if they're the ones installing and using it on their own devices, covered by TOSes, I have a hard time calling it a "rootkit". Seems like by that standard many legitimate parts of OSes would be "rootkits". If they wrote the code themselves instead of outsourced it to a third party business partner who specializes in it, would that be different?

The carriers can already read your messages if they want, and they obviously have to do things like know and track where you are to be able to connect your phone to a cell tower... but somehow AT&T is more trustworthy than a contracted third party? Meh, idk, seems overblown to me.

Actually, yes, AT&T is more trustworthy, because if they break their end of the bargain, they're violating a contract. Nobody signed a contract with CarrierIQ. Though, it's probably in the carrier legalese somewhere - the fact remains that nobody willingly opened their phones to a third party who "may" be able to read all your stuff. Relying on a company's goodwill is a bad way to prevent abuse, as we all know.

 

[ceb]

Seems to me the company's reaction is much more damaging to themselves that what Mr. Eckhart has done. They should have just said, "well, yeah, duh, that's what our software does, no big deal, nothing to see, move along." If anyone were to keep making a stink, they could try to work out some sort of "we'll add opt-out measures" or something while keeping it as low-key as possible.

 

[microlith]

Lies! the consumer benefits from Andorids openness!

While I won't argue the oft cited point that the openness is mostly for handset vendors and carriers, that it is open is immaterial to this issue as such openness allows shitty carriers to force this crap on your device, and it also allows the creation of things like Cyanogenmod.

Openness is a double edged sword. Suggesting that it's bad because unscrupulous companies abuse it is ridiculous.

 

[M Doiron]

I'm not really sure what the issue here is. Obviously carriers need to monitor a lot of this type of data to provide the services they do, and if they're the ones installing and using it on their own devices, covered by TOSes, I have a hard time calling it a "rootkit". Seems like by that standard many legitimate parts of OSes would be "rootkits". If they wrote the code themselves instead of outsourced it to a third party business partner who specializes in it, would that be different?

The carriers can already read your messages if they want, and they obviously have to do things like know and track where you are to be able to connect your phone to a cell tower... but somehow AT&T is more trustworthy than a contracted third party? Meh, idk, seems overblown to me.

I own my phone outright. I don't expect any software to be there that I haven't personally installed. Period. This is no different than my ISP claiming to need to install software on my PC so that the can provide me optimal service. BS and, BTW, illegal--because it is my computer and it is my phone.

--mark d.

 

[RobL777]

TheFLP
As important as this story is, it's so badly written that I couldn't finish it.

I imagine Ars has no control over this since it comes from Wired, but someone at Wired should be embarrassed for running it without proper editing. If it's not worth their time to edit it, then it's not worth my time to read it.

They are changing the name of the magazine soon from Wired to Baked to better reflect their over-all orientation to tech journalism.

 

[abergon]

Maybe those who are uncertain would usefully go visit Carrier IQ's website. The following are extracts from one of their official documents, retrieved from the company's website at 1907 UTC today 23 Nov.: http://carrieriq.com/overview/IQInsight ... asheet.pdf

Quote:"IQ Insight Experience Manager uses data directly from the mobile phone itself to give a
precise view of how users interact with both their phones and the services delivered through them,
even if the phone is not communicating with the network."
So this company is able to supply carriers (or whomever pays for their services) with information on your data usage of the device even if you are connected, say to your home wireless network.

Quote:"IQ Insight Experience Manager takes customer experience proiling to another level,
enabling you to view experience data at any level of granularity from the entire population, to comparative groups, down to individual users, all at the touch of a button."
"Down to individual users": if that doesn't raise an eyebrow in the most jaded of user, then I don't know what will.

Quote:"View application and device feature usage, such as camera, music, messaging, browser and TV."
Even if you are not querying/retrieving any data, this nifty little piece of software (don't call it rootkit, it makes them angry) will monitor anything you do with your phone.

And they are proud of it...

 

[zimdba]

This also provides the police another source of information to subpoena. That is, if Carrier IQ isn't already handing it over willingly. </tinfoil>

 

[Deleted member 1]

And that's why people that care about their privacy(as much as there could be privacy in the digital age) should at the very least consider abandoning the stock ROM in favour of CM7 or its brethren as soon as they get their hands on the device. Then again,most don't give a flying frak as evidenced by the runaway popularity of Twitter and Facebook...

 

[skicow]

A friend of mine was talking to a Google Maps dev at the Google Conference in Berlin and was surprised how open the guy was about Google tracking all movement of people carrying Android phones in order to do "interesting stuff with Google Maps", like making maps of interesting locations that people with Android phones often go do, tracking traffic paths, etc.

