Tuesday, December 6, 2011

Smartphones collecting personal information

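Carrier IQ, which collects personal information, has been in the news.
 Apple has acknowledged that it ships "Carrier IQ," software that has become
controversial for collecting mobile phone information without permission, in
its mobile device products. Apple also said it plans to stop using the software.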

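Trevor Eckhart
・The Carrier IQ installed on Android devices can collect all kinds of
 information, from keystrokes to SMS messages and web browsing history
・Carrier IQ is embedded deep in the device, and it is almost impossible
 for users to remove the software themselves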

chpwn
・Carrier IQ has been included since iOS 3

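Apple
・Stopped supporting Carrier IQ in iOS 5.
・Will remove the software completely in a future software update
・All collected data sent to Apple is always approved by the user in
 advance, is sent encrypted and anonymously, and does not contain personal
 information. Keystrokes, messages and other personal information have never
 been recorded, and this will not be done in the future either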

Carrier IQ
・Our products do not record users' keystrokes or track usage, and we do
 not sell collected information to third parties

Companies that have acknowledged shipping Carrier IQ
ATT, Sprint, HTC, Samsung

Companies that have not acknowledged shipping Carrier IQ
Verizon Wireless, Research in Motion, Nokia

The flagship products of Japan's major carriers are all hit.
On top of that, the major carriers have announced nothing.

The information-collecting application appears to be implemented in ROM.
If the app name is known, stopping the app at power-on may be
a simple approach.

A distributor that provides a custom ROM might be able to remove it,
but might also build it in.

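Even if a contract is concluded stating that personal information, including
location information, will be provided in a form that cannot identify
individuals, no means of verifying that the contract is being honored is specified.
I feel that we are being made to use it reluctantly under a one-sided contract.
This may be a matter to be decided by law.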

Is Google evil?


Carrier IQ Part #2


---Galaxy S built-in apps also have a personal information collection capability---
DECEMBER 05, 2011 07:54
http://japanese.donga.com/srv/service.php3?biid=2011120528108

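 Software similar to the US "Carrier IQ," which collects personal information on mobile phones such as call records, text messages and location information without telling the user, has also been found on Samsung Electronics smartphones. Three applications that are basic programs on the Galaxy S and Galaxy S2, "Mirror," "Data Communication Settings" and "Program Monitor," were confirmed to function in the same way as Carrier IQ. The two models have sold more than 10 million units in total in the domestic market alone.
 On the 3rd and 4th, the Dong-A Ilbo, together with the Korea University Graduate School of Information Security, investigated whether "Carrier IQ" is installed on domestic mobile phones. The investigation found that Carrier IQ was not installed on domestic mobile phones, but it confirmed the existence of apps that hold permissions to collect personal information regardless of the app's purpose.
 The Galaxy S app "Mirror" is a simple app that shows your own face using the camera. However, it was found to be designed so that it can freely access more than 40 functions inside the smartphone, including contacts stored on the device, calendar schedules, location information, text message (SMS) content, photos and recordings.
 If the manufacturer were so inclined, it could delete contacts saved by the user or manipulate location information, and could peek at SMS messages or listen to recordings. This information could also be used for marketing purposes. An app that only shows a face has been given the power to freely control the smartphone.
 The "Data Communication Settings" app, which selects whether to use the third-generation (3G) network or Wi-Fi for wireless data, and "Program Management," which manages the programs running on the smartphone and the memory state, have also been given the same permissions as the Mirror app.
 It is unclear whether Samsung Electronics collected smartphone user information with these apps. Samsung Electronics did not notify users in advance that the apps could be abused to leak personal information. The Mirror app and the others are installed by default and cannot be deleted by the user.
 Professor Kim Seung-joo (金昇柱) of the Korea University Graduate School of Information Security said, "It is shocking that a manufacturer would install apps with excessive permissions without explaining them to customers." In response, Samsung Electronics explained that it was "a simple mistake by the developers."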


---Apple also admits using "Carrier IQ," which collects user information---US reports---
2011/12/02
鈴木 英子, Newsfront
http://itpro.nikkeibp.co.jp/article/NEWS/20111202/375480/

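 Apple has acknowledged that it ships "Carrier IQ," software that has become controversial for collecting mobile phone information without permission, in its mobile device products. This was reported by US media outlets (InfoWorld, AllThingsD, TechCrunch and others) on December 1, 2011 local time, and Apple also said it plans to stop using the software.
 Carrier IQ is software from the US company Carrier IQ, which works in mobile services. The company's website explains that it "analyzes and delivers data from mobile phones so that mobile carriers and device makers can gain excellent insight into users' mobile experience."
 However, Trevor Eckhart, a researcher of Google's mobile OS "Android," pointed out that the Carrier IQ installed on Android devices can collect all kinds of information, from keystrokes to SMS messages and web browsing history, which stirred controversy. According to Eckhart, Carrier IQ is embedded deep in the device, and it is almost impossible for users to remove the software themselves (CNET News).
 Eckhart had not checked Apple's mobile OS "iOS," but an iPhone hacker known as "chpwn" reported on his blog that Carrier IQ has been included since "iOS 3."
 According to media reports, Apple issued a statement saying that it stopped supporting Carrier IQ in "iOS 5," the latest version of its mobile OS, and will remove the software completely in a future software update. It further stated: "All collected data sent to Apple is always approved by the user in advance, is sent encrypted and anonymously, and does not contain personal information. We have never recorded keystrokes, messages or other personal information, and will not do so in the future."
 Carrier IQ has also issued a statement saying, "Our products do not record users' keystrokes or track usage, and we do not sell collected information to third parties."
 AT&T and Sprint of the US, HTC of Taiwan and Samsung of South Korea have acknowledged preinstalling Carrier IQ, while Verizon Wireless of the US, Research in Motion of Canada and Nokia of Finland deny it (InfoWorld).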


---Verizon Says It Doesn't Use Carrier IQ Software---
Dec 2, 2011 10:50 am
By Nancy Gohring, IDG News
http://www.pcworld.com/businesscenter/article/245315/verizon_says_it_doesnt_use_carrier_iq_software.html

Verizon Wireless said Thursday it doesn't add to its phones any software from Carrier IQ, the company that has come under fire in the past few days for what some say amounts to spying on mobile phone users.

Also, Carrier IQ put out another statement clarifying what its software does, in an attempt to calm the uproar, which began when a security researcher published a report showing the software could be used to collect data such as user locations, keys pressed on phones and what applications are running. Phone users typically aren't aware that their phones have the software and they aren't able to turn it off.

Apple, AT&T, Sprint, HTC, Samsung and T-Mobile have said some of their phones use the software. Research In Motion and Nokia have said they don't load the software onto their phones.

On Twitter, Verizon spokesman Jeffrey Nelson wrote on Thursday: "We do not add Carrier IQ to our phones. We do not use other similar software on our devices."

Carrier IQ, meanwhile, continues to assert that it doesn't collect any private information about phone users. In a statement it reiterated that its software does not record, store or transmit the contents of text messages, emails, pictures, audio or video. It captures information such as whether an SMS was delivered and which applications drain the battery, the company said. It "vigorously disagrees" with people who allege that Carrier IQ violates wiretap laws.

On Wednesday, Al Franken, the U.S. senator from Minnesota, sent a letter to Carrier IQ asking it to respond to questions about what kind of personal information it collects about users without their knowledge. He suggested the company might violate privacy laws.

His letter followed Carrier IQ's threat to sue Trevor Eckhart, the researcher whose report kicked off the uproar. Carrier IQ has since withdrawn that threat and apologized for it.

Eckhart reported that Carrier IQ software runs on Verizon phones as well as those from RIM and Nokia. Developers have reported that they have some evidence that shows some Verizon phones run the software. Verizon did not immediately respond to a request for comment about those findings.

Which devices and carriers use Carrier IQ?

Carrier IQ says its software is embedded in more than 130 million phones globally but doesn't name its customers. Eckhart used an Android-based HTC EVO for his video demonstration and said it was also in Samsung, Nokia, and BlackBerry phones and on Sprint and Verizon.

However, Verizon denied in a statement to CNET ever using Carrier IQ on its devices. Samsung told CNET that the data is sent to the carriers and they would be best to answer further questions. BlackBerry maker Research In Motion told CNET that it does not pre-install Carrier IQ on its devices or authorize carriers to do so.

Nokia has denied using Carrier IQ, but AT&T says it uses the data to improve network performance, according to PC Magazine. Motorola acknowledged its devices have it but referred further questions to carriers, the report said.

Sprint said it uses Carrier IQ to analyze network performance and identify areas for improvement. "We collect enough information to understand the customer experience with devices on our network and how to address any connection problems, but we do not and cannot look at the contents of messages, photos, videos, etc., using this tool," the company said in a statement to CNET. "The information collected is not sold and we don't provide a direct feed of this data to anyone outside of Sprint."

HTC said in a statement to CNET that some carriers require phone makers to install the software:

Carrier IQ is required on devices by a number of U.S. carriers so if consumers or media have any questions about the practices relating to, or data collected by, Carrier IQ we'd advise them to contact their carrier. It is important to note that HTC is not a customer or partner of Carrier IQ and does not receive data from the application, the company, or carriers that partner with Carrier IQ. HTC is investigating the option to allow consumers to opt-out of data collection by the Carrier IQ application.

Google confirmed that it has never shipped Carrier IQ on any of its Nexus devices. "We do not have an affiliation with CarrierIQ," a spokesman said in a statement sent to CNET. "Android is an open source effort and we do not control how carriers or OEMs customize their devices."

After iOS developer Grant Paul revealed that he found Carrier IQ on the iPhone, although with more limited functionality, Apple said it hasn't used Carrier IQ since it released iOS 5 last month and promised to remove it entirely from its products in a future software update.

Is Carrier IQ violating my privacy?

Sen. Al Franken, a Minnesota Democrat who heads a Senate privacy panel, sent a letter to Carrier IQ today asking the company to provide information on the types of data collected and other questions:

It appears that Carrier IQ's software captures a broad swath of extremely sensitive information from users that would appear to have nothing to do with diagnostics - including who they are calling, the contents of the texts they are receiving, the contents of their searches, and the websites they visit. These actions may violate federal privacy laws, including the Electronic Communications Privacy Act and the Computer Fraud and Abuse Act. This is potentially a very serious matter.

And Paul Ohm, a former Justice Department prosecutor and law professor at the University of Colorado Law School, told Forbes that there might be grounds for a class-action lawsuit based on a federal wiretapping law.

Carrier IQ dismissed that notion. "Carrier IQ is aware of various commentators alleging Carrier IQ has violated wiretap laws and we vigorously disagree with these assertions," its statement said.

So, is this just hype or what?

Eckhart called the software a "rootkit" because it gathers data without the user's knowledge or permission, but some security researchers have taken issue with that characterization and say the risk may be overstated.

Calling it a "rootkit" is a "bit of hyperbole," according to mobile security provider Lookout. "There is no question that Carrier IQ has deep access to sensitive user data, and questions around the handling of that data are completely legitimate," Lookout's Tim Wyatt wrote in a blog post today. "While this is true, there are also credible reports that a deeper look at the mechanics of Carrier IQ's software indicate a bit of hyperbole in labeling it a root kit. In short, it doesn't appear that they are sending your keystrokes straight to the carriers."

The most alarming aspect of Carrier IQ is that people are not aware that it is on their phones and don't know what data is being collected, Wyatt said. "Based on what we know so far, it doesn't appear that Carrier IQ's software is malware, and for that reason it's not flagged as such by Lookout," he wrote. "It is software that is developed in partnership with carriers with the intent to improve network performance. As far as we can tell, it meets this description in execution."

Mobile security researcher Dan Rosenberg wrote in a Pastebin post that he has reverse-engineered Carrier IQ and found "no evidence that they are collecting anything more than what they've publicly claimed: anonymized metrics data." He found "no code in CarrierIQ that actually records keystrokes for data collection purposes."

Open-source programmer John Graham-Cumming also is unconvinced. "If you watch the 'security researcher's' video you'll find that nowhere does he make the claim that content that the application sees is leaving the device," he wrote in a blog post. "At no point does he enter a debugger and look inside the Carrier IQ application, and at no point does he run a network sniffer and look at what data is being transmitted to Carrier IQ."

Carrier IQ's statement quoted security expert Rebecca Base of Infidel as saying, "Having examined the Carrier IQ implementation it is my opinion that allegations of keystroke collection or other surveillance of mobile device user's content are erroneous."

And another mobile security expert CNET contacted echoed some of the other opinions. "While I haven't analyzed the code myself, most of what I'm hearing from folks who have dug deeper is that the claims and media reports are way overblown. It appears that Carrier IQ is indeed collecting some metrics, but I have not seen any evidence that keystroke, SMS messages, or web browsing session content are being transferred off the device," said Jon Oberheide, who has uncovered security issues in Android.

He continued:

Any sort of data collection that could potentially impact user privacy should be disclosed to the end user and offer the opportunity for the user to opt-out, but Carrier IQ doesn't appear to be as much of a risk as people are making it out to be. Certainly scrutiny and public awareness is important, but so is responsible research and reporting.

CNET's Declan McCullagh contributed to this report.


---What does Carrier IQ do on my phone--and should I care? (FAQ)---
by Elinor Mills December 1, 2011 4:28 PM PST
http://news.cnet.com/8301-27080_3-57335220-245/what-does-carrier-iq-do-on-my-phone-and-should-i-care-faq/

Just what is Carrier IQ's software doing on your phone? And do you really need to worry about it?

A 25-year-old systems administrator in Connecticut set off a media firestorm after discovering mysterious software on his Android that appeared to be recording his activities. Software maker Carrier IQ says the software is designed to give carriers usage and other stats so they can improve the network and service. But the researcher argues that the software represents a serious privacy threat because sensitive data is being logged without user permission.

Mobile security researchers CNET has spoken with say that they believe that the risk posed by Carrier IQ's software has been overblown. Trevor Eckhart, who publicized his findings two weeks ago, has not responded to CNET e-mails or phone calls seeking an interview since yesterday.

So here's what we know so far:

What is Carrier IQ?

Carrier IQ is software that comes pre-installed on certain handheld devices. It collects usage data that mobile operators and device manufacturers analyze so they can make hardware, network and service improvements, according to Carrier IQ. It runs all the time and cannot be turned off, although it can be removed by unlocking the phone and gaining administrator access, which typically voids the warranty.

When Eckhart published Carrier IQ training materials as part of his research, the company sent him a cease-and-desist letter demanding that he retract his claims and apologize. But Carrier IQ backed down and withdrew the letter a week later after the Electronic Frontier Foundation stepped forward to represent Eckhart.

In an updated statement released today, Carrier IQ said its software "makes your phone better by delivering intelligence on the performance of mobile devices and networks to help the Operators provide optimal service efficiency."

"Three of the main complaints we hear from mobile device users are (1) dropped calls, (2) poor customer service, and (3) having to constantly recharge the device. Our software allows Operators to figure out why problems are occurring, why calls are dropped, and how to extend the life of the battery. When a user calls to complain about a problem, our software helps Operators' customer service more quickly identify the specific issue with the phone," the statement said.

What data is tracked?

Eckhart said in his original blog post that the software tracks the phone's location, key presses, Web pages visited, when calls are placed, and other information. A video Eckhart posted to YouTube a few days ago appears to show Carrier IQ logging a text message in plain text and noting activities such as hitting the "home" button. It also logged a search on Google over an encrypted Wi-Fi connection.

In its statement today, Carrier IQ said: "Our software does not record, store or transmit the contents of SMS messages, email, photographs, audio or video. For example, we understand whether an SMS was sent accurately, but do not record or transmit the content of the SMS. We know which applications are draining your battery, but do not capture the screen."

Andrew Coward, vice president of marketing for Carrier IQ, previously told CNET that the software notes when a call is dropped, if an SMS doesn't get sent, what keys are pressed, and how many times a phone is charged, among other information. "We are not interested and do not gather the text or the text message and do not have the capacity to do that," he said. He did not address whether recording the text of an SMS or a Google search term constitutes "keystroke logging."

In its statement two weeks ago, Carrier IQ said:

While we look at many aspects of a device's performance, we are counting and summarizing performance, not recording keystrokes or providing tracing tools. The metrics and tools we derive are not designed to deliver such information, nor do we have any intention of developing such tools.

And when Carrier IQ withdrew its cease-and-desist letter to Eckhart, it explained that it does not record keystrokes, provide tracking tools, inspect or report on the content of e-mails or SMSs or provide real-time data reporting.

What happens with the data?

Eckhart's video doesn't appear to show any data being transmitted from the phone to a remote server. The data Carrier IQ gathers is transmitted over an encrypted channel to customer networks or "audited and customer-approved facilities," the company statement said. "Most companies host the data inside their networks or we do that," Coward previously told CNET. "Our data isn't real time."
