Carrier IQ Tries to Censor Research With Baseless Legal Threat (eff.org)
156 points by wglb on Nov 22, 2011 | 31 comments



"From leaked training documents we can see that portal operators can view and task metrics by equipment ID, subscriber ID, and more. So instead of seeing dropped calls in California, they now know “Joe Anyone’s” location at any given time, what he is running on his device, keys being pressed, applications being used."

"Verizon has publicly came forward with a statement regarding their usage on Carrier IQ statistics and give users a way to stop them from selling the information outside of Verizon"

Wow. No surprise that they would like to suppress that information, but they should've known better than to be so heavy-handed with the lawyering. They might have been able to spin it a little more positive with some decent PR, but now it just screams that they're being evil.


"...keys being pressed..."

Is it possible, then, that carriers have in their databases the passwords of every server that every system admin has connected to over ssh from their smartphone?


Of course not! They promise really hard that they're not keylogging, despite installing a keylogger that sends opaque encrypted data packets back.


This may be the heart of the problem. If the databases built with this include keypresses, then when a user logs into a site using https, their credentials are being recorded before they are encrypted. This opens another vector for hackers to get and sell the information for malicious use by surreptitiously acquiring the data from the tier 1 carrier like Sprint or Verizon instead of needing to get it by hacking a bank.

With such a large number of potential victims, it would be difficult to determine if a wave of thefts from a particular institution were the result of the institution's security being compromised or if a CarrierIQ database was compromised.

I develop some on Android and have been aware of this product for many months now but I have no idea what data it collects and transmits. Just what it is capable of. So this may be a non-issue. For now, at least.


I find myself more and more joyful to be contained within Apple's walled garden every passing day.


Are there really still companies out there that don't know that such a needlessly hostile response will attract a lot of unwanted attention? Or do companies just do whatever their lawyers tell them to, and then their lawyers tell them to do whatever is most likely to lead to a costly legal battle (i.e. in the interest of the lawyer, but not necessarily in the best interest of the company)?

Or, to put it more bluntly, what did they expect to accomplish with this C&D letter? Did they seriously believe that he would just do whatever they said to?


A lawyer can tell you what you can do legally. They are good at that. A lawyer can't really tell you what you should do to further your business agenda. They're unusually terrible at that.


1) The lawyer is in-house, apparently. Maybe he bills by the hour, but I'm guessing not? 2) By providing a lengthy, specific C&D letter I'm guessing they get more leverage in settlement. At present, the C&D hasn't really cost them much; they can weigh the EFF response and decide whether or not to invest more resources. What's the worst that can happen with such a C&D? Either the defendant gets scared, or beefs up legal protection and Carrier drops the suit.


If their lawyer never thought beyond the client/defendant in this case then that lawyer should lose their job.

The worst that can happen as a result of this C&D is 1) The Streisand Effect 2) Major news organizations smell blood in the water and decide to ramp up coverage 3) Lawsuits and Senate hearings

If the WSJ picks this up like they did the UDID, you can say goodbye to Carrier and all of the data they collect.


> What's the worst that can happen with such a C&D?

Bad press. Lots of bad press.


This and SOPA lead me to think at some point we might need technically-trained judges and congresspeople.

Understanding whether Eckhart was peddling 'inaccuracies' hinges, I think, on at least some technical proficiency. I'm not a legal expert, and even if there were inaccuracies I don't know if that establishes the plaintiff's claim or whatever.

As more and more legal complaints involve more and more complicated tech, how can we expect even a brilliant legal scholar with no technical expertise to determine facts in complicated cases?


Judges can draw on technical experts to help analyze the facts in a given case. It definitely helps to be technically literate, but the judge doesn't need to be making open source commits by night to evaluate the situation fairly. On the other hand, it's not unreasonable to acquire some knowledge for the specific case, but again this can be on the level of a few hours of research (to be able to understand and communicate with the expert), rather than expecting the judge to take the time to become an expert him/herself.



While a technocracy is a good thing in theory, I'm always concerned about the likelihood of it turning into a serious echo chamber. If the only people involved in, say, banking are people who have domain-specific knowledge, what is the likelihood that you're going to get anything new out of it? It seems to me that it'll almost always devolve into a terrible feedback loop. That said, it isn't necessarily worse than what we have now.


I'm not sure I'd go that far; I don't believe that technical experts are by virtue of their expertise the best at making judgments, weighing alternatives, etc. I certainly wouldn't want a judge with only technical expertise making decisions.

I'm just wondering whether you can be a good judge without understanding the technical details as well as the legal ones, or at the very least be an exceptionally fast learner. At the same time, few people are both technically and legally proficient - even most patent lawyers don't need to fully understand the tech they're dealing with to write cease and desist letters, or advise their clients to settle, etc.

But maybe the judges do, and as tech progresses even more, how can we reasonably expect judges to know enough of both? I'm not trying to make the obvious point of "gee, shouldn't judges know how an iPhone works before ruling on it" but asking whether it's even possible to understand both technical and legal sides well enough.


