Please move to the proper area, but I feel this is an extremely disturbing threat to our liberties. PLEASE someone with connections notify Ron Paul and Rand Paul and spread the word. Someone with resources start a class action lawsuit NOW!! THIS MUST BE STOPPED, and if this ends up taking down half the mobile industry, it's a necessary sacrifice if our liberties and freedoms end up benefiting in the long run. If we win here and strike this down dramatically, it will set a powerful precedent for generations to come.

At least 141 million phones are being illegally wiretapped by your carrier and a little known company called "Carrier IQ". Here's the link to the article:

http://www.pcworld.com/article/245229/carrier_iq_rootkit_reportedly_logs_everything_on_m illions_of_phones_updated.html

One of the commenters said it best:



<in response to a question as to which companies are involved in this> all the companies involved from carrier iq developers to the phone carriers to the phone and os developers who put it in, the whole chain

can you imagine in a time of war and terrorism these folks are capturing from our elected officials, their staff, military chain of command, soldiers, ect...

and from what i've read the thing is open to hackers to abuse, can you imagine hackers or terrorists or foreign governments getting this raw feed

what were they thinking

i find it disturbing, irresponsible, illegal, immoral, and even dangerous for them to put a root kit you don't know about and can't easily get rid of

think about it, local/federal police, judges, lawyers, prosecutors, fbi, cia, ect all use cell phones that they use both personally and professionally, and these people have a feed to their phone use, who else can gain access to those feeds or redirect them.

the most sensitive / secret / sacred material is transfered by these folks and a bunch of nobodies without any clearance are all listening in on it!

and not just for this country for all countries, the carrier iq folks brag they are on over 141 million cell phones and rapidly growing


EDIT:

Another link providing further info:

http://venturebeat.com/2011/11/30/heres-how-cell-phone-carriers-are-tracking-everything-you-do/




http://www.youtube.com/watch?v=T17XQI_AYNo




http://www.youtube.com/watch?v=legx3K_Ul_I

Also, do a google news search for "carrier IQ" and you can find some good information as all of you dig into this.

PLEASE, someone, I don't have a lot of money, but this is extremely alarming and requires massive effort on all our parts. Believe me when I say this is potentially a national security threat, and the kind that hits a little too close to home. We always suspected this, but this is proof and the researcher who found this is a hero and deserves HUGE praise for finding this. Coupled with the Patriot Act and our CIA/FBI's tendency to abuse it's powers, this is absolutely criminal in the worst kind of way.

Pass this around, this is bad, really really really bad. Big brother here, big brother is now, the infrastructure is in place to make it happen, and it is sitting in your pocket.

Any wireless comunication that is not encrypted is wide open for anyone to listen in on. This has always been the case. If you thought otherwise you were wrong.

What a surprise. Oh... no, not really. There're backdoors and trojans developed by LEOs all around the world to intercept your communications, "encrypted" or not. German LEOs were recently exposed for having developed and deployed a trojan for Skype which not only eavesdrops on communications, "encrypted" or not, but can also take screenshots of what's being displayed on the desktop and remotely take control of the PC. It was practically unsecured, so anyone aware of the trojan's existence could use it to do anything the German LEOs could.

For a class action lawsuit, it needs to be proven that this software not only collects and stores data, but indiscriminately transmits and retains it. So far, we really don't know all that much about this story. Android, RIM, and iOS [edit: iOS apparently has the software pre-installed, but it is not enabled by default and doesn't track nearly the information as is done on other devices] all appear to be affected -- but, this was mostly the choice of the carriers. While Android's being talked about a lot, Google's own phones (Nexus & Xoom) do not have this software pre-installed. WP7 phones also appear to lack the CIQ software.

Any wireless comunication that is not encrypted is wide open for anyone to listen in on. This has always been the case. If you thought otherwise you were wrong.
Aside from the Skype incident, where encrypted conversations could be listened to, it's also worth noting that in this case, the software's taking information before encryption and possibly after decryption, so encryption's pretty useless with this particular software. Edit: it actually doesn't appear to be logging keystrokes in the browser, but appears to intercept encrypted queries and then decrypts them... but that can't be right.

What a surprise. Oh... no, not really. There're backdoors and trojans developed by LEOs all around the world to intercept your communications, "encrypted" or not. German LEOs were recently exposed for having developed and deployed a trojan for Skype which not only eavesdrops on communications, "encrypted" or not, but can also take screenshots of what's being displayed on the desktop and remotely take control of the PC. It was practically unsecured, so anyone aware of the trojan's existence could use it to do anything the German LEOs could.

For a class action lawsuit, it needs to be proven that this software not only collects and stores data, but indiscriminately transmits and retains it. So far, we really don't know all that much about this story. Android, RIM, and iOS all appear to be affected -- but, this was mostly the choice of the carriers. While Android's being talked about a lot, Google's own phones (Nexus & Xoom) do not have this software pre-installed. WP7 phones also appear to lack the CIQ software.

Still, this is 141 million US phones we're talking about, NOT a small number. And this is EVERY KEY STROKE AND WEBSITE YOU VISIT, EVEN IF YOU NO LONGER HAVE A CONTRACT AND ONLY USE IT FOR WIFI.

Not only that, but it's possible to remotely control the phone using the features of this software installed on the phone to do things like send text messages, maybe turn on audio recording and transmit the file to your location, etc. The carriers may not actually DO THIS, but they retain the capability, which of course is invaluable for law enforcement armed with Patriot Act powers.

And this isn't some third party running an illegal operation using a virus. This is a very big portion of the cell phone industry doing this, presumably "for our own good". It's not a stretch if they retained this mass of data and sold it wholesale to law enforcement clandestinely for surveillance purposes (or someone hacks into their servers and steals the data).

Remember the uproar about the Iphone and how it had software that recorded and transmitted every location that it (and you) have ever been using GPS? Well this incident is nothing compared to what we're seeing here.

Still, this is 141 million US phones we're talking about, NOT a small number. And this is EVERY KEY STROKE AND WEBSITE YOU VISIT, EVEN IF YOU NO LONGER HAVE A CONTRACT AND ONLY USE IT FOR WIFI.

Not only that, but it's possible to remotely control the phone using the features of this software installed on the phone to do things like send text messages, maybe turn on audio recording and transmit the file to your location, etc. The carriers may not actually DO THIS, but they retain the capability, which of course is invaluable for law enforcement armed with Patriot Act powers.

And this isn't some third party running an illegal operation using a virus. This is a very big portion of the cell phone industry doing this, presumably "for our own good". It's not a stretch if they retained this mass of data and sold it wholesale to law enforcement clandestinely for surveillance purposes (or someone hacks into their servers and steals the data).
If it's only being used for "lawful interception," or people who've accessed the data without authorization, is there really any case?

That is freaky. I watched the video of the guy with the HTC Sense logging the IQ software logging his information. I used to do a bit of programming... it is incredible that this is running so hidden in the background. The information it is catching, like securely encrypted web addresses, is truly frightening. All around, this is pretty damn scary.

Its a keylogger, not a packet sniffer.

If it's only being used for "lawful interception," or people who've accessed the data without authorization, is there really any case?

Yes. Wiretapping laws explicitly forbid individuals or government agencies from monitoring someone and collecting their data without their express consent. WATCH THE YOUTUBE VIDEO.

You'll see that not only is this done without the user's knowledge, but it's hard to find, and next to impossible to remove without advanced methods. There is no "opt in", and unless you're willing to take the risk of voiding your warrenty and bricking your phone, there is no easy way to "opt out" or remove this software. If you secretly recorded someone without their knowledge to implicate them for some crime or blackmail, you could face a lot of legal problems if the feds found out. Same thing applies here, but in this case there is no way to disable the software without taking drastic measures even if they advertised it every time you turned on your phone. This software is illegal and the company needs to be taken down and the bosses and developers of this software must face a series of "life changing events" (legally) for this to make an example of them and the carriers must be punished severely enough that they are more careful with what types of monitoring they use. This should prompt a wider investigation into the general business practices of all cell phone carriers and similar "key logger" rootkits

You probably give consent in your phone contract. Not that the government cares about consent...

