As we explained in our post on Carrier IQ's architecture, one of the main factors in determining what the Carrier IQ stack does on a particular phone is the "Profile" that is running on that device. Profiles are files that are typically written by Carrier IQ Inc. to the specifications of a phone company or other client, and pushed to the phone by Carrier IQ Inc. using its own command and control infrastructure. Profiles contain instructions about what data to collect, how to aggregate it, and where to send it.
To create transparency for the public that has been monitored by the more intrusive variants of this software, we will need a comprehensive library of these Profiles, and to know which ones were pushed to which phones at what times. Profiles are stored in different locations in different versions of the Carrier IQ software, and in many cases, a phone may need to be jailbroken or rooted before the profile can be extracted.
If you have a rooted/jailbroken phone, and can find a Profile on it, please send us 1) a copy of the Profile, 2) which phone and network it was from, and 3) where on the phone's file system you found it. You can send us this information in an email at email@example.com or in a git remote we can pull from. [UPDATE: there is a thread at xda-developers.org discussing possible methods for finding profiles on phones]
How to read a Carrier IQ Profile
On casual inspection, Carrier IQ Profiles are a mixture of binary data and legible code (example). EFF volunteer Jered Wierzbicki reverse engineered the file format and has written a program for parsing it called IQIQ, which we are presenting for the first time here. The binary file format is WBXML with a custom DTD. The code in the Profiles is written in Forth (if you would like a quick reference on the language, this one is good).
IQIQ transforms Carrier IQ Profiles from WBXML to human-readable XML. You can browse the source code to it online, or fetch it with git:
git clone https://git.eff.org/public/iqiq.git
There are also some examples of default Profiles from some Android-derived smartphones,1 and an example of a commented version of the Forth code in one portion of the default T-Mobile Profile. That code appears to determine when Carrier IQ is active on those phones; it may also be buggy — if that is the case, it would have led to Carrier IQ being active when phones with T-Mobile SIMs were operating on non-T-Mobile US networks.
[Update 2011-12-21: The bug would only trigger if the phone's APN was also set to epc.tmobile.com, which should not happen on non-T-mobile networks. So this bug would only cause transmissions on unintended T-Mobile networks, of which there may be none].
1. Of course we hope people can also send us Profiles from Windows Mobile, BlackBerry, iPhone and "feature phone" ports of Carrier IQ.
We’ve compiled a list of notable books from the past year that stuck out to us. Even if we don’t necessarily endorse the arguments being made in them, we’ve included them for adding some valuable insight on conversations surrounding our issues and the work that we do.
We're looking forward to the imminent release of Rebecca MacKinnon's Consent of the Networked, previewed through her 2011 TED Talk. MacKinnon's first book promises to provide user-oriented solutions to taking back the Internet...from governments, from corporations, and from anyone seeking to repress!
Much has been written about the expansive creep of intellectual property through new legislation; These are serious problems, but not the only ones in the world of IP. In Copyfraud, Brooklyn Law professor Jason Mazzone takes a different tack, addressing the problem of rightsholders diminishing fair use and the public domain by claiming exclusive rights outside of those granted to them by law.
Official book description: The benefits of living in a digital, globalized society are enormous;so too are the dangers. The world has become a law enforcer’s nightmare and every criminal’s dream. We bank online; shop online; date, learn, work and live online. But have the institutions that keep us safe on the streets learned to protect us in the burgeoning digital world? Have we become complacent about our personal security—sharing our thoughts, beliefs and the details of our daily lives with anyone who might care to relieve us of them?
Official book description: In December 2009, Google began customizing its search results for each user. Instead of giving you the most broadly popular result, Google now tries to predict what you are most likely to click on. According to MoveOn.org board president Eli Pariser, Google's change in policy is symptomatic of the most significant shift to take place on the Web in recent years-the rise of personalization. In this groundbreaking investigation of the new hidden Web, Pariser uncovers how this growing trend threatens to control how we consume and share information as a society-and reveals what we can do about it.
Official book description: Kevin Mitnick was the most elusive computer break-in artist in history. He accessed computers and networks at the world's biggest companies--and however fast the authorities were, Mitnick was faster, sprinting through phone switches, computer systems, and cellular networks. He spent years skipping through cyberspace, always three steps ahead and labeled unstoppable. But for Kevin, hacking wasn't just about technological feats-it was an old fashioned confidence game that required guile and deception to trick the unwitting out of valuable information.
