Apple Clarifies CarrierIQ in iOS, Promises Removal


Apple has issued a statement clarifying its use of the controversial CarrierIQ software in iOS, and promised to remove all traces of the logging product in an unspecified future update. The company said it has never logged keystrokes, that it anonymizes the data, has always made participation an opt-in function, and stopped supporting CarrierIQ in the first place with iOS 5.

CarrierIQ became a hot button issue this week as a demonstration of what the software was logging on HTC Android devices was published to YouTube. That demonstration found that CarrierIQ hid itself from the list of running apps, logged every keystroke (including text messages) and button push the user made, logged phone numbers dialed, and even search terms made over what should have been an encrypted connection.

While the self-titled company denied that it was doing many of the things shown in the demonstration, heat immediately mounted against the company from users and privacy advocates concerned about all of this data being logged and sent to CarrierIQ servers without the knowledge or permission of users.

Late on Wednesday, another security researcher, chpwn, published findings that showed references to CarrierIQ in Apple’s iOS, meaning the software was present in one way or another on Apple’s iPhone. From a blog post by chpwn:

Carrier IQ, the now infamous “rootkit” or “keylogger”, is not just for Android, Symbian, BlackBerry, and even webOS. In fact, up through and including iOS 5, Apple has included a copy of Carrier IQ on the iPhone. However, it does appear to be disabled along with diagnostics enabled on iOS 5; older versions may send back information in more cases. Because of that, if you want to disable Carrier IQ on your iOS 5 device, turning off “Diagnostics and Usage” in Settings appears to be enough.

He went on to detail how and when the software was activated, stipulating that it was only active when the user agrees to send diagnostic data to Apple. He also laid out what data was collected, writing, “I am reasonably sure it has no access to typed text, web history, passwords, browsing history, or text messages, and as such is not sending any of this data remotely.”

On Thursday, Apple issued a statement that effectively matches chpwn’s research findings. The company said:

We stopped supporting CarrierIQ with iOS 5 in most of our products and will remove it completely in a future software update. With any diagnostic data sent to Apple, customers must actively opt-in to share this information, and if they do, the data is sent in an anonymous and encrypted form and does not include any personal information. We never recorded keystrokes, messages or any other personal information for diagnostic data and have no plans to ever do so.

CarrierIQ’s use on smartphones is a big deal, and it has already attracted the attention of Senator Al Franken (D-Minnesota), who wrote the company an open letter asking for detailed answers on what kind of information is being collected.

For iPhone users, Apple’s statement is a mostly positive development. On the one hand, the company used the software in the past, but on the other hand, it was an opt-in function that didn’t collect the kinds of personal data that were the most alarming part of what was found on Trevor Eckhart’s HTC Android device.

At the same time, Apple said it stopped using the software in iOS 5—likely having developed its own home-grown solution for collecting diagnostic data—and pledged to remove any trace or reference of it from the operating system in a future update.

There’s a place in the cell phone industry for collecting diagnostic data—it can be very useful in improving performance on both the networks and devices we rely on. At the same time, it’s too easy for the corporations involved to lose sight of the differences between what they need, what they can get, and what they would like to have.

To that end, if you’ve made it to the end of this letter, you should take a moment to thank security researchers like chpwn, Trevor Eckhart (and the EFF for defending Mr. Eckhart against a CarrierIQ-threatened lawsuit) for exposing this kind of issue, and Senators like Al Franken who are concerned about privacy.

We should also note that Apple has issued its statement and that Nokia has also said it does not install CarrierIQ on its Symbian or Windows Phone devices (note that researchers have nonetheless found it on Nokia devices), but that other companies involved in this story have yet to do the same.

41 Comments

Michael S.

How well do you guys believe in your Apple Now?

other side

Apple doesn’t need CarrierIQ in iOS 5.  They have Siri.

Ahead of the game as usual.

Michael S.

Sure… Whatever makes you sleep better at night. The people Outside of Distorted reality knows the truth! You also might have some truth to you that they don’t need Carrier IQ, probably cause Siri logs everything… Gotta love Apple!

BurmaYank

”... Apple said it stopped using the software in iOS 5—likely having developed its own home-grown solution for collecting diagnostic data...”