/////

Verizon so far appears to be the only carrier permitting opt-out. Users can opt-out @ www.vzw.com/myprivacy (http://www.vzw.com/myprivacy) -- this doesn't get the rootkit off your OS, so as far as removing the real threats, it's probably useless.

///////

Its a keylogger, not a packet sniffer.

Oh it's way more than that. It's a ROOTKIT. They can actually zoom in on your individual phone and make your phone do things without you doing anything. The permissions given to this is pretty much like "god mode". If an employee wanted to make a random phone send text messages to a random nigerian number, they have the capability.

You probably give consent in your phone contract. Not that the government cares about consent...

The consent you gave does not include logging every single keystroke you make on your phone. That is way past the scope of what you agreed to. Don't post 3 times, although maybe it was a computer error that made you triple post.

...

!!!

You probably give consent in your phone contract. Not that the government cares about consent...

You also gave consent to have Apple kidnap you and use you in biological experiments to create a Human CentIPAD.

http://www.youtube.com/watch?v=legx3K_Ul_I

Please watch. I edited the original post to include this as well as the original video starting this scandal. Please watch both.

The consent you gave does not include logging every single keystroke you make on your phone. That is way past the scope of what you agreed to. Don't post 3 times, although maybe it was a computer error that made you triple post.

My phone screwed up. Lol.

You also gave consent to have Apple kidnap you and use you in biological experiments to create a Human CentIPAD.

It wouldn't surprise me.

well I guess its a good thing they make them too expensive for me to own one

Reading this thread... Maybe I'm from a generation past a lot of folks here. No-one remembers Carnivore? Equinox? Every packet coming in or out of your ISP is scanned and inspected. It uses a technique called "DPI" which is Deep Packet Inspection -- meaning even if you are running mail traffic on an http port, it still reads it, etc. Now, fast forward 15 years, and you have mobile phones which eventually terminate in TCP/IP traffic. It's monitored as "special" internet traffic for 3G/4G/LTE, and *every single GPRS (voice) packet* is recorded and stored (literally) by the carrier. Every speech is scanned and key words are flagged, making the recording of your conversation available for human inspection later.

Our laws, particularly on mobile phones, allow for "warrentless wiretaps". Connect the dots here. If a warrant for an individual isn't required, then why not do it to everyone? Especially if you have already been doing it for land line and internet for more than a decade.

Here's another question.... Do you really think the military pays $200 for toilet seats, or maybe is $190 going to other un-listed programs? ;-) I digress.

Oh.. almost forgot.... "Hello, thank you for your interest in my message. Please support Ron Paul 2012. If he wins, your department could be eliminated and you could not only read, but contribute to this forum without fear of reprimand!" :-)

Reading this thread... Maybe I'm from a generation past a lot of folks here. No-one remembers Carnivore? Equinox? Every packet coming in or out of your ISP is scanned and inspected. It uses a technique called "DPI" which is Deep Packet Inspection -- meaning even if you are running mail traffic on an http port, it still reads it, etc. Now, fast forward 15 years, and you have mobile phones which eventually terminate in TCP/IP traffic. It's monitored as "special" internet traffic for 3G/4G/LTE, and *every single GPRS (voice) packet* is recorded and stored (literally) by the carrier. Every speech is scanned and key words are flagged, making the recording of your conversation available for human inspection later.

Our laws, particularly on mobile phones, allow for "warrentless wiretaps". Connect the dots here. If a warrant for an individual isn't required, then why not do it to everyone? Especially if you have already been doing it for land line and internet for more than a decade.

Here's another question.... Do you really think the military pays $200 for toilet seats, or maybe is $190 going to other un-listed programs? ;-) I digress.

