Is someone spying on your smartphone?

COMMENTARY [Updated] Earlier this year, there was a bit of a furor over the iPhone tracking user locations -- a charge the Wall Street Journal made when it reported that iPhones were transmitting what appeared to be positions to Apple (AAPL), and which the company denied. Now Google's (GOOG) Android is in the hot seat over what a third party may be doing.

Android software developer Trevor Eckhart found that Carrier IQ, which bills itself as a provider of "mobile service intelligence solutions to the wireless industry," has software that is secretly installed on millions of Android phones and transmits almost everything users do. Carrier IQ denies the findings and threatened the researcher with legal action. Now Eckhart has posted a video showing findings that paint a damning picture of privacy for many Android phone owners.

There goes the data

Eckhart had initially reported his findings online, only to have Carrier IQ send a cease and desist letter, which claimed copyright infringement because the developer had posted some of the company's training materials on his site. The company also insisted that he stop his allegations, publicly apologize, and say that the company doesn't record keystrokes or provide user tracking tools.

The Electronic Frontier Foundation provided some legal assistance, and Eckhart continued his work in the form of a video.

The short version

Rather than going through the entire 17 minutes or so, here's a quick summary of what he found:

-- The Carrier IQ application runs even though it doesn't show on Android's running application list.

-- It has a very broad set of permissions for access to data, information, and functions of the phone.

-- You can't shut it down as you can with other applications.

-- It transmits a unique identification for many buttons that a user presses.

-- Every keypad number a user presses for a phone call is sent.

-- The application sends the body of received text messages.

-- It also sends URLs a user enters into the browser, even if the connection is encrypted.

That's a lot of data that seems to be heading off the phone.

[Update: Security researcher Dan Rosenberg says, based on what he's seen, that "there is no code in CarrierIQ that actually records keystrokes for data collection purposes." However, the hooks to do so that do appear in the code suggest that "future versions may abuse this type of functionality, and CIQ should be held accountable and be under close scrutiny so that this type of privacy invasion does not occur."]

Carrier IQ claims that its software is on 141 million smartphones worldwide. Not all Android phones have it. For example, Google Nexus phones don't. It's on all Apple iPhones, except that users must give explicit permission for it to work, data goes to Apple only, and users can disable transmission of any data. Neither is the case with Android, where Carrier IQ's software apparently cannot be shut off or completely removed.

Research in Motion says it does not install the software on its BlackBerry devices, nor does it authorize carriers to do so. Because Android handset vendors can modify the operating system within boundaries, they don't need Google's permission to install the application. Verizon Wireless says that it doesn't use Carrier IQ. Sprint does. CBS MoneyWatch has inquiries in with AT&T and T-Mobile about whether they use it or not.

[Update: AT&T provided a statement to CBS MoneyWatch: "In line with our privacy policy, we solely use CIQ software data to improve wireless network and service performance." So, the company uses it and doesn't explicitly say that it doesn't collect detailed information.]

[Update: T-Mobile provided the following statement to CBS MoneyWatch: "T-Mobile utilizes the Carrier IQ diagnostic tool to troubleshoot device and network performance with the goal of enhancing network reliability and our customers' experience. T-Mobile does not use this diagnostic tool to obtain the content of text, email or voice messages, or the specific destinations of a customer's internet activity, nor is the tool used for marketing purposes."]

Carrier IQ's response

Carrier IQ posted a statement:

Carrier IQ delivers Mobile Intelligence on the performance of mobile devices and networks to assist operators and device manufacturers in delivering high quality products and services to their customers. We do this by counting and measuring operational information in mobile devices - feature phones, smartphones and tablets. This information is used by our customers as a mission critical tool to improve the quality of the network, understand device issues and ultimately improve the user experience. Our software is embedded by device manufacturers along with other diagnostic tools and software prior to shipment.

While we look at many aspects of a device's performance, we are counting and summarizing performance, not recording keystrokes or providing tracking tools. The metrics and tools we derive are not designed to deliver such information, nor do we have any intention of developing such tools. The information gathered by Carrier IQ is done so for the exclusive use of that customer, and Carrier IQ does not sell personal subscriber information to 3rd parties. The information derived from devices is encrypted and secured within our customer's network or in our audited and customer-approved facilities.

Our customers have stringent policies and obligations on data collection and retention. Each customer is different and our technology is customized to their exacting needs and legal requirements. Carrier IQ enables a measurable impact on improving the quality and experience of our customers' mobile networks and devices. Our business model and technology aligns exclusively with this goal.

Maybe that is true, but it raises some questions:

-- If Eckhart was correct in what he monitored -- and you might think that a professional developer would know the difference between a program taking note of an action and actually transmitting it -- then how extensive is the data being transmitted?

-- Who gets the data and what do they do with it?

-- How long has this been going on?

-- Which handset vendors, carriers, and models run the software?

-- How much does Google know about this and is it involved at all?

CBS MoneyWatch has questions out to Carrier IQ and a request to speak with someone at Google. As more information arrives -- if it does -- I'll update this post.

[Update: A Google spokesperson provides the following statement: "We do not have an affiliation with CarrierIQ. Android is an open source effort and we do not control how carriers or OEMs customize their devices."]