Carrier IQ: Not so invasive after all

The firestorm surrounding the Carrier IQ software built into Android and other smartphones may have been just a wee bit overblown, according to security researcher Dan Rosenberg. The software (or “rootkit”) — deemed highly intrusive in a recent report by Trevor Eckhart — cannot record the content of text messages, Web pages, or email, “even if carriers and handset manufacturers wished to abuse it to do so.”

Rosenberg, who works for application security company VSR, independently conducted an in-depth test of the Carrier IQ software, investigating the software’s hooks into Android, what sort of data the software can collect, and in what situations. In a nutshell, Rosenberg concludes that Carrier IQ shows no sign of “evil intent” — and provides a potentially valuable service in helping to improve mobile users’ experience on cellular networks.

[ See Paul Venezia’s post “The Carrier IQ scandal: Enough is enough.” Check out “Is a privacy backlash brewing?” by InfoWorld’s Eric Knorr. Galen Gruman reveals the even worse privacy invasions occurring today. And Roger A. Grimes reveals how the government is amassing huge amounts of citizens’ information. | Get a digest of the key stories each day in the InfoWorld Daily newsletter. ]

Rosenberg did observe that Carrier IQ — like any mobile app — could be modified for nefarious actions. What’s more, Rosenberg says that Carrier IQ — and more so, smartphone manufacturers and carriers — need to do better at protecting user privacy.

For his test, Rosenberg examined the version of Carrier IQ software that comes built in to the Samsung Epic 4G Touch. The researcher notes that the versions of Carrier IQ differ from device to device; and that carriers and smartphone makers ultimately decide just what sort of data the software records and reports. As an example, AT&T might want to gather data about dropped calls or battery life. The company relays its desires to smartphone makers, who in turn tweak the Carrier IQ software to send along data pertaining to dropped calls or battery life when certain criteria are met.

The specific situations or types of data that Carrier IQ collect and sends varies from smartphone to smartphone, though remain constant on a particular smartphone model. But in general, Rosenberg’s findings are as follows:

1. Carrier IQ cannot record SMS text bodies, Web page contents, or email content even if carriers and handset manufacturers wished to abuse it to do so. There is simply no metric that contains this information.
2. Carrier IQ (on this particular phone) can record which dialer buttons are pressed, in order to determine the destination of a phone call. I’m not a lawyer, but I would expect cell carriers already have legal access to this information.
3. Carrier IQ (on this particular phone) cannot record any other keystrokes besides those that occur using the dialer.
4. Carrier IQ can report GPS location data in some situations.
5. Carrier IQ can record the URLs that are being visited (including for HTTPS resources), but not the contents of those pages or other HTTP data.

The data that Carrier IQ does collect, Rosenberg writes, supports the company’s claims that its software is indeed used for diagnosing and fixing network, application, and hardware failures. “If carriers want to improve coverage, they need to know when and where calls are dropped. If handset manufacturers want to improve battery life on phones, knowledge of which applications consume the most battery life is essential. Consumers will have their own opinions about whether the collection of this data falls under the terms set by service agreements, but it’s clear to me that the intent behind its collection is not only benign, but for the purposes of helping the user,” he writes.

Rosenberg didn’t let phone makers or carriers off the hook entirely, suggesting they could better serve customers and respect their privacy while using Carrier IQ. The advice could well be extended to any party that seeks to pull data from users’ phones without their consent — say, a company such as Path Intelligence that makes systems that track shoppers’ movements in malls and stores.

Among Rosenberg’s recommendations:

1. Consumers need to be able to opt out of any sort of data collection. This option would need to be provided by carriers and handset manufacturers.
2. There needs to be more transparency on the part of carriers in terms of what data is being collected from users.
3. There needs to be third-party oversight on what data is collected to prevent abuse.
4. The verbose debugging logs demonstrated in Eckhart’s video are a risk to privacy, and should be corrected by HTC (the author of the responsible code) by disabling these debugging messages.
5. The legality of gathering full URLs with query parameters and other data of this nature should be examined.

This story, “Carrier IQ: Not so invasive after all,” was originally published at InfoWorld.com. Get the first word on what the important tech news really means with the InfoWorld Tech Watch blog. For the latest developments in business technology news, follow InfoWorld.com on Twitter.