Carrier IQ has recently found itself swimming in controversy. The analytics company and its eponymous software have come under fire from security researchers, privacy advocates and legal critics not just for the information it gathers, but additionally for its loss of transparency in regards to the use of said information. Carrier IQ claims its software is installed on over 140 million devices with partners including Sprint, HTC and allegedly, Apple and Samsung. Nokia, RIM and Verizon Wireless were alleged as a partners, too, although each company denies such claims. Ostensibly, the software’s meant to enhance the client experience, though in nearly every case, Carrier IQ users are ignorant of the software’s existence, because it runs hidden within the background and doesn’t require authorized consent to operate. From a permissions standpoint — with respect to Android — the software is able to logging user keystrokes, recording telephone calls, storing text messages, tracking location and more. It’s always difficult or impossible to disable.
How Carrier IQ uses your behavior data remains unclear, and its loss of transparency brings us to where we’re today. Such as you , we wish to know more. We’ll certainly continue to pursue this story, but until further developments are uncovered, here is what you could know.
What’s Carrier IQ, anyway?
Privacy concerns surrounding Carrier IQ were initially dropped at light by Trevor Eckhart, a safety researcher who became alarmed by the level of info accessible by the analytic software. Inside the following video, Trevor presents much of his findings, which seemingly demonstrate Carrier IQ’s keystroke logging, location tracking and talent to intercept text messages. Even information that ought to be transferred only within encrypted sessions is captured in plain text by Carrier IQ. Through the entire demonstration, Trevor’s phone was in airplane mode, operating only over WiFi. Although his actions were outside the scope of his wireless carrier (Sprint), the software continued to watch his every key press. On his Android device, it’s evident that Carrier IQ is running, although it would not appear within the list of active processes. Further, the applying doesn’t reply to “Force Quit” commands, and it’s set to startup when Android launches.
After watching Trevor’s video, it is easy to form opinions that Carrier IQ often is the omnipresent snoop. In many ways, it’s far. The software has the facility to record nearly every action you perform along with your phone. The true data logged, however, isn’t determined by Carrier IQ, but rather its clients. The system enables manufacturers and carriers to inspect how phones are used, how they behave and to help in resolving issues that buyers may experience. Clients may be able to define specific parameters they need to trace, and likewise set events that may cause the device to report this knowledge back to Carrier IQ. As an example, a manufacturer could need to understand which currently installed applications use probably the most battery life, while a carrier may decide to query the devices that experienced a service outage in a specific region during a given period of time.
Unfortunately, without Carrier IQ or its clients being explicit within the information it tracks, there remains a extremely real concern for individual privacy. As of present time, nobody is handling this quite well.
The corporate
Carrier IQ was founded in 2005 in Mountain View, California. It is a privately held operation, with investors including Accel Partners, Bridgescale Partners, Charles River Ventures, Mohr Davidow Ventures and Natua Capital. Intel Capital is legendary to be a previous investor besides, although it’s unclear whether it still holds equity within the firm. Carrier IQ’s management of those privacy concerns thus far was a multitude, to mention the least. After Trevor Eckhart reported his findings, which included the company’s training materials, Carrier IQ attempted to silence him with a cease-and-desist letter, demanding he replace his analysis with a press release disavowing his research. The corporate has since retracted its threat and apologized for its behavior, but not without first earning a black eye within the process.
The company’s newly appointed CEO, Larry Lenhart — who remains portion of Mohr Davidow Ventures — recently published a video to YouTube explaining the firm’s stance on privacy, wherein he outright denies that Carrier IQ records keystrokes or provides tracking tools. Perhaps the corporate is truthful in its assertion, although the statement seems to contradict the design and capabilities of its software.
The software
For some further insight into Carrier IQ, we’ll examine a majority of these aforementioned training materials that we obtained from Trevor Eckhart’s website, together with some of the company’s patents concerning data collection. At the analytics end, the software incorporates a portal that enables administrators to create events that could trigger a Carrier IQ-enabled device to “phone home,” and judge the info that is to be sent. Alternatively, admins can also submit queries to individual devices, either through the use of an equipment or subscriber ID — or, they might decide to query pools of handsets by inserting wildcards into the string. The level of knowledge available to administrators upon querying a selected device is unknown.
