The analytics company Carrier IQ and its eponymous software have been at the top of the news and under fire from security researchers, privacy advocates and legal critics, not only for the data the software gathers, but also for the company’s lack of transparency. Carrier IQ claims its software is installed on over 140 million devices with partners including Sprint, HTC and allegedly, Apple and Samsung. Nokia, RIM and Verizon Wireless have been alleged as partners, too, although each company denies such claims. Ostensibly, the software’s meant to improve the customer experience, though in nearly every case, Carrier IQ users are unaware of the software’s existence, as it runs hidden in the background and doesn’t require authorized consent to function.
On Android, this software is capable of logging user keystrokes, recording telephone calls, storing text messages, tracking location and more. It is often difficult or impossible to disable. This post is for everyone who needs to know what it is and what consequences it can lead to. To start off, Carrier IQ is a tool whose primary purpose is recording various info which helps carriers improve the quality of service for their customers. In other words, Carrier IQ is a diagnostic tool installed in millions of smartphones all over the world that is gathering a lot of info about your activity – possibly even recording keystrokes, telephone calls, the content of SMS messages and more – and sending it to a third party.
From currently available info, Carrier IQ is present on most Android, BlackBerry and Symbian devices, but not on Google Nexus devices, which is logical since it’s a tool meant to be used by carriers. References to Carrier IQ have also been found in iOS devices, but according to security researcher chpwn, it is disabled by default, and only works when the phone is in diagnostic mode.
All of this is reminiscent of the iPhone tracking scandal from April 2011, when it was discovered that Apple’s iPhone tracks your location history. Steve Jobs then famously said – in an e-mail reply to a question from a customer – that Apple is not tracking its users’ location, but Android is tracking everyone. The authenticity of such e-mails has often been disputed, but whoever sent that message might have been right.
So how did this all start…
In October, Trevor Eckhart, a security researcher, discovered that Carrier IQ is recording, among other things, your every keystroke and possibly sending it back to Carrier IQ’s servers. Carrier IQ responded by sending Eckhart a cease & desist letter and publishing a media alert, in which it claims the company is “not recording keystrokes or providing tracking tools.”
In the video below, Trevor presents many of his findings, which seemingly demonstrate Carrier IQ’s keystroke logging, location tracking and ability to intercept text messages. Even information that should be transferred only within encrypted sessions is captured in plain text by Carrier IQ. During the entire demonstration, Trevor’s phone was in airplane mode, operating only over WiFi. Although his actions were outside the scope of his wireless carrier (Sprint), the software continued to monitor his every key press. On his Android device (an HTC EVO 3D), it’s evident that Carrier IQ is running, even though it does not appear in the list of active processes. Further, the application doesn’t respond to “Force Quit” commands, and it’s set to start up when Android launches. So it can’t be stopped or removed by the user.
The software has the ability to record nearly every action you perform with your phone. The actual data logged, however, isn’t determined by Carrier IQ, but rather its clients. The system enables manufacturers and carriers to examine how phones are used, how they behave and to aid in resolving issues that customers may experience. So it is indirectly helping the OEMs find faults and rectify them without the user’s knowledge.
Clients are able to define specific parameters they wish to track, and also set events that would cause the device to report this information back to Carrier IQ. For instance, a manufacturer may wish to know which currently installed applications use the most battery life, while a carrier may choose to query the devices that experienced a service outage in a particular region during a given time frame.
A little bit about the company…
Carrier IQ was founded in 2005 in Mountain View, California. It’s a privately held operation, with investors including Accel Partners, Bridgescale Partners, Charles River Ventures, Mohr Davidow Ventures and Nauta Capital. Intel Capital is known to be a prior investor as well, although it’s unclear whether it still holds equity in the firm.
The company’s newly appointed CEO, Larry Lenhart — who remains part of Mohr Davidow Ventures — recently published a video to YouTube explaining the firm’s stance on privacy, in which he outright denies that Carrier IQ records keystrokes or provides tracking tools. Perhaps the company is truthful in its assertion, although the statement seems to contradict the design and capabilities of its software.
A little bit about the software in question…
The following description of the software draws on info obtained from Trevor Eckhart’s website, along with one of the company’s patents concerning data collection. On the analytics end, the software features a portal that allows administrators to create events that would trigger a Carrier IQ-enabled device to “phone home,” and choose the data which is to be sent. Alternatively, admins may also submit queries to individual devices, either by using an equipment or subscriber ID — or, they may choose to query pools of handsets by inserting wildcards into the string.
What’s the response…
For its part, Sprint has denied any foul play:
Carrier IQ is used to understand what problems customers are having with our network or devices so we can take action to improve service quality. It collects enough information to understand the customer experience with devices on our network and how to devise solutions to use and connection problems. We do not and cannot look at the contents of messages, photos, videos, etc., using this tool.
