Last spring, seemingly everyone was wound up about LocationGate: Apple was tracking the whereabouts of iPhone users. Never mind that in order for this to happen, the user had to agree to allow the tracking to take place. The situation was quickly addressed with an iOS update. At the time, Apple accused its competitors of tracking their users, but it wasn’t Appleicious, so the corporate media paid scant attention.
Now comes Trevor Eckhart, a Connecticut-based systems administrator, who during his research discovered data-logging software installed on most mobile phones. The software, Carrier IQ, is installed on millions of Android, BlackBerry, and Nokia handsets and secretly sends information to the network carrier about installed apps, numbers dialed, text messages sent and received, and other user data. Eckhart re-published the Carrier IQ software manuals on his website, and subsequent reports indicate that the various carriers use this data at different levels of granularity.
The Carrier IQ software is what’s known in security circles as a “rootkit,” software installed at the deepest level without the user’s consent, knowledge, or control. It cannot be turned off without rooting the smartphone and replacing its operating system.
When Carrier IQ discovered Eckhart’s research findings and that he’d re-published its documentation, the company sent Eckhart a cease-and-desist letter notifying him of breach of copyright. Carrier IQ also removed the manuals from its own website. According to David Kravets writing for Wired, the company demanded Eckhart retract his claims about the software, a clear attempt to suppress Eckhart’s research.
Eckhart refused to comply with the terms of Carrier IQ’s cease-and-desist demand. Within a few days, as it came under growing scrutiny, Carrier IQ apologized to Eckhart and retracted the demand.
By the end of November 2011, Eckhart had produced a video detailing how the Carrier IQ software works, showing it reporting virtually everything a user does on her smartphone to the carrier.
Apple announced that it had mostly stopped using Carrier IQ in iOS 5 (it’s still used on the iPhone 4) and would issue an iOS update without any remnants of the software. At any rate, unlike other smartphones, Apple’s iPhone can be easily prevented from sending any data by turning off Settings > General > About > Diagnostics & Usage.
By early December 2011, US Senator Al Franken (D-Minnesota) was demanding that Carrier IQ explain what user data was being captured by its software and how this data was being used. The wireless carriers quickly moved to either deny they used Carrier IQ (Verizon) or defend their use of it (AT&T, Sprint, and T-Mobile). AT&T, Sprint, and T-Mobile all maintain that they use Carrier IQ only to “understand customer experience” and “troubleshoot device and network performance.” Carrier IQ has until 14 December to respond to Franken. Additionally, US Representative Edward Markey (D-Massachusetts) has requested the US Federal Trade Commission (FTC) look into what consumer information the Carrier IQ software is collecting.
David Kravets, again reporting for Wired, cites former federal prosecutor Paul Ohm of the University of Colorado law school as saying Carrier IQ “verges on wiretapping.” In a follow-up article, Kravets reports that Carrier IQ executives acknowledged obtaining vast amounts of data from some 150 million mobile phone users, and “have the capacity to log web usage, and to chronicle where and when and to what numbers calls and text messages were sent and received,” but adamantly denied that the company logs every user keystroke, as has been claimed. “We do recognize the power and value of this data,” Andrew Coward, Carrier IQ’s chief marketing officer, told Kravets. “We’re very aware that this information is sensitive. It’s a treasure trove.”
While Carrier IQ maintains that collected data is encrypted during transport and storage, reports have surfaced indicating that some HTC devices are storing Carrier IQ data in plaintext files that are easily accessible. As Dieter Bohn, reporting for The Verge, notes, it’s been commonly assumed that this was a Carrier IQ mistake. Carrier IQ insists this is a manufacturer mistake.
Is this something about which to be worried? Well, yes, but no one yet knows just how much. What’s especially disturbing at this early stage is Carrier IQ’s attempt to suppress research and the dodging and weaving by all the companies involved.