Mobile “Big Brother” Carrier IQ Busted

Mobile service intelligence company Carrier IQ has been caught out recording all the keystrokes of US Android, RIM and Nokia phone and tablet users on behalf of network providers Sprint and Verizon.

The software is installed as a third-party app by US carriers, as well as others including Vodafone Portugal. It runs stealthily in the background, and can’t be disabled or safely uninstalled. After the Carrier IQ software was revealed and demonstrated in a video by Android app developer Trevor Eckhart, the company tried to silence him.

It’s for your own good

The Carrier IQ software logs every key press, using a uniquely assigned value for each, and records text messages and information transmitted over HTTPS, the secure protocol designed to encrypt data. It also reveals location, according to Eckhart.

Although Carrier IQ has a London office, eWEEK Europe has not yet found evidence of its application in action in this country; it is, however, reportedly in use by Vodafone in Portugal.

Carrier IQ has denied any invasion of privacy, but also sent a cease and desist letter to Eckhart, which it then retracted, acknowledging his right to freedom of speech.

The company claims its software “does not record keystrokes, provide tracking tools, inspect or report on the content of communications, such as the content of emails and SMSs, provide real-time data reporting to any customer or sell Carrier IQ data to third parties” – despite evidence that the software is capable of doing just that.

Despite these claims, Carrier IQ has been very proud, in previous press releases, of its software’s ability to snoop, saying it “gives wireless carriers and mobile device manufacturers an unprecedented view into what is actually happening on mobile subscribers’ devices as it occurs, at the point of delivery and use”. Its marketing material adds that the IQ Insight Experience Manager uses data directly from the mobile device to give a precise view of how the services and the applications are being used, even if the phone is not communicating with the network.

“Experience Manager takes customer experience profiling to an advanced level with multiple levels of granularity, from the entire population, to comparative groups, down to individual users – all at the touch of a button,” said the company.

This level of detail on what most consider to be private data is a cause for concern, but what has Eckhart upset is that users do not seem to have a say in the matter. The software, which he considers to be a rootkit as it gives service providers continued privileged access to devices without user consent or knowledge, is also so deeply embedded that it cannot be safely removed, and users cannot opt out or disable the tool.

“It’s almost impossible to fully remove Carrier IQ. The browser is modified to send to Carrier IQ daemon, as is almost everything else. The application is so deeply embedded in our devices that a user must rebuild the whole device (system.img and boot.img) directly from source code to remove every part of CIQ,” said Eckhart on a website dedicated to discussing the issue.

According to Eckhart, who demonstrated the software on his HTC Android phone, this rootkit is installed on many other mobile phones including BlackBerries, Nokias and various tablets offered by US carriers, Sprint and Verizon, among others.

Customer experience or spyware

In an unrelated press release, the company said that Carrier IQ software is deployed on over 150 million devices including smartphones, feature phones, data cards, radio-equipped devices and downloadable agents from vendors, world-wide, and plans to extend its analytics software to tablet devices, e-readers, and non-handset devices by the end of 2011.

While Carrier IQ does have offices in London, the company was not available for comment, and it is unclear whether its monitoring software has been deployed by UK service providers.

A spokesperson from the Information Commissioner’s Office (ICO) told eWEEK Europe UK that it was currently not aware of any UK service providers running the product, and that if such software were to be introduced, it would have to meet the requirements of the Data Protection Act. “The first principle of the Act is about fair and lawful processing of data to ensure privacy. Unless the data collected is fully anonymised, retaining no personal information at all, companies adopting such technology would clearly have to comply with the DPA and, where there were any doubts, we would expect to be consulted on the matter.”

Iris Cheerin

  • Interesting comment that came in from David Harley, senior research fellow, ESET UK:

    “This issue demonstrates an essential problem with computers in general, not just mobile devices. A modern computer – especially one that is specifically designed for communications and networking (and here we are talking particularly about mobile devices) – is essentially a device for capturing and interpreting keystrokes, mouse movements, and touchpad/touchscreen pressure. Combining these factors with contextual awareness (application, network I/O, user profile and transmission protocols) means that your device is watching everything you do: that’s what it’s supposed to do.

    “But are you, as a user, aware of just how much information your device is giving to your network provider, or what use that provider is making of it (and just who gets to see it)? Most people haven’t thought about the first consideration, and are unlikely to be told the second. When there’s that much information, there is, inevitably, scope for misuse, and when people are forced to think about that, they tend to swing from unthinking trust to extreme suspicion. But it’s human nature to distrust any organisation we know has lots of potentially sensitive information, whether it’s Google, Facebook, the NHS, the NSA, our friendly local tax snoops, and so on. In a sense, that’s healthy: we take far too much on trust, and it’s important to realise that most of us lead very transparent lives, and legal systems tend to be inconsistent in the way that they address that transparency. In this context, it’s important to also realise that this isn’t really an Android problem, though Android is likely to inherit the popular distrust of Google with added spice from the growing awareness of Android malware. It’s a (mobile) device problem and at the very least, it looks as if Carrier IQ may need to further clarify the workings of its technology.”
