Software from the company Carrier IQ that’s preinstalled on many mobile devices sold in the United States is capable of recording many of the activities performed on those phones and potentially relaying the data back to carriers, according to security researcher Trevor Eckhart. Eckhart refers to the software as a “rootkit.”
The revelation has caused a great deal of concern over user privacy. U.S. Senator Al Franken has demanded answers from the company, and carriers and device manufacturers are scrambling to confirm whether or not their phones contain the software and to what degree it’s used.
Carrier IQ’s software can track metrics ranging from dropped calls to device types to what websites the user visits and where the user is when visiting those websites, Eckhart warned.
The news has triggered allegations that such monitoring may breach wiretap laws. It has also led to a spat between Carrier IQ and Eckhart.
“The fact that they’re surreptitiously collecting keystroke information, websites visited and the general location of the user at the time they’re accessing different websites or information with their smartphone, without the express permission of the users, is stupid beyond description,” Charles King, principal analyst at Pund-IT, told TechNewsWorld.
Carrier IQ did not respond to our request for comment for this story.
Many Android handsets reportedly include versions of Carrier IQ’s software. iPhones also allegedly use the software, but in a limited capacity that is only activated when the phone is in diagnostic mode.
Meanwhile, Research In Motion spokesperson Jamie Ernst and Verizon Wireless spokesperson Debra Lewis told TechNewsWorld that their companies don’t preinstall Carrier IQ’s application on their devices.
Nokia North America spokesperson Keith Nowak dismissed as inaccurate Eckhart’s claim that certain Nokia handsets carry the software. “Carrier IQ does not ship products for any Nokia devices,” he told TechNewsWorld.
Among Us Stalk the Sentinels
Carrier IQ is typically deployed in a way that completely hides its presence from users, Eckhart stated. The application checks in to a server or receives commands through other means. The commands can allow a third party to access a device without the user’s knowledge, Eckhart said.
Third parties can identify a user’s location, what’s running on the device, what keys are being pressed and what applications are being used at any given time, Eckhart alleged.
Eckhart posted a video in which he demonstrates what Carrier IQ is doing on his smartphone.
Carrier IQ’s patent application lists what types of data it can collect.
Only users with advanced skills can see what is really going on beneath the surface with Carrier IQ or remove the software, Eckhart said.
Senator Franken has called on Carrier IQ to explain what its software records, whether that data’s transmitted to the company or any third party, and whether it’s protected against security threats.
We Only Want to Help
Carrier IQ’s solution, according to its site, lets carriers analyze in detail usage scenarios and fault conditions by type, location, application and network performance while providing them with a detailed insight into the mobile experience as delivered at the handset rather than simply the state of the network components.
The company responded to Eckhart’s publishing information about its product by sending him a cease-and-desist letter November 16.
It withdrew that note and apologized after the Electronic Frontier Foundation fired off a response on Eckhart’s behalf Nov. 21.
“We’re acting as counsel for Mr. Eckhart in this matter, and we’re monitoring the situation as it develops,” EFF senior staff attorney Marcia Hofmann told TechNewsWorld.
Where’s the Privacy?
“If they’re gathering every individual’s keystrokes, that’s a tremendous invasion of privacy,” John Simpson, director of the privacy project at Consumer Watchdog, told TechNewsWorld.
The situation could be made worse by a bill being considered in Congress, the Cyber Intelligence Sharing and Protection Act of 2011.
This bill, which is strongly supported by the telecommunications industry, is an amendment to Title XI of the National Security Act of 1947, and will exempt private firms from liability for sharing data with the government, among other things.
“This is a continual erosion of privacy rights,” Pund-IT’s King said. “There are countless cases of the service providers and wireless carriers providing data to the government on request without informing their customers.”
This could “make every smartphone a spy phone for the government,” Consumer Watchdog’s Simpson warned.