New Questions About Mobile Phone Privacy
Doug Bernard | Washington DC
Trevor Eckhart, by his own account, is a 25-year-old “average Joe.” A digital developer based in Connecticut, Eckhart’s been quietly exploring the privacy and security aspects of the Android mobile operating system.
This week, the quiet ended.
First posted on his website “Android Security Test” a while back, Eckhart began exploring what applications developed by the firm Carrier IQ were doing while he was on his Android phone. Carrier IQ, based in Mountain View, California, markets a variety of mobile applications, or apps, that monitor and track mobile phone use, and then provide that information back to service providers and developers. Carrier IQ says this information is limited and protected, and is only used to improve mobile service and use. “We are counting and summarizing performance, not recording keystrokes or providing tracking tools,” reads in part a statement on the company website.
But Eckhart says his research suggests that’s not the case, and in documents on his site – and visually in a 17 minute video – he lays out the case that Carrier IQ products are doing much more than they say, all out of sight of the average user.
Using his own HTC Evo mobile phone, Eckhart demonstrates how apps such as “HTC IQAgent” run in near-hidden mode on his phone; even once he finds them, he’s unable to turn them off. He then runs his phone through its paces – turning it on and off, dialing numbers, sending SMS text messages and browsing websites. Alarmingly, it appears that the IQAgent app logs and transmits every keystroke he makes, all hidden from view. Eckhart dials a number, and IQAgent duly records and transmits every digit. He sends a text, and it notes who, how, when, and of course what the message actually said. There’s even a complete log of every website he visits and what he does there, even while using the security-enhanced “https” format. Remember – this is all in addition to the actual functions his phone is performing with the actual service provider.
Eckhart called IQAgent a “rootkit”, which in tech terms is a bit of software that is considered critical to function, loads and runs automatically, and is largely (or entirely) outside of the user’s control. That, apparently, was fighting words for the Carrier IQ. They responded swiftly, denying the claim, demanding he remove information about the company and threatening Eckhart with legal action. Late last week, the Electronic Frontier Foundation, or EFF, stepped in to provide Eckhart assistance and legal help, and Carrier IQ pulled back.
The kerfuffle only drew more attention to Eckhart’s work, and to the largely un-noticed Carrier IQ firm.
Reporters started digging, and it quickly became clear how little was known about the company, its products and who uses them. How many apps are there, what are its clients, and just who are they transmitting all those keystrokes to?
Here’s what’s known. It’s estimated that Carrier IQ’s tracking apps run on 150 million hand-held devices, an astonishingly large number. This week AT&T, Apple, Sprint and T-Mobile all admitted to using Carrier IQ software on at least some of its devices. Sprint and AT&T also acknowledged they receive some transmitted data, but both firms insisted it was all anonymous, and for network diagnostics only.
For its part, Carrier IQ continues to state that its products don’t actually “record” all those keystrokes, meaning that its software may detect a large amount of keystrokes (or all of them) but that most of that information is not communicated back to the service providers. CNNMoney spoke with security analyst Dan Rosenberg, who said “People need to recognize that there’s a big difference between recording events like keystrokes … and actually collecting, storing, and transmitting this data to carriers, which doesn’t happen.”
But that’s cold comfort for digital privacy proponents, who note the firm originally denied even detecting all those keystrokes – a claim it has gingerly inched back from since Eckhart posted his video. And the timing for Carrier IQ could hardly be worse, coming just a week after a flurry of reports – and Congressional denunciations – of mobile apps that track a shopper’s movements through stores and shopping centers. (The British firm, Path Intelligence, has backed off those plans, for now.)
For the moment, with a little help from the EFF, Trevor Eckhart says he’ll do what he can to continue his work. Only now, it’s likely he won’t be the only one.
Eckhart’s demonstration video:
Carrier IQ’s response: