X

Carrier IQ analysis finds no evidence of 'keylogger'

An in-depth analysis of Carrier IQ finds no evidence of an alleged keylogger, but other privacy concerns remain.

Declan McCullagh Former Senior Writer
Declan McCullagh is the chief political correspondent for CNET. You can e-mail him or follow him on Twitter as declanm. Declan previously was a reporter for Time and the Washington bureau chief for Wired and wrote the Taking Liberties section and Other People's Money column for CBS News' Web site.
Declan McCullagh
3 min read

A Linux kernel hacker who completed an in-depth analysis of Carrier IQ's controversial software has determined that it's incapable of recording keystrokes or perusing SMS messages and e-mail correspondence.

Dan Rosenberg, who has discovered more than 100 vulnerabilities in the Linux kernel, FreeBSD, and GNU utilities, published a blog post last night that analyzed the data Carrier IQ collects and transmits on a Samsung Epic 4G Touch. He found that contrary to what a slew of initial -- and erroneous -- reports claimed, the Carrier IQ software is not a keylogger and "cannot" be configured as one.

"CarrierIQ cannot record SMS text bodies, web page contents, or email content even if carriers and handset manufacturers wished to abuse it to do so," Rosenberg concludes. "There is simply no metric that contains this information." (See CNET's FAQ, related articles, and a list of removal apps.)

Rosenberg determined that Carrier IQ can, as a YouTube video by Trevor Eckhart indicated, record what digits are pressed in the dialer application. But it "cannot record any other keystrokes besides those that occur using the dialer," wrote Rosenberg, who says he has no affiliation or relationship with Carrier IQ.

A Carrier IQ representative said this morning that the company didn't release technical details on its own -- a move that could have reduced some of the criticism, including a letter from Sen. Al Franken, the Minnesota Democrat, an concern from European regulators -- because consumers would not have believed the source.

Even if Carrier IQ is incapable of capturing keystrokes--the most serious charge lodged against it-- other privacy concerns remain.

Rosenberg suggested that carriers need to let consumers "opt out of any sort of data collection," that there should be "more transparency on the part of carriers in terms of what data is being collected from users," and that there "needs to be third-party oversight on what data is collected to prevent abuse."

Carrier IQ vice president Andrew Coward told CNET last week that the company's software, which is designed to be installed by carriers hoping to improve network performance, can report back what applications are being used and what URLs are visited. Carrier IQ doesn't make these decisions; rather, it sells configurable software and the carriers decide what options to enable.

It's true that carriers already know what URLs you're visiting when you use their network--meaning that, in many cases, Carrier IQ can be configured to send them data they already have. Privacy concerns arise when a list of URLs is stored on the device and accessible to forensic analysis, when a list of URLs visited on a Wi-Fi network is transmitted, or when encrypted HTTPS URLs are leaked.

Sprint and AT&T, which have acknowledged they use Carrier IQ, have not elaborated on what options they have chosen to enable, except to indicate that the use is consistent with their privacy policies. (Sprint's statement is here.)

Neither AT&T nor Sprint have responded to questions regarding which Carrier IQ features they've enabled. CNET queried the companies on Friday evening.