The Carrier IQ Story: The Tech Media Problem

From Gizmodo’s email blast last eve-

If you have any decently modern Android phone,
everything you do is being recorded by hidden software lurking
inside. It even circumvents web encryption and grabs
everything—including your passwords and Google
queries.

So I went checking, actually hoping to find this villainous
software.

My Galaxy S II – No Carrier IQ.

My wife’s Captivate Glide – No Carrier IQ.

My Nexus One – No Carrier IQ.

My peer’s new Razr – No Carrier IQ.

I expect little from Gizmodo, but such a fundamentally unproven claim — so trivial to dismiss — really sets a new low.

But they’re hardly alone. This whole story has been an exercise of hysterics and technical ignorance. Even on self-purportedly enlightened sites like Hacker News, the dominant opinion is superficial, lacking any real curiousity or discernment at all.

Why I Don’t Fear Carrier IQ

If I did find the software on one of my devices, I can’t say I’d be overwhelmed with fear.

The “security researcher” — realize that the media invents professions and credentials when they need a stooge to prop up a story without legs: when the WSJ ran with some domain stats I had gathered, they declared me the “world’s preeminate domainologist”. In reality my interest in domains started and ended with the fact that it was a large set of data usable for an index tutorial — became aware of the daemon on his Sprint phone while using the logcat tool available in the Android SDK. This is a tool run by millions upon
millions of devs.

His observation actually wasn’t unique, and the service had been noted and dismissed by many other devs using Sprint Android handsets over the prior year. He was the first, it seems, to announce unsupported, hysterical conclusions, the drama escalated when Carrier IQ poured fuel on the fire by sending him a heavy-handed cease and desist, which they later retracted.

He wasn’t using a “packet sniffer”. He was using the most rudimentary debugging tool that Android developers use, whereupon he found this software literally announcing its presence and what it was doing. Basically the exact opposite of hiding itself.

“But it records your keystrokes!” you say. There has been zero proof of this thus far. What has been shown is that the daemon software intercepts keystrokes, proudly announcing its achievement into an in-memory ring-buffer log. I suspect — with zero proof — that it uses these events to populate basic aggregate data such as “uses the keyboard heavily”. Nor has it been shown that any of this data is actually transmitted to Carrier IQ beyond aggregate
statistics.

Where are the logs of this activity The history of your keypresses and your web activity This is brutally easy to find, if it exists. Find it and become an internet hero.

But I doubt you will. Know why Because the legal landmine that Carrier IQ would find itself in, operating in one of the most heavily regulated industries around.

It goes against intuition that they would record, much less transmit to themselves, this information when it would represent enormous liability. Perhaps I’ll be proven wrong, but I highly doubt it.

Nothing that has been found contradicts exactly what Carrier IQ stated in their public announcement. All of the purported proof otherwise is a demonstration that most of the people manning the keyboards of the tubes don’t have the slightest clue what they’re talking about.