HTC also insists it’s benign:
Paul Ohm, a former prosecutor for the Department of Justice and current professor at the University of Colorado Law School, believes the software may violate federal wiretap laws, based on its perceived collection of text messages without users’ consent. If so, says Ohm, then there are sufficient grounds for a class action lawsuit. He adds, “In the next days or weeks, someone will sue, and then this company is tangled up in very expensive litigation. It’s almost certain.”
This has turned out to be true: according to reports from paidContent, class action lawsuits have been filed against Samsung, HTC and Carrier IQ. The class action lawsuits are seeking hundreds of millions of dollars on behalf of all U.S. residents. HTC, Samsung and Carrier IQ have been accused of violating the Federal Wiretap Act, which “protects the privacy of wire, oral, and electronic communications” of all Americans. A St. Louis lawsuit against HTC states the following:
Plaintiff, Erin Janek owns an HTC Android phone using the Sprint network. At all relevant times Plaintiff used her phone to electronically send over her cell phone network various types of private data. This data was not readily accessible to the general public. She did not know that Defendants were surreptitiously monitoring and collecting this data, nor did she give them permission to do so.
In response to this, HTC said that it is “not a customer or partner of Carrier IQ and does not receive data from the application, the company, or carriers that partner with Carrier IQ” but that a number of U.S. wireless carriers use the service. Carrier IQ has denied that it provides tracking tools and says its “software is designed to help mobile network providers diagnose critical issues that lead to problems such as dropped calls and battery drain.”
Senator Al Franken sent a formal letter to Carrier IQ forcing the company to answer 11 questions regarding its practices. Senator Franken gave Carrier IQ December 14th as the date to respond.
What you can do…
If you’re curious about the existence of Carrier IQ on your current Android handset, a simple application from Trevor Eckhart will give you the answer. His Logging TestApp requires that your phone be rooted, but thankfully, once you’ve gone that far, you’ve got a decent shot of removing the software from your phone entirely. Perhaps the most direct way to distance yourself from Carrier IQ is by installing a custom ROM that’s built from the Android Open Source Project (AOSP). Alternatively, the pro version of Logging TestApp — available in the Android Marketplace for $1 — has also proven successful in most situations. Methods also exist for manually removing Carrier IQ from individual devices, which can be found within the forums of xda-developers.
François Simond (@supercurio) has swiftly developed a free app in Android Market, Voodoo Carrier IQ Detector, for any Android device. It allows users to check if the Carrier IQ software is present on their phone — though it doesn’t allow users to remove it (yet).
Simond has also uploaded the open source code to GitHub. So, if you’re feeling uncomfortable about the situation, now you can check it out (easily) for yourself.
Many questions are still left unanswered. We don’t know what Carrier IQ does with the data it collects, or whether it sends keystrokes, SMS messages or other info back to Carrier IQ’s servers. We don’t know the nature of the deal between Carrier IQ and – seemingly – most of the world’s carriers, since almost every device which is sold together with a carrier contract has the app installed. So wait for more info.
Jeffrey Nelson of VZW corporate communications has confirmed that Carrier IQ isn’t on any of its handsets.
All Things D has gotten a statement from Apple on the Carrier IQ situation. It says that it “stopped supporting CarrierIQ with iOS 5 in most of our products,” and that it will “remove it completely in a future software update.” The company’s full statement is as follows:
We stopped supporting CarrierIQ with iOS 5 in most of our products and will remove it completely in a future software update. With any diagnostic data sent to Apple, customers must actively opt-in to share this information, and if they do, the data is sent in an anonymous and encrypted form and does not include any personal information. We never recorded keystrokes, messages or any other personal information for diagnostic data and have no plans to ever do so.
In addition to Sprint, AT&T has now also confirmed that it does indeed use Carrier IQ on its handsets, but both carriers insist that it is solely being used to improve network performance and nothing else. For its part, Microsoft has confirmed that Windows Phones do not have Carrier IQ on them — that word comes straight from Joe Belfiore.
And the statements keep on coming. Here’s the latest word from HTC, which lays the blame squarely on the carriers:
Carrier IQ is required on devices by a number of U.S carriers so if consumers or media have any questions about the practices relating to, or data collected by, Carrier IQ we’d advise them to contact their carrier.
It is important to note that HTC is not a customer or partner of Carrier IQ and does not receive data from the application, the company, or carriers that partner with Carrier IQ. HTC is investigating the option to allow consumers to opt-out of data collection by the Carrier IQ application.
Like clockwork, Carrier IQ has re-reiterated its stance:
Carrier IQ is aware of various commentators alleging Carrier IQ has violated wiretap laws and we vigorously disagree with these assertions. Our software makes your phone better by delivering intelligence on the performance of mobile devices and networks to help the Operators provide optimal service efficiency. We are deployed by leading Operators to monitor and analyze the performance of their services and mobile devices to ensure the system (network and handsets) works to optimal efficiency. Operators want to provide better service to their customers, and information from the device and about the network is critical for them to do this. While in-network tools deliver information such as the location of calls and call quality, they do not provide information on the most important aspect of the service – the mobile device itself.