Carrier IQ tracking scandal escalates: it’s not the manufacturers, blame the carriers
Carrier IQ is a simple telemetrics company, but one thing makes it stand out from the rest: chances are, it’s on your smartphone, and researcher Trevor Eckhart has recently found that it records your every keystroke, SMS message and phone call, and logs a lot of the data you transmit. Scary? Add to that the fact that you can’t remove it, and things start to look very Orwellian.
Apparently, those previously unknown findings weren’t warmly embraced over at Carrier IQ as the company sent an absurd and inimical cease and desist order, a copy of which you can find at the source link at the end of this article. Here’s an extract of Eckhart’s report on Carrier IQ that must have triggered that hostile response:
From training documents found we get an insight to the Carrier IQ Portal. Devices are displayed to the portal operator by individual phone Equipment ID and Subscriber IDs. The “portal administrator” can put devices into categories and see devices in California that have dropped calls at 5pm.
The down side to all of this is the “portal administrator” is also able to “task” a single phone with a profile containing any combinations of metric and trigger. From leaked training documents we can see that portal operators can view and task metrics by equipment ID, subscriber ID, and more. So instead of seeing dropped calls in California, they now know “Joe Anyone’s” location at any given time, what he is running on his device, keys being pressed, applications being used.
Later on, after receiving the cease-and-desist letter, the researcher defended his position and was backed by the Electronic Frontier Foundation (EFF). Carrier IQ seemed to be breaking the First Amendment, which grants the right to free speech. Shortly after, the company withdrew the letter and issued an apology. What followed was a “Media Alert” press release with the exclamatory title “Measuring Mobile User Experience Does Matter!” (you can find the full PR at the end of the article).
The press release contains a lot of sweet PR talk and denies allegations about Carrier IQ's possible use for logging keystrokes and tracking the user. The vague excuse of only gathering “operational information” to improve the network experience, however, doesn’t directly answer Eckhart’s fact-based findings. Details have continued surfacing since then, and the scandal is just escalating.
Carrier IQ itself says its app is present on more than 141 million devices, and while the scandal broke around the app on Android handsets, there’s more evidence indicating that it’s also on iOS, other platforms and feature phones. The big question then is: who’s responsible for this piece of software silently ending up on your smartphone?
Here’s the company’s position on that: “Our software is embedded by device manufacturers along with other diagnostic tools and software prior to shipment.” Does it reflect reality?
To answer that question, though, we should first mention that not all Android devices have it. Interestingly, devices from the Nexus line, including the Samsung Galaxy Nexus, and ones in which Google has a more direct participation, like the Motorola XOOM, don’t have Carrier IQ’s software. The Verge confirmed this with an inside scoop from a reportedly reliable source (could be someone at Google).
Just recently, Apple hacker chpwn found traces of Carrier IQ in iOS. Particularly, there seems to be a daemon which is reportedly not logging any sensitive information, but we’re yet to have final clarity on that. Moreover, it seems that on iOS you can choose to opt out via Settings -> General -> About -> Diagnostics & Usage, where you should turn off “Send Automatically.”
Additionally, various people have chimed in on the debate agreeing that we shouldn’t blame the device manufacturer but the carrier. Apple enthusiast Seth Weintraub wrote:
“Carrier IQ is something that Carriers put on phones as part of their OEM software. This is out of the hands of both Google and the manufacturers.”
Kyle Sluder on Twitter pointed out that “this CarrierIQ story has been wrongly turned into an Apple vs. Android battle. It’s all about the carriers.”
Those findings and opinions round up everything we know so far, but we’ll definitely be hearing more about the scandal soon. In the meantime, though, feel free to check out the initial report that triggered all of this, then Carrier IQ’s response and its subsequent withdrawal.
You can view and download all of the related documents below. Most of them are in a convenient-to-read PDF format:
- Carrier IQ | Android Security Test - the initial report published by Trevor Eckhart (web link)
- Carrier IQ cease and desist order (PDF file)
- Eckhart’s response (PDF file)
- Carrier IQ's withdrawal and apology (PDF file)