Paul Venezia
Senior Contributing Editor

The Carrier IQ scandal: Enough is enough

analysis
Dec 5, 2011 | 5 mins

Is a smartphone that spies on its user just another fact of life in the privacy-free digital age? Or has a line finally been crossed?

Last week, an Android hacker named Trevor Eckhart posted a video showing that an unkillable application running on Android smartphones is logging just about every action taken on the phone. In essence, it appears to be a built-in and sanctioned keylogger that delivers all that personal info to … someone (presumably Carrier IQ). It may even be happening in real time, although Carrier IQ disputes that — and notes the data is only transmitted in small doses, as if that makes it OK.

Eckhart’s video demonstration reveals the logging output of an HTC Android device, which clearly shows that Carrier IQ’s software is called when most buttons are pressed, when an SMS is received, and when a website is visited. Importantly, he demonstrates that visiting a supposedly encrypted SSL-secured site still delivers the URI to the Carrier IQ agent. The information is handed to Carrier IQ’s agent on the phone prior to the actual request, as a keylogger would do.

So far, AT&T, Sprint, T-Mobile, HTC, and Samsung have confirmed that their phones include the tracking software; it appears to be disabled on the iPhone, and RIM has denied that the Carrier IQ software is on the BlackBerry. Nonetheless, it seems clear that a whole bunch of smartphone users have been carrying around a device that has been watching their every mobile move — including their location. Armed with this information, it’s trivial to know where any given person carrying that phone is at any given time, who they’re calling, what they’re texting, and so on and so forth. Essentially, it’s not just a keylogger — it’s a lifelogger.

Ostensibly, the Carrier IQ software enables carriers to gather data about the performance of their network, which could be considered a useful and pertinent tool. However, collecting data on the user’s every move — including unencrypted URI strings used on SSL sites — goes way too far. But heck, Carrier IQ even boasts about that on its site:

IQ Insight Experience Manager uses data directly from the mobile phone itself to give a precise view of how users interact with both their phones and the services delivered through them, even if the phone is not communicating with the network. … Identify exactly how your customers interact with services and which ones they use. See which content they consume, even offline.

That, friends, is hubris. But are you really surprised to hear this? I’m not. This doesn’t require much in the way of technological chops — it’s pretty simple to implement. The only thing even a tad surprising is that the companies producing these phones not only pay to integrate this diabolical code, but also to keep it under wraps. Sure, the agent and supporting apps appear in the process lists (if you dig deep), but they’re unkillable, so there’s nothing to be done with them even if you know what they are.

Carrier IQ’s site brags about this to a substantial degree. There’s a massive counter showing that Carrier IQ is gathering information on more than 140 million handsets, and the company states it gives carriers “unprecedented insight into their customer’s mobile experience.” Unlike the relatively hidden and obfuscated code running on the handsets, Carrier IQ’s marketing team is unabashed about what the company actually does: continuously spy on people through their own phones. In a discussion with Wired, Carrier IQ admitted that they have a “treasure trove” of user data, collected surreptitiously, but denies that the term “keylogger” is accurate. They’re right, in a way — their data collection tools are much more invasive than a keylogger.

While some may be taken aback at the notion that they’ve been carrying around a tracking device delivering information on their every move to some unknown entity, I’m thoroughly unsurprised. When you work in network construction and security, you learn just how simple it is to do this kind of thing — and how simple it is to find on a network with tools like IPS and network analyzers. Android and iOS phones are just Unix boxes, after all; these tasks aren’t much more difficult to implement on phones than on servers.

I’m sure many people will shrug this off and say, “Well, I’m not doing anything wrong, so why do I care?” This is precisely the mentality that allows these practices to occur in the first place.

As useful as they may be, smartphones aren’t worth abrogating your personal privacy — certainly not without consent. Unfortunately, there are only two ways to combat this: ditch your smartphone or support legislation that correctly labels this type of nonsense as fraud and violation of privacy rights and comes with a massive fine. (Yes, CM7 is an option, but not for 99 percent of the population.) Even though several carriers have made a point that Carrier IQ isn’t on their phones, that doesn’t mean that their phones don’t or can’t have similar agents in use. As much as I dislike throwing around laws over every little thing, this is not a little thing. Ideally this nonsense will already be covered by federal wiretapping laws, and those responsible will pay the price for this malfeasance.

This story, “The Carrier IQ scandal: Enough is enough,” was originally published at InfoWorld.com.