Controversy over a mobile data-logger called Carrier IQ escalated on Thursday, with a U.S. senator raising an alarm and Apple and Verizon distancing themselves, even though it's still unclear how the software works.
An Android security researcher, Trevor Eckhart, reported last month that Carrier IQ software phoned home with details about how the phone was being used and where it was. Earlier this week, Eckhart posted a video elaborating on his claims, which was followed by another report that the software has been found on iPhones.
Apple responded Thursday, saying it hasn't used Carrier IQ since it released iOS 5 last month and will remove it entirely from its products "in a future software update". In a statement to ZDNet Asia's sister site CNET, the company said:
We stopped supporting CarrierIQ with iOS 5 in most of our products and will remove it completely in a future software update. With any diagnostic data sent to Apple, customers must actively opt-in to share this information, and if they do, the data is sent in an anonymous and encrypted form and does not include any personal information. We never recorded keystrokes, messages or any other personal information for diagnostic data and have no plans to ever do so.
BlackBerry maker Research In Motion (RIM) also told CNET it has neither pre-installed Carrier IQ on its devices nor authorized carriers to do so:
RIM is aware of a recent claim by a security researcher that an application called "CarrierIQ" is installed on mobile devices from multiple vendors without the knowledge or consent of the device users. RIM does not pre-install the CarrierIQ app on BlackBerry smartphones or authorize its carrier partners to install the CarrierIQ app before sales or distribution. RIM also did not develop or commission the development of the CarrierIQ application, and has no involvement in the testing, promotion, or distribution of the app. RIM will continue to investigate reports and speculation related to CarrierIQ.
Smartphone manufacturer HTC went further, telling ZDNet Asia's sister site CNET Asia that Carrier IQ is "required on devices by a number of U.S. carriers", and suggested users contact carriers directly for more information. It also stressed that it was not a "customer or partner and does not get any data from the company or carriers", and is "investigating the option to allow consumers to opt-out of the application".
Verizon spokesman Jeffrey Nelson also told CNET that "Verizon Wireless does not add Carrier IQ to our phones, and the reports we have seen about Verizon using Carrier IQ are false."
For its part, Sprint circulated a statement denying that it uses Carrier IQ to look at the "contents" of communications, an important legal point, but didn't provide specifics of how the software is configured:
Carrier IQ provides information that allows Sprint, and other carriers that use it, to analyze our network performance and identify where we should be improving service. We also use the data to understand device performance so we can figure out when issues are occurring. We collect enough information to understand the customer experience with devices on our network and how to address any connection problems, but we do not and cannot look at the contents of messages, photos, videos, etc., using this tool. The information collected is not sold and we don't provide a direct feed of this data to anyone outside of Sprint.
Joe Belfiore, from Microsoft's Windows Phone 7 product team, said on Twitter that "Windows Phones don't have CarrierIQ on them either".
U.S. Senator Al Franken, a Minnesota Democrat who heads a Senate panel on privacy, sent a letter (PDF) on Thursday to Carrier IQ asking pointed questions, including what data are logged, what data are transmitted, and whether the company believes its software complies with federal privacy laws that prohibit wiretapping. Franken asked for a response by Dec. 14.
Carrier IQ, based in Mountain View, Calif., has not responded to a series of questions that CNET posed this week. A spokeswoman said that she is "only one person and have been unable to respond to the thousands of incoming requests."
What remains unclear is exactly what is transmitted, a key point that will determine whether Carrier IQ is a privacy and security threat and, secondarily, whether anyone has been lying.
Security researcher Dan Rosenberg posted a note saying that he's reverse-engineered Carrier IQ and found "no evidence that they are collecting anything more than what they've publicly claimed: anonymized metrics data". There's "no code in CarrierIQ that actually records keystrokes for data collection purposes", he said.
If Rosenberg is correct, it wouldn't be the first time that there was a widespread Internet panic over false or unverified accusations. It happened earlier this year when Samsung was cleared of false allegations lodged by a security specialist in a now-deleted NetworkWorld article that claimed keylogging software was installed on two of the company's laptops.
CNET's David Hamilton contributed to this report.