Carrier IQ has recently found itself swimming in controversy. The analytics company and its eponymous software have come under fire from security researchers, privacy advocates and legal critics not only for the data it gathers, but also for its lack of transparency regarding the use of said information. Carrier IQ claims its software is installed on over 140 million devices with partners including Sprint, HTC and allegedly, Apple and Samsung. Nokia, RIM and Verizon Wireless have been alleged as partners, too, although each company denies such claims. Ostensibly, the software’s meant to improve the customer experience, though in nearly every case, Carrier IQ users are unaware of the software’s existence, as it runs hidden in the background and doesn’t require authorized consent to function. From a permissions standpoint — with respect to Android — the software is capable of logging user keystrokes, recording telephone calls, storing text messages, tracking location and more. It is often difficult or impossible to disable.
How Carrier IQ uses your behavior data remains unclear, and its lack of transparency brings us to where we are today. Like you, we want to know more. We’ll certainly continue to pursue this story, but until further developments are uncovered, here’s what you need to know.
What is Carrier IQ, anyway?
Privacy concerns surrounding Carrier IQ were initially brought to light by Trevor Eckhart, a security researcher who became alarmed by the extent of information accessible by the analytic software. In the following video, Trevor presents much of his findings, which seemingly demonstrate Carrier IQ’s keystroke logging, location tracking and ability to intercept text messages. Even information that should be transferred only within encrypted sessions is captured in plain text by Carrier IQ. During the entire demonstration, Trevor’s phone was in airplane mode, operating only over WiFi. Although his actions were outside the scope of his wireless carrier (Sprint), the software continued to monitor his every key press. On his Android device, it’s evident that Carrier IQ is running, even though it does not appear in the list of active processes. Further, the application doesn’t respond to “Force Quit” commands, and it’s set to startup when Android launches.
After watching Trevor’s video, it’s easy to form opinions that Carrier IQ may be the omnipresent snoop. In some ways, it is. The software has the ability to record nearly every action you perform with your phone. The actual data logged, however, isn’t determined by Carrier IQ, but rather its clients. The system enables manufacturers and carriers to examine how phones are used, how they behave and to aid in resolving issues that customers may experience. Clients are able to define specific parameters they wish to track, and also set events that would cause the device to report this information back to Carrier IQ. For instance, a manufacturer may wish to know which currently installed applications use the most battery life, while a carrier may choose to query the devices that experienced a service outage in a particular region during a given time frame.
Unfortunately, without Carrier IQ or its clients being explicit in the information it tracks, there remains a very real concern for individual privacy. As of present time, nobody is handling this quite well.
For some further insight into Carrier IQ, we’ll examine some of these aforementioned training materials that we obtained from Trevor Eckhart’s website, along with one of the company’s patents concerning data collection. On the analytics end, the software features a portal that allows administrators to create events that would trigger a Carrier IQ-enabled device to “phone home,” and choose the data which is to be sent. Alternatively, admins may also submit queries to individual devices, either by using an equipment or subscriber ID — or, they may choose to query pools of handsets by inserting wildcards into the string. The extent of information available to administrators upon querying a specific device is unknown.
If you’re curious about the existence of Carrier IQ on your current Android handset, a simple application from Trevor Eckhart will give you the answer. His Logging TestApp requires that your phone be rooted, but thankfully, once you’ve gone that far, you’ve got a decent shot of removing the software from your phone entirely. Perhaps the most direct way to distance yourself from Carrier IQ is by installing a custom ROM that’s built from the Android Open Source Project (AOSP.) Alternatively, the pro version of Logging TestApp — available in the Android Marketplace for $1 — has also proven successful in most situations. Methods also exist for manually removing Carrier IQ from individual devices, which can be found within the forums of xda-developers.
Excerpts from the Source Engadget