Your smartphone is spying on you.

[PlutonianEmpire]

I dunno how long this link will last, considering it's Yahoo!, but who knows.

http://news.yahoo.com/smartphone-spying-204933867.html

An Android developer recently discovered a clandestine application called Carrier IQ built into most smartphones that doesn't just track your location; it secretly records your keystrokes, and there's nothing you can do about it.

Tons of applications do this, and you're probably used to those boxes that pops up on your screen and ask if you want to help the company by sending your data back to them. If you're concerned about your privacy, you just tap no and go about your merry computing way. As security-conscious Android developer Trevor Eckhart realized, however, Carrier IQ does not give you this option, and unless you were code-savvy and looking for it, you'd never know it was there.

Eckhart wrote an exhaustive blog post about his startling findings -- CarrierIQ collected lots data, including keystrokes, and there way for the user to opt out "without advanced knowledge" -- and CarrierIQ flipped out.

Is this crossing the line? If not, at which point DOES it cross the line? If it is crossing the line, why?

At what point will we all collectively say, "Enough!", and end these blatant invasions of privacy? Will congress do anything about this?

 

[Skwink]

And that's why I don't have a smartphone!

Actually, it's because I can't afford one.

 

[Cutlass]

Good thing my phone is kinda dumb It can't even text.

 

[Godwynn]

At least someone is listening.

 

[Maniacal]

I`m not the least bit surprised.

 

[SouthernKing]

What scares me is how I just got a new android last week...

 

[Zelig]

Not my Windows Phone!

 

[Elrohir]

I've watched his video, and the Carrier IQ program is shown under the programs installed on the phone, although not under running programs, even though there's an (ineffectual) option to force-stop it, implying that it is in fact running. The program itself is called "HTCIQ," I believe. I have a non-HTC android phone, and there's no corresponding program with "IQ" in the name that I can find -- do we know for sure if they all are called some version of that? It'd be nice to know if I've got a rootkit on my phone.

And yeah, this is pretty ridiculous. There should be an investigation, and if there's evidence that they know this was happening (and I don't see how they couldn't, even if they didn't use the data) there should be criminal charges filed. Petty fines aren't enough; we need to throw some people in jail. Tracking people's private data without at least notifying them is, and should be, a criminal matter.

 

[Joecoolyo]

Good thing my phone is to much of a moron to do any of this.

 

[Antilogic]

What's more sad: that Eckhart might lose this battle, or that it's only going to get worse from here on out?

 

[Mise]

Actually there is a lot you can do about it. You can install an AOSP ROM (i.e. one based on the Android Open Source Project), such as Cyanogenmod. You can remove the files manually, or you use the tools that XDA devs have made to remove it (search the XDA forums for more info on CIQ removal).

The culprits here are the carriers and the phone manufacturers. They add a whole load of crap to the phones, which tend to have security holes in them. Hell, I was just reading about one this morning: http://www.theregister.co.uk/2011/11/30/google_android_security_bug/ <-- this one, like the CIQ spyware, is caused directly by manufacturers and carriers adding flawed software to your phone.

More info on CIQ from XDA: http://www.xda-developers.com/android/the-rootkit-of-all-evil-ciq/
The dude's blog: http://androidsecuritytest.com/features/logs-and-services/loggers/carrieriq/

Anyway, this is just another reason to remove the bloated crap that manufacturers and carriers pile onto your phone and install a cleaner ROM. Or to buy a pure Android Google phone in the Nexus line.

 

[onedreamer]

Is this crossing the line? If not, at which point DOES it cross the line? If it is crossing the line, why?

Definitely crossing the line. Recording keystrokes is illegal afaik as it is an easy method to circumvent the vast majority of security measures (passwords). I don't think the Congress has to do anything about it, this can't exist period.

As far as what you can do to stop it, I think the easiest and most effective solution is return the smartphone. Should everyone do this I doubt that this kind of practice would have a lasting future.

 

[The_J]

Not my Windows Phone!

You can't be sure.
That spyware has also been seen on iOS (see here, at the bottom), so i'd not rely on the OS as the defense.
And as Mise said above, the problem are the carriers and manufacturers.

 

[Zelig]

Actually there is a lot you can do about it. You can install an AOSP ROM (i.e. one based on the Android Open Source Project), such as Cyanogenmod. You can remove the files manually, or you use the tools that XDA devs have made to remove it (search the XDA forums for more info on CIQ removal).

The culprits here are the carriers and the phone manufacturers. They add a whole load of crap to the phones, which tend to have security holes in them. Hell, I was just reading about one this morning: http://www.theregister.co.uk/2011/11/30/google_android_security_bug/ <-- this one, like the CIQ spyware, is caused directly by manufacturers and carriers adding flawed software to your phone.

More info on CIQ from XDA: http://www.xda-developers.com/android/the-rootkit-of-all-evil-ciq/
The dude's blog: http://androidsecuritytest.com/features/logs-and-services/loggers/carrieriq/

Anyway, this is just another reason to remove the bloated crap that manufacturers and carriers pile onto your phone and install a cleaner ROM. Or to buy a pure Android Google phone in the Nexus line.

Or buy a Windows Phone, where MS doesn't allow carriers to install crap that can't easily be removed.

You can't be sure.
That spyware has also been seen on iOS (see here, at the bottom), so i'd not rely on the OS as the defense.
And as Mise said above, the problem are the carriers and manufacturers.

After the crap MS has been through in the past, I'd be quite surprised if they allowed something like this to slip through.

And the OS makers really shouldn't be allowing carriers any control over the OS, all carriers should do is provide a SIM and service to that SIM.

 

[Mise]

Well, given the particular insidiousness of HTC's implementation of CIQ, I would be surprised if HTC's Windows phones didn't also have this or something similar.

 

[Zelig]

Well, given the particular insidiousness of HTC's implementation of CIQ, I would be surprised if HTC's Windows phones didn't also have this or something similar.

I'll bump this thread in a couple months when there still isn't any evidence that Windows Phones have anything similar.

MS has been pretty adamant that manufacturers and carriers don't get to install things that aren't obvious to the user. Even manufacturers that add pure hardware settings (screen brightness controls, sensor controls, dock controls, etc.) must do so in the form of removable apps. The only other customizations allowed AFAIK are various debugging and diagnostic shortcuts.

And FWIW, from the blog of the guy who found the iOS implementation: "It appears that if you really care about this, Windows Phone 7 is the only mobile operating system without this installed. ;P"

 

[Mise]

Fair enough about MS and customisation, but that last statement by the blog guy isn't true. Android doesn't have CIQ installed... MotoBlur, TouchWiz, HTC Sense, etc have CIQ installed, not Android.

 

[Zelig]

Those are semantics, and not very accurate ones. Those are just packages of OS customization applied to the Android OS, everything they contain are still "installed" to a particular Android phone.

 

[Mise]

It's not "semantics" at all, and it's far more accurate than claiming that WP7 is the only "mobile operating system" without CIQ. Android is a "mobile operating system" without CIQ, and any Android device without specific carrier/OEM modifications ships without CIQ. So it's not at all accurate to say that WP7 is the only "mobile operating system" without CIQ, because there are many Android phones that do not have CIQ. Neither of my Android phones have it, or have ever had it, at any point since I bought either of them. So far there are more Android phones that don't have it than ones that do. Telling people to "buy a WP7 phone" on the basis of CIQ being present on certain Samsung and HTC phones is terrible advice.

 

[Veles]

Solution: going back to classic stuff.