Oh.. almost forgot.... "Hello, thank you for your interest in my message. Please support Ron Paul 2012. If he wins, your department could be eliminated and you could not only read, but contribute to this forum without fear of reprimand!" :-)

It's one thing if law enforcement does it themselves, it's quite another for a private corporation to do it for monetary gain and is invasion of privacy. Plus if the information was stolen on a regular basis by say China via hackers, they could potentially monitor information for certain "phone numbers" as well.

Again, this is private coorporations, not government big brother, although this certainly empowers big government to be sure.

Thus, one way to make sure to protect our liberty (and our identities and money) is to make sure that information is never there for them to grab in the first place. If restrictions in logging information were to be in place and mandatory annonymization of internet use was enshrined in the law, law enforcement, foreign governments and criminals would have one less tool to use against us.

The Patriot Act is pretty proof positive imo...

well I guess its a good thing they make them too expensive for me to own one

Yeah, I use the twisted pair to make telephone calls for that very reason.

Think anybody will throw out their electronic dog collars over this?

Nope, I didn't think so either.

http://www.youtube.com/watch?v=PoIfI-FK_Xs&feature=related

Again, this is private coorporations, not government big brother, although this certainly empowers big government to be sure.


That is a very good point. I didn't mean to detract from the original notion of wrongful non-consented monitoring via private enterprise, but it is also important to note the lack of distinction between the two (corporate and government). The profit motive is such that it is no mystery that private companies are trying to get more and more data for so long as they can do so legally (if no law explicitly prevents it) and fight off challenges in court, or through lobbying.

The ISPs and Telecom in this country are private enterprise, for sure, but work hand in hand with the government for mutual benefit. It is important to note the "mutual", as it is really an ingenious relationship. The private enterprise bears the cost and can reap the benefit of conducting (in the most literal of terms) full scale surveillance of the private person -- internet users, TV watchers (anyone with a box under the set), and mobile phone+data users. They track and monitor our purchases (non cash) and even our travel habits and our physical position (GPS and wifi-based location -- notice Google's wifi location service in Android?). The purchase monitoring companies boastfully proclaim they can even predict life events such as divorce based on the information they collect from our spending records. By cleverly designing social products to expose features useful for us, they can glean even more information. Can you believe it, and we even provide them the meta-data for free. Great examples are automatic face recognition in your photos, targeted advertisements based on the contents of emails and their attachments, and On-Star (we blindly assume it doesn't, or couldn't, run on the server side if we disable the feature or service). We write the names of the folks in the picture or link them to our contacts lists. We reply to emails or send our own attachments which undergo more automated lexical analysis and pattern matching. Some of us even pay for the privilege of having our lives monitored and our privacy pilfered.

Now, back to the "mutual" part -- as I said, private enterprise absorbs the cost in order to buy and sell everything about us. Government forms partnerships with private enterprise to requisition the data and the analysis of it, be it either through legislation, regulation, or contractual agreement. We read privacy policies that say "we don't distribute personal identifying information", but this is a very loose term. If I was able to describe to you every minute detail about the habits, and possessions of your neighbor, you would know who I'm talking about. Likewise, we are naive to assume that the "non-personal" information collected about us and delivered, enumerated, is not reverse associated at the source and retrievable by any privileged entity. Even Occam's Razor would suggest they would maintain the relationship of collected data to actual identity for sake of efficiency, so as to not send the same data stream representing an individual person more than once to anyone paying to receive it.

The point I really intended to make, is that we are really naive to perceive the issues as independent problems. Our personal information should really be implicitly considered our own private property, the same as our DNA or our individual likeness (not saying it is, just that is ought to be). To put it in perspective, just because you lost a hair, shed a skin cell, or gave blood doesn't imply consent for a private enterprise to collect it, sequence your DNA, and trade biometric information on you for cash to anyone who would buy it.

Just one point about the US Intelligence gathering alpha agencies... They are the largest storage data mining depositories users in the world. They just purchase their hardware across multiple Storage vendors to mask the entire amount of server farms out there in Big Brother farmland.
Over the last month, Carrier IQ has attempted to quash Eckhart’s research with a cease-and-desist letter, apologizing only after the Electronic Frontier Foundation came to his defense (http://www.wired.com/threatlevel/2011/11/rootkit-brouhaha-apology/)Accolades to our Libertarian friends @ the EFF.org!


