How Carrier IQ was wrongly accused of keylogging

In just a handful of days, a startup company named Carrier IQ has been subjected to extraordinary public vilification, with reports accusing it of making a "rootkit keylogger" that "creeps out everyone" or is the "rootkit of all evil."

The only problem, which is always a risk when a public lynching takes place, is that Carrier IQ appears to be not guilty of the charges lodged against it.

The most serious charge against Carrier IQ, a venture capital-funded startup in Mountain View, Calif., that makes diagnostic software for carriers, has been that it records keystrokes and transmits them to carriers. One article on a Mac Web site breathlessly reported that "Carrier IQ probably violated federal wiretap laws in millions of cases." (See CNET's FAQ and related articles.)

Well, no. There's zero evidence that Carrier IQ captured, recorded, or transmitted any keystrokes. But that didn't stop the self-appointed lynch mob on blogs and on Twitter (#OccupyCarriers, that would be you).

Dan Rosenberg, an exceptionally talented security consultant who has discovered more than 100 vulnerabilities in the Linux kernel, FreeBSD, and GNU utilities, extracted a copy of Carrier IQ's software from his own Android phones. He then analyzed the assembly language code with a debugger that allowed him to look under the hood.

"The application does not record and transmit keystroke data back to carriers," Rosenberg told CNET. His reverse-engineering showed that "there is no code in Carrier IQ that actually records keystrokes for data collection purposes."

Carrier IQ has given Rebecca Bace, a well-known security expert who's advised startups including Tripwire and Qualys, access to the company's engineers and internal documents. (Bace says she has no financial relationship with Carrier IQ.)

Bace told CNET that: "I'm comfortable that the designers and implementers expended a great deal of discipline in focusing on the espoused goals of the software--to serve as a diagnostic aid for assuring quality of service and experience for mobile carriers."

Andrew Coward, Carrier IQ's vice president for marketing, acknowledged last night that the company may not have taken the best approach in responding to public criticism, which started with a blog post by Trevor Eckhart, a 25-year old system administrator in Connecticut who noticed unusual software on HTC Evo devices. He dubbed it a rootkit, leading to legal threats from Carrier IQ, an intervention by the Electronic Frontier Foundation, and an embarrassing bit of backtracking a few days later.

Threatening to sue a security researcher, even a newly minted one, isn't exactly the way to make friends nowadays--especially after the last decade has seen a parade of ill-received threats from Cisco Systems, Hewlett-Packard, voting machine makers, and the Recording Industry Association of America.

That legal threat, not unreasonably, led critics to assume the worst. "That's really been part of our challenge in responding to the allegations," Coward told CNET. The company decided it needed to be more forthcoming after "going back and saying, 'No, we don't, no we don't,' which is where we started, didn't really work." (The company also released a public statement yesterday.)

There's now a "vast misunderstanding of what we do," Coward says.

This won't have been the first time a company was subjected to an Internet-wide rush to judgment. In March, Samsung was cleared of false allegations lodged by a security specialist who claimed that keylogging software was installed on two of the company's laptops. Network World, which published the unverified accusations, subsequently deleted the original article.

The real privacy issues
That Carrier IQ is innocent of the keylogging accusation, the most serious charge, does not, however, mean there are no privacy concerns.

Coward acknowledged that the company's software, which is designed to be installed by carriers, can report back what applications are being used and what URLs are visited. Carrier IQ doesn't make these decisions; rather, they sell configurable software and the carriers decide what options to enable.

"It's up to them whether they do or don't collect that information," Coward says.

The information is used to summarize how the device is working so carriers can improve their networks, he said. It also helps them when they're forced to field calls from outraged customers wondering why their handset keeps crashing or runs out of battery life in a few hours.

Typically the data dump to a carrier is configured to be sent daily, either over Wi-Fi or the carrier's networks, Coward said. "The device ends up storing about 200 kilobytes of data," he says. "That's typical upload size. When it gets to the point that it's full, it'll do an upload or it'll drop data and start wrapping and store summary information." (Customers aren't charged for the upload, and it's disabled when the phone is roaming.)

It's true that carriers already know what URLs you're visiting when you use their network--meaning that, in many cases, Carrier IQ can be configured to send them data they already have. Privacy concerns arise when a list of URLs is stored on the device and accessible to forensic analysis, when a list of URLs visited on a Wi-Fi network is transmitted, or when encrypted HTTPS URLs are leaked. (Remember, Apple's log of locations accessible to forensic analysis landed it in hot water earlier this year.)

In this case, the software can be configured to send data directly to the carriers or to Carrier IQ's data center. "The data is not controlled by us, regardless of which model is used," Coward says. "We have no rights to the data. We cannot sell it, lease it, rent it, share it. The operators are extremely strict about that, as you might expect."

Because the Carrier IQ software can be configured to send information about URLs and active applications, it's the carriers themselves who owe their customers an explanation. Whether it's a serious privacy concern depends on how well they disclose to their customers that such monitoring is possible (which doesn't seem to be the case). Or whether an easy opt-out mechanism is available (ditto).

Sprint said yesterday that: "We collect enough information to understand the customer experience with devices on our network and how to address any connection problems, but we do not and cannot look at the contents of messages, photos, videos, etc., using this tool."

That doesn't provide enough details to understand what's going on. Nor does AT&T's statement, which merely says that Carrier IQ is used in accordance with the company's privacy policies.

But when Sen. Al Franken, the Minnesota Democrat, wrote a letter (PDF) yesterday asking what data are collected, he didn't address it to Sprint and AT&T, who combined have probably the most influential lobbying operation in the nation's capital. In his own letter (PDF) today, Rep. Ed Markey, the Massachusetts Democrat, didn't either.

That's a shame. The carriers should be more forthcoming. And the politicians and class action lawyers (two, at last count, have been filed) are taking aim at the wrong targets.

Update, 8:45 p.m. PT: We've posted a follow-up article offering additional details and verbatim statements from Carrier IQ. In that article, Carrier IQ Vice President Andrew Coward says his comments were "misconstrued" in a CNN article today about how Coward was supposedly surprised by the data stream. He also elaborates on how data collection is performed and says he was misquoted in a Wired story in which he allegedly said his company's software could read the contents of text messages.