Apparently this has been rumbling on for a while, but this is the first I've heard about it.
Everything You Need To Know About The Carrier IQ Privacy Controversy (So Far)



Also,
What is Carrier IQ? Is My Phone Spying On Me?

Plus,
How to turn off Carrier IQ on your iPhone

If this was on your PC, wouldn't it be classed as malware or a keylogger? Seems like it's the networks, and not the manufacturers, that are insisting on it being on our smartphones.

So, comments? Harmless piece of software, or something to be concerned about?

So, it can even track the codes you enter if you use your smartphone for banking?

Security has always been one area I've never really heard discussed in the open public domain as much as PC security.

If it was on a PC it would be flagged up and removed as malware.

The fact that manufacturers are saying they're not using information such as emails, key logging, websites visited etc isn't the real concern to me - it's the fact that the potential for this information being collected and transmitted to a third party (i.e not the manufacturer or the network) opens up far wider privacy and security concerns. For example, is that information transmitted securely and also encrypted when it's stored on this third party's servers? I bet it isn't!!

Here's Trevor Eckhart's video on YouTube...
http://www.youtube.com/user/TrevorEckhart
(it's a bit geeky and long winded, but it does show that keys are logged, URLs records, SMS messages recorded, etc)

As I understand it, Carrier IQ still remains in iOS 5.0.1, but unsupported - but Apple are planning on removing it in a later update, possibly 5.0.2?

Still, at least Apple provide a way to turn the "feature" off, seemingly unlike other manufacturers which could be transmitting all sorts of information to this third party. If the other manufacturers' statements are to be believed, then some of them weren't aware of this software being installed by the networks. I'm not sure I really believe that.

Or more worryingly, a third party may get hold of the data. Look at the Sony and Steam cracks that have happened recently...

Indeed.

Whether the data is used or not it is stored somewhere. No matter what any company says, all data is vulnerable.

Thankfully, as far as the reading of the topic I've managed so far, Carrier IQ don't operate in the EU; in fact the general consensus seems to be it would be illegal to install their 'agent' software on phones sold within the EU. Of course that may be an issue if you've imported an unlocked phone from some other part of the world or bought it off eBay for example.

As to the data being transmitted - it may not be stored unless/until it's required, but nobody outside carrier IQ actually knows. The thing that's driving this issue isn't the stuff they're known to have done, it's the stuff people don't know for certain they haven't done, if you follow. In the end though, this is about the phone service providers - they want to use the Carrier IQ's facilities and they ask for it to be installed on the phones they sell. It's notable a couple of US carriers have already come out and said 'don't look at us guv, we don't use it'. if/when not using Carrier IQ becomes a selling point in a very competitive market, you can bet they'll all stop soon enough.

Will it come to much in the end? Probably not. Even a class action suit requires some evidence of loss of some sort on the part of the phone owner and, as far as I know, no such evidence exists. It's a pretty low trick on the carrier's part, but was anyone under the delusion they anything but a bunch of bastards anyway?

Jon

Google have stated that this software is not on any of their Nexus phones, including the Galaxy Nexus. I am safe.

Nope (to the origonal Question) - but then I have a Nokia N70

Well, as I say in the EU you're fine but the denials from the manufacturers mean nothing. They aren't the ones that are putting the stuff on in the first place, the carriers are. All the manufacturers are declaring is the agent software is not part of the base OS install. That's rather like Smith & Wesson saying their guns are 100% safe because they don't ship them with any bullets in.

Jon

Ho hum. Considering that my software build isn't network-modified anyway, but I digress...

There's also this to consider.

Carrier IQ 'not used by UK mobile networks'

If you aren't using AT&T or Sprint sourced 'phones, or iPhone 3G/3GS or 4S with a version of iOS prior to 5 (iPhone 4 is still using it with 5 though), then you arenn't going to have it on your phone.

The big problem is, nearly every major blogging and news site has published this, without actually checking their facts. Heck, most of them just reported what the guy said on the video, without actually checking it! The guy talks of "packet sniffing", yet he has the phone in Flight mode (no network usage) and all the information that is shown is USB Debugging mode!

USB Debugging != Network packet sniffing!!!!!!!

What could have been a very interesting story has been rendered pretty mute by ineffective testing.

From the video, we know the following:

• An htc Evo on the Sprint network had the software installed
• In debug mode, the operating system traps give a lot of raw data to the CIQ software

What we don't know from the video:

• What CIQ software does with the information it receives from the OS
• What information it actually sends home
• Whether said information is anonymised
• Whether said information includes any excess information (URLs, text from text messages etc.)
• What other model and makes of phone are affected

Through testing and looking at knowledgeable sources, we can safely say:

• htc, Samsung and other Android manufacturers have only put the software on certain models of phone, which were destined for certain US carriers (AT&T and Sprint at the moment, Verizon haven't used it and T-Mobile USA hadn't made a statement before I went to be last night)
• Apple did use it, up until version 5 of iOS, but since then, it has been removed from most models, although the iPhone 4 still has traces of the software, but it will be removed in coming updates
• RIM have never installed it on any of their devices and they have never authorised any carrier to install the software
• There is no version for Nokia Symbian phones (which could explain their unpopularity with the US networks)
• There is no version for Windows Phone 7 (which, again, might explain why carriers in the US have not been promoting WP7)
• O2, Vodafone & Orange all said that they have never used it (an O2 anonymous source said CIQ had approached O2, but they weren't interested in the software)
• T-Mobile, Vodafone, O2 and E-Plus in Germany have all said they have never used it
• The Portugal carriers had also said they never used it
• heise.de (German tech news site) checked all phones in their office and found no traces of CIQ on any of them
• All independent reports from readers on the European news forums are showing negatives, none have so far found CIQ
• My Sensation, the Desire HD and the Samsung GSII of colleagues at work are clean (unbranded, Vodafone and T-Mobile respectively)

For those outside of America and those in America, who don't use Sprint or AT&T, this seems to be very much a non-story.

The quality of the journalism from the major tech sites (and the amount of knowledge they have exhibited) is of a shockingly low standard.

CIQ spoke out yesterday as well, claiming that they collect the date/time a call was made, which cell tower was used, and if an SMS fails to be sent, they record the date/time and cell,, so that the carrier can improve their network security.

They also said, that the information is transmitted in encrypted form and does not include URL, SMS text or any other information that is not relevant to dropped calls or failed SMS sending.

And that the data is not sent in real time, the data is collected on the phone and transmitted in blocks back to CIQ - which, if it is recording dropped calls and failed SMSs, isn't surprising, because they probably wouldn't be able to get a connection at the time anyway.

That said, nobody has yet actually packet sniffed an affected handset, to see exactly what IS sent, but as the information is encrypted, it will take a bit of work to crack the data packets and be able to inspect them.

And, tbf, the OS install does ask you if you wanted to send 'diagnostic information' back to Apple (although I can't remember if it's opt-in or opt-out) and you can disable it from the GUI. I think people are getting wound up by Carrier IQ as much by the surreptitious nature of it as what it's actually logging. If something is having to hide itself, your immediate assumption is you wouldn't like what it's doing.

As to the standard of web journalism, or lack of it, I thoroughly agree. Sadly, it's not at all a new phenomenon.

Jon

I believe that the other models also had an opt-in/out when setting the device up.

For Apple, I can understand them finding the dropped calls information useful, after the problems they've had with pretty much every version dropping calls on a regular basis (especially on AT&T in America).

I haven't heard that mentioned before tbh. I can't really say first hand given their lack of presence in the EU.


You know Dave, I've got a little challenge for. Try and go at least a week without turning every gadget related thread into complaining about Apple, eh?