Programmer says the software violates mobile-user privacy, but Carrier IQ and some security experts say the threat is overblown.
Just what is Carrier IQ's software doing on your phone? And do you really need to worry about it?
A 25-year-old systems administrator in Connecticut set off a media firestorm after discovering mysterious software on his Android that appeared to be recording his activities. Software maker Carrier IQ says the software is designed to give carriers usage and other stats so they can improve the network and service. But the researcher argues that the software represents a serious privacy threat because sensitive data is being logged without user permission.
Mobile security researchers CNET has spoken with say that they believe that the risk posed by Carrier IQ's software has been overblown. Trevor Eckhart, who publicized his findings two weeks ago, has not responded to CNET e-mails or phone calls seeking an interview since yesterday.
So here's what we we know so far:
What is Carrier IQ?
Carrier IQ is software that comes pre-installed on certain handheld devices. It collects usage data that mobile operators and device manufactures analyze so they can make hardware, network and service improvements, according to Carrier IQ. It runs all the time and cannot be turned off, although it can be removed by unlocking the phone and gaining administrator access, which typically voids the warranty.
In an updated statement released today, Carrier IQ said its software "makes your phone better by delivering intelligence on the performance of mobile devices and networks to help the Operators provide optimal service efficiency."
"Three of the main complaints we hear from mobile device users are (1) dropped calls, (2) poor customer service, and (3) having to constantly recharge the device. Our software allows Operators to figure out why problems are occurring, why calls are dropped, and how to extend the life of the battery. When a user calls to complain about a problem, our software helps Operators' customer service more quickly identify the specific issue with the phone," the statement said.
Basically, carriers specify what types of information to gather, how much and how often, Coward told CNET in an interview tonight.
What data is tracked?
Eckhart said in his original blog post that the software tracks the phone's location, key presses, Web pages visited, when calls are placed, and other information. A video Eckhart posted to YouTube a few days ago appears to show Carrier IQ logging a text message in plain text and noting activities such as hitting the "home" button. It also logged a search on Google over an encrypted Wi-Fi connection.
But Andrew Coward, vice president of marketing for Carrier IQ, told CNET various types of data are gathered for customer support reasons and to help carriers troubleshoot problems with the network or the phone. "We don't capture the content of what people are actually doing, such as the content of SMS messages, the content of screens, voice calls, videos, photos of your children," he said.
The software doesn't record keystrokes but does look at key sequences and will take specified actions if it sees certain sequences pressed. For instance, a support representative might ask a phone user to dial a short code that will then trigger the software to send diagnostic information to the server, according to Coward. "At no point are we capturing your keystrokes or transmitting them," he said. "We're not storing those key sequences and we certainly are not forwarding them on."
The software can count text messages and flag them if they don't get sent properly and will listen for text messages that are coded in a certain way and sent by customer support representatives that can trigger other specific actions. "We do not record text messages or forward them," Coward said.
The software can be used to gather historical information on a phone, such as calls dropped in the last day or so, and information on phones that have dropped calls during a specific period in a geographic region can be aggregated to help point out network problems, according to Coward.
Carrier IQ can also collect URL strings, which can be used to help carriers troubleshoot problems people might report accessing certain Web sites, for example. And the software may need to know what applications are on the phone to figure out what might be causing a battery to drain, he said.
What happens with the data?
Eckhart's video doesn't appear to show any data being transmitted from the phone to a remote server. Coward said that Carrier IQ transmits data in encrypted form. The data can be sent to either Carrier IQ's network or the carrier's network, and it is typically stored for 30 days, he added.
The carriers are pretty much free to do what they want with it, including conceivably sell it or share it with third parties, Coward said. "They are in control of the data," he said. "We have no rights to it."Which devices and carriers use Carrier IQ?
Carrier IQ says its software is embedded in more than 130 million phones globally but doesn't name its customers. Eckhart used an Android-based HTC EVO for his video demonstration and said it was also in Samsung, Nokia, and BlackBerry phones and on Sprint and Verizon.
However, Verizon denied in a statement to CNET ever using Carrier IQ on its devices. Samsung told CNET that the data is sent to the carriers and they would be best to answer further questions. BlackBerry maker Research In Motion told CNET that it does not pre-install Carrier IQ on its devices or authorize carriers to do so.
Nokia has denied using Carrier IQ, but AT&T says it uses the data to improve network performance, according to PC Magazine. Motorola acknowledged its devices have it but referred further questions to carriers, the report said.
Sprint said it uses Carrier IQ to analyze network performance and identify areas for improvement. "We collect enough information to understand the customer experience with devices on our network and how to address any connection problems, but we do not and cannot look at the contents of messages, photos, videos, etc., using this tool," the company said in a statement to CNET. "The information collected is not sold and we don't provide a direct feed of this data to anyone outside of Sprint."
