Robert X. Cringely
Columnist

Carrier IQ isn’t spying on you, swears Carrier IQ

analysis
Dec 2, 2011 | 5 mins

Embattled mobile software firm says it's innocent, but the real problem is what the software could do in the wrong hands

It’s been an interesting few days for Carrier IQ, the formerly obscure mobile software company now at the center of a Category 5 media hurricane.

Carrier IQ builds diagnostic software for cellphones that’s used by carriers to suss out problems with their networks. But its software has the capability of capturing a whole lot more information about you and me, and until recently it’s been doing it all in secret.


You say diagnostic software, I say spyware — let’s call the whole thing off.

The stink coming off Carrier IQ is palpable, and the inevitable class-action lawsuit has already been filed, along with the inevitable Senate inquiry.

Apple acknowledged using Carrier IQ’s software, then immediately washed its hands of it. HTC said don’t blame us, blame the carriers. Google quickly noted that the app was never installed on any Android handsets it had a hand in designing. Verizon issued a staunch denial of having used Carrier IQ’s software. AT&T, Sprint, and T-Mobile acknowledged using Carrier IQ but issued strongly worded statements about the types of information it has no interest in collecting.

After getting pummeled on the InterWebs for 48 hours, Carrier IQ finally emerged from under a rock, issued a new statement about the controversy, and gave an interview to AllThingsD’s John Paczkowski. The company didn’t really add much to what it said two weeks ago, but it did so in a slightly less haughty way:

While a few individuals have identified that there is a great deal of information available to the Carrier IQ software inside the handset, our software does not record, store, or transmit the contents of SMS messages, email, photographs, audio, or video. For example, we understand whether an SMS was sent accurately but do not record or transmit the content of the SMS. We know which applications are draining your battery but do not capture the screen.

Security researcher Dan Rosenberg also dug into Carrier IQ’s software, and he didn’t find it phoning home with anything close to the data shown in Android security researcher Trevor Eckhart’s video:

There’s a big difference between “look, it does something when I press a key” and “it’s sending all my keystrokes to the carrier!” Based on what I’ve seen, there is no code in Carrier IQ that actually records keystrokes for data collection purposes.

On the other hand, he also says, “Carrier IQ does a lot of bad things. It’s a potential risk to user privacy, and users should be given the ability to opt out of it.”

[UPDATE: Three days after this blog post was published, Rosenberg published his findings of tests using Carrier IQ on a Samsung Epic 4G Touch. His conclusion: The software on his phone was not capable of capturing keystrokes or other potentially risky personal information.]

So much ado about nothing, eh? Not exactly. As Rosenberg and others have noted, the choice to have your smartphone tracked — even to a limited degree — should be in the hands of the person holding it. It should definitely not be a secret.

More worrisome is the gap between the information the Carrier IQ software could capture if someone wanted it to and the data it actually transmits up the line to carriers. According to Carrier IQ, it only sends the data its customers (the “operators”) ask for. Per the release:

Carrier IQ acts as an agent for the operators. Each implementation is different, and the diagnostic information actually gathered is determined by our customers — the mobile operators. Carrier IQ does not gather any other data from devices.

So far, the carriers have not asked for the content of people’s text messages, email, surfing histories, locations, and so on. Given the regulatory scrutiny they are under, it’s unlikely they ever would. But somebody else might.

What Carrier IQ has also failed to address is why its software operates in secret and whether the same techniques it uses to obscure the software’s operations from users — what Eckhart called a “rootkit” — could be exploited by hackers, who would then have unfettered access to 142 million cellphones.

If nothing else, Carrier IQ has proven extremely clueless about the ways of the Web circa 2011, as well as the concerns of consumers. Let’s hope it’s a little less clueless about the security of its software.

Does having Carrier IQ software on your phone make you hinky? Post your concerns below or email me: cringe@infoworld.com.

This article, “Carrier IQ isn’t spying on you, swears Carrier IQ,” was originally published at InfoWorld.com. Follow the crazy twists and turns of the tech industry with Robert X. Cringely’s Notes from the Field blog, and subscribe to Cringely’s Notes from the Underground newsletter.