Ghost in the Wires is a thrilling true story of intrigue, suspense, and unbelievable escape, and a portrait of a visionary whose creativity, skills, and persistence forced the authorities to rethink the way they pursued him, inspiring ripples that brought permanent changes in the way people and companies protect their most sensitive information.
Official book description: In the beginning, the World Wide Web was exciting and open to the point of anarchy, a vast and intimidating repository of unindexed confusion. Into this creative chaos came Google with its dazzling mission--"To organize the world's information and make it universally accessible"--and its much-quoted motto, "Don't be Evil." In this provocative book, Siva Vaidhyanathan examines the ways we have used and embraced Google--and the growing resistance to its expansion across the globe. He exposes the dark side of our Google fantasies, raising red flags about issues of intellectual property and the much-touted Google Book Search. He assesses Google's global impact, particularly in China, and explains the insidious effect of Googlization on the way we think. Finally, Vaidhyanathan proposes the construction of an Internet ecosystem designed to benefit the whole world and keep one brilliant and powerful company from falling into the "evil" it pledged to avoid.
William Patry, Senior Copyright Counsel at Google and author of the exhaustive seven-volume Patry on Copyright, is a prominent thinker and scholar in that community. With How to Fix Copyright, he provides facts on the state of copyright today and argues for a course correction towards more evidence-based policies.
James Gleick, a science journalist who's previously covered chaos theory, goes long in "The Information" on the history and theory of that field. Beginning with African tribal drums and running through computer science to the present-day Internet, Gleick points to a common thread of information as a fundamental element of the world we live in.
Official book description: Former hacker Kevin Poulsen has, over the past decade, built a reputation as one of the top investigative reporters on the cybercrime beat. In Kingpin, he pours his unmatched access and expertise into book form for the first time, delivering a gripping cat-and-mouse narrative—and an unprecedented view into the twenty-first century’s signature form of organized crime.
The title of Tim Wu's The Master Switch comes from a quote attributed to a 1950s CBS executive, referring to the near-monopolies that appear at one stage in the cycle that all new communications technologies seem to go through. Wu outlines the history of some of these important modern technologies, and explores the question: is the same fate inevitable for the Internet?
Though 2011 has in many ways been a year of triumphs for activists using digital tools, it has also been a year of increased repression, from crackdowns in China to shutdowns in Egypt and elsewhere. Morozov's book details the various ways in which authoritarian regimes control the Internet; though often posited as pessimistic, The Net Delusion contains lessons for all would-be digital activists.
Aouragh's book takes a look at the history of the Internet in the Palestinian territories and diaspora, showcasing examples of early online activism and highlighting the issues faced by Palestinians, from Israeli control of the Internet to communicating across borders. Palestine Online is the first book of its kind, and in light of the digital activism that pushed the Arab Spring forward, is a must-read for anyone hoping to understand the intricate usage of online networks in the Middle East.
Lawrence Lessig is best known for his work on copyright reform, but in the past few years he has embarked on the new challenge of "hacking at the root" of the problem with policy: money and its corrupting effects on government. Republic, Lost represents his first book on the new topic, and it presents both compelling descriptions of the deeper problem and some creative — if sometimes far-fetched — solutions.
Official book description: The top-secret world that the government created in response to the 9/11 terrorist attacks has become so enormous, so unwieldy, and so secretive that no one knows how much money it costs, how many people it employs or exactly how many agencies duplicate work being done elsewhere. The result is that the system put in place to keep the United States safe may be putting us in greater danger. In TOP SECRET AMERICA, award-winning reporters Dana Priest and William Arkin uncover the enormous size, shape, mission, and consequences of this invisible universe of over 1,300 government facilities in every state in America; nearly 2,000 outside companies used as contractors; and more than 850,000 people granted "Top Secret" security clearance.
Rather than focus on the controversies and internal strife surrounding Wikileaks, Sifry's book takes a broader focus, taking a cautious look at the age of transparency and positing that, if we have reached a point of no return, then we must consider the benefits of open governance and how to achieve them.
Threats to freedom are global, and EFF works internationally to defend your digital rights. Here are some things EFF achieved this year with the help of our global partners and supporters like you:
Protecting Freedom of Expression Worldwide EFF supported activists around the world as they used the Internet to organize democratic protests against authoritarian regimes. EFF ran a very successful campaign to expand the Tor network, providing much-needed bandwidth services and anonymity to those activists and all Internet users.