I wonder if CarrierIQ is actually a permanent SW backdoor on everyone’s web-connected device, mandated by some secret TIA-enabling law, for a NSA/FBI/DEA or Echelon packet sniffer like Carnivore was (before it was “replaced” in 2005?), because if so, then Apple would be legally (and secretly) required to put such a secret packet sniffer backdoor on all its devices. So, even if Apple got rid of its CarrierIQ backdoor, it would still need to have ”... developed its own home-grown solution for collecting… data...” for Echelon, etc.

ppartekim

Gotta love Apple!

And still do.. No more paranoid today than I was yesterday.. This is the world we live in now… no true privacy….

Have you seen “Person of Interest” lately, or remember that carriers record all text msgs anyway, phone calls are typically recorded “for teaching moments” and keyloggers have been around as long as keyboards have existed.

As Shatner said “Get a life”..

bobsbiggerballs

whatever Apple got caught and they are covering their butts..
nice try.

Michael S.

ppartekim Said:

Get a life…

Really I have one laughing at you morons. Have fun!

ppartekim

Really I have one laughing at you morons. Have fun!

And by “moron”, I have to assume you mean anyone using a smartphone from any OS company or even a cell phone in general. Heck even the old landline phones had logging on them in that each number called was logged.

Or are you one of those Apple haters who just love to slam Apple at any opportunity.

Yes, I like Apple products but I am not married to them. I have other cell phones, consoles, computers, etc.

Michael S.

@ppartekim

I hate Apple cause they don’t take responsibility for anything that happens, like “Antennagate” for example… Surprised that they fessed up to this.

RonMacGuy

You are clueless, Michael S. so Apple giving away free bumpers to anyone who bought the antennagate-affected iPhones is not taking responsibility? Nice try. Go troll elsewhere, moron.

Bryan Chaffin

Michael S. & bobsbiggerballs: I suspect you didn’t read the article. Taking this report as an “Apple got caught” simply doesn’t comport with reality.

Unless you mean that Apple got caught not doing what HTC was found doing.

Michael S.

They were still doing it, and probably still are somehow with Siri… So the Idiot that wants to call me a moron obviously needs to look in the mirror. Apple Sucks Period! With the “Antennagate” they blamed The way you were holding it, and then blamed “Software” and when software didn’t fix it, They Blamed the “Media” for “Hyping” the situation! You guys discust me for being as stupid as you are for being a follower that obviously can’t think for themselves. Shows how “Cool” you really are… Not Cool! Live in whatever world that you want to, but Apple Blows, and you will soon find that out. IOS isn’t anything! You’ll find out soon!

Ref Librarian

Oh, what a rebel.

RonMacGuy

LOL.  Bryan, why do your articles attract people like Michael S.?

So, Apple Sucks Period, huh Michael?  Selling 30 million iPhones every three months, and as you can see in Bryan’s latest article entitled, “Survey Finds iPhone 4S Customer Satisfaction Highest Yet.”

And I quote Bryan’s introduction:  “Owners of Apple’s iPhone 4S are reporting satisfaction rates even higher than the company’s 2010 iPhone 4. Changewave Research released the results of a new survey that found 96% of iPhone 4S owners are either “Somewhat Satisfied” or “Very Satisfied.” That’s three percentage points higher than the 93% of iPhone 4 owners that said the same thing in July of 2010, but Apple gained five percentage points in those who are “Very Satisfied,...”

Yes, antennagate really bothered a huge number of iPhone 4 buyers - 93% customer satisfaction rating.

Oh, and we “disgust” you.  We don’t “discust” you.  I mean, really, Michael?

OK, I’ll stop feeding the trolls now!!

grin

Ref Librarian

I don’t understand the passion and bad spelling not to mention flying spittle that is invoked by people who buy (and like) a different smart phone. It just is one of those peculiarities of, I don’t know, thirteen year old males? Vacuum, coffee maker manufacturers just don’t get the same venom, I don’t understand it.

Michael S.

