German regulators inquire about Apple's use of Carrier IQ

Posted:
in iPhone edited January 2014
Attention surrounding Carrier IQ, software found on mobile phones that can record detailed information about how and even where a device is used, has prompted a German data regulator to seek answers from Apple.



Apple issued a statement on Carrier IQ on Thursday, revealing that the data logging software has not been a part of "most of its products" since the release of iOS 5 in October, though traces of the inactive software do remain and will be removed in a future update. But the Bavarian State Authority for Data Protection seeks more answers than Apple provided in its two-sentence statement.



"We read in the press about the privacy concerns the software may pose and decided to ask Apple about the details, " Thomas Kranig, head of the data protection authority, said in an interview with Bloomberg. "If Apple decided to cease the use, all the better."



While much of the attention surrounding Carrier IQ has been about U.S. carriers, the company does have offices for customers in the Europe and Asia Pacific regions. Its U.S. headquarters is in Mountain View, Calif.



Apple was not named in a letter sent to Carrier IQ on Thursday by U.S. Sen. Al Franken, D-Minn., requesting information on how the company's software works. Franken has shown concern that Carrier IQ has the ability to log and transmit "extraordinarily sensitive information," including specific keys pressed and numbers dialed on a smartphone.



"We stopped supporting Carrier IQ with iOS 5 in most of our products and will remove it completely in a future software update," Apple's official statement on the matter reads. "With any diagnostic data sent to Apple, customers must actively opt-in to share this information, and if they do, the data is sent in an anonymous and encrypted form and does not include any personal information. We never recorded keystrokes, messages or any other personal information for diagnostic data and have no plans to ever do so."



The Carrier IQ controversy took off this week when security researcher Trevor Eckhart uploaded a video demonstrating how the software secretly runs in the background on a stock Android-based handset from HTC, even when in airplane mode with cellular data disabled. Carrier IQ was tracked as having access to every action conducted with the Sprint phone, including key presses, numbers dialed, contents of text messages, websites visited, and even location of the phone itself.







Like Apple, Google has distanced itself from the Carrier IQ controversy, stating that it does not include the company's software in its own devices with the stock version of Android, such as Nexus phones and the original Xoom tablet. But because Android is open source, that has given U.S. carriers, and hardware makers, the ability to quietly add Carrier IQ software into their phones, and run it in a way that it doesn't even appear in the operating system's list of active tasks.



Defending itself, Carrier IQ has said its software counts and summarizes the performance of handsets in an effort to aid carriers. Its software is installed on more than 141 million handsets, and Carrier IQ claims its customers "have stringent policies and obligations on data collection and retention," while its software is "not recording keystrokes or providing tracking tools."







Speaking to John Paczkowski of All Things D, a spokesperson for Carrier IQ explained that while the company's software can "listen" to a smartphone keyboard, it doesn't log or understand keystrokes. This can be used for a technician to have a customer enter a certain code that Carrier IQ will understand.



"It's simply looking for numeric sequences that trigger a diagnostic cue within the software," Paczkowski wrote. "If it hears that cue, it transmits diagnostics to the carrier."



The company explained that it's actually the carriers who decide what is to be collected and how long it's stored. Carrier IQ said that data is typically kept for about 30 days, and the data is in control of the carriers the entire time.







Among U.S. carriers, Verizon has outright denied that it uses Carrier IQ in any of its handsets. In a statement to GigaOm, the company said claims that Verizon uses Carrier IQ are "patently false."



But the other three major U.S. carriers -- AT&T, Sprint and T-Mobile -- have admitted that they do in fact use Carrier IQ. In statements provided to Computerworld, the carriers said the software is used to improve wireless network performance. Handset makers HTC and Samsung said Carrier IQ was integrated into their handsets at the requests of those carriers.

Comments

  • Reply 1 of 20
    gqbgqb Posts: 1,934member
    Rule #1 in grabbing attention:

    If you can find a way to invoke 'Apple' (no matter how peripherally) do so. Guarantees you headlines.
  • Reply 2 of 20
    I've no problem with opting-in with Apple, but my issue is with Carrier IQ. Why doesn't Apple integrate their own software? Who the heck is this Carrier IQ? I don't want my info sent through their servers and databases.