Fighting Against Copyright Abuse Consumer privacy, civil liberties, innovation, and the free flow of information on the Internet are all under attack by ill-conceived international intellectual property proposals. EFF released Global Chokepoints, a website that documents attempts in key countries to turn Internet intermediaries into copyright police, to help Internet activists worldwide combat similar proposals in their own nations.
Securing Privacy Rights and Civil Liberties of Internet Users EFF is one of the strongest voices for Internet users’ rights at the OECD, the United Nations, the annual privacy commissioners' meeting and the Council of Europe. This year, we worked to secure privacy rights and civil liberties protections during the legislative implementation of the Council of Europe’s Cybercrime Convention, and we fought proposals that would have compromised anonymity, free expression and association.
Ensuring Corporate Responsibility In the wake of news that American companies are involved in the sale of surveillance equipment to authoritarian regimes like Syria's, EFF ramped up our efforts to ensure that technology companies take human rights into account. EFF works with the Global Network Initiative and other organizations to encourage companies to resist pressure from international government censors and to advance freedom of expression in their products and services.
With the winter holidays fast approaching, now is the time to make our wish lists. There are plenty of presents EFF would like to receive for the holidays — the defeat of the Internet blacklist bills SOPA and PIPA would make a great start — but here are just a few of the things that companies could do to protect digital civil liberties this season:
AOL and Google should stop referring to the "no message logging" options in AIM and GChat as "off the record," in order to avoid confusion with OTR.
Adium should introduce a prompt when users first create or import messaging accounts that asks users to decide whether or not they want to log their OTR chats.
Apple, Amazon, HTC, and other makers of mobile computing devices should give customers an officially documented way to get root access on every device they sell.
Phone carriers should either commit to giving users regular, prompt mobile OS security updates, or stop controlling the software on the user's phone, so that software developers and handset manufacturers can do it themselves.
Facebook, Microsoft, Yahoo, Twitter, and the phone companies should follow Google's lead in regularly disclosing the number of requests they get from government agencies on a regular basis.
Skype should allow end-to-end verification of users' encryption key fingerprints. Unlike other encryption software, Skype doesn't give users any way to verify that the person on the other end of the conversation is using the right encryption key. Instead, users just have to trust that the Skype network has told the software the right key. This makes the Skype network into a centralized certification authority, with no transparency in its actions and there is no way to double-check its assertions.
Google should make sorry.google.com render in HTTPS whenever users are redirected to it by an HTTPS URL. When people searching Google over HTTPS trigger Google's bot-detectors, the page where Google sends users to prove they're human includes the users' search terms—in the clear, with no HTTPS protection, violating users' trust that these terms would be encrypted.
All software downloads should be provided only over HTTPS. When software is downloaded over unprotected HTTP, an ISP or local network operator can tamper with it and invisibly add spyware or vulnerabilities.
Craigslist, eBay, Amazon, Yahoo, and Bing should turn on HTTPS for ordinary use of their sites.
Akamai should make HTTPS support a standard feature for all Akamai customers, so that web sites that rely on Akamai have an easy path to turning on HTTPS for all users.
Social media sites should not track Internet users who load pages with embedded "Like" buttons but who don't click on the buttons.
Google, Facebook, and Twitter should stop tracking clicks on outbound links or give users a clear, easy way to copy and paste outbound link URLs without tracking.
Cloud backup services should urge users to pre-encrypt data before uploading it, so that the backup services can't snoop through or leak the contents of users' backups. As secure backup provider Tarsnap puts it, "[b]ackups are supposed to be a tool for mitigating damage — not a potential vulnerability to worry about!"
Cloud backup services should prominently provide users with information about how to do this and provide easy integration with tools that make it straightforward to do so. If cloud backup services provide their own software for accessing the service, the software should include functionality to do strong client-side encryption and decryption.
Today the Ninth Circuit handed the Internet a bittersweet and crucial victory by affirming a district court's holding that the safe harbors created by the Digital Millennium Copyright Act (DMCA) protected Veoh, a now-defunct video hosting site, from copyright liability. The case has been pending since 2007, when Universal Music Group (UMG) sued Veoh based on allegedly infringing content in UMG music videos that Veoh users uploaded.
