Saturday, December 3, 2011

Carrier IQ and Your Phone: Everything You Need to Know


There’s a storm of controversy flaring up over Carrier IQ, cellphone software that logs user activity and relays at least some of that information to wireless carriers. The carriers say they’ll use that data to improve their networks. But anything that’s peeking in on what you’re doing on a phone raises a host of privacy concerns, and many users are suspicious.

Carrier IQ is so controversial for a few reasons:
  • It’s hidden. Short of rooting, or removing certain software safeguards to obtain “administrator” access to your phone, it’s almost impossible to know if it’s there.
  • It’s everywhere. The software reportedly exists on millions of handsets on several carriers, including many Android phones and even some versions of the iPhone.
  • It’s not opt-in. Without the user’s explicit approval, the software is enabled and gathering data on the phone.
  • It’s voracious. According to Trevor Eckhart, who created the recent explosion of attention on Carrier IQ with a video he posted on YouTube earlier this week, the software logs every keystroke and incoming text message. However, there’s some question about how much of this information is actually sent to the carriers.

Here are the most important things you should know about this previously little-known piece of software:

What is Carrier IQ?
Carrier IQ, made by a Mountain View-based company of the same name, is software that runs in the background of your cellphone or mobile device. It’s there to examine how your information travels over your wireless provider’s network. Basically, it looks at how well your texts are going through, how fast your emails are getting delivered, and how much you’re clogging up things by watching Netflix all the time — with the intention of relaying that information to carriers so they can find ways to optimize their networks.

Wait a second… so the carriers are watching everything I do on my phone?
In a statement, Carrier IQ says the software is only “counting and summarizing performance, not recording keystrokes or providing tracking tools.” It goes on to say that it shares the data only with its customers, the wireless carriers, and that the carriers have stringent policies on data retention. Independent mobile-security company Lookout wrote in a blog post, “It doesn’t appear that they are sending your keystrokes straight to the carriers.”

The man who first pointed out the issue, Trevor Eckhart, demonstrated that Carrier IQ indeed was logging keystrokes on his HTC EVO 3D smartphone, among other activity. When Carrier IQ sent him a cease-and-desist letter for saying the software was acting as a keylogger, the Electronic Frontier Foundation (EFF) came to his defense. Carrier IQ backed off, issuing an apology.

This all sounds, uh, bad. Is this legal?
Paul Ohm, a former prosecutor with the Justice Department, says no way. He recently posted on Twitter: “If the Carrier IQ/cellphone rootkit story is accurate, this is a clear, massive, felony wiretap. Not a close case.”

Senator Al Franken, who raised privacy concerns over location tracking on cellphones earlier this year, also had a strong message for Carrier IQ, saying, “The revelation that the locations and other sensitive data of millions of Americans are being secretly recorded and possibly transmitted is deeply troubling. This news underscores the need for Congress to act swiftly to protect the location information and private, sensitive information of consumers. But right now, Carrier IQ has a lot of questions to answer.”

Is the software only on smartphones?
Carrier IQ says its software is on feature phones, smartphones, and tablets.

Is it on my phone?
Carrier IQ is running on 141 million devices in the U.S., according to InformationWeek. Among the major carriers, Sprint and AT&T have confirmed that they use it, and Verizon Wireless told Mashable that it doesn’t. 

In an email to Mashable, a T-Mobile spokesperson wrote:
“T-Mobile utilizes the Carrier IQ diagnostic tool to troubleshoot device and network performance with the goal of enhancing network reliability and our customers’ experience. T-Mobile does not use this diagnostic tool to obtain the content of text, email or voice messages, or the specific destinations of a customer’s internet activity, nor is the tool used for marketing purposes.”

Speaking with TechRadar, Telefónica O2 stated it "doesn't collect any information via Carrier IQ. This is a question for the handset suppliers." When asked if they use any similar software on their phones, O2 stated that "the handset manufacturers might install it so that they can collect diagnostic data, but if they do, it's not on our behalf, and we don't have access to any of the data that may be collected." 

