Saturday, December 03, 2011

Carrier IQ, smartphone spying, and the CIA connection

(Note: This post contains original research into the links between Carrier IQ and the CIA. If you're impatient to get to that stuff, scroll down. Then spread the news.)

If there's one thing I cannot abide, it's knee-jerk defeatism when it comes to questions of cyber-privacy. "Oh well -- that's the world we live in. Nothing we can do. If you're not doing anything wrong, you have nothing to worry about..."

Bullshit. There's a lot we can do. And just because you're a law-abiding citizen doesn't mean you should put up with snoops who trample on your rights.

(If you're not doing anything wrong, why not let me install a video camera in your bedroom? Why not let me plant mics in your home and car? Why wear clothing? Are you hiding something?)

I strongly urge you to read this and this. Yes, I just linked to a piece by Farhad MooJuice, who is often wrong on tech issues and obnoxiously complacent about the threat of cyber-spying. If Mr. Passive is worried, then it's time for a nationwide panic reaction.

The culprit is a piece of software called Carrier IQ, which installs a rootkit on your smartphone. It can track your location, your apps, your texts, your every keystroke.

For more on the controversy, see here and here. Predictably, CBS News has come to the defense of Carrier IQ -- which may be all the evidence you need to understand that the software is no damned good.

The Information Week piece (written in the second person, addressed to Carrier IQ) is particularly helpful:
Eckhart has two big concerns: First, your app appears to be seeing everything he does, from HTTPS strings in the browser to actual keystrokes. He wonders if the app logs this sensitive data, or transmits any of it to your servers? Second, he's concerned that the data being tracked by your servers could easily identify individual handset users. Accordingly, "I would like to know exactly who has seen this data, what data has been recorded, and who has recorded it. This data should also be subject to some clear privacy policy," Eckhart says. Without that clarification, he argues, the software is simply a rootkit: unwanted, hidden, hard to delete, but running with root-level access.

But instead of embracing the spirit of full disclosure, you send Eckhart a draconian cease and desist letter, threatening him with $150,000 per count of copyright violation (for the manuals) and warning that unless he bends over backwards to take back everything he's said about your company, you'll make him pay--big time.
If Carrier IQ weren't spying on users, they would never have responded in that fashion.

Allegedly, this software exists to "serve you better."

Bullshit. This is Uncle. He's spying on you, on all of us.

I own a tiny old cell phone which is used to make and to receive phone calls -- nothing else. (You can send me a text message, but don't expect me to text back.) Even if cost were not a factor, I would never "upgrade" to an Android or iPhone. It's not that I'm a Luddite or a technophobe -- I've repaired iPhones (on a modest scale), even though I would never own one of the damned things.

Why? Because you can't remove the battery of an iPhone, at least not easily. The iPhone was designed this way because governmental agencies can use your phone to track and triangulate your location every moment of every day. The only sure way to defeat GPS is to take out the battery.

Can "they" track you in other ways? Perhaps. But why make life easy for the people trying to spy on you? I say we should toss sand in their eyes whenever we can.

In truth, I live a rather innocuous life. But purely as a matter of principle, Americans should defend their privacy to the greatest degree possible. Even if you're a soccer mom and the president of your local PTA, live like a fugitive when you go online.

If that prescription seems excessive, then the least you can do is to support Al Franken's efforts to investigate CarrierIQ.

DO NOT BELIEVE the software and hardware providers when they say that they will not misuse the information they gather. They are lying. They can never, ever be trusted.

Only laws -- combined with much greater operational transparency -- will stop them. In their press statement, Carrier IQ tells the public that they are operating within the laws. They don't tell you that current law is woefully insufficient.

The CIA connection: Here are the executive officers for Carrier IQ. And now it's time for Cannonfire readers to play one of our favorite games: Spot the Spook.

Let's start with CEO Larry Lenhart. Hmm. How does this resume sound...?
Before his CEO experiences, Larry was a managing partner at Deloitte Consulting and at AT Kearny, where he provided strategic and operational expertise across the globe with such clients as EDS, AT&T, New Jersey Bell, E-Trade, Novell, Federal Express, GM, Saudi Aramco, Bank of South Africa, DuPont, and many others.
I must say, this was a particularly quick game of Spot the Spook. Almost too quick; I wanted more of a challenge.

Deloitte Consulting, eh? All righty, then. The question before us comes down to this: Is Deloitte a spooked up company? Are we dealing with one of those oh-so-special "private" firms which just happens to be plugged directly into our nation's intel community?

You betcha.

