Carrier IQ, the mobile intelligence provider at the centre of a US privacy storm, has said it inadvertently collected some SMS messages as the result of a software bug.
Network operators can use Carrier IQ mobile-data logging software to gather information on customers' network usage. Carrier IQ said on Tuesday that its hard-to-detect software has mistakenly been collecting text messages.
"Carrier IQ has discovered that, due to this bug, in some unique circumstances, such as when a user receives an SMS during a call, or during a simultaneous data session, SMS messages may have unintentionally been included in the layer 3 signalling traffic that is collected by the IQ agent," the California-based company said in a technical explanation of its software (PDF). "These messages were encoded and embedded in layer 3 signalling traffic and are not human readable."
Carrier IQ was thrust into the limelight when security researcher Trevor Eckhart published information on the workings of its software. Eckhart posted a video showing an Android HTC device using Carrier IQ writing location, keylogging and SMS data to a log file. In its technical explanation, Carrier IQ said of the demonstration that "it appears that the handset manufacturer software's debug capabilities remained 'switched on' in devices sold to consumers".
The revelations have raised concerns over the privacy implications of the data collection, and the head of a Senate privacy panel has asked US wireless providers and hardware makers to give details on exactly how they are using Carrier IQ.
In its explanation, Carrier IQ gave details of how its metrics-gathering tool works. The software installed on a device is called an 'IQ agent', it said. The agent can be used by network operators to collect and transmit information about mobile use.
Network operators using Carrier IQ software can specify which data is collected about customers' usage, and link that information to a particular device, it added.
"The profile defines which of the available metrics are to be gathered and provides instructions on how to pre-process the data prior to uploading," said Carrier IQ. "For example, the profile may request that the IQ agent summarise broadband throughput for the previous 24 hours."
A 'profile' or list of data to be collected and sent off can be uploaded to the device by network operators when the device connects to a network server.
People's data traffic can be linked to a specific device through its hardware serial and subscriber serial numbers, according to Carrier IQ. Network operators can specify how frequently data is collected and create summary information.
The software can list web URLs visited by a customer and record phone numbers that are dialled and received, before sending the information to network operators.
It is unclear whether the software is present on mobile phones used by UK customers. The four major UK operators have denied that they use Carrier IQ, but the software may be installed by handset manufacturers.
There are some indications that Carrier IQ data may be in use in US investigations. According to a blog post on MuckRock, the FBI declined a Freedom of Information request for its materials related to access or analysis of Carrier IQ-generated data, saying the information is in a file exempt from disclosure "since it is used for law enforcement proceedings".