Seemingly contradictory to Carrier IQ’s assertion that it doesn’t collect keystrokes is the company’s patent application #20110106942, published May 5, 2011. An excerpt of the claims follows:
2. a means for collecting data at a server coupled to a communications network, comprising: transmitting to a tool an information collection profile, wherein the information collection profile comprises a plurality of parameters defining a fixed of information to be collected by the device, a primary condition under which the set of information is to be collected, and a second condition under which the set of information is to be transmitted; and receiving from the device the set of knowledge collected in keeping with the second one condition.
10. The process of claim 2, wherein the set of information pertains to an end user’s interaction with the device.
11. The tactic of claim 10, wherein the interaction with the device comprises the tip user’s pressing of keys at the device.
The response
For its part, Sprint has denied any foul play:
“Carrier IQ is used to grasp what problems customers are having with our network or devices with a purpose to take action to enhance service quality. It collects enough information to grasp the buyer experience with devices on our network and the way to plan solutions to apply and connection problems. We don’t and can’t have a look at the contents of messages, photos, videos, etc., using this tool.”
HTC also insists it’s benign:
“HTC, like most manufacturers, has an opt-in error reporting function in-built to our devices. In case your phone experiences an error, you’ve got the choice of ‘Telling HTC’ with a view to make improvements to our phones. Information about this are in our privacy policy on each device and to ensure that data to be collected, you should opt-in. In case you do opt-in, we protect your privacy by de-identifying and encrypting the information. HTC is committed to protecting your privacy and meaning a commitment to clear opt-in/opt-out because the standard for collecting any information we have to serve you better.”
Because the Carrier IQ controversy involves a boil, it isn’t only privacy advocates which are taking notice. Paul Ohm, a former prosecutor for the dep. of Justice and current professor on the University of Colorado Law School believes the software may violate federal wiretap laws, in keeping with its perceived choice of text messages without users’ consent. In that case, says Ohm, then there are sufficient grounds for a category action lawsuit. He adds, “Within the next days or even weeks, someone will sue, after which this company is snarled in very expensive litigation. It’s almost certain.”
There isn’t a denying that lawsuits could be a royal pain for every person involved, but when it escalates to that level, an awesome possibility exists that Carrier IQ may be required to reveal the level of its data collection within the discovery process. Our take? If it requires a courtroom battle to force transparency in regards to the number of your information and usage habits, then bring it.
In an industry where the safety of intellectual property is paramount, it sounds as if much of this controversy might have been avoided with a straightforward opt-in policy. Executed properly, Carrier IQ has the prospective to enhance the standard of service for millions of mobile customers — as long as the info collected stays at the up-and-up. What remains clear is that until Carrier IQ or its partners address these privacy concerns with explicit evidence and formal policies on the contrary, this issue isn’t going away.
What you are able to do
If you are fascinated by the existence of Carrier IQ to your current Android handset, a straightforward application from Trevor Eckhart gives you the reply. His Logging TestApp requires that your phone be rooted, but thankfully, once you’ve gone that far, you have a good shot of removing the software out of your phone entirely. Perhaps essentially the most direct thanks to distance yourself from Carrier IQ is by installing a custom ROM that’s built from the Android Open Source Project (AOSP.) Alternatively, the pro version of Logging TestApp — available within the Android Market for $1 — has also proven successful in most situations. Methods also exist for manually removing Carrier IQ from individual devices, that are found in the forums of xda-developers.
Naturally, we will treat this as a developing story, and can continue to give additional information because it becomes known.
[ Gavel photo via Shutterstock]
Hack enables fast refresh mode on Nook Simple Touch (video)
‘Hugo’ director Martin Scorsese, cast explain some great benefits of shooting movies in 3D (video)