The Google Maps developer also said that asking users permission to send location data would be "too complicated for the users", so they’re collecting it without saying.

Um, what? That's why when you turn on any location identifying option in Android it specifically tells you that it will collect location based data, and you have to click on 'Agree'.

 

[dlux]

He answered “probably yes” when asked whether the company could read the text messages if it wanted.

Probably?

Either they can or they cannot read text messages using their software. If this guy doesn't understand that this is an extremely sensitive topic for most people and is incapable of providing an honest answer, then he deserves whatever befalls his company in the aftermath of this.

Yet another executive weasel.

 

[rj_king]

This is disturbing...

Is this only on Androids or is it on Windows phones and even feature phones?

The only saving grace is that the amount of data that this system would accumulate would be so incredible that they couldn't possibly aggregate it except for individuals they target.

 

[Ragnarredbeard]

Andrew Coward said,

"He answered “probably yes” when asked whether the company could read the text messages if it wanted."


Really asshole? Fuck you. Read that.

 

[AceRimmer]

Also Apple is the same company that made the iOS software, so it is expected that they could be keeping track of some things. It's different when a third party keeps track of such things.

Well, it depends on what is being done with the information collected. Does Carrier IQ just pass the information on the ATT and Verizon? If so, then it's basically like the carriers out sourced the development of critical software to Carrier IQ. If Carrier IQ is allowed to do whatever they like with the data collected, it's a more serious matter.

Also, how is the software installed? If it comes with the phone, then shouldn't we be mad at the wireless companies?

 

[Dark Side Cookies]

it is my computer and it is my phone.

--mark d.

No one actually "owns" their mobile phone, or the software installed on it. Look carefully at any of the licensing agreement you may or may not be knowingly agreeing to. I guarantee that 99% of them contain language that explains how you are merely purchasing a license to use the device or software within the terms set forth by the manufacturer or mobile carrier. This is why most manufacturers and carriers are against jailbreaking, or physically modifying phones. They simply don't want you to screw around with their code, device, or network. Considering that the mobile airspace is regulated by governments, you can bet the carriers will do whatever it takes to keep every device in line.

I believe there was some discussion during the early life of the iPhone that modified or jailbroken phones were causing congestion on AT&T's network. I'm sure this has been proven untrue many times; regardless, AT&T & Apple continue to use it as an excuse to to lock down the iPhone.

Now, if this particular application is tracking the location of the user, without a valid warrant, then that may be illegal soon enough. (It sounds like they are, because they track call records.) We can only cross our fingers and hope the corrupted tards on the Supreme Court will rule in favor of both John Q Public and logic, once this issue inevitably makes it there.

 

[beebee]

I wiped my Blackberry and installed the OS. I can run BBSAK and see the name of every code module. So where is Carrier IQ installed?

Regarding google maps and google earth, they track where people look to determine where to buy new imagery. I run Blackerry maps to avoid google tracking on me.

Google is the Borg. You have to be diligent to avoid their snooping. Run duck duck go for your searches.

 

[Deleted member 1]

This is disturbing...

Is this only on Androids or is it on Windows phones and even feature phones?

The only saving grace is that the amount of data that this system would accumulate would be so incredible that they couldn't possibly aggregate it except for individuals they target.

Unless Nokia and Blackberry started making Android devices while I was making my coffee,this probably affects BB's OS and Symbian(Though I wouldn't be surprised Nokia's W7 phones could have this in their bowels to) - - - Though the software is installed on millions of Android, BlackBerry, and Nokia phones - - - The beginning of the second paragraph

 

[NickN]

Lies! the consumer benefits from Andorids openness! This is the reason why I use an iPhone. I hate the carriers and dont want them "improving" the OS on the phone with addins.

Well, that's nice that you like not being able to do much other than what Apple wants you to. I've already found some ways of finding this if it's on my Android phone and can go through and remove it if I so desire. Sure, Apple isn't going to come out and say this is what they are doing, but if they are, how can you tell/do anything about it?

Um, same as you. Root the phone. Why is it that Android advocates seem to think this is only an option on Android?

 

[rj_king]

it is my computer and it is my phone.

--mark d.

No one actually "owns" their mobile phone, or the software installed on it. Look carefully at any of the licensing agreement you may or may not be knowingly agreeing to. I guarantee that 99% of them contain language that explains how you are merely purchasing a license to use the device or software within the terms set forth by the manufacturer or mobile carrier. This is why most manufacturers and carriers are against jailbreaking, or physically modifying phones. They simply don't want you to screw around with their code, device, or network. Considering that the mobile airspace is regulated by governments, you can bet the carriers will do whatever it takes to keep every device in line.