Oh, I’m sorry for having not so perfect grammar for your Apple World… Just iSheep that can’t think for yourself, so glad Siri corrected me… Whooptie Doooo! You: Siri, What is the purpose of my Existence? Siri: Without you I would be incomplete, and with all you peasants; We can Resurrect Steve Jobs who is an Immortal! HAHA! Stupid!

Ref Librarian

Yes, yes, you just let all those nasty emotions out, posting here in bad English is cheaper than a psychiatrist.

Michael S.

I’m sorry, Siri was telling me what to write… Shows how screwed up Apple is!

Ref Librarian

Michael, you’ve already said you wouldn’t own an iPhone, remember? We all know that you aren’t talking to Siri. And if you were, she would tell you to breathe into a paper bag for awhile.

In all seriousness, would you mind explaining why you are doing what you are doing? I mean, I don’t go over to the Dyson vacuum sites and foam at the mouth because the people there have bought one of those terrible Dysons rather than a Miele, like I have. I think it is normal. Do you coming here to rave at people for buying a different smart phone is normal?

Ref Librarian

Excuse me, “Do you think coming here to rave at people for buying a different smart phone is normal?”

RonMacGuy

It just is one of those peculiarities of, I don’t know, thirteen year old males?

Hey Ref Librarian, don’t insult thirteen year old males, the majority of whom act more mature than Michael S. is right now!!

wink

Michael S.

Really? Thought iPhones were kids toys, so what makes you guys any different? Just what I read on the internet. Don’t hate the messenger! Apple thinks it’s all that and a bag of chips. It isn’t crap! Lack of communication tools on it, like dropped calls, etc… I guess you guys are too busy playing games like Angry Birds to care about any of that though. Sorry I bothered you…

Ref Librarian

You didn’t bother us, I’m still curious about your motivation.

Unlike you, I have an iPhone, have had one for 3-4 years and I don’t have dropped calls, I have plenty of communication tools on it, the pictures and camera are great, each one has been fast and fun and easy to use, hence I’ve continued to stay with iPhone. I think it is all that and a bag of chips. I don’t understand why my satisfaction with a smart phone makes you so angry.

RonMacGuy

Michael, I’m only responding because you are just too funny and I am enjoying the laughs after a long and agonizing day at the office.

No, iPhones are not kids toys.  You do realize that 1 in every 4 smartphones sold is an iPhone, right?  And > 80% of tablets sold are iPads.  And Apple sells more iMacs and MacBooks every quarter in record numbers.  Apple is the most valuable corporation in the world based on market capitalization.  So yes, Apple is all that and a bag of chips.

Dropped calls?  Check the date of the articles you are reading - that is so 2 years ago, and affected very few people.  Lack of communication tools?  Where are you getting all of this?  I just feel for you that you are either so misguided or so angry with Apple for some reason that you are trying to make arguments that are simply false.

My iPhone 4 on Verizon is simply the best cell phone I have ever had, bar none. AT&T had issues with the dropped calls primarily because they couldn’t handle the iPhone load on their networks, which are not very good anyway.  So blame AT&T, not Apple.

Tbizzle

So are they really going to remove it? Or are they just going to hide it better next time?

Michael S.

I just really have a Hatred for Apple. Glad I could give you guys amusement for tonight. For your safety, I hope Apple removes that and quits tracking you. Knowing Apple wants to control the world, I won’t hold my breath on that. Have a good night.

ClifCham

I just checked my girlfriend’s new (<1 mo) iPhone 4S from Sprint and found that SEND was activated. Fixed that. Based on what someone said Apple may have lied again about it not being activated in IOS5.

cybersecurityofx

As a US computer military intelligence officer this sickens me. I can absolutely guarantee to you at this point that many of our military, government and national security infrastructures have been breached and compromised. The Chinese, Russians, North Koreans, and Iranians all now have root access to our systems thanks to Carrier IQ and other vendors.  Carrier IQ will be prosecuted at so many levels it will make their head spin.

Here’s how the keys to our systems were handed over to the “other guys”.  We all know that many government and military members have these infected smart phones with Carrier IQ’s software installed.  Some of these people have used their phone to check email or do some other task which required them to type their username and password at some point. Since each key press is recorded and sent instantly over a non-secure channel as shown in the video, no https, no handshaking, etc…, this means all it takes is one compromised router to sniff out this information and send it to the “bad guys”.

