[conspire] Lessons from CarrierIQ (was: Mashable - The Social Media Guide)

Sat Dec 3 14:13:17 PST 2011

Quoting Jesse Monroy (jesse650 at gmail.com):

> Good article on Carrier IQ. Do you concur with Dr Watson (ala windows)
> analogy?
> 
> http://mashable.com/2011/12/03/carrier-iq-is-misunderstood-not-evil/

No.  Author and '25-year industry veteran and award-winning journalist'
Lance Ulanoff appears to be an idiot, or an industry apologist, or both.
Or, actually, a trolling ex-Ziff-Davis hack who has nothing to say but
needs to file some provocative material on a trendy subject under tight
deadline pressure.  None of those is actually mutually exclusive.

In my experience, 'IT journalist' tends to mean little more than
'reporter assigned to cover computing because he/she can touch-type',
though there are honourable exceptions.  On balance, the sum and
substance of Ulanoff's article is probably 'Please stop ignoring
Mashable.com.  We're important, honest!  And we need your ad impressions 
to pay rent on the townhouse in Queens, so please get upset and post to
our feedback forums.'

The gist of Ulanoff's argument, such as it is:  relax about Carrier IQ
logging and analysing everything going outbound on your smartphone,
because you already knew that all of that bitstream was going outbound
throug your telco carrier anyway, and they're all just trying to measure
and improve network and smartphone performance.  And, besides, if you
ran Win95/98/NT, you were (unless you took initiative to disable it)
running a debugger named Dr. Watson that reported debugging data to a
local file following any userspace application error.

That's a superlatively dumb argument, particularly since Ulanoff says he
watched Eckhart's painstaking 17-minute video analysis, which means he
knows better unless he's a -total- moron.  

Dr. Watson didn't record anyone's full application session including all
keystrokes, but rather only basic process state data (stack contents,
etc.) analogous to some of what gdb captures.  More to the immediate
point, even that process-state data was captured _locally_ to
drwtsn32.log, which the user could choose to furnish to technical
support staff.  It wasn't automatically reported to anywhere, ever.

I note in passing this especially risible bit of Ulanoff drivel that is
his concluding judgement:

   The reality is it's an act of a company that's not used to
   dealing with the public.

Which explains their thuggish bullshit lawsuit threat (and greasy
non-apology apology) against researcher Eckhart how, exactly?

The keystroke-level logging to Carrier IQ even of everything the user
does in an _HTTPS session_ is a particularly damning betrayal of user 
expectations, and 'We were just trying to help you' is the predictable 
defence but is utter bullshit and everyone knows it, maybe even Ulanoff.

It's worth noting that HTC, RIM, Sprint, Nokia, Samsung, and probably a
bunch of other cellular telcos and handset manufacturers have almost 
certainly all been complicit in this, which gets back to the point of my
upthread post.  (Apple, Inc. used to include an earlier version of
Carrier IQ in its smartphones, but stopped doing so as of iOS 5.)  The
point is that this is business as usual in embedded computing, and that
the only way to prevent it is to use your own firmware load and make it
physically impossible.

So:  The telcos and embedded hardware makers are addicted to treating
their customers as corporate property, to lock in, manipulate, and mine
for information, and it's important never to forget that.  Even though
the major companies have been busy this week throwing Carrier IQ under
the bus
(http://www.theinquirer.net/inquirer/news/2129767/apple-nokia-rim-distance-carrier-iq-saga),
it's well to remember that it's more because the firm's become a PR
embarrassment than because of any pretence to ethics from eveyone else.