Everything you need to know about the Carrier IQ app - so far
5 December 2011 by Olav Hellesø-Knutsen
Last week, an Android developer discovered that a hidden spying app developed by Carrier IQ was installed on millions of handsets sold by some operators in the US.
If you haven't been hiding under a rock for the past couple of days, you must have heard the name of this company several times by now. Carrier IQ is software installed by operators (only in the US, it seems) and it runs in the background as soon as you power on the smartphone. On some devices it's impossible to shut down, while other devices have an option to switch it off. The claimed intention of the Carrier IQ app is to gather detailed information about handset problems and poor network reception and report this back to the operators.
At first glance this looks like a good idea. The problem is that the Carrier IQ app is capable of recording much more. In fact, it is granted super user privileges, so everything you do on the phone could be logged and sent off to a third party. As this app was installed on the operators' instructions, they hopefully know what it does and which types of data are being reported back. According to the latest information from Carrier IQ, the gathered information is transferred encrypted to the operators' networks or to operator-audited facilities.
The recent fuss about this "hidden" app started when Trevor Eckhart, a 25-year-old support engineer and Android app developer, wrote an article about the Carrier IQ app, describing his findings regarding a daemon running hidden on his HTC smartphone. Eckhart downloaded publicly available training videos from the Carrier IQ web site and made these available as part of his findings. Carrier IQ did what can now be called the blunder of the year when they sent Eckhart a cease and desist letter (PDF). Carrier IQ demanded that Eckhart immediately remove all his research findings and all unsubstantiated comments about Carrier IQ. They also wanted him to remove the training material, and they claimed he violated their copyright. Eckhart did not comply with the instructions; instead he contacted EFF and got legal help from them. EFF sent Carrier IQ a response (PDF) to the cease and desist demand to Eckhart. A week later Carrier IQ reached out to Eckhart to apologize for the first letter. A couple of clarifications were posted in this last letter to Eckhart. The Carrier IQ software:
Further, Carrier IQ writes:
In response to this letter, Trevor Eckhart published a YouTube video showing step by step what he actually discovered:
The existence of Carrier IQ running on some smartphones has been known for some time. The developers over at xda developers found a way to remove the Carrier IQ software back in early March 2011. You needed to root the Android device and replace the operator-skinned OS with a custom firmware developed by the xda folks, and not many are willing to sacrifice the warranty by tampering with their phone. We believe traces of the Carrier IQ app were first found in devices branded and sold by the network operator Sprint. Later it became known that AT&T and T-Mobile are using Carrier IQ as a way to learn more about their customers. Eckhart also said the software is included on handsets sold by Verizon, but they have denied this claim. Nokia, RIM, Sony Ericsson and Microsoft have since publicly announced that they do not have Carrier IQ on handsets made by them. Apple said it used to use the Carrier IQ software on its hardware but does not with iOS 5. This is the US, so a class action is of course being filed against HTC, Samsung and Carrier IQ for violating the Federal Wiretap Act.
A couple of issues arise regarding anonymous and not so anonymous data monitoring. Are customers willing to send anonymous data to operators if that will improve the mobile experience? Network operators already have theoretical access to much of your personal data. They know where you are, because they know which base station you are connected to. They know who you send text messages to, and they could know what these SMS messages say. Some governments are even actively looking for trigger words such as "al-qaeda" and "bomb". Security researchers disagree with Eckhart's conclusions and said the video shows only diagnostic info and at no point provides evidence that keystrokes, SMS or web browsing session content are being transferred off the device.
The latest press statement (PDF) from Carrier IQ tries to clarify misinformation about the Carrier IQ software. HTC's latest word on the case is that "Carrier IQ is required on devices by a number of US carriers so if consumers or media have any question about the practices relating to, or data collected by, Carrier IQ we would advise them to contact their carrier".
The Verge interviewed Carrier IQ's Vice President of Marketing, Andrew Coward, who explains a little more about the Carrier IQ software. One of the interesting parts is that the Carrier IQ software initially does not have access to personal information. It's up to the carrier to develop software which hands valuable information over to the Carrier IQ software. The same thing was also communicated in the latest press statement:
Carrier IQ acts as an agent for the operators. Each implementation is different and the diagnostic information actually gathered is determined by our customers – the mobile operators. Carrier IQ does not gather any other data from devices.
This is surely not the last we will hear about Carrier IQ and the lack of consumer privacy.
What do you think? Is this whole case blown out of proportion? The interest from the press would probably be non-existent if network operators were transparent about the data they collect on the handset and the use of such data.