Carrier IQ’s Awful Lonely as Carriers Distance Themselves

The use of Carrier IQ to log users’ smartphone activity has set off a brouhaha not unlike the one kicked off in the spring when Apple was found to be tracking iPhone and iPad users through a not-so-well hidden tool. Carrier IQ contends its software tracks only general, not personal, information on device use. AT&T and Sprint say they use the product, while Verizon says it uses neither Carrier IQ nor similar products. A number of Android devices–but not all–run the software. Apple says it stopped using it with iOS 5.

Telecommunications firms argue that tools like Carrier IQ help them track and improve their network service. That’s a legitimate concern, and until someone figures out a way to help them do it without touching the activity of the devices themselves, they’re going to keep watching what you’re up to.

Though there’s been talk of Carrier IQ’s functions for some time, the issue surfaced again–dramatically–after Android developer Trevor Eckhart conducted a detailed analysis of exactly what the software tracks and stores. Among other things, he found the software records keystrokes, text messages, and URLs of web pages visited, even those with security encryption. His report was detailed enough to fill 17 minutes of video, which he posted on YouTube (it’s below).

Before Eckhart posted his video, Carrier IQ sent Eckhart a cease and desist letter, essentially telling him to shut up after he published training manuals for the product. It’s since withdrawn the letter, but denies its product tracks the level of detail Eckhart claims.

A number of observers don’t think the story is a big deal. One of them, Dan Rosenberg of Virtual Security Research, says the allegations are based on assumptions that ignore a number of points.

But people need to recognize that there’s a big difference between recording events like keystrokes and HTTPS URLs to a debugging buffer (which is pretty bad by itself), and actually collecting, storing, and transmitting this data to carriers (which doesn’t happen).  After reverse engineering CarrierIQ myself, I have seen no evidence that they are collecting anything more than what they’ve publicly claimed: anonymized metrics data.  There’s a big difference between “look, it does something when I press a key” and “it’s sending all my keystrokes to the carrier!”.  Based on what I’ve seen, there is no code in CarrierIQ that actually records keystrokes for data collection purposes.  Of course, the fact that there are hooks in these events suggests that future versions may abuse this type of functionality, and CIQ should be held accountable and be under close scrutiny so that this type of privacy invasion does not occur.  But all the recent noise on this is mostly unfounded.

In the days since Eckhart’s video came out the whole privacy discussion has–not surprisingly–flamed up, and has put pressure on Carrier IQ specifically. Though the whole privacy issue hasn’t gone away, it’s been kind of quiet lately. Did you know, for example, about the company that helps screen job applicants by compiling information on their social media accounts? Didn’t think so.

Fortunately, more information is appearing about how you can protect yourself from Carrier IQ. But if you think this is the last time we’re going to hear about products that record where you are and what you’re doing, whether you want them to or not, you might want to get yourself one of these.