It doesn’t even take a compromised router to pull this off because many government and military officials have to travel to not-so friendly countries where all outbound internet traffic goes through the country’s government approved firewalls. So even if they are using encrypted US government approved apps / software / websites it doesn’t matter, because the key press itself has been sent, thus basically bypassing any type of security the app / software / website has implemented.

It doesn’t take a rocket scientist to figure out that once they have the username and password they log in as those users and begin installing root kits within our systems. 

Doing this type of automatic filtering and scraping is trivial to any skilled computer programmer and we all know that cyber-security and espionage is taken very seriously by the Chinese, Russians, North Koreans and all organized crime syndicates.

RonMacGuy

I’m sorry you have such a hatred of Apple, Michael. Apple doesn’t want to control the world, they simply want to provide shareholder value, just like any other major corporation. But, unlike most nowadays, they are actually succeeding in a huge way, which tends to make people hate them for some reason.

I hope that you do realize that your hatred of Apple is making you blind to the real problem here, in that it has been proven that CarrierIQ has actually been collecting data on android and RIM phones like Samsung (what a shock) and HTC.  Check out the earlier article on macobserver:  CarrierIQ.  Apple is actually being forthcoming with information (even though some are accusing them of lying).  CarrierIQ has obviously lied, and will be caught in those lies.  We will soon find out who the real culprits are.  Are the carriers lying?  Are the handset makers lying?  Who has been paying CarrierIQ to track and provide personal data to them?

Don’t let your hatred of Apple blind you to the real concern over CarrierIQ on android and RIM phones.  Please try to see past your baseless Apple bigotry, do more detailed research, and make informed decisions.  I wish you well, and have a great evening.

Michael S.

@RonMacGuy

Let me correct you on one thing. RIM doesn’t put that on their devices.

http://www.reuters.com/article/2011/12/01/rim-idUSN1E7B00V720111201

Now if by some chance it is caught on a device… Done by the Carriers like T-Mobile.

http://www.facebook.com/l.php?u=http://support.t-mobile.com/thread/12668?tstart=0&h=6AQEvrZnr

Like the US Computer Military Intelligence Officer on here along with ClifCham.

I suggest to do more detailed research, and make informed decisions on what is best for you for security, if it is recording keystrokes. Have a Good Night.

archimedes

In a previous comment on TMO, I asked a very important question - what exactly enables HTTPS URLs to be logged? Normally HTTPS URLs are encrypted and therefore won’t be disclosed to third parties without modifying the browser or other dodgy practices such as key logging.

Nobody seemed to have a good answer. Now, the answer seems to have revealed itself: Carrier IQ apparently modified Android browsers (at least) to log HTTPS URLs *and* installed a key logging “feature.”

Originally I had assumed that Carrier IQ was only on Android, but now Apple has confirmed that Carrier IQ was on - and may still be on some - iPhones and iPads as well?!!!

Bad move, Apple, for including this malware-like software, whose Android version (at least) breaks the security of HTTPS and transmits formerly “secure” URLs to third parties.

In addition to chpwn’s blog post, I’d like to see a detailed accounting of all “diagnostic” information that is disclosed to Apple and other third parties, including independent verification that HTTPS URLs and traffic - not to mention keystrokes in Safari - are never logged.

Additionally, it would be nice to have a clear and comprehensive statement from Apple on precisely what happens to data transmitted to Apple by Siri.

archimedes

If my understanding of chpwn’s blog post is correct, he seems to have observed the iPhone logging and transmitting his phone number, so Apple’s claim that the data are “sent in an anonymous ... form” would be erroneous or at least highly misleading.

RonMacGuy

Let me correct you on one thing. RIM doesn’t put that on their devices.

Michael, no need to correct something I never said.  I did not say that RIM put it on their device.  I simply said that “it has been proven that CarrierIQ has actually been collecting data on android and RIM phones.”