One of their senior managers was recently appointed Inspector General of the CIA. The IG is not a position for outsiders; the job usually goes to a "good old boy" veteran of the intelligence world -- someone who can be depended on not to rock too many boats.

Also see here. Carmen Medina of Deloitte (she's the nice lady in the photo reproduced above) also served as the director of the CIA Center for the Study of Intelligence. If you're trying to come up with an innocent explanation as to how such a thing might happen -- save your breath. And grow the fuck up.

Also read this:
Of Deloitte’s 45,000 employees worldwide, more than 5,700 work in this federal practice. They provide solutions regarding business strategy, operations, technology, risk management and human capital. The division works with a host of government contractors and agencies such as the FBI and CIA.
And this, from Deloitte's website:
Federal agencies trust Deloitte to address their most critical information and technology challenges -- and we deliver by providing measurable business value through IT.
With deep Federal and commercial industry knowledge, Deloitte is well positioned to support the FBI by leveraging our extensive IT experience in hardware, software, operations, maintenance, and technical and development services. Deloitte's Federal technology professionals offer a broad range of implementation and advisory services to support the FBI in its efforts to better manage critical business information and support mission objectives.
Our FBI service team is led by professionals who possess broad technical and consulting experience coupled with deep knowledge of the Federal law enforcement environment
Deloitte has the experience and professional knowledge to support the FBI's needs under the IT SSS contract. This includes:
* A deep bench of practitioners with active security clearances and extensive project management certifications
* Demonstrated performance and experience through the FBI Program Management and Support Services (PMSS) contract vehicle as well as other large vehicles with the Department of Homeland Security and Department of Defense
Deloitte is obviously thisclose to the intelligence/security apparat.

And that means we should be pretty damned scared when we learn that a former Deloitte head honcho suddenly got the funding needed (from In-Q-Tel, perhaps?) to start up a company which just happens to plant a "spy on everything" rootkit in smartphones everywhere.

Back in the '70s, nobody would have put up with that kind of shit. I fear that today's Americans are far more passive.


Zolodoco said...

This is yet another reason for me to avoid buying new hardware unless I can wipe it and install open source community firmware and software. My phone runs Maemo 5 which isn't open (yet), but at least it predates Carrier IQ, and everything I run on the phone is open source. It's my first and probably the only smart phone I'll ever own. They're just overpriced, awkward micro computers whose only standout feature is GPS reception.

If you haven't heard about it yet, you may be interested in the Cyanogenmod community project. I'm running 7 on a rooted Nook Color tablet with apps from the fdroid GPL repository. I set that up as a budget wifi netbook for travel.

Anonymous said...

Make a Faraday cage with aluminum foil; cover it with entirely with aluminum foil. The signal strength is almost entirely eliminated. In essence you are cutting signal strength by a factor of about a million. (I'm guessing here on the math; I know it is possible to do some tricks to pull a signal out of a Faraday cage but it is not easy and you have to be within a within a foot or so.)

husband of catlady

Megan said...

I don't even own a cell phone and if I ever do get one, it'll be just a basic one to make calls in emergencies. People really do need to wake up and realize all the dark forces in this country that are circling us. I'm careful what I put in my e-mails, because I know they're being monitored. Welcome to United Soviet States! I certainly will support
Franken on this one.

Anonymous said...

Quis custodiet ipsos custodes?


Gus said...

Never owned a cell phone of any kind, and certainly won't start now. My lady friend has one, but she can only make calls and text, no "smart" capabilities thankfully. I originally shunned them because I didn't want people to be able to reach me by phone anywhere and everywhere, now I have even better reasons to avoid them. Someday, when the hard lines are gone, I might have to get one, but it will be the most basic I can get, calls only.

The real problem with the "if you're not doing anything wrong, you have nothing to worry about" mentality is that the govenrment keeps adding "wrongs" to the law code at a rate that most Americans can't hope to keep up with. So, sooner or later, you will do something the government considers wrong, and they will come for you eventually (or your children, or your money, or all of the above, etc., etc.).

Anonymous said...

This is an intriguing post and set of comments.

I am only remotely techie, remote being pre-wifi, so this new stuff which is probably dated to real techie intrigues me, but I'm basically clueless.

Since my pc is slow, I'd love to switch to linux but scared that I'll completely wreck my computer.

I wanted to get a Nook Color but I read that it's an Android product and now I wonder about it.

This is my roundabout way of saying how about doing a post for non-techies on fixing up computers, tablets, phones to reduce the amount of intrusion that has been built into it.