New Questions About Mobile Phone Privacy
Doug Bernard | Washington DC
Trevor Eckhart, by his own account, is a 25-year-old “average Joe.” A digital developer based in Connecticut, Eckhart’s been quietly exploring the privacy and security aspects of the Android mobile operating system.
This week, the quiet ended.
In research first posted on his website “Android Security Test” a while back, Eckhart began exploring what applications developed by the firm Carrier IQ were doing while he was on his Android phone. Carrier IQ, based in Mountain View, California, markets a variety of mobile applications, or apps, that monitor and track mobile phone use, and then provide that information back to service providers and developers. Carrier IQ says this information is limited and protected, and is only used to improve mobile service and use. “We are counting and summarizing performance, not recording keystrokes or providing tracking tools,” reads in part a statement on the company website.
But Eckhart says his research suggests that’s not the case, and in documents on his site – and visually in a 17 minute video – he lays out the case that Carrier IQ products are doing much more than they say, all out of sight of the average user.
Using his own HTC Evo mobile phone, Eckhart demonstrates how apps such as “HTC IQAgent” run in near-hidden mode on his phone; even once he finds them, he’s unable to turn them off. He then runs his phone through its paces – turning it on and off, dialing numbers, sending SMS text messages and browsing websites. Alarmingly, it appears that the IQAgent app logs and transmits every keystroke he makes, all hidden from view. Eckhart dials a number, and IQAgent duly records and transmits every digit. He sends a text, and it notes who, how, when, and of course what the message actually said. There’s even a complete log of every website he visits and what he does there, even while using the security-enhanced “https” format. Remember – this is all in addition to the actual functions his phone is performing with the actual service provider.
Eckhart called IQAgent a “rootkit”, which in tech terms is a bit of software that is considered critical to function, loads and runs automatically, and is largely (or entirely) outside of the user’s control. Those, apparently, were fighting words for Carrier IQ. They responded swiftly, denying the claim, demanding he remove information about the company and threatening Eckhart with legal action. Late last week, the Electronic Frontier Foundation, or EFF, stepped in to provide Eckhart assistance and legal help, and Carrier IQ pulled back.
The kerfuffle only drew more attention to Eckhart’s work, and to the largely unnoticed Carrier IQ firm.
Reporters started digging, and it quickly became clear how little was known about the company, its products and who uses them. How many apps are there, who are its clients, and just who are they transmitting all those keystrokes to?
Here’s what’s known. It’s estimated that Carrier IQ’s tracking apps run on 150 million hand-held devices, an astonishingly large number. This week AT&T, Apple, Sprint and T-Mobile all admitted to using Carrier IQ software on at least some of their devices. Sprint and AT&T also acknowledged they receive some transmitted data, but both firms insisted it was all anonymous, and for network diagnostics only.
For its part, Carrier IQ continues to state that its products don’t actually “record” all those keystrokes, meaning that its software may detect a large number of keystrokes (or all of them) but that most of that information is not communicated back to the service providers. CNNMoney spoke with security analyst Dan Rosenberg, who said “People need to recognize that there’s a big difference between recording events like keystrokes … and actually collecting, storing, and transmitting this data to carriers, which doesn’t happen.”
But that’s cold comfort for digital privacy proponents, who note the firm originally denied even detecting all those keystrokes – a claim it has gingerly inched back from since Eckhart posted his video. And the timing for Carrier IQ could hardly be worse, coming just a week after a flurry of reports – and Congressional denunciations – of mobile apps that track a shopper’s movements through stores and shopping centers. (The British firm, Path Intelligence, has backed off those plans, for now.)
For the moment, with a little help from the EFF, Trevor Eckhart says he’ll do what he can to continue his work. Only now, it’s likely he won’t be the only one.
Eckhart’s demonstration video:
Carrier IQ’s response:
9 responses to “Carrier IQ, Quietly Tracking Your Phone”
I just listened to your response video, it is not accurate! I don’t appreciate your company recording, receiving, reporting, and stockpiling my personal data. Your company is not trustworthy! A consumer has outed you and you respond with this video which is not truthful! Dishonest! And does not answer the problem posed by said consumer. I have chosen to join in the fight against your company! Your company and its practices (in reference) is anti-US wiretapping laws. A direct violation and your explanation does not justify its actions, in fact, your responses are not directly countering the claims made against you. Your responses, in my opinion, are practices in deception and avoidance! You seem to turn a corner to avoid the issues at hand. Truth be told, your company should be in front of Congress answering lots of questions, major fines should be applied as well as a cease and dismiss of practices in question! Your company and its practices disgust me!
I agree with Clyde on this issue. This company as well as the cell phone companies who allowed them to install this software, should be sued.
My earlier comment is waiting moderation? In other words, if this site is a supporter of CIQ then my post won’t see the light of day!
Clyde; it just took a few minutes to post. It’s not an instantaneous process, so it can lag a few minutes. Thanks for adding your thoughts; –db
Thanks Doug, my apologies
Unable to disable this software on a friend’s phone, I chose not to purchase an HTC. Unfortunately not the only phone it runs on. After dumping data from my phone I became unhappy! I fixed mine with a hammer, CRUNCH, software no longer runs!
I am no longer very happy about working on and updating similar devices for friends and customers. I will not be taking these devices home for work and connecting them to my home network. I wouldn’t be happy to work on such devices at work, if for instance a customer could not get their WIFI to work or some other general query from an inexperienced user. Would I be aiding wiretapping, as that is illegal in my jurisdiction and would I also be violating disclosure of customer privacy which is supposedly protected by law?