Carrier IQ is a scandal now
The furor over Carrier IQ tracking software only intensified on Thursday, as different affected parties attempted to limit public relations or potential legal damage. Apple and Verizon both essentially disavowed Carrier IQ, while Sprint acknowledged using the software/service but narrowed the scope. Meanwhile, the Carrier IQ website couldn't handle sudden traffic surges. BetaNews used a Google cached version to obtain the official statement, but later reached the site.
Android developer Trevor Eckhart instigated the Carrier IQ scandal in a blog post and YouTube video based on his investigation of a persistent process running on HTC Android phones. He uncovered Carrier IQ, which he calls a rootkit because of its stealth behavior and the amount of information/services tapped. "The application is hidden in nearly every part of our phones, including the kernel", he writes. "Carrier IQ also subverts standard operating system functionality".
The video demonstrates keylogging behavior. It's quite dramatic to watch -- information captured as Eckhart types. Carrier IQ disputes this apparent capability: "We are counting and summarizing performance, not recording keystrokes or providing tracking tools. The metrics and tools we derive are not designed to deliver such information, nor do we have any intention of developing such tools".
What information Carrier IQ collects, how much or how little it transmits and who has access to what is the crux of a rapidly-developing privacy scandal. Carrier IQ might be less than it seems, a poorly designed program that like Sony's music-CD rootkit six years ago is more spyware by fault than design. Or it could be much more. The company's own press material reveals extensive data-collection capability, provided in real-time:
IQ Insight Experience Manager gives wireless carriers and mobile device manufacturers an unprecedented, objective view into what is actually happening on mobile subscribers’ devices -- including quality of service, application usage and the related experience -- as it occurs, at the point of delivery and use..IQ Insight Experience Manager uses data directly from the mobile device to give a precise view of how the services and the applications are being used, even if the phone is not communicating with the network.
Despite Eckhart's convincing presentation, questions remain about whom (carriers and handset makers) and what (devices) use Carrier IQ. The researcher demonstrated on a smartphone from Sprint, which has since acknowledged using Carrier IQ:
Carrier IQ is an integral part of the Sprint service. Sprint uses Carrier IQ to help maintain our network performance...We collect enough information to understand the customer experience with devices on our network and how to address any connection problems, but we do not and cannot look at the contents of messages, photos, videos, etc., using this tool. The information collected is not sold and we don’t provide a direct feed of this data to anyone outside of Sprint.
Not surprisingly, Carrier IQ is a hot topic on Sprint support forums. Writes one poster:
I'm a business owner that often transmits proprietary data and information using my Sprint Mobile device and I'm wondering why I was never told that every keystroke I ever made including https was being catalogued and stored by a third party software company. I want this software removed and I want to know where my data is being stored so I can make sure it is deleted from this third party's servers.
Another: "Sprint, it appears you have broken your Terms of Service agreement with us. You have unknowningly shared ALL our data with a 3rd party customer who is sending it in an insecure way. I would like you to either void my requirement to continue using your service or remove your rootkit software from MY phone".
AT&T admits, Apple disavows
Opt-in is a point Apple makes in its statement about Carrier IQ. Yes, Apple. "Our software is embedded by device manufacturers along with other diagnostic tools and software prior to shipment", according to Carrier IQ. Based on evidence at hand, manufacturers install Carrier IQ and wireless companies decide whether or not to use it. HTC and Samsung also acknowledge providing the software on a carrier-by-carrier basis. Apple has backed off, according to the statement:
We stopped supporting Carrier IQ with iOS 5 in most of our products and will remove it completely in a future software update. With any diagnostic data sent to Apple, customers must actively opt-in to share this information, and if they do, the data is sent in an anonymous and encrypted form and does not include any personal information. We never recorded keystrokes, messages or any other personal information for diagnostic data and have no plans to ever do so.
The statement shouldn't be misunderstood in context of Carrier IQ's official response to Eckhart's claims and to company marketing material. Apple places the software there for its carrier partners. Apple might not record "keystrokes, messages or any other personal information" but that doesn't mean someone else couldn't. Additionally, Carrier IQ is still part of iOS, which segues to another concern: Security.
All parties may be genuine in their responses, including Carrier IQ. None of them may be collecting personally identifying information, as they say. However, if Eckhart's analysis is correct, Carrier IQ pretty much records everything done on the phone, and it's embedded deeply into the operating system. Disconcerting: On Android when "Force Stop" is used, "the application continues to run".
The very extensive list of Android security permissions granted to IQRD would raise anyone’s eyebrow, considering that it’s remotely controlled software, but some things such as reading contact data, Services that cost you money, reading/edit/sending sms, recording audio(?!??!?) and writing/changing wireless settings seem a bit excessive.
Assuming Carrier IQ collects information on everything, or even lots of processes and activities, and can't easily be turned off or disabled, it is ideally suited to exploitation by cybercriminals. Carrier IQ is potentially the keys to the kindgom -- tens, perhaps hundreds, of millions of cell phones. If cracked -- and that's assuming functionality as Eckhart identifies -- Carrier IQ could be a boon to cybercriminals.
RIM, Verizon Untouched
As the drama unfolds, two parties stand above the furor -- so far. "Any report that Verizon Wireless uses Carrier IQ is patently false", says the company, which does have opt-in data collection options. "We were transparent about how customer information will be used and gave clear choices to customers about whether they want to participate in these programs. Carrier IQ is not involved in these programs".
Then there's Research in Motion:
RIM is aware of a recent claim by a security researcher that an application called 'Carrier IQ' is installed on mobile devices from multiple vendors without the knowledge or consent of the device users. RIM does not pre-install the Carrier IQ app on BlackBerry smartphones or authorize its carrier partners to install the Carrier IQ app before sales or distribution. RIM also did not develop or commission the development of the Carrier IQ application, and has no involvement in the testing, promotion, or distribution of the app. RIM will continue to investigate reports and speculation related to Carrier IQ.
Today, Sen. Al Franken (D-Minn.) sent a letter to Carrier IQ, setting a December 14 deadline to explain itself. He says:
The revelation that the locations and other sensitive data of millions of Americans are being secretly recorded and possibly transmitted is deeply troubling. This news underscores the need for Congress to act swiftly to protect the location information and private, sensitive information of consumers. But right now, Carrier IQ has a lot of questions to answer.
But when and how? If someone hasn't filed a lawsuit, one is sure to follow. Carrier IQ's challenge: How to explain itself without risking great legal liability. Statements in its defense now could be used in court later on.