Meanwhile, Vodafone Group confirmed to TechRadar and PaidContent.org that it does not use Carrier IQ in any of its businesses, going as far as stating that it would never allow such software on any phone on its networks, as this "would directly contradict our privacy policy to customers".

France Telecom, parent company of Europe's Orange network, told PaidContent.org that while it could not rule out Carrier IQ being installed on phones used on its network, 'Orange does not validate it, or any diagnostic services similar to it, so it and other related services do not work'. 

The Canadian carrier Rogers has also tweeted that Carrier IQ is not used on any devices sold through its network. 

T-Mobile UK released the following statement:
“I can confirm that Carrier IQ software is not and has not been installed on any T-Mobile phones.”

On the manufacturer side, both RIM and Nokia made statements saying they don’t install Carrier IQ on their phones or authorize their carrier partners to install it. If you’re an iPhone owner, Apple told AllThingsD that it removed Carrier IQ “in most of its products” when it released iOS 5, with plans to remove it completely in a future software update.

HTC released the following statement:
“Carrier IQ is required on devices by a number of U.S. carriers so if consumers or media have any questions about the practices relating to, or data collected by, Carrier IQ we'd advise them to contact their carrier. It is important to note that HTC is not a customer or partner of Carrier IQ and does not receive data from the application, the company, or carriers that partner with Carrier IQ. HTC is investigating the option to allow consumers to opt-out of data collection by the Carrier IQ application.”

Google released the following statement:
“We do not have an affiliation with CarrierIQ. Android is an open source effort and we do not control how carriers or OEMs customize their devices.”

Microsoft's Joe Belfiore has now confirmed that Windows Phones are free from the scourge of Carrier IQ software:
“Since people are asking-- Windows Phones don’t have CarrierIQ on them either.”

HP released the following statement:
“HP does not install nor authorize its partners to embed Carrier IQ on its webOS devices.”

Samsung released the following statement:
“Some Samsung mobile phones do include Carrier IQ, but it's very important to note that it's up to the carrier to request that Samsung include that software on devices. One other important point is that Samsung does not receive any consumer user information from the phones that are equipped with Carrier IQ.”

Sony Ericsson released the following statement:
“Sony Ericsson does not install or support Carrier IQ on its devices. The exception is in the U.S. when required by carriers. Sony Ericsson does not receive or gather any information or data collected by Carrier IQ. For questions regarding Carrier IQ, we recommend consumers to contact their operator.”

Motorola didn't have an official statement, but did mention that Carrier IQ is only pre-loaded as an operator requirement.

How do I get rid of Carrier IQ?
If you have an Android phone, you can find out whether or not Carrier IQ is installed by using Eckhart’s Logging Test App, and you can use the app to remove the software for the cost of a dollar. The app requires rooting your phone, however, so proceed with caution and be warned: Some reports say it’s not always successful. Also, as we said before, you can install the free app from Trevor Eckhart; you can get it from his post on XDA-developers.

There is also another app you can use to check for Carrier IQ, and it doesn't require rooting your device. It's called Voodoo Carrier IQ detector, and it's available for free in the Android Market.

On an iPhone, it may already be absent from your iOS 5 device, according to Apple, but if you want to be 100% safe, TechCrunch says you should open your settings, go to “Diagnostics & Usage,” and select “Don’t Send.”

How likely is it that data collected by Carrier IQ could be accessed by a third party?
Considering there are no reports of this ever happening, you might conclude that it’s extremely unlikely. In its statement, Carrier IQ says the data it gathers is encrypted in its own network, or the carriers’ networks.

It’s unclear how secure the data stored on the phone itself is, however. Eckhart managed to access it, albeit on his own phone. It’s all hypothetical, but if you take into account the recent emergence of Android malware that’s able to “root” a phone, it’s impossible to rule out the idea that someone could design a piece of malware that could root the phone and access the data. In theory, it’s possible, but again, there are no reports that anyone’s done it.