    This news is very disappointing!
  • Reply 3 of 20
    nairbnairb Posts: 253member
    Quote:
    Originally Posted by bloggerblog View Post


    I've no problem with opting-in with Apple, but my issue is with Carrier IQ. Why doesn't Apple integrate their own software? Who the heck is this Carrier IQ? I don't want my info sent through their servers and databases.



    This news is very disappointing!



    Opt out then (assuming you opted in) - I assume that this is not difficult, although I am not an iPhone user.
  • Reply 4 of 20
    solipsismxsolipsismx Posts: 19,566member
    Did the German regulators ask anyone or just Apple?





    Quote:
    Originally Posted by bloggerblog View Post


    I've no problem with opting-in with Apple, but my issue is with Carrier IQ. Why doesn't Apple integrate their own software? Who the heck is this Carrier IQ? I don't want my info sent through their servers and databases.



    This news is very disappointing!



    I'm certain that Apple is using their own analytics. I'm certain there are other analytic software on phones that is being used that wasn't disclosed this week. It's only a big deal if it's 1) not anonymous, 2) you are not able to opt-out, 3) if they aren't disclosing what is being recorded, 4) if it's recording personal info like URLs, and/or 5) it has unacceptable features like a keylogger.
  • Reply 5 of 20
    Quote:
    Originally Posted by Nairb View Post


    Opt out then (assuming you opted in) - I assume that this is not difficult, although I am not an iPhone user.



    I did, however, I've been using iDevices since '07, and consumers need to know this kind of crap, I didn't know the info was filtering through a third party whose software records keystrokes and submits unencrypted HTTPS data. Apple may not be collecting such data but CIQ might've been since the data goes to their servers before being analyzed and sent to Apple.
  • Reply 6 of 20
    Apple is the only company using Carrier IQ that requires you to opt-in. It's the implementation that even implies that something like that is operating on your phone.



    So let's ask Apple what this is all about.



    Apple is the new E.F. Hutton.
  • Reply 7 of 20
    gwydiongwydion Posts: 1,083member
    Quote:
    Originally Posted by SolipsismX View Post


    Did the German regulators ask anyone or just Apple?



    Only Apple.



    And it seems that it is because the only manufacturer that has said that is using Carrier IQ is Apple.



    And, at least until now, the only phones where Carrier IQ has been found are US phones.
  • Reply 8 of 20
    Quote:
    Originally Posted by SolipsismX View Post


    Did the German regulators ask anyone or just Apple?









    I'm certain that Apple is using their own analytics. I'm certain there are other analytic software on phones that is being used that wasn't disclosed this week. It's only a big deal if it's 1) not anonymous, 2) you are not able to opt-out, 3) if they aren't disclosing what is being recorded, 4) if it's recording personal info like URLs, and/or 5) it has unacceptable features like a keylogger.



    My concern is that CIQ records all data, sends it to their servers, and then sends analyzed data to Apple. The problem is CIQ, I do not want my data going to anyone other than Apple when I opt-in, especially unencrypted HTTPS info and keystrokes.
  • Reply 9 of 20
    Quote:
    Originally Posted by SolipsismX View Post


    Did the German regulators ask anyone or just Apple?



    They asked just Apple, given that so far in Germany Carrier IQ has only been found on iPhones, not on other devices.
  • Reply 10 of 20
    solipsismxsolipsismx Posts: 19,566member
    Quote:
    Originally Posted by bloggerblog View Post


    My concern is that CIQ records all data, sends it to their servers, and then sends analyzed data to Apple. The problem is CIQ, I do not want my data going to anyone other than Apple when I opt-in, especially unencrypted HTTPS info and keystrokes.



    I'm pretty certain the data was anonymized, sent using SSL, and never recorded any high level actions. Not having it filter through multiple companies would be nice but it's not a deal breaker for me if enough precautions are taken on the device end.





    Quote:
    Originally Posted by el3ktro View Post


    They asked just Apple, given that so far in Germany Carrier IQ has only been found on iPhones, not on other devices.



    Carrier IQ, sure, but that's not the issue. The issue is carriers requesting OEMs to monitor certain actions. The questions that should be asked are:
    1. What analytic companies are used?