It's a hefty decision, but here are some highlights:
The sweet: The appellate court squarely rejected UMG's assertion that the DMCA safe harbors do not apply to any service that "displays" or "distributes" copyrighted material rather than simply "storing" it. As EFF (with several other public interest groups) pointed out in an amicus brief on which the court expressly relied, every web hosting service "displays" and "distributes" the material that its users upload -- that's how the Web works. Quoth the court:
UMG's theory fails to account for the reality that web hosts, like Veoh, also store user-submitted materials in order to make those materials accessible to other Internet users. The reason one has a website is so that others may view it. As amici note, these activities define web hosting -- if the web host only stored information for a single user, it would be more aptly described as an online backup service.
If UMG's arguments had been accepted, virtually every hosting service could lose the DMCA safe harbors. That, in turn, would mean that it would be too dangerous to host content without first clearing every bit with every conceivable copyright owner. If this were the law, the Web would be transformed from an open platform for amateur creativity into something a lot more like television, where nothing gets on the air until every clip is "cleared" by an army of lawyers.
The court also dismissed UMG's claim that general awareness that one's site hosted some infringing videos is enough to deprive a service of the safe harbors. UMG's theories, the court explained, would render the safe harbors "a dead letter." Instead, the DMCA requires that service providers act expeditiously when they have specific knowledge of particular infringing activities -- such as information provided by a proper DMCA notice. That is consistent with Congress' intent in drafting the DMCA: to encourage service providers and copyright holders to cooperate in policing infringement but not, as the Ninth Circuit has repeatedly held, to shift the burden identifying and documenting infringement to service providers.
The bitter: The cost of defending the case effectively drove Veoh out of business years ago. If Hollywood manages to get Internet blacklist bills SOPA and PIPA passed, expect to see many more innovative startups meet the same sad fate -- or never get off the ground in the first place. UMG will doubtless claim that this decision is why it needs more arrows in its online enforcement quiver. Given that UMG never bothered to send a single DMCA notice to Veoh before filing suit -- meaning, it never bothered to take advantage of the tools it already had -- this case actually sends a very different message: Don't give Hollywood new ways to impede online innovation and expression.
In the not-so-aptly-named Democratic Republic of Congo, SMS was banned by the government last week in an attempt to maintain public order in the wake of contested elections that have left Kinshasa at a standstill. The country joins a growing list of nations, including Syria, Egypt, and Libya, that have cut off communications this year in an attempt to prevent unrest.
Aside from the obvious implications on free speech, DRC's decision to shut off SMS functionality is having a serious impact on the country's deaf population, as BBC News points out. In a country where Internet penetration hovers at less than one percent, SMS is a vital tool for the hearing impaired; in Kinshasa, community groups that support the deaf population say that text messages are an essential tool for security at a time when going out into the streets can be dangerous.
EFF condemns the DRC's ban on text messaging and urges the government to respect the inalienable rights of all its citizens.
Kazakhstan cuts communications inZhanaozen
On Saturday, reports emerged that the government of Kazakhstan had shut off communications in the western city of Zhanaozen. The city is the site of an ongoing oil workers' strike that turned violent on Friday after a group of unidentified men destroyed equipment set up for Independence Day celebrations in the town center.
According to Human Rights Watch, the government has cut off access to "at least some mobile, voice, and text services in Zhanaozen" and "access to Twitter.com and other news sites reporting on the unrest had been blocked by the authorities."
EFF joins Human Rights Watch in calling for Kazakhstan to immediately restore access to communications networks.
Pro-SOPA study on DNS filtering cites censorship research
A recent paper written by Daniel Castro of the Information Technology & Innovation Foundation and promoted by the MPAA on Capitol Hill argues in favor of DNS filtering to block access to copyright-infringing sites. In an effort to argue the effectiveness of DNS filtering, Castro cites research from Harvard's Berkman Center for Internet & Society that suggests that "no more than 3 percent of Internet users in countries that engage in substantial filtering use circumvention tools."
What is worth noting here is that the countries cited in the Berkman Center paper--China, Iran, the UAE, Armenia, Ethiopia, Saudi Arabia, Yemen, Bahrain, Burma, Syria, Turkmenistan, Uzbekistan, and Vietnam--are all countries that engage in pervasive censorship of the Internet. Therefore, Castro is basically saying that since DNS filtering works for repressive regimes, it can work in the United States too!
It is also worth noting that the US Department of State has put significant resources into more than a dozen circumvention tools over the past few years. In other words, those same tools that Castro hopes American citizens won't use to access pirated content are in fact funded by the US government.