Getting this post to the front page of HN will help increase the Streisand Effect for Carrier.


I just read what they wanted him to replace his research with. The nerve...

Did he actually infringe on anything or does the First Amendment apply here?


Obviously he didn't. If he did infringe, they wouldn't have sent a legal statement saying that if he complied they would "release all claims" (as they did). Instead, they would tell him to stop and in return he wouldn't be continuing "willful infringement".

Saying "do these things immediately and all claims will be fully released" is usually a sign of weakness to begin with - pretty much any company lawyer is going to open by overplaying his hand.

This is only an overplay of a weak hand.


Is it fair to assume that because Apple doesn't let carriers modify phone software, the iPhone is likely to be free of this? (not saying Apple can't do something like this themselves, just that the carriers can't)


They really need to start teaching "the Internet" in law school. When you try to suppress something, a bunch of anonymous people will step in to make sure the information is spread far and wide. If you just let something go, there probably won't be much damage to your business.

Oh wait, lawyers are paid to send letters, not to minimize the reputation damage to their clients. Now I know why this comes up all the time.


Aside - I haven't visited EFF in a while, but I'm loving that design. Perfect contrast, great legibility on the writing, just the right amount of white space. This is how it's done.


What their recruiters said on linkedin when they contacted me. I didn't respond, but I read this article and thought I'd heard the name somewhere...

   [snip; about recruiter]

   We sell software to tier 1 mobile network operators. Our software is running 
   on over 150mm handsets in the US. Each handset collects and reports 100's of 
   metrics of device and user behavior in real time. These metrics comprise 10's 
   of gigs of data per day resulting in Petabytes of data stored to date. 

   With our intelligence solutions, the Mobile Operator can for the first time, 
   analyze system, device and user behavior from every enabled smart phone 
   handset/device on their network. From this insight, the MNO can meaningfully 
   improve CAP/OPEX and customer satisfaction. 

   We need to hire someone to lead our data analysis effort for our ground breaking
   solutions. This role would report to our VP of engineering. 

   [snip -- describing the company]

Key phrase: "Our software is running on over 150mm handsets in the US. Each handset collects and reports 100's of metrics of device and user behavior in real time. These metrics comprise 10's of gigs of data per day resulting in Petabytes of data stored to date."


Do the carriers count these reported metrics against data caps? Overage fees can quickly add up. I'm not sure I want my phone using my bandwidth in that manner. Granted, the amount is relatively small compared to user-triggered activities (viewing online video, etc.), but the point remains... if I'm nearing my bandwidth limit and am consciously trying to limit my data use, but they're collecting and sending out as many metrics as they indicate in real time, that's not cool.


Considering 150 million devices and their quoted "These metrics comprise 10's of gigs of data per day", let's assume 10's of gigs to be 50GB (10's of gigs is less than a hundred and more than 10, so let's go with the middle ground).

50GB spread over 150 million users comes out as ~333 bytes per user and day.

Of course, the transmission of that data is likely more bursty, but even if it transmits all the data in one go, that's only 10K per month.

So your argument about the limit doesn't really fly because even if they did charge for that data (which they probably do), considering a limit of 1GB per month, those 10k would be 0.001% of your monthly allowance, so it's probably not even detectable by their overcharge detection algorithm.

Now. Don't get me wrong: This kind of malware is really bad and shouldn't be on these phones, or if it is, it should be opt-in for the purpose of remote support.

It's just important that we hate it for the right reasons (security, privacy).


Except that number doesn't make sense. 333 bytes per user per day can't contain the level of information they purport to offer.


An average like that takes into account many people hardly using their phone so there is nothing much to report, or using it in a bursty manner so there is nothing to report most of the week but plenty at the weekend.

The "150m devices" claim is rather vague too. It will no doubt include devices that are no longer in use, like when a dating site claims to have X million members without mentioning the fact that all but a few thousand of them haven't logged in for many months - they can truthfully claim such devices have the software installed but that will skew the average bytes/device/day taken from the released figures downwards.

A rule of marketing (which includes selling the company to prospective employees if they are looking for them on linkedin): Never lie when you can selectively use honest statistics instead.


333 bytes is enough to send plenty of information, like your favorite apps and how long you used them. Consider something like: "com.android.browser:1.4h;1-800-HI-THERE:2.3min", which is only 47 bytes.


and keypresses too?


Since most Android phones have no physical keys...


(why mention physical keys?)


Would the stories making page 1 of /., HN or reddit have something to do with this?

Research is one thing but making the research known to a wider audience who generally do not read research papers, maybe that's another.

So given the choice between a handset with CarrierIQ and packed with "features" or one without all that but which works as it's supposed to, would all informed consumers continue to choose the one with the features?

Before cell phones, pen registers and wiretaps used to require a warrant. Would anyone need a warrant to get a positive response from a wireless carrier if they asked for some CarrierIQ data? They'd probably get a price quote.

Will this type of technology be used only to catch criminals, or might it someday be used to study consumer behavior? The argument it's used to improve wireless service and therefore a justified invasion of privacy just doesn't fly.



