Comments on: Nokia denies Carrier IQ tracking; iPhone code spotted but Nexus clean

By: Guest

Guest — Mon, 05 Dec 2011 22:33:00 +0000

nokia has installed carrier iq on all their phones using the Nokia
Analytics Collector. Get rid of it using application manager on your new
nokia phone. first update your phone to the latest, check for updates
again and make sure no updates are available then uninstall it (your phone functionality is unaffected). ensure
you do not click update firmware after that as it tries to reinstall and
you need to uninstall it all over again. it shows up as a fake OS
update with important priority once uninstalled like all good spyware.

By: Benitez Burns

Benitez Burns — Sun, 04 Dec 2011 08:22:00 +0000

Okay I am so slow but from reading the comments below I have understood as this. Basically what I type in the format of “text message” is seen or can be seen by my carrier? Is that what the article is saying???

By: mruss

mruss — Sat, 03 Dec 2011 22:45:00 +0000

TrevE does reach some invalid conclusions about HTTPS, but you are completely wrong in stating that HTTPS encrypts only POST requests. When requests are sent over HTTPS, all the content except the hostname (including the method (GET, POST, OPTIONS, HEAD, etc.), the URL, the query string, and any POST data) are encrypted.
You may have observed many sites sending POST requests (e.g., userid/password submissions) over HTTPS, while retrieving other content (images, HTML, etc.) over plaintext HTTP. This is not uncommon behavior, but this is a function of the site’s design. GETs can be encrypted just as easily as POSTs; some developers choose not to do this because they think just encrypting the POST request with the password is sufficient, and they’ll save cycles by sending everything else plaintext. There are reasons why this is not a great idea, but it’s a common approach.

Where TrevE is wrong is that HTTPS would not prevent a software agent running locally on the device (especially one with system privileges) from reading the data in his browser. HTTPS only protects data when it’s sent over the network. Once the browser receives, processes, and displays it, the data is unencrypted in memory (potentially on disk as well, depending on cache settings). CarrierIQ isn’t “breaking” HTTPS in any way; it’s simply not a factor when reading data on the local device.

HTTPS has nothing to do with it… and the HTTP verb (GET vs. POST) does not determine whether content can be encrypted.

By: Adam Saunders

Adam Saunders — Fri, 02 Dec 2011 17:29:00 +0000

I can’t disagree with that, but I think there is a more over reaction about what it can really do versus what the worst an app could actually do on a device. What really shocks me is the efforts to hide it!

Something that isn’t clear yet is if Carrier IQ are collecting the information centrally or if the app is sending the information to the carrier directly. It’s like mast information can get a ton of information about you and your phone usage, but its not the firms that manufacture the mast or software that collect this information, it’s the carriers.

By: Jacob Weeks

Jacob Weeks — Fri, 02 Dec 2011 17:13:00 +0000

We Americans tend to value our privacy. So it’s no wonder that people are freaking out, and they should. The more eyes looking at my personal information, the better chance that my info is shared with people that shouldn’t have it. The fact that this code is even in the phone makes the phone that much more susceptible to phreaking and hacking.

By: Adam Saunders

Adam Saunders — Fri, 02 Dec 2011 16:47:00 +0000

Some of the stuff is such bollocks such as the HTTPS “intercept” which can see the URL that was processed, but the query was in the GET request not POST request on a browser that may not support encrypted GET requests. Only POST requests would be encrypted so that whole section is possibly turd. The fact it can see what URLs you visit is a no no, though your carrier can do this anyway if you are on 3G. Same with SMS.. your carrier can see your SMS messages. They don’t need to see what you type on your phone… don’t people realise this?
There is a lot of panic by people that don’t understand it. Granted, that is expected, but this is the first article that actually started to show what REALLY can be seen. It’s not as bad as some tech sites are making out, but still more than they should without a way to opt-in or out.

By: Anonymous

Anonymous — Thu, 01 Dec 2011 11:59:00 +0000

The key question that has yet to be answered is WHO DECIDES on implementing this spyware. What I read so far it seems to be only on carrier-branded phones.
This would make sense to a certain extent, as Carrier IQ advertises their data mining to “carriers desiring to improve customer experiences”.

However, this datamining practice could be considered a criminal offence in Germany (iirc), so it would be a wise thing by Carrier IQ to disclose the decisionmakers, not in naming them, but in telling affected users whether it’s their carrier or device manufacturer who has it installed.

Case in point, my unbranded european Samsung Galaxy S2 does not seem to have CIQ on it (tool-tested), whereas it has supposedly been found on at least one type of the US versions of it.

Another good reason to ditch that harmful carrier subsidizing sceme…
If they were only accessing inaccurate data for network improvement, that would be one thing…
But recording to-be-encrypted web traffic is an absolute no go!

Anyway, one-up on the devs, and a big one! Hope they gather enough evidence to build a case to stop this evil practice!