HTC said in a statement to CNET that some carriers require phone makers to install the software:
Carrier IQ is required on devices by a number of U.S carriers so if consumers or media have any questions about the practices relating to, or data collected by, Carrier IQ we'd advise them to contact their carrier. It is important to note that HTC is not a customer or partner of Carrier IQ and does not receive data from the application, the company, or carriers that partner with Carrier IQ. HTC is investigating the option to allow consumers to opt-out of data collection by the Carrier IQ application.
Google confirmed that it has never shipped Carrier IQ on any of its Nexus devices. "We do not have an affiliation with Carrier IQ," a spokesman said in a statement sent to CNET. "Android is an open source effort and we do not control how carriers or OEMs customize their devices."
After iOS developer Grant Paul revealed that he found Carrier IQ on the iPhone, although with more limited functionality, Apple said it hasn't used Carrier IQ since it released iOS 5 last month and promised to remove it entirely from its products in a future software update.
Is Carrier IQ violating my privacy?
Sen. Al Franken, a Minnesota Democrat who heads a Senate privacy panel, sent a letter to Carrier IQ today asking the company to provide information on the types of data collected and other questions:
It appears that Carrier IQ's software captures a broad swath of extremely sensitive information from users that would appear to have nothing to do with diagnostics - including who they are calling, the contents of the texts they are receiving, the contents of their searches, and the websites they visit. These actions may violate federal privacy laws, including the Electronic Communications Privacy Act and the Computer Fraud and Abuse Act. This is potentially a very serious matter."
And Paul Ohm, a former Justice Department prosecutor and law professor at the University of Colorado Law School, told Forbes that there might be grounds for a class-action lawsuit based on a federal wiretapping law.
Carrier IQ dismissed that notion. "Carrier IQ is aware of various commentators alleging Carrier IQ has violated wiretap laws and we vigorously disagree with these assertions," its statement said.
So, is this just hype or what?
Eckhart called the software a "rootkit" because it gathers data without the user's knowledge or permission, but some security researchers have taken issue with that characterization and say the risk may be overstated.
Calling it a "rootkit" is a "bit of hyperbole," according to mobile security provider Lookout. "There is no question that Carrier IQ has deep access to sensitive user data, and questions around the handling of that data are completely legitimate," Lookout's Tim Wyatt wrote in a blog post today. "While this is true, there are also credible reports that a deeper look at the mechanics of Carrier IQ's software indicate a bit of hyperbole in labeling it a root kit. In short, it doesn't appear that they are sending your keystrokes straight to the carriers."
The most alarming aspect of Carrier IQ is that people are not aware that it is on their phones and don't know what data is being collected, Wyatt said. "Based on what we know so far, it doesn't appear that Carrier IQ's software is malware, and for that reason it's not flagged as such by Lookout," he wrote. "It is software that is developed in partnership with carriers with the intent to improve network performance. As far as we can tell, it meets this description in execution."
Mobile security researcher Dan Rosenberg wrote in a Pastebin post that he has reverse-engineered Carrier IQ and found "no evidence that they are collecting anything more than what they've publicly claimed: anonymized metrics data." He found "no code in Carrier IQ that actually records keystrokes for data collection purposes."
Open-source programmer John Graham-Cumming also is unconvinced. "If you watch the 'security researcher's' video you'll find that nowhere does he make the claim that content that the application sees is leaving the device," he wrote in a blog post. "At no point does he enter a debugger and look inside the Carrier IQ application, and at no point does he run a network sniffer and look at what data is being transmitted to Carrier IQ."
Carrier IQ's statement quoted security expert Rebecca Bace of Infidel as saying, "Having examined the Carrier IQ implementation it is my opinion that allegations of keystroke collection or other surveillance of mobile device user's content are erroneous."
And another mobile security expert CNET contacted echoed some of the other opinions. "While I haven't analyzed the code myself, most of what I'm hearing from folks who have dug deeper is that the claims and media reports are way overblown. It appears that Carrier IQ is indeed collecting some metrics, but I have not seen any evidence that keystroke, SMS messages, or web browsing session content are being transferred off the device," said Jon Oberheide, who has uncovered security issues in Android.
Any sort of data collection that could potentially impact user privacy should be disclosed to the end user and offer the opportunity for the user to opt-out, but Carrier IQ doesn't appear to be as much of a risk as people are making it out to be. Certainly scrutiny and public awareness is important, but so is responsible research and reporting.
Why is this coming up now?
Mountain View, Calif.-based Carrier IQ has been quietly operating for six years but hit peoples' radar when Eckhart raised an alarm in a blog post in mid-November. He complained about the surreptitious nature of the software and published Carrier IQ training materials. As a result, the company sent him a cease-and-desist letter demanding that he retract his claims and apologize. But Carrier IQ backed down and withdrew the letter a week later after the Electronic Frontier Foundation stepped forward to represent Eckhart.
CNET's Declan McCullagh contributed to this report.
Updated 8:15 p.m. PT with comment throughout from details from phone interview with Carrier IQ and Updated 5:09 p.m. PT with Rebecca Bace comment and updated Carrier IQ statement saying it does not record or transmit contents of e-mails and SMS messages, explaining why it gathers the data and denying illegality of the software behavior.