You probably give consent in your phone contract. Not that the government cares about consent...

Phone 'Rootkit' Maker Carrier IQ May Have Violated Wiretap Law In Millions Of Cases
http://www.forbes.com/sites/andygreenberg/2011/11/30/phone-rootkit-carrier-iq-may-have-violated-wiretap-law-in-millions-of-cases/


A piece of keystroke-sniffing software called Carrier IQ has been embedded so deeply in millions of Nokia, Android, and RIM devices that it’s tough to spot and nearly impossible to remove, as 25-year old Connecticut systems administrator Trevor Eckhart revealed in a video Tuesday (http://www.wired.com/threatlevel/2011/11/secret-software-logging-video/). That’s not just creepy, says Paul Ohm, a former Justice Department prosecutor and law professor at the University of Colorado Law School. He thinks it’s also likely grounds for a class action lawsuit based on a federal wiretapping law.
“If CarrierIQ has gotten the handset manufactures to install secret software that records keystrokes intended for text messaging and the Internet and are sending some of that information back somewhere, this is very likely a federal wiretap.” he says. “And that gives the people wiretapped the right to sue and provides for significant monetary damages.”
As Eckhart’s analysis of the company’s training videos and the debugging logs on his own HTC Evo handset have shown, Carrier IQ captures every keystroke on a device as well as location and other data, and potentially makes that data available to Carrier IQ’s customers. The video he’s created (below) shows every keystroke being sent to the highly-obscured application on the phone before a call, text message, or Internet data packet is ever communicated beyond the phone. Eckhart has found the application on Samsung, HTC, Nokia and RIM devices, and Carrier IQ claims on its website that it has installed the program on more than 140 million handsets (http://www.carrieriq.com/).

Specifically, Ohm points to changes made to the Wiretap Act under the Electronic Communications Privacy Act of 1986 that forbid acquiring the contents of communications without the users’ consent. “Because this happens with text messages as they’re being sent, a quintessentially streaming form of communication, it seems like exactly the kind of thing the wiretap act is meant to prevent,” he says. ”When I was at the Justice Department, we definitely prosecuted people for installing software with these kinds of capabilities on personal computers.”
Carrier IQ didn’t respond to my request for comment, but the firm has posted a response statement (http://www.carrieriq.com/Media_Alert_User_Experience_Matters_11_16_11.pdf) on its website, claiming that it collects only limited “operational information” on devices for its carrier customers:
While we look at many aspects of a device’s performance, we are counting and summarizing performance, not recording keystrokes or providing tracking tools. The metrics and tools we derive are not designed to deliver such information, nor do we have any intention of developing such tools. The information gathered by Carrier IQ is done so for the exclusive use of that customer, and Carrier IQ does not sell personal subscriber information to 3rd parties. The information derived from devices is encrypted and secured within our customer’s network or in our audited and customer-approved facilities

http://blogs-images.forbes.com/andygreenberg/files/2011/11/paulohm-300x238.jpg (http://blogs-images.forbes.com/andygreenberg/files/2011/11/paulohm.jpg)Former Justice Department prosecutor and University of Colorado Law School professor Paul Ohm

But even if the data were somehow aggregated and anonymized before being communicated to a remote server, Ohm argues, Carrier IQ and possibly even Sprint and other carriers shown to have used the company’s services should still expect a costly class action lawsuit. “Even if they were collecting only anonymized usage metrics, it doesn’t mean they didn’t break the law,” says Ohm. “Then it becomes a hard, open question. And hard open questions take hundreds of thousands of dollars to make go away.”

