Welcome to the MacNN Forums.


Carrier IQ and Apple iPhone
amazing
Professional Poster
Join Date: Jan 2003
Dec 2, 2011, 04:10 PM
 
Everybody read up on Carrier IQ? Talk about questionable software to put on any phone!
Video shows secret software on millions of Android, BlackBerry, and Nokia phones logging everything you do – MacDailyNews - Welcome Home

Consensus is that it affects Android way more than Apple iOS.

On the other hand, here's Apple's statement on having Carrier IQ on iPhones:

According to Apple, "We stopped supporting Carrier IQ with iOS 5 in most of our products and will remove it completely in a future software update. With any diagnostic data sent to Apple, customers must actively opt-in to share this information, and if they do, the data is sent in an anonymous and encrypted form and does not include any personal information. We never recorded keystrokes, messages or any other personal information for diagnostic data and have no plans to ever do so."
Apple ended Carrier IQ support with iOS 5 | Macworld

Why are people letting Apple get away with a totally evasive and ambiguous statement? Quote: "We stopped supporting Carrier IQ with iOS 5 in most of our products..."

What does that statement mean? Why, a statement that vague could mean that Carrier IQ is still supported in iPhone 4S under iOS 5...it could mean virtually anything!

Another way of stating Apple's totally ambiguous statement is to reverse the "negation" portion as follows:

Original Apple Statement: "We stopped supporting Carrier IQ with iOS 5 in most of our products..."

Reversed Apple Statement: "We support Carrier IQ with iOS 5 in one or more of our products..."

That's pretty clear, isn't it?

The other way to interpret Apple's statement is that Apple used Carrier IQ on most Apple products up until just recently, namely iOS 5--doesn't that sound pretty horrible? How many years has Apple been using it? Again, from Apple's statement, their use isn't nearly as horrifying as on Android products...

PS: I'm reposting my own comments from the article on MacWorld.com...
     
P
Moderator
Join Date: Apr 2000
Location: Gothenburg, Sweden
Dec 2, 2011, 05:36 PM
 
Carrier IQ is present on iOS 5, but not enabled by default - you get a question during upgrading if you want to enable it. It can also be disabled later if you go into Settings -> General -> About and then the Diagnostics title at the bottom. From there, you can also see exactly what it sends. This means that it is nowhere near as hidden as it is on certain Android phones (NOTE: Not all Android phones. The default Android build does not include it at all).

Don't quite remember how it worked on iOS 4.
The new Mac Pro has up to 30 MB of cache inside the processor itself. That's more than the HD in my first Mac. Somehow I'm still running out of space.
     
olePigeon
Clinically Insane
Join Date: Dec 1999
Dec 2, 2011, 05:49 PM
 
At least it's not an Android phone.
"…I contend that we are both atheists. I just believe in one fewer god than
you do. When you understand why you dismiss all the other possible gods,
you will understand why I dismiss yours." - Stephen F. Roberts
     
amazing  (op)
Professional Poster
Join Date: Jan 2003
Dec 2, 2011, 06:11 PM
 
So, why didn't Apple say unequivocally that under iOS 5 Carrier IQ isn't supported on ALL products?

Which product is the one that is still supporting Carrier IQ?

And, in this season of Thanksgiving, let us all give thanks that iPhones don't run Android!
     
Cold Warrior
Moderator
Join Date: Jan 2001
Location: Polwaristan
Dec 2, 2011, 06:16 PM
 
They said the iPhone 4 still had CIQ.

CIQ has been shown on Android to log and report keystrokes. Apple says their use of CIQ never did that. It'd be nice if they had a more detailed FAQ up.
     
mduell
Posting Junkie
Join Date: Oct 2005
Location: Houston, TX
Dec 2, 2011, 06:18 PM
 
Originally Posted by amazing:
Consensus is that it affects Android way more than Apple iOS.
Originally Posted by Cold Warrior:
CIQ has been shown on Android to log and report keystrokes. Apple says their use of CIQ never did that. It'd be nice if they had a more detailed FAQ up.
*cough*: "The application does not record and transmit keystroke data back to carriers," Rosenberg told CNET. His reverse-engineering showed that "there is no code in Carrier IQ that actually records keystrokes for data collection purposes."
     
amazing  (op)
Professional Poster
Join Date: Jan 2003
Dec 2, 2011, 07:34 PM
 
Yep, there's still a whole bunch of confusion surrounding Carrier IQ...and quoting an article that appeared just today simply extends the confusion--because what details are gonna come out tomorrow? Is that CNET article the final word?

