Carrier IQ Speaks: Our Software Ignores Your Personal Info

Carrier IQ, maker of a network diagnostic tool installed on millions of smartphones, has a simple rebuttal to accusations that its software logs keystrokes on the devices on which it is installed:

It doesn’t.

While CIQ might “listen”* to a smartphone’s keyboard, it’s listening for very specific information. Company executives insist it doesn’t log or understand keystrokes. It’s simply looking for numeric sequences that trigger a diagnostic cue within the software. If it hears that cue, it transmits diagnostics to the carrier.

So, for example, if during a support call a technician asks a customer to enter a short code, CIQ will be listening for it; when it’s entered, CIQ will relay the appropriate diagnostic information to the carrier. Any keystrokes beyond that are ignored.

“The software receives a huge amount of information from the operating system,” Andrew Coward, Carrier IQ’s VP of marketing, told AllThingsD. “But just because it receives it doesn’t mean that it’s being used to gather intelligence about the user or passed along to the carrier.”

So what are we really seeing in security researcher Trevor Eckhart’s video, which shows Carrier IQ collecting all sorts of information about how a phone is being used and where?

“What the Eckhart video demonstrates is that there’s a great deal of information available on a handset,” says Coward. “What it doesn’t show is that all information is processed, stored, or forwarded out of the device.”

Okay. Then what information is being captured and passed along to the carriers who use Carrier IQ? Data related to call quality, battery life, device crashes — everything you’d expect, really.

“If there’s a dropped call, the carriers want to know about it,” says Coward. “So we record where you were when the call dropped, and the location of the tower being used. … Similarly, if you send an SMS to me and it doesn’t go through, the carriers want to know that, too. And they want to know why — if it’s a problem with your handset or the network.”

And Coward is quick to point out that CIQ isn’t doing anything nefarious with our text messages, either.

“We don’t read SMS messages. We see them come in. We see the phone numbers attached to them. But we are not storing, analyzing or otherwise processing the contents of those messages.”

The same is true of Web site URLs. CIQ has the ability to capture them, but not the associated content. So it might note a device having trouble accessing Facebook, but not the content on Facebook itself.

Which is reassuring. That said, CIQ still has the ability to capture a wide variety of user data. So who is determining what exactly is being collected?

The carriers. They decide what’s to be collected and how long it’s stored — typically about 30 days. And according to Carrier IQ, the data is in their control the whole time.

“It’s the operator that determines what data is collected,” says Carrier IQ CEO Larry Lenhart. “They make that decision based on their privacy standards and their agreement with their users, and we implement it.”

On this point, Lenhart is particularly emphatic. “We capture only the data they specify, and provide it to them,” he reiterates. “We don’t capture more than that.”

Which sounds a bit like “we only do what they asked us to,” but, as Coward reminds us, the carriers’ behavior is governed by their contract with customers.

“What’s actually gathered, stored and transmitted to the carrier is determined by its end-user agreement,” he says. “And, as I’m sure you’re aware, the carriers are highly sensitive about what data they’re allowed to capture and what they’re not allowed to capture.”

One last question: Does Carrier IQ share the data it collects with other third parties beyond the carriers? A vehement no from Lenhart. “The data is the consumer’s data,” he says. “We would never take that data and distribute it to a third party. We are prohibited from doing that by our agreements.”

Trevor Eckhart did not respond to a request for comment.

(*Handy euphemism for “pattern match filtering.”)

Here’s a freshly released Carrier IQ statement:

MOUNTAIN VIEW, Calif., Dec 01, 2011 (BUSINESS WIRE) — To clarify misinformation on the functionality of Carrier IQ software, the company is updating its statement from November 23rd 2011 as follows:

We measure and summarize performance of the device to assist Operators in delivering better service.

While a few individuals have identified that there is a great deal of information available to the Carrier IQ software inside the handset, our software does not record, store or transmit the contents of SMS messages, email, photographs, audio or video. For example, we understand whether an SMS was sent accurately, but do not record or transmit the content of the SMS. We know which applications are draining your battery, but do not capture the screen.

“Having examined the Carrier IQ implementation it is my opinion that allegations of keystroke collection or other surveillance of mobile device user’s content are erroneous,” asserts Rebecca Bace of Infidel Inc., a respected security expert.

Privacy is protected. Consumers have a trusted relationship with Operators and expect their personal information and privacy to be respected. As a condition of its contracts with Operators, CIQ operates exclusively within that framework and under the laws of the applicable jurisdiction. The data we gather is transmitted over an encrypted channel and secured within our customers’ networks or in our audited and customer-approved facilities.

Carrier IQ is aware of various commentators alleging Carrier IQ has violated wiretap laws and we vigorously disagree with these assertions.

Our software makes your phone better by delivering intelligence on the performance of mobile devices and networks to help the Operators provide optimal service efficiency. We are deployed by leading Operators to monitor and analyze the performance of their services and mobile devices to ensure the system (network and handsets) works to optimal efficiency. Operators want to provide better service to their customers, and information from the device and about the network is critical for them to do this. While in-network tools deliver information such as the location of calls and call quality, they do not provide information on the most important aspect of the service – the mobile device itself.

Carrier IQ acts as an agent for the Operators. Each implementation is different and the diagnostic information actually gathered is determined by our customers — the mobile Operators. Carrier IQ does not gather any other data from devices.

CIQ is the consumer advocate to the mobile operator, explaining what works and what does not work. Three of the main complaints we hear from mobile device users are (1) dropped calls, (2) poor customer service, and (3) having to constantly recharge the device. Our software allows Operators to figure out why problems are occurring, why calls are dropped, and how to extend the life of the battery. When a user calls to complain about a problem, our software helps Operators’ customer service more quickly identify the specific issue with the phone.

46 comments
Guest

So, I am on a small data plan, and I am paying for this to be sent over that, behind my back?   This explains why my data use is nearly unpredictable.  

I am glad at least I have an iPhone where Apple has never used this like it's being used on Android.   Of course, we all know that Android has zero security, but this is just outrageous.

Arthur Tabb

Let's not forget Eckhart was on WiFi with the cellular radio turned off.

So why was CIQ still logging anything, much less everything?

Winski

Sounds like an old Blackwater defense testifying before Congress before Erik Prince decided it was easier to leave the country. ALL LIES.

Pundits and clowns will continue to spew excuses and alibis until a mountain of their rotting corpses lay in a mountain of disposables.... Go read the Federal Wiretap Law and then whoever is left, come back and apologize to the global tech community. Carrier IQ, their carrier pals and a bunch of the handset makers have violated the Wiretap Law and they need to pay the price for that... In some cases - bankruptcy.

If nothing happens, then we can all go out and start building our own wiretap devices with no fear of ramifications.... HAVE FUN !!!

Uncle Bernie

Someone posted the steps required to stop this on my iPhone, which I did. There were dozens of lines of IQ stuff in the diagnostics page, none of which was understandable to me. I had to reset all to clear it, but iCloud worked as promised and made me whole again.

Bernard Fischer

How can the carriers simultaneously collect mountains of information and provide horrible customer service? Even with caller ID, I have to give my phone # every time I get transferred to a new rep. But, I guess they're keeping track of my score on Angry Birds? How is this possible?

Zach

What a bunch of bullshit. They acknowledge that they collect all this personal information, and then we're supposed to trust their formerly secret closed source software (which is so secret that it actively takes measures to cloak its very presence on your phone) to only transmit certain bits to the mothership, and then we're supposed to trust their servers to only store certain bits of that data. If there's truly nothing to hide, why all the secrecy?

Plenty of apps phone home with debugging data, but do so in a responsible and transparent manner. These apps provide an opt-in mechanism (or at the very least, disclosure of the feature and an opt-out) and permit users to examine precisely what information is being sent. Mac OS X, for example, has a "Diagnostic and Usage Messages" tab in its Console application, pre-installed as part of the OS, where I can see all the logged data (mostly how long various Spotlight searches took).

Despite their denials, CarrierIQ is collecting and storing highly personalized data. Even the secret collection of phone numbers attached to my SMS messages is an invasion of my privacy and would require a court order if done by the police. If I have a problem and need tech support, carriers can provide me with a way to specifically collect and transmit the information they need to diagnose the problem. We see this all the time on computers: tech support will ask users to send them a log file or run a test program when they need more information. Similarly, Firefox doesn't report the URL of every webpage you visit back to Mozilla in the name of customer service; it actively asks permission to submit a report only if the browser crashes and asks for specific permission to report the address of the page you were viewing (http://www.squarefree.com/blog...

Jeff Bacon

I appreciate the straightforward information presented in this article. Too many bloggers and writers are sensationalizing this issue for press when it's almost a non-issue. Read your EULA and contracts. They'll have broad provisions for the carrier to capture data for their internal use. If you didn't read them or understand what that meant (and didn't ask) that's your own fault. Go choose a carrier that does not use Carrier IQ (there are many).

serge

Sorry, Charlie...information received is information that can, and will, be used.

xboxsold

Carrier IQ statements are outrageous. We're just supposed to TRUST them, that they will collect my private data, that they will be responsible. The fact that they CAN collect every phone number called and EVERY text sent and received is BS. We are losing our freedom everyday. This has got to STOP. Support the Electronic Freedom Foundation and keep the internet FREE and protect your electronic rights. I don't trust a company to do this PERIOD.

JohnPaczkowski

@MarketingXD my understanding is that the numeric sequences are short codes -- about three numbers or so.

Troy Weeks

Relax people. No cliff jumping. It's a diagnostic tool. The ubiquitous mobile phone appears to be just a small computer but it is a pretty complex piece of equipment working within an even more complex network. Feedback is essential to improving that system. That said a little light shining is good but let's not get crazy.

PaulJay

Big Brother CIA/NSA/Google is in your pocket.

sarahx

I see lots of quotes in this story that concern me, and nothing that is "reassuring."

I get that my carrier may already know my location from a call. Or the number that sent me a text (or even the text). Or the URLs that I visit on their network. But there is NO reason for a third-party company, whom we know nothing about and were never told about, to know all this about me. To log it. And store it.

They "claim" they don't collect specifics. How do we know? Essentially, they're saying they actually collect it all, but don't read it. How nice of them. And they only pass along what the carrier asks for. Way to hide behind your client's skirts, so to speak.

At the end of the day, I'm sick of everyone always trying to track me. If a carrier needs to know when I've dropped a call, give me a VISIBLE app to self-report it if I want. 

And if you watch Ek's video, the keylogging of everything you type is really ridiculous.

Offbeatmammal

so... in order to respond to a specific sequence of keystrokes on the minimal offchance you ever get through to an operator in a telco call center they have an app running the whole time using battery resources but cloaked in such a way that it's never visible and hasn't been vetted as a security risk by companies allowing employees to access BIS or Exchange mail etc ... no matter how they protest their innocence I'm more than a little uncomfortable

Ian Betteridge

Yes. In order to be able to enter a local diagnostic mode, a piece of software *has* to listen to your keystrokes. It doesn't have to log them, except as required to cache for that key sequence (ie if the sequence is 8 strokes long, it needs to cache 8 strokes - probably actually a few more).

Yes, it should be cloaked: It's effectively a system daemon, which on any modern computer platform should be hidden from general view. You should be able to find it by poking around - as Eckhart did - but there's no coherent reason to know it's there from a user perspective.

This is how technology works: diagnostic software on any platform is usually hidden deep away from the user. The computer you're reading this on is almost certainly running a deep process which does the same thing. 

Offbeatmammal

The point being … why does it have to run all the time listening for keystrokes. If it was really harmless and just to help a CSR debug a specific problem why not have it as a menu option that I could choose to activate/deactivate as needed? For tracking calls drop-outs, SMS failures, 3/4G signal quality etc it would be a simple matter to get the user to opt into (and install/activate) an app rather than all this cloak and dagger crap.

Matteo Panella

There are tons of wrong assumptions here:
1) the Android dialer is perfectly capable of invoking Actions and Intents whenever a specific USSD code is punched in, there is no need whatsoever for a hidden service snooping keystrokes all the time;
2) system daemons on a modern computer are *NOT* hidden on the process list of any OS: whenever a process is running but does not show up there's something fishy going on in kernel space;
3) two major OSes implement data collecting for application and system crash reporting (Windows and OSX), but _you have to explicitly opt in_. CarrierIQ, on the other hand, is running from the very first boot of your device and you have no way of opting out of it.

TRENT_PALMER

A bunch of corporate baloney if you ask me. Watch Trevor Eckhart's video. You can see CIQ literally logging keystrokes.

JohnPaczkowski

They insist it's pattern match filtering, not key-logging.

gamburg

Thanks for great reporting and thorough research John. These are the reasons why i keep coming back to this website. 

James Katt

Carrier IQ's software means the police or FBI can wiretap your phone easily since your phone is already sending all the data out - including data that should have been encrypted.  All of your passwords are also sent out - without encryption.  And you cannot stop your phone from doing this.  All of your phone numbers, your web searches, your key presses, your location, etc. are sent out of your iPhone to Carrier IQ's servers, then are passed onto the carrier.

Wow. What an invasion of privacy. This is also why Android Phones have slow reaction times. You're being monitored and recorded.

This is the primary reason to avoid Android Phones.

Traycer

You really don't understand the issues, do you?  There is nothing but assumptions and wild-assed guesses in your post.  No evidence or proof whatsoever.  Eckhart's original video never shows any sign of data actually being sent from the phone, for one thing.  For another, it is easy to stop this sort of thing from running, but Eckhart was running an unrooted phone, so he did not have access to do so.

You do realize that the phone logs this sort of background activity whether or not anything is actually watching it?  All Eckhart does in his video is display the debug log, which by design will show a lot of extraneous information going by.  It is used for diagnostic purposes, hence the name "debug log".

jdreson

How is this easy to do if you have to root your phone? You think the average user is technically competent?   

You do realize the issue is not with what a debug log is?  It is that CIQ is being notified of everything the user does. The fact that it was determined from watching the debug logs is absolutely irrelevant.  

You really don't understand the issue either, clearly.  

If CIQ is being notified of everything you do, it's trivial to have the software send out messages containing all of this data. Just because it doesn't currently doesn't mean it doesn't have the potential to.  

MagicMiguel

Two questions then:

1) Why is smartphone battery life consistently getting worse?
2) Why are Sprint & AT&T's networks the worst for dropped calls?

Something tells me your software really isn't focused on those two aspects as much as you pretend it is.

Ricky S

So they ask me to close my eyes and trust the carriers with my information.... oh well of course ... where's the opt in and opt out options? 

GiggityGoldStar

A simple opt-in should be required, like Apple did it.  Handset data belongs to the owner of the handset.  Not the carrier and not CIQ.  That's the bottom line.  This is nothing but a key logger and should be illegal and I don't understand how this does not violate wire tap laws.  Just because the data is digital, doesn't mean it isn't communication being illegally monitored.

Matt Manzella

Interesting that this guy's name is Coward. :)

OvyOneKenobee

"While a few individuals have identified that there is a great deal of information available to the Carrier IQ software inside the handset, our software does not record, store or transmit the contents of SMS messages, email, photographs, audio or video. "  - But they could if they wanted to.

Traycer

Newsflash: A great number of employees working at your phone company, your mobile carrier, your ISP, etc. have the ability and access to read all your e-mail, watch all your web browsing activity, and listen in on your phone calls. They don't do it, but they could if they wanted to. Just because someone _can_ do something, does not necessarily mean they are or will do it. You cannot presume someone guilty of a crime because they _might_ commit it. You can only charge them after they've committed it.

So far, the only things the telcos are guilty of (and it's not even on CIQ's shoulders) are not being more upfront about their quality monitoring activities, and not offering an explicit opt-out of the data collection. They are not reading your SMS or keeping a copy of the web pages you visit or storing your passwords.

Jeff Smith

The problem with their response here is that Trevor Eckhart's video clearly shows those keystrokes not only "listened to", but attempting to send the information out.  At this point, they're fucking lying.  There's no excuse for these responses.

JohnPaczkowski

Where in Eckhart's video does it show data actually being sent from the phone?

Josh Brannon

With all due respect, the author seems awfully credulous. The software has to monitor every button press and keystroke every second the phone is on on the outside chance that the user will punch in some secret code to send a data dump? They're either lying or this is tremendously poor programming form, especially on a phone where the user could be requested to run an app to perform such a task.

JohnPaczkowski

Not credulous at all. I grilled them hard and at length. And then I ran them through Al Franken's questions for good measure.

xmichaelx

Shocking they didn't crack under such intense scrutiny!

They've already lied once regarding what their software does, yet you believe they're not lying now. It doesn't make sense, does a disservice to your readers, and makes you look naive.

JohnPaczkowski

Look, I asked them the questions that I felt were top of mind for many of us. And I pushed them hard. Their answers are above. I'm not commenting on their veracity, because I'm not in a position to. 

Josh Brannon

You specifically used the sentence, "Which is reassuring." That you're explicitly taking them at face value is really the very definition of credulity.

Brianna Spacekat Wu

I found this to be more light than heat, which is great in a story with so much hysteria. Thanks for the informative reporting, John. I am still very skeptical of Carrier IQ, because declarations of noble intent are quite predictable. But, at least you get where they're coming from. 

Dale P

They see URLs but not the content? That's fine on sites that require authorisation (well it's not, but...); the majority of URLs lead you directly to their content.

I anticipate that my carrier or ISP knows the sites I visit, I don't anticipate an unknown third party knowing.

I agree with the poster, this doesn't seem like much of a grilling. And their description of the key sequence listening is awfully vague - does it keep the last X symbols in memory, comparing them to its expected sequence? Details!

Dale P

This is going to come in handy regardless of how Carrier IQ does things, thank you!

Colin Strasser

@FaustsHausUK:disqus: I hope that Carrier IQ doesn't use the matching algorithm you described below (the one used by Paul Irish for the cornify hack in 2009). It's slow and wastes memory. Look up finite state machines to see how to do this efficiently. For example, see http://tomasp.net/blog/ahocora.... The gist is that you don't need to store/search all previous keystrokes. You just have to know whether the most recent one advances you toward a successful match.

Dale P

To recognise a sequence of characters, you have to know which characters came before the current character - otherwise each is a meaningless standalone entity.

Here's an example, in JavaScript/jQuery, of listening for the Konami cheat code sequence in a web browser: http://paulirish.com/2009/corn...

With every key press, the character is added to a string array, then the code looks for the Konami key sequence in that string array. If it finds it, it unbinds the event that listens to every key press and performs an action. If it doesn't, it keeps listening till it does. If it never hears it, it may end up with everything you type within that browser window right there in memory.

If Carrier IQ use that same technique (and in my limited experience, I can't think of another way), what they are doing *is* key logging. They can minimise this if their approach has some garbage collection, e.g. if they know their sequence is 8 characters long, they only store the most recent 8 characters in memory and flush the rest first in, first out.
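
The approaches debated in the comments above (a buffer of everything typed, a first-in-first-out window, and a finite state machine), side by side as an added example that is not part of the original thread and is not Carrier IQ's code. The trigger `1121`, the key stream and all class names are constructed for illustration.

```javascript
// Added example: three ways to watch a key stream for a trigger sequence.
// CODE and STREAM are constructed placeholders, not real Carrier IQ values.
const CODE = "1121";
const STREAM = "pw:hunter2 11121"; // ordinary typing, then the trigger after a stray "1"

// 1) Append every key and search the buffer (the technique described above).
//    Everything typed stays in memory for as long as the listener runs.
class AppendAllDetector {
  constructor(code) { this.code = code; this.keys = []; }
  feed(key) {
    this.keys.push(key);
    return this.keys.join("").endsWith(this.code);
  }
  retained() { return this.keys.join(""); }
}

// 2) First-in, first-out window: keep only the last code.length keys.
class SlidingWindowDetector {
  constructor(code) { this.code = code; this.window = ""; }
  feed(key) {
    this.window = (this.window + key).slice(-this.code.length);
    return this.window === this.code;
  }
  retained() { return this.window; }
}

// 3) State machine (Knuth-Morris-Pratt): keep one integer, the number of
//    leading characters of CODE matched so far. No typed key is stored.
function buildFailureTable(code) {
  const fail = new Array(code.length).fill(0);
  for (let i = 1, k = 0; i < code.length; i++) {
    while (k > 0 && code[i] !== code[k]) k = fail[k - 1];
    if (code[i] === code[k]) k++;
    fail[i] = k;
  }
  return fail;
}

class StateMachineDetector {
  constructor(code) {
    this.code = code;
    this.fail = buildFailureTable(code);
    this.state = 0;
  }
  feed(key) {
    // On a mismatch, fall back to the longest prefix that still fits,
    // so "11121" is not missed the way a reset-to-zero matcher would miss it.
    while (this.state > 0 && key !== this.code[this.state]) {
      this.state = this.fail[this.state - 1];
    }
    if (key === this.code[this.state]) this.state++;
    if (this.state === this.code.length) {
      this.state = this.fail[this.state - 1];
      return true;
    }
    return false;
  }
  retained() { return ""; } // nothing beyond `state` survives between keys
}

// Feed a stream key by key; report where the trigger fired and what
// typed text the detector is still holding afterwards.
function run(detector, stream) {
  let hitAt = -1;
  [...stream].forEach((key, i) => {
    if (detector.feed(key) && hitAt < 0) hitAt = i;
  });
  return { hitAt, retained: detector.retained() };
}

for (const D of [AppendAllDetector, SlidingWindowDetector, StateMachineDetector]) {
  console.log(D.name, run(new D(CODE), STREAM));
}
```

All three fire on the same keystroke; they differ only in what is left in memory afterwards: the whole stream, the last four keys, or a single counter.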

MarketingXD

@JohnPaczkowski:disqus Re: "They explicitly said they are only looking for numeric sequences that trigger a diagnostic cue within the software."

You realize that the phrase "numeric sequences" includes everything a smartphone does? Because text and button presses are just numbers to a computer. So this doesn't provide any extra assurance. Did they give you a list of these diagnostic cues?

JohnPaczkowski

They explicitly said they are only looking for numeric sequences that trigger a diagnostic cue within the software. They ignore everything else.

wardmundy

So the only thing standing between Big Brother and your confidential communications is the honesty of the carriers? Now that's reassuring!

Tati

And oh, when were they planning to reveal this to end users?

Ricky S

never ..... this is a shady tool until someone finds a way to "listen" or intercept that information ... I understand why they use it but it shouldn't manage that way ..... very shady ...