I believe there was some discussion during the early life of the iPhone that modified or jailbroken phones were causing congestion on AT&T's network. I'm sure this has been proven untrue many times; regardless, AT&T & Apple continue to use it as an excuse to to lock down the iPhone.

Now, if this particular application is tracking the location of the user, without a valid warrant, then that may be illegal soon enough. (It sounds like they are, because they track call records.) We can only cross our fingers and hope the corrupted tards on the Supreme Court will rule in favor of both John Q Public and logic, once this issue inevitably makes it there.

Congress has already had hearings on this. Wouldn't be surprised if a law isn't passed in the next couple years to make this illegal. Imagine if someone hacked Carrier IQ and could find all their correspondence with lobbyists or their sexual affairs. They don't want to be monitored any more than the rest of us.

 

[RobL777]

He answered “probably yes” when asked whether the company could read the text messages if it wanted.

All your data are belong to us!

 

[Donnicton]

A. Coward, really?

 

[rj_king]

This is disturbing...

Is this only on Androids or is it on Windows phones and even feature phones?

The only saving grace is that the amount of data that this system would accumulate would be so incredible that they couldn't possibly aggregate it except for individuals they target.

Unless Nokia and Blackberry started making Android devices while I was making my coffee,this probably affects BB's OS and Symbian(Though I wouldn't be surprised Nokia's W7 phones could have this in their bowels to) - - - Though the software is installed on millions of Android, BlackBerry, and Nokia phones - - - The beginning of the second paragraph

I was a bit loose with my wording. i was more concerned with feature phones. I have a Sony Ericsson Equinox (feature phone) and wasn't sure if I should be worried about this.

 

[jukes_]

it is my computer and it is my phone.

--mark d.

No one actually "owns" their mobile phone, or the software installed on it.

Actually lots of people outside the US own their phones, and some inside do as well. You're basically right though that you have to agree to TOS when you use a network, and if the TOS include a requirement that you install this software for monitoring purposes then you're out of luck.

It would be interesting to know if such unsubsidized, unlocked phones have this installed as well though.

 

[smoofles]

A friend of mine was talking to a Google Maps dev at the Google Conference in Berlin and was surprised how open the guy was about Google tracking all movement of people carrying Android phones in order to do "interesting stuff with Google Maps", like making maps of interesting locations that people with Android phones often go do, tracking traffic paths, etc.

The Google Maps developer also said that asking users permission to send location data would be "too complicated for the users", so they’re collecting it without saying.

Um, what? That's why when you turn on any location identifying option in Android it specifically tells you that it will collect location based data, and you have to click on 'Agree'.

He wasn’t talking about applications collecting that data, but the system. Like I said, though, no way to verify, but the Google engineer was apparently very certain of collecting that data being "cool" and how asking the users permission would be confusing to the poor souls. That together with the whole show on Saturday made my friend leave by 2 or 3 pm, as he felt quite dissapointed at how Microsoft-y Google apparently is.

 

[MrSmith317]

information on your data usage of the device even if you are connected, say to your home wireless network.

Far be it from me to take this one snippet out of context but, I think someone is begging for a lawsuit. If I find that my device(s) have CarrierIQ on it you can be sure that I like many others are going to throw as hard a legal battle as I can afford at that company and Verizon on top of that. On my phone, using Verizon services I am somewhat beholden to Verizon policies(of which I consented), however tracking any data over my home network is an out and out violation of my privacy. I don't want money from these people, but if it will help stop them and their contemporaries from this kind of practice, I won't complain about taking it.

 

[Deleted member 1]

This is disturbing...

Is this only on Androids or is it on Windows phones and even feature phones?

The only saving grace is that the amount of data that this system would accumulate would be so incredible that they couldn't possibly aggregate it except for individuals they target.

Unless Nokia and Blackberry started making Android devices while I was making my coffee,this probably affects BB's OS and Symbian(Though I wouldn't be surprised Nokia's W7 phones could have this in their bowels to) - - - Though the software is installed on millions of Android, BlackBerry, and Nokia phones - - - The beginning of the second paragraph

I was a bit loose with my wording. i was more concerned with feature phones. I have a Sony Ericsson Equinox (feature phone) and wasn't sure if I should be worried about this.

My apologies,but today of all days my industrial-strength coffee decided not to wake me fast enough I sincerely doubt they've got feature-phones running this rootkit,as both they are less of a target market these days(sorry),but also because it might be harder to gather,store and transmit data without the knowledge of the user.... HOWEVER,I wouldn't be surprised there's a solution to circumvent that (Maybe even as part of the basic firmware itself)

 

[EmeraldArcana]

He answered “probably yes” when asked whether the company could read the text messages if it wanted.

And here's the problem. I'm hoping that the fallout from this will be huge. This is potentially worse than the iOS location tracking fiasco.