I like Andy Ihnatko's take on it:

"The Apple community’s initial reaction of “Well, sure, you have to put up with that kind of crap when you buy an Android phone, don’t you?” was quickly stifled when a few Carrier IQ droppings were found on iPhones going back three generations of iOS."
Questions you should ask now that Carrier IQ has become a ‘gate’ - Chicago Sun-Times
     
BLAZE_MkIV
Professional Poster
Join Date: Feb 2000
Location: Nashua NH, USA
Dec 2, 2011, 11:57 PM
 
My issue isn't that anyone was using software like this to collect performance metrics, but that the government somehow thinks it's okay that the companies can / must share it with anyone with a badge without probable cause. Given the low bar for privacy of customer information, companies shouldn't be allowed to collect any information not directly related to billing.
     
Cold Warrior
Moderator
Join Date: Jan 2001
Location: Polwaristan
Dec 3, 2011, 10:39 AM
 
I stand corrected on reporting keystrokes, inasmuch as we can tell at present from forensics and denials. Nonetheless a Wired story with the company shows how disturbing this software is when it is not anonymized, particularly full URL reporting. Carrier IQ Admits Holding ‘Treasure Trove’ of Consumer Data, But No Keystrokes | Threat Level | Wired.com
     
amazing  (op)
Professional Poster
Join Date: Jan 2003
Dec 3, 2011, 12:47 PM
 
The most baffling part is that Apple thought this software was OK to put on the iPhone. Apple thought nobody would be offended and totally enraged when the software was discovered on the iPhone.

How could Apple think they could get away with this?

You kind of hold Android to a lesser standard (being thought of as riddled with Swiss cheese loopholes) but a whole bunch of somebodies at Apple had to be sticking their heads someplace where heads oughtn't be...
     
mduell
Posting Junkie
Join Date: Oct 2005
Location: Houston, TX
Dec 3, 2011, 02:38 PM
 
Originally Posted by amazing:
The most baffling part is that Apple thought this software was OK to put on the iPhone. Apple thought nobody would be offended and totally enraged when the software was discovered on the iPhone.

How could Apple think they could get away with this?

You kind of hold Android to a lesser standard (being thought of as riddled with Swiss cheese loopholes) but a whole bunch of somebodies at Apple had to be sticking their heads someplace where heads oughtn't be...
Google does not ship AOSP (Android source code) with Carrier IQ, and does not load it on their own phones (Nexus One, Nexus S, Galaxy Nexus).
     
amazing  (op)
Professional Poster
Join Date: Jan 2003
Dec 3, 2011, 03:41 PM
 
Originally Posted by mduell:
Google does not ship AOSP (Android source code) with Carrier IQ, and does not load it on their own phones (Nexus One, Nexus S, Galaxy Nexus).
Correct: Google's cool. The more articles come about the whole thing, turns out it's the carriers that are the villains--namely ATT et al, but not VZ.

Big question is how Apple allowed ATT to require C-IQ. Apple must've wanted it for its own purposes.

Next big question is whether Apple will issue updates taking CIQ off for those iPhones that can't run iOS 5.
     
Waragainstsleep
Posting Junkie
Join Date: Mar 2004
Location: UK
Dec 3, 2011, 03:55 PM
 
My guess is Apple was collecting the search data. Now they have Siri to do this, they don't really need CIQ anymore.
I have plenty of more important things to do, if only I could bring myself to do them....
     
amazing  (op)
Professional Poster
Join Date: Jan 2003
Dec 3, 2011, 05:00 PM
 
Tracked whether you want to be or not...

It's for our own good and it's the Apple Way!
     
amazing  (op)
Professional Poster
Join Date: Jan 2003
Dec 3, 2011, 07:29 PM
 
There are iPhones still in use that can't run iOS 5, namely the 3G running 4.2.1 and the original iPhone running 3.1.3

Is Apple gonna issue updates to earlier versions of iOS to correct the intrusive versions of CIQ in those older iPhones?

Apple installed Carrier IQ, they should be held responsible for removing it.
     
chabig
Addicted to MacNN
Join Date: Jun 1999
Location: Las Vegas, NV, USA
Dec 4, 2011, 04:56 AM
 
The point of CIQ is not to spy on people, it's to report system performance back to carriers and manufacturers so they can make better networks and products. When my phone drops a call, why shouldn't it notify the carrier of the weak spot?
     
ghporter
Administrator
Join Date: Apr 2001
Location: San Antonio TX USA
Dec 4, 2011, 07:44 AM
 
...as long as that "there is a weak spot in the network about here" report is completely anonymous, that's fine. But the problem is that I do not see a way I can trust Android to be that honest with me. With iOS, I can, because I can find and read the data being provided to the carrier, but the variability of Android implementations on different devices doesn't give me the feeling that all Android phone makers are particularly trustworthy; there's a lack of transparency that is exacerbated by all the variations in Android implementations.