Yesterday and today, the House of Representatives Judiciary Committee has hunkered down in the Capitol for markup sessions of SOPA, the Stop Online Piracy Act. The basic facts looked bleak: this Internet blacklist bill is a disaster that stands at odds with the Constitution, but the deep pockets of its legacy media backers managed to make it enough friends in committee that its quick passage seemed possible. Judiciary Committee Chairman, author of the bill, and “Hollywood’s Favorite Republican” Lamar Smith scheduled just a single hearing, stacked the deck in his bill’s favor, and rushed it through to markup now, at the end of the legislative session.
But then a funny thing happened: the Internet fought back. It started in bits and pieces, from our coverage of the bill’s introduction to the citizens who took our action alert and told their Congressmembers that Internet censorship is unacceptable. Then more and more people began realizing the dangers of SOPA and finding their voice against it. One month ago today, American Censorship Day counted almost 6000 participating sites, tens of thousands of people called their Representatives, and more legislators started coming out against the bill.
It was clear then that Congress wouldn’t be able to slip SOPA through under the public radar. But this week was the most important one yet, with the bill heading to markup and possibly even to the floor. That’s why EFF, with a broad coalition of organizations (of all political stripes), tech companies, innovators, and users, declared this week a Week of Action Against Censorship.
But the most important thing to happen this week was that thousands of people took action to oppose the bill, calling their representatives and spreading the word via blogs, tweets, social media videos and word of mouth.
And it looks like it made a difference. In a marathon markup session yesterday, which we covered on our live-Tweeting stream @EFFLive, a persistent group of Representatives attacked SOPA from all fronts. Although there wasn’t enough opposition to kill the bill outright, the messages we’ve been sending for weeks — that the bill would create blacklists for online censorship, harm cybersecurity efforts, set a bad international precedent and lead to a fractured Internet — couldn’t be ignored.
During a markup session earlier today, Chairman Lamar Smith acknowledged that the Judiciary Committee didn’t yet have all the facts, especially on the cybersecurity questions. After an amendment vote he abruptly announced that markup would be suspended, and consideration of the bill would be resumed at the next practicable opportunity — which is tentatively scheduled for next week, but could be pushed to late January.
Legislators’ considering facts when crafting new laws is a good thing, and we commend Chairman Smith for recognizing it. We also want to acknowledge Representatives Zoe Lofgren, Darrell Issa, Jared Polis, and Jason Chaffetz, who brought refreshing perspective and expertise to the markup session. Their input — and actual amendments — stand in clear contrast to SOPA proponents’ common refrain that the opposition doesn’t contribute any real suggestions. (Another fact belying that refrain: there is an alternative bill already on the table: the OPEN Act proposed by Senator Ron Wyden and Representative Darrel Issa. It’s not perfect, but it takes the conversation in a better direction, and we urge Internet users to go the http://www.keepthewebopen.com to contribute their views on it.)
We've written before about Maikel Nabil Sanad and Alaa Abd El Fattah, two Egyptian bloggers under fire. Though their cases differ dramatically--Sanad was arrested for content written on his blog, while Abd El Fattah was charged in relation to his alleged involvement in the October 9 Maspero massacre--the two men have two things in common: both are being targeted for their opposition to military rule, and both--as civilians--have refused to recognize the right of a military court to try their cases.
Though Sanad had successfully appealed an earlier sentence of three years, on Wednesday he was sentenced once again, and this time to two years in prison by the Supreme Military Court of Appeals. Because Sanad, a civilian, was tried by a military court, the decision cannot be appealed.
On Thursday, 27 out of 28 detainees arrested in relation to the events of October 9 were released, leaving Abd El Fattah the sole detainee left in prison. According toThe Daily News Egypt, lawyers said that since Abd El Fattah had already filed appeals that were rejected, he legally has no right to file another appeal for 30 days, whereas the released detainees had not appealed earlier decisions. Abd El Fattah, who is charged with stealing army weapons, refused to be interrogated by a military prosecutor on the grounds that the military is guilty of crimes that took place during the events of October 9. Human Rights Watch has called Abd El Fattah's detention "a blatant effort to target one of the most vocal critics of the military."
EFF reiterates our call for the immediate release of both Maikel Nabil Sanad and Alaa Abd El Fattah, prisoners of conscience in the Egyptian military's ongoing efforts to clamp down on freedom of expression.