    2. What analytics are being recorded?

    3. How are they being sent?

    4. Where are they being sent?

    Carrier IQ isn't the villain here.
  • Reply 11 of 20
    Quote:
    Originally Posted by SolipsismX View Post


    I'm pretty certain the data was anonymized, sent using SSL, and never recorded any high level actions. Not having it filter through multiple companies would be nice but it's not a deal breaker for me if enough precautions are taken on the device end.



    Unfortunately it wasn't, and actually any site you visited under Secure-HTTP or HTTPS to logon or make a purchase, your data was sent to ICQ without any encryption, your username and password goes to their servers as exposed text.



    Watch the videos
  • Reply 12 of 20
    'Just because I'm paranoid doesn't mean they're not out to get me.'
  • Reply 13 of 20
    solipsismxsolipsismx Posts: 19,566member
    Quote:
    Originally Posted by bloggerblog View Post


    Unfortunately it wasn't, and actually any site you visited under Secure-HTTP or HTTPS to logon or make a purchase, your data was sent to ICQ without any encryption, your username and password goes to their servers as exposed text.



    Watch the videos



    You're talking about devices with Android or iOS? I am talking strictly about iOS. If there is a video showing my iOS passwords going to Carrier IQ in plaintext there will be a class action filed by the end of day.
  • Reply 14 of 20
    dentdent Posts: 10member
    Apple's implementation of Carrier IQ doesn't appear to include access to keylogging\\messaging! iPhone hacker\\jailbreaker Chpwn, dissected the software and found no connection to the UI.



    Quote:

    ..I am reasonably sure it has no access to typed text, web history, passwords, browsing history, or text messages, and as such is not sending any of this data remotely.



    read the report on his blog, and if you're still bothered, you can always disable reporting - unlike on Android, Nokia & Blackberry iterations of the software.
  • Reply 15 of 20
    muppetrymuppetry Posts: 3,331member
    Quote:
    Originally Posted by bloggerblog View Post


    Unfortunately it wasn't, and actually any site you visited under Secure-HTTP or HTTPS to logon or make a purchase, your data was sent to ICQ without any encryption, your username and password goes to their servers as exposed text.



    Watch the videos



    That has certainly been claimed to be the case on Android devices, but not on iOS devices as far as I can see, which is consistent with Apple's statement (below) on the subject. The linked video only looked at two Android phones, unless I missed something. Are there others?



    ?We stopped supporting Carrier IQ with iOS 5 in most of our products and will remove it completely in a future software update. With any diagnostic data sent to Apple, customers must actively opt-in to share this information, and if they do, the data is sent in an anonymous and encrypted form and does not include any personal information. We never recorded keystrokes, messages or any other personal information for diagnostic data and have no plans to ever do so.?
  • Reply 16 of 20
    tsatsa Posts: 129member
    I am waiting for a statement of Ms Kroes about this issue.
  • Reply 17 of 20
    Quote:
    Originally Posted by AppleInsider View Post


    U.S. carriers -- AT&T, Sprint and T-Mobile -- have admitted that they do in fact use Carrier IQ.



    the carriers said the software is used to improve wireless network performance.



    Handset makers HTC and Samsung said Carrier IQ was integrated into their handsets at the requests of those carriers.



    serves you right! anyone who only ever gets phones on contract through carriers, and never actually buy factory unlocked ones deserve all this crap and more.
  • Reply 18 of 20
    tsatsa Posts: 129member
    Quote:
    Originally Posted by sarges View Post


    serves you right! anyone who only ever gets phones on contract through carriers, and never actually buy factory unlocked ones deserve all this crap and more.



    Why is that? Please elaborate.
  • Reply 19 of 20
    No wonder the ads are eerily relevant. I mean, I'm on Jupiter right now and many of many ads are saying 'meet earthy Juipters now' and has a whole bunch of pics of hot girls! I'mma sign up ya'll!
  • Reply 20 of 20
    So if the carriers, ie. Verizon, ATT, Sprint etc. have nothing to hide and are not engaging in something that is not forthrightly being disclosed to their customers, why are they behaving as if they do have something to hide?



    I don't recall seeing any disclosure nor opt -in request that authorizes them to record in any fashion or other my use, conversation searches etc.



    You start with secret detentions, secret prisons, creative language to describe torture and we roll down a slippery slope where the shadow government ( corporate miscreants) feels it has the same privilege and immunity.



    Who is guarding our democracy?
Sign In or Register to comment.