The Mac Security Blog

Carrier IQ and the iPhone – What You Need to Know

Smartphone users have discovered a new name in recent days: Carrier IQ. It was discovered that certain mobile phones use software by this company – the Mobile Service Intelligence Platform – to track usage and send data to phone manufacturers and telecom companies. Security researcher Trevor Eckhart looked closely into what this software does, and discovered that it records keypresses, SMSs, URLs visited, and more. In fact, the software seems to be able to record – and send to third parties – just about everything a user does on their phone.

Eckhart first discovered this on a phone running Android – an HTC phone, which used the Sprint network. (He shows how this works in a YouTube video.) But subsequent research has shown that this occurs on a number of phones, and with a variety of carriers. The telephone companies claim, however, that they only use this software to collect information to improve network performance and quality of service. The handset manufacturers are blaming the carriers for “requiring” this software. This has turned into a hot potato, and has, once again, raised the spectre of people’s portable devices listening in on what they do, and sending information about their actions to third parties.

Engadget has an excellent Q&A about what Carrier IQ is and isn’t, and Cnet has collected a group of articles addressing the problem. What is most striking is how each company involved seems to try to pass the responsibility on to others. Engadget points out that, in spite of what the CEO of Carrier IQ said in a video posted to YouTube, the software is capable of collecting data and sending it to third parties; they examined patents held by the company, which describe the software’s capabilities.

This has gotten as far as the US Congress. US Senator Al Franken has asked for answers from Carrier IQ regarding what this software does, saying that the actions of the software “may violate federal privacy laws.”

And how does the iPhone fit into this story? Apple has issued a statement regarding their use of Carrier IQ’s software:

We stopped supporting Carrier IQ with iOS 5 in most of our products and will remove it completely in a future software update. With any diagnostic data sent to Apple, customers must actively opt-in to share this information, and if they do, the data is sent in an anonymous and encrypted form and does not include any personal information. We never recorded keystrokes, messages or any other personal information for diagnostic data and have no plans to ever do so.

Apple calls information like this “diagnostic information,” and when you set up an iPhone, or other iOS device, you are asked if you want such information to be sent to Apple. If you said yes to this question, unaware of what this meant, you can turn this feature off. Tap the Settings app, then General, About, then Diagnostics & Usage. Then tap Don’t Send to turn this off.

While software such as this may indeed help improve quality of service, the real worry is that the data collected may fall into the wrong hands. Given the number of high-profile hacks of customer databases in recent months, one may assume that this data is not sufficiently protected. In addition, there are some kinds of data that this software seems to be capturing that it shouldn’t. There is no reason for it to record keypresses, especially because this will include any passwords that you type on your phone.

So, if you use an iPhone, don’t worry. Turn off the Diagnostics & Usage collection, and you should be fine. However, if you use another phone, it seems there is no way you can turn off this data collection. Engadget has a roundup of which companies – handsets or carriers – use Carrier IQ.