I suspect Apple used the software in diagnostic mode to help them in diagnosing problems with people’s iPhones when they call for assistance.  There is nothing wrong with software that tracks keystrokes when used to understand what the user is doing when their product starts to have problems.  Heck, in my company if I have an IT problem our help desk will actually watch what I am doing, and even take control of my PC to fix the problem.  I also suspect that Apple wanted to stop paying royalties to CarrierIQ for their software, which is why they then integrated the functionality into iOS 5.  Again, there is nothing wrong with logging data in diagnostic mode.  The problem is when the software hides itself from the user (so you don’t even know it is running) and constantly records and sends data that CarrierIQ then probably sells.  This has been proven to be running in normal mode on android/RIM/Samsung/HTC phones.  Not sure if the carriers or the phone manufacturers or Google or the government or some top secret global organization put it there.  Maybe we’ll find out soon.

Lee Dronick

Today’s Joy of Tech comic has a pretty good take on why Carrier IQ is on smart phones.

jfbiii

So the Idiot that wants to call me a moron obviously needs to look in the mirror.

Nobody wants to call you a moron. It just happens to be the nicest accurate term available.

Michael S.

@jfbiii I call a spade, a spade. I call a [expletive deleted]. It just so happens to be the nicest accurate term available! If you want to believe Apple isn’t doing anything to compromise security, then whatever. That’s on you!

[Edit: At TMO, we use big boy words. Take your profanity elsewhere. - Bryan]

zewazir

And once again, after wading through troll BS thicker than the grounds of a feed lot, I have to wonder: why would someone who hates all things Apple spend so much time on a web site devoted to Apple products and run by and for Apple fans?  Are your lives so hopelessly lame that flaming sites like this actually give your lives some kind of perceived meaning?

I peruse this site because I like Apple products. So I searched and found a site devoted to discussing them. I detest Dell products, and Acer - I spend an inordinate amount of time fixing them - about half our manhours go to supporting 15% of our computers, those being primarily Dell or Acer, with 85% being Macintosh.

But, detesting Dell and Acer, I have zero desire to seek out Dell or Acer centric sites to flame their products. I don’t buy Dell or Acer for myself - that is plenty for me to express my dissatisfaction with their products. So it puzzles me to no end why people spend their time coming here to express their hatred toward Apple products or Apple Corp. Are you forced by your jobs to support Apple products, as I am forced by mine to support Dell and Acer?  Or do you simply have such hopelessly pathetic lives that gaining attention through flaming Apple on Apple centric web sites gives it some kind of wacked out, off the wall meaning?

Partsmutt

Wow.  Name calling from the security of his little apartment.  Gotta love internet balls.  LOL!

BurmaYank

“And once again, after wading through troll BS thicker than the grounds of a feed lot, I have to wonder: why would someone who hates all things Apple spend so much time on a web site devoted to Apple products and run by and for Apple fans? Are your lives so hopelessly lame that flaming sites like this actually give your lives some kind of perceived meaning? ...So it puzzles me to no end why people spend their time coming here to express their hatred toward Apple products or Apple Corp.  ...do you simply have such hopelessly pathetic lives that gaining attention through flaming Apple on Apple centric web sites gives it some kind of wacked out, off the wall meaning?”

I’ve been puzzling over that, too, and since long before Michael S., bobsbiggerballs & Tbizzle stampeded over here to our corner, while this most recent really bad news about Android thundered over the www landscape.  These guys are just the latest horde of Android vandaltrolls here.

I suspect they are feeling the jealous ghetto-rage of the Have-Nots against the Haves.  They enjoy spitefully vandalizing the beautiful things forbidden to them in their neighborhood and trashing the identities of the privileged, as things happen to turn nastier there for them.

Snrub

There’s only one logical reason why someone goes out of their way to rant on special interest forums when they despise said company/product especially when they state they don’t/won’t own the product. They just like stirring the pot. They love the responses they get. No normal person acts like this.

For example would a normal person drive to another state, attend some random city counsel meeting and gripe about how they operate that city when they have zero connection to that city in any form? Of course not.

When these types of people do show up, we can only nod our heads and let them have their say and let them see themselves to the door.

Peace.

ctopher

For example would a normal person drive to another state, attend some random city counsel meeting and gripe about how they operate that city

Oh man I am so going to do that!