Glenn -----OTR/L, MOT, Tx
     
Waragainstsleep
Posting Junkie
Join Date: Mar 2004
Location: UK
Dec 4, 2011, 08:44 AM
 
Originally Posted by amazing:
There are iPhones still in use that can't run iOS 5, namely the 3G running 4.2.1 and the original iPhone running 3.1.3

Is Apple gonna issue updates to earlier versions of iOS to correct the intrusive versions of CIQ in those older iPhones?

Apple installed Carrier IQ, they should be held responsible for removing it.
They haven't arrested you or assassinated you yet, why worry so much?
I have plenty of more important things to do, if only I could bring myself to do them....
     
amazing  (op)
Professional Poster
Join Date: Jan 2003
Dec 4, 2011, 10:48 AM
 
It's kind of like the 1st gen iPod nanos that are being replaced, oh so many years later (who knew people were still using those old nanos?) but only under duress, where Apple has been forced to do the right thing...

Apple should correct the problem in the early iPhones...
     
chabig
Addicted to MacNN
Join Date: Jun 1999
Location: Las Vegas, NV, USA
Dec 4, 2011, 03:55 PM
 
Originally Posted by ghporter:
...as long as that "there is a weak spot in the network about here" report is completely anonymous, that's fine. But the problem is that I do not see a way I can trust Android to be that honest with me. With iOS, I can, because I can find and read the data being provided to the carrier, but the variability of Android implementations on different devices doesn't give me the feeling that all Android phone makers are particularly trustworthy; there's a lack of transparency that is exacerbated by all the variations in Android implementations.
This mirrors my feelings perfectly. If it's anonymous, it's OK with me. The only company I trust to use my information anonymously is Apple. No single company is responsible for the mess on a typical Android phone.
     
chabig
Addicted to MacNN
Join Date: Jun 1999
Location: Las Vegas, NV, USA
Dec 4, 2011, 03:57 PM
 
Also, as ghporter said, it's a big deal that on the iDevices you can see exactly what information has been sent. It's completely transparent.
     
amazing  (op)
Professional Poster
Join Date: Jan 2003
Dec 4, 2011, 05:31 PM
 
My friend's got an iPhone 4 running 4.something. How do you turn C-IQ off in that system?
     
P
Moderator
Join Date: Apr 2000
Location: Gothenburg, Sweden
Dec 4, 2011, 05:43 PM
 
Originally Posted by amazing:
My friend's got an iPhone 4 running 4.something. How do you turn C-IQ off in that system?
On iOS 5 it's under Settings -> General -> About and then the diagnostics option at the bottom. I think it's the same in iOS 4.
The new Mac Pro has up to 30 MB of cache inside the processor itself. That's more than the HD in my first Mac. Somehow I'm still running out of space.
     
Big Mac
Clinically Insane
Join Date: Oct 2000
Location: Los Angeles
Dec 4, 2011, 06:37 PM
 
Nope, not there. I don't think it's at all transparent in iOS 4.

Also, we're supposed to take Apple or AT&T's word that there was no spying? That's like a thief getting caught red-handed immediately after burglarizing a home and then telling the judge, "yes, but I didn't do anything wrong when I was in there."

"The natural progress of things is for liberty to yield and government to gain ground." TJ
     
amazing  (op)
Professional Poster
Join Date: Jan 2003
Dec 4, 2011, 07:39 PM
 
Yep, doesn't look straightforward (deceptively hidden, perhaps?)

Here's some hint about what might work under iOS 4, but the doubts remain since a restore would implement the original settings (where the original setup and sending diagnostics to Apple seemed innocent enough...)

How to disable Carrier IQ on your iOS device | How To - CNET
     
chabig
Addicted to MacNN
Join Date: Jun 1999
Location: Las Vegas, NV, USA
Status: Offline
Reply With Quote
Dec 4, 2011, 08:06 PM
 
Originally Posted by Big Mac:
Also, we're supposed to take Apple or AT&T's word that there was no spying?
Yes. I think it's safe to take them at their word. There is so much interest in this matter that it will be impossible for them to cover it up, if in fact it is true.
     
ghporter
Administrator
Join Date: Apr 2001
Location: San Antonio TX USA
Status: Offline
Reply With Quote
Dec 4, 2011, 08:55 PM
 
How many different people would they have to be spying on? With a network that's oversubscribed and with well established track records of difficulty with even pushing out "thoroughly tested" OS updates. Just think of the terabytes of data that they tell us they're collecting... it's staggering. To assume that either Apple or AT&T have the resources to do this demonstrates a lack of appreciation for what those resources might be. That is, it would be an NSA-level endeavor, with multiple supercomputers chugging through the data just to find out that Betsy Jo is texting Social Studies test answers to her boyfriend Stevie....

While it's not something individuals should depend on for managing their own data security, the mass of data out there that might be of interest to someone is so vast and so complex that one would have to be very interesting to an entity with very deep pockets and very broad and advanced capabilities to need to be concerned about Apple's Carrier IQ.

