7 questions that Carrier IQ needs to address immediately

7 questions that Carrier IQ needs to address immediately

Summary: According to Carrier IQ's website, the rootkit is deployed on over 140 million handsets.

TOPICS: Security, Mobility

[UPDATE: According to a statement from Apple, the company stopped supporting Carrier IQ with iOS 5.0 on most of its devices, but the iPhone 4 still uses it.]

So it has been revealed that millions of handsets (yes, even the iPhone) have been kitted out with a 'rootkit' that logs out activity on that handset. That 'rootkit,' which is called Carrier IQ, is used to supply diagnostic information to the carriers and handset makers.

But it turns out that evidence has emerged that this software is logging all sorts of handset activity, including it seems key presses and the contents of text messages that have are sent or received.

According to Carrier IQ's website, the rootkit is deployed on over 140 million handsets.

The capabilities of the rootkit were first discovered by 25-year-old Trevor Eckhart. Here a video in which he presents the case against Carrier IQ. It's scary stuff:

Carrier IQ have their own video in which they claim that the tool doesn’t record keystrokes and doesn’t provide tracking tools:

Given these mixed messages, Carrier IQ need to address the following questions:

  1. What devices has Carrier IQ been installed on?
  2. Carrier IQ claims the rootkit doesn't log any data, but Eckhart's video seems to suggest otherwise - what's going on here?
  3. What data is being sent back to the carrier/handset maker?
  4. Is the data sent/stored in a way that could identify the handset?
  5. Who has access to this data?
  6. How long is this data kept?
  7. Can users opt out?

At the moment we have deluge of questions and a drought when it comes to answers.

[UPDATE: Senator Al Franken sent an open letter to Carrier IQ’s president and chief executive Larry Lenhart with a whole load of questions of his own.]


Topics: Security, Mobility

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.


Log in or register to join the discussion
  • It is not Carrier IQ who installs their software on devices, so, actually,

    ... most serious questions have to be addressed to the likes of HTC, LG, <strike>Nokia<strike> (Nokia now claims it does not use this service), RIM, et cetera -- who agreed to install that software in this criminal form as it is.<br><br>They could follow Apple's way -- on their devices this service does not work by default and even when it works it collects only tiny portion of information (basically irrelevant to privacy concerns), comparing to wall-to-wall spying as on many other devices.<br><br>So obviously manufacturers knew what they were doing.
    • RE: 7 questions that Carrier IQ needs to address immediately

      @dderss Yes but it is not installed by mfg's by handset, its installed by region and carrier. I have already confirmed this personally.
      • If by Carrier ....

        @Jimster480<br>What is the method.<br>In iOS it appears to be embedded in the OS.<br>Based on Apples past practice, they would have to do this mayhap at the Carriers request.
    • Define by default

      I have a couple of idevices iOS 4.x
      Show me where the opt out is?

      On iOS5 there is no mention of CIQ anything, just a plea to help Apple improve its products.
      If Apple is no longer using it, why do I have the opt in option?
  • RE: 7 questions that Carrier IQ needs to address immediately

    Guess what information is needed for such answers: Some scaring quotes from the website:

    ??uses data directly from the mobile phone itself to give a precise view of how users interact with both their phones and the services delivered through them, even if the phone is not communicating with the network.??

    ??See which content they consume, even offline. Identify problems in service delivery, including the inability to connect to the service at all.??

    ??Get an instant view of performance across the network and compare by geography, tower, user group and a wide range of configurable parameters??
    They can divide the users into groups like ??Mainstream Youth??, ??Pioneer Youth??, ??Careerists??

    ??Analyze data in real time ??

    WTF?? Take that: ?????Task??? phones dynamically over the air to optimise data selection??

    ??Capture a vast array of experience data including screen transitions, button presses, service interactions and anomalies.??

    ??How do users respond to mobile advertising???


    OK, I didn't expect that before starting to collect quotes!

    Also compare the above to the privacy policy: http://www.carrieriq.com/company/privacy.htm
  • RE: 7 questions that Carrier IQ needs to address immediately

    Man that Android UI walkthrough is UGLY. Talk about an awful experience.
  • to Adrian

    Adrian Kingsley-Hughes,
    Where does the movie show any kind of logging and remote transmission?
    It just shows Eckhart using some app called "USB debugging" to show on his Ubuntu console what is happening on the device. Every computer software receives and interprets keystrokes from input devices like keyboards.

    Also, why you are posting more about software than about hardware on your blog that has a name of Hardware 2.0? Post more about new hardware pieces than hype histories about software, please.
    • Blind?

      Take a second (or third) look.
      It has transmit capability apparently.
      Then go look at Carrier IQ marketing statement - it confirms it does just that.

  • RE: 7 questions that Carrier IQ needs to address immediately

    Well there goes that lucrative contract they were hoping to get to prepare for SOPA and PIPA along with the riders from the CIA and the NSA....
    Sceptical Observer
  • And Mark would

    ABSOLUTELY [b]LOVE[/b] this on the Facebook phone.....
    Sceptical Observer
  • Carrieriq site

    Odd ... their website seems a mite slow in responding. :{)
  • Who is &quot;paying&quot; for the data stream?

    Since 'unlimited data' is disappearing quickly, who is paying for the data stream?

    If it being charged to the phone owner, the carrier customer, that's theft. Especially if the phone is being used internationally where data charges are outrageous.

    Legitimate network quality control data should go back to the carrier or manufacturer over a channel that is free of charge to the customer, and of course, with the customer's knowledge and consent.

    This explains some of the mysterious data overhead that we are being charged for......
  • Trevor Eckhart's sloppy diction seems to match his ...

    sloppy view of transparency and democratic process.