“In the next days or weeks, someone will sue, and then this company is tangled up in very expensive litigation,” he adds. “It’s almost certain.”
Over the last month, Carrier IQ has attempted to quash Eckhart’s research with a cease-and-desist letter, apologizing only after the Electronic Frontier Foundation came to his defense (http://www.wired.com/threatlevel/2011/11/rootkit-brouhaha-apology/). Eckhart’s legal representation at the EFF declined to comment on the legality of Carrier IQ’s business practices.
If the case went to court, Carrier IQ’s first line of defense might be that users have agreed to some form of tracking in their contract with one of Carrier IQ’s cellular carrier customers. But when I reached Eckhart by phone, he pointed out that in his tests, he turned on the phone’s airplane mode, shutting down its cellular connection and using only Wifi. Even then, the app seemed to record all his keystrokes and communications as they happened. “[Sprint] defines their service as their network,” he says, referring to his own tests on his Sprint-connected HTC Evo. “I don’t understand how my phone on my own wireless network is their service, and how they have the right to look at that.”

Ohm argues that even when the phone is connected to the cellular network, only carriers are protected by contracts they make with users, not an intermediate software company of which most users are unaware. And carriers themselves typically don’t spell out in their contracts the kind of surveillance that Eckhart has shown Carrier IQ to be performing. “This seems like really intrusive, comprehensive surveillance,” says Ohm. “If so, is there really a provision in the contract that’s so all-encompassing? They may say they’ll periodically monitor for quality assurance, or something to that effect. But that seems like a far cry from saving every keystroke.”

Aside from the Skype incident, where encrypted conversations could be listened to, it's also worth noting that in this case, the software's taking information before encryption and possibly after decryption, so encryption's pretty useless with this particular software. Edit: it actually doesn't appear to be logging keystrokes in the browser, but appears to intercept encrypted queries and then decrypts them... but that can't be right.
no, it is logging everything from what i have read...

This is the future of the internet by the way. Trusted computing, windows 8, etc... And it will be mandated...don't have a trusted secure computer...ISP will shut you out. Can't have national security threat of a comprised machine hitting economic interests.

http://www.theregister.co.uk/2011/12/01/security_firms_compete_to_sell_snoopware_to_repres sive_governments/

enjoy...spying for sale

no, it is logging everything from what i have read...
Check the video. It isn't recording keystrokes on the virtual keyboard for the browser (or at least, I didn't notice it when I watched). It records some keystrokes, but not others. It is recording website addresses you view, though, whether encrypted or not, which I'd guess means CIQ is integrated in the browser, but Idunno.

Check the video. It isn't recording keystrokes on the virtual keyboard for the browser (or at least, I didn't notice it when I watched). It records some keystrokes, but not others. It is recording website addresses you view, though, whether encrypted or not, which I'd guess means CIQ is integrated in the browser, but Idunno.

The virtual keyboard is logged, there is a code associated with numbers, so i imagine it's the same with letters and characters. You should watch it again when he's dialing the numbers and it's logging it in the background. If you don't have a background or active interest in this sort of thing it can be hard to keep your attention for more than 5 or 10 minutes.

Again, no data is ever encrypted until it starts flying through the airwaves. You can come up with the best cipher in the world, but if a spy is hiding in your house while you translate the secret message into a readable format or vise versa, there is no need to break the code.

This is the future of the internet by the way. Trusted computing, windows 8, etc... And it will be mandated...don't have a trusted secure computer...ISP will shut you out. Can't have national security threat of a comprised machine hitting economic interests.

Not necessarily. I predict that all this sharing and ignorant trust will be greatly damaged if a cyber war ever breaks out and massive disruptions occur, with all of our personal computers as unknowing foot-soldiers for either side (or even multiple sides in some cases if there is more than one malicious program installed) for the especially computer illiterate folks. If it's bad enough, it will mean the end of our cyber liberties if the propaganda machine wins the hearts and minds of ignorant folks. But by the same token, there will be much greater demand for a more robust security system and the market forces and geniuses of mankind will be happy to oblige (provided they are free to develop countermeasures to privacy threats without overbearing corporate and government regulations.....and yes big corporation can be just as bad as big government.....after all corporations will be human beings, and human beings can only be trusted to be human with all the perks and downsides it involves).

Guys, I wrote a college paper about this stuff. There are so many programs and things out there that it is nearly impossible to use technology and avoid being monitored.