By the way, I am not the kind of person to take security and privacy threats lightly. Hardly. It's just that part of the security and privacy equation has to do with what you protect and why you protect it; you have to determine what value your information has to some other party. Frankly, AT&T could probably realize a hefty improvement in their bottom line by simply making sure their billing system worked all the time, so my Amazon password, or the anonymized data about when I connect or disconnect my Bluetooth headset don't seem to have any real value by themselves. But knowing that 14,532 different users had their signal strength go into the toilet within a particular geographic area is definitely valuable to them, because they can either fix a bad cell site or add one in that area - to keep us whiny customers from bugging them about how bad their service is.

Glenn -----OTR/L, MOT, Tx
     
amazing  (op)
Professional Poster
Join Date: Jan 2003
Dec 4, 2011, 09:03 PM
 
Except that when you have software installed on most smartphones, guess how long it will be before someone inserts a man in the middle attack and tells the software they want keystrokes and passwords?
     
chabig
Addicted to MacNN
Join Date: Jun 1999
Location: Las Vegas, NV, USA
Status: Offline
Reply With Quote
Dec 4, 2011, 09:11 PM
 
Bravo ghporter! Someone with common sense.

Occam's razor also applies here. Which is easier to believe: 1) phone makers and network providers collect data to make the best possible products and networks, or 2) phone makers and network providers have engaged in a worldwide conspiracy to collect your secrets and sell them to the highest bidder?

Phone makers and cell phone companies have no financial interest in your data, which makes it unlikely that hypothesis number 2 is correct. Even though I can think of two companies that make their money by watching behavior (Google and Facebook) to sell ads, I still posit that hypothesis number 1 is the simplest and most likely.
     
chabig
Addicted to MacNN
Join Date: Jun 1999
Location: Las Vegas, NV, USA
Status: Offline
Reply With Quote
Dec 4, 2011, 09:13 PM
 
Originally Posted by amazing:
Except that when you have software installed on most smartphones, guess how long it will be before someone inserts a man in the middle attack and tells the software they want keystrokes and passwords?
My car is powered by software, but I don't fear that someone will insert a man in the middle attack and tell it to drive me into a tree. I choose not to be paranoid that way.
     
ghporter
Administrator
Join Date: Apr 2001
Location: San Antonio TX USA
Dec 4, 2011, 09:20 PM
 
How does one produce a "man in the middle" attack on data that is, through virtue of the basic data system used by the phone, using an end-to-end encryption system? Like SSL, for example, the cellular data system establishes new connections on the fly, with brand new keys negotiated between the server and the mobile unit. This is even less likely than AT&T prying into your text messages, because of the technical difficulty of intercepting one individual connection on demand and inserting oneself "in the middle." It is not technically impossible, but it is both logistically and computationally infeasible. It's one of the strengths of this sort of encryption system.

On the other hand, there IS a car-based security threat: OnStar. It's basically a cell phone built into the car, that has access to your ignition, your door locks, and a lot of onboard data. It works by basically text messaging. Sure, the signals themselves are encrypted, but anybody with a smart-ish phone can send a text to anything with a phone number, and there is NO authentication built into the OnStar system. Not yet anyway. This vulnerability was identified and recently publicized, and I think there will soon be a fix. There had better be.

Glenn -----OTR/L, MOT, Tx
     
amazing  (op)
Professional Poster
Join Date: Jan 2003
Dec 4, 2011, 10:32 PM
 
You're undoubtedly right on that, just that any target that juicy is gonna get a lot of attention...
     
ghporter
Administrator
Join Date: Apr 2001
Location: San Antonio TX USA
Status: Offline
Reply With Quote
Dec 5, 2011, 07:58 AM
 
I think if SSL hasn't been broken yet, it's not likely that cell data will be any time soon either.

Glenn -----OTR/L, MOT, Tx
     
amazing  (op)
Professional Poster
Join Date: Jan 2003
Status: Offline
Reply With Quote
Dec 7, 2011, 02:32 PM
 
So, all the furor has died down--articles are now saying that Carrier IQ is benign, doing exactly what they've said all along, namely not spying or anything like that.

However, there's also the patent application, which is a whole bunch more alarming (see quotes below). All the furor may prove beneficial, because now they probably won't try this:

"The application says that the technology can, among other things, combine and analyze “service intelligence modules related to games, financial transactions, and medical diagnostics.”

"The patent application asserts that the technology would let carriers “configure a processor to read content selection, read location data, read application activity, and determine presentation/deselection of advertising messages.” It also claims that the product could be used to “group identifiers of mobile device users who have a higher probability of occupying a certain geographical area,” as well as provide carriers with a “means for tracing copyright ownership of content displayed on the device.”

Carrier IQ downplays 2010 patent request | Macworld
     
   
 