Carrier IQ snooping reports are "mostly exaggerated", says researcher
It's no secret that there are a lot of questions surrounding Carrier IQ and its software this week, but has popular reaction to the news been overblown?
That's the argument being made by Virtual Security Research senior consultant Dan Rosenberg, who says that the accusations aimed at Carrier IQ are based on incomplete evidence.
"People need to recognize that there's a big difference between recording events like keystrokes and HTTPS URLs to a debugging buffer (which is pretty bad by itself), and actually collecting, storing, and transmitting this data to carriers (which doesn't happen)," Rosenberg wrote in a post published on PasteBin.
Other experts have echoed that skepticism. "I don’t think that any carrier is using it to snoop on what users are doing,"a network engineer from a major UK operator told ZDNet. "Carriers already have access to a lot of information on what its subscribers are doing simply because it’s their network being used," the researcher said, noting that that information is what carriers use to bill their customers in the first place.
Sprint, which admitted to using the Carrier IQ software, said in a statement that it collects the information to address network problems, not track the behavior of its subscribers.
"We do not and cannot look at the contents of messages, photos, videos, etc., using this tool. The information collected is not sold and we don't provide a direct feed of this data to anyone outside of Sprint," the company said.
Carrier IQ defended itself on similar grounds. “[Our] software does not record, store or transmit the contents of SMS messages, email, photographs, audio or video," the company said in a statement. "For example, we understand whether an SMS was sent accurately, but do not record or transmit the content of the SMS. We know which applications are draining your battery, but do not capture the screen.”
The Carrier IQ situation mirrors that of the so-called "Location Gate" scandal that hit Apple and its iPhone earlier this year. In that scandal, an unencrypted database of Wi-Fi hotspots and cell towers was discovered tucked away on users' devices, prompting outrage from users and a measured response from Apple. As with the current Carrier IQ situation, Apple said that the purpose of the database was to improve device and network performance, not track the precise locations of its customers.
It took Apple almost a week to respond to the allegations, and while Carrier IQ has defended itself more rapidly the company still has many questions to answer. Clearly, transparency, not data snooping, is its biggest problem.
In spite of this, researcher Dan Rosenberg isn't too concerned. "Based on what I've seen, there is no code in CarrierIQ that actually records keystrokes for data collection purposes," he wrote.
His defense of CIQ, however, only goes so far. While Rosenberg doesn't seen any nefarious practices with Carrier IQ software, some of the possibilities embedded in it should raise some concern.
"The fact that there are hooks in these events suggests that future versions may abuse this type of functionality, and CIQ should be held accountable and be under close scrutiny so that this type of privacy invasion does not occur," he wrote.