Updated 7:09 pm ET Thursday, December 1
Your smartphone is probably spying on you, unless you’re a Windows Phone customer.
That’s the unfortunate conclusion of a number of tech bloggers and security researchers over the past two weeks who have stumbled upon the whopper of all real-life tech conspiracies: That a piece of what appears to be remote, real-time tracking software called “Carrier IQ,” made by a company of the same name, is installed on upwards of 140 million handsets worldwide, including many popular Android, iOS, Nokia and BlackBerry devices in the U.S.
Further, the software records a breathtaking amount of user information, including keystrokes, SMS messages, Web searches and a user’s location, all without a user’s knowledge or expressed consent.
Still unanswered: Just who installed the software on the handsets in the first place and who is receiving all of the user information obtained. Handset makers (such as HTC and RIM) are blaming wireless providers (carriers such as AT&T, Verizon and Sprint), but many wireless companies have denied installing the software.
Whoever is benefitting from the software, they and Carrier IQ could be subject to a class-action lawsuit for breaking U.S. wiretapping law, a former Justice Department prosecutor recently told Forbes.
In the case of the Android, Nokia and BlackBerry devices, the software may be capturing and recording nearly all of a user’s activities by logging their keystrokes, according to systems administrator and Android researcher Trevor Eckhart, who first brought the matter to light in a blog post the week of November 14, after he hooked his Android phone up to his computer and ran an analysis on the Carrier IQ software, only to find that it “secretly chronicles a user’s phone experience, from its apps, battery life and texts,” as Wired Threat Level reported.
Eckhart later posted a revealing video showing just how much information the software captures, including every keystroke on his Sprint HTC EVO 3D 4G Android device, and all without any disclaimers that it is doing so and without any way to stop it.
Carrier IQ on November 23 posted a press statement attempting to rebut Eckhart’s demonstration, saying Carrier IQ software “does not record your keystrokes, does not provide tracking tools, does not inspect or report the content of your communications, such as the content of emails and SMSs, does not provide real-time data reporting to any customer.”
Still, based on the work of other hackers and security experts online, it appears that although Carrier IQ’s reign is widespread, it isn’t on every device, and doesn’t take the same form on all devices.
On November 29, blogger and Windows hacker Rafael Rivera tweeted “I have found no evidence to suggest CIQ is present on any Windows Phone device. Let’s hope it stays that way.”
On November 30, iPhone hacker and Hacker News creator Grant Paul, aka Chpwn, published a post on his blog detailing the fact that Carrier IQ can also be found in a less extensive form on all versions of iOS, from iOS 3 onward.
As the Verge reported, in the case of iPhones, “the good news is that [Carrier IQ] does not appear to actually send any information so long as a setting called DiagnosticsAllowed is set to off, which is the default.”
We’ve reached out to Carrier IQ, Microsoft, and Apple on these pressing issues and more.
Furthermore, based on the information retrieved and the responses of handset makers, it appears as though Carrier IQ’s primary customer base — that is, the recipients of the user information obtained on the phones — is wireless service providers, not the device makers themselves. In fact, many of the device makers seemed to be flabbergasted at the news of Carrier IQ’s existence.
As Research in Motion, the manufacturer of the BlackBerry, told TPM in a vehement denial via email:
RIM is aware of a recent claim by a security researcher that an application called “CarrierIQ” is installed on mobile devices from multiple vendors without the knowledge or consent of the device users. RIM does not pre-install the CarrierIQ app on BlackBerry smartphones or authorize its carrier partners to install the CarrierIQ app before sales or distribution. RIM also did not develop or commission the development of the CarrierIQ application, and has no involvement in the testing, promotion, or distribution of the app. RIM will continue to investigate reports and speculation related to CarrierIQ.
Nokia and HTC issued similar statements denying that they have any relationship with Carrier IQ. Nokia told TPM via email that “Carrier IQ does not ship any products for Nokia devices. Nokia devices do not contain Carrier IQ.”
The HTC statement provided to the blog Bright Side of News is revealing in that HTC notes: “Carrier IQ is required on devices by a number of U.S carriers so if consumers or media have any questions about the practices relating to, or data collected by, Carrier IQ we’d advise them to contact their carrier.” (emphasis added)
But many carriers are playing dumb, saying they are not responsible for installing the software on mobile phones that contain it.
Verizon emailed TPM the following statement: “Verizon Wireless does not add Carrier IQ to our phones, and the reports we have seen about Verizon using Carrier IQ are false.”
We’ve reached out to America’s other three major wireless carriers — AT&T, Sprint and T-Mobile — for more information on their relationships with Carrier IQ and will update when we receive a response.
It should also be noted that Carrier IQ, the six-year-old Mountain View, California company behind the eponymous software, hasn’t been exactly cooperative during the process of this crowdsourced investigation. Quite the contrary in fact.
The company responded on November 16 to Eckhart’s initial post by firing off a cease-and-desist letter to Eckhart, threatening to sue him for “copyright infringement,” for publishing the inner workings of their software.
Eckhart smartly sought counsel from the Electronic Frontier Foundation (EFF), a non-profit digital rights advocacy organization, which responded on November 21 with its own letter telling Carrier IQ it had no legal grounds upon which to threaten Eckhart and to back off.
As the EFF wrote in its letter to Carrier IQ: “Given that there is no basis for your legal claims, we must conclude that your threats are motivated by a desire to suppress Mr. Eckhart’s research conclusions, and to prevent others from verifying those conclusions. Mr. Eckhart stands by his research and, accordingly, declines to meet your demands. We ask that you immediately withdraw your allegations in writing.”
Carrier IQ capitulated two days later on November 23, faxing a letter to the EFF saying it had unequivocally dropped the cease-and-desist request and was “sorry for any concern or trouble that our letter may have caused Mr. Eckhart.” Carrier IQ also said it should have reached out to Eckhart directly to “start a discussion” about the issues he raised and asked the EFF to help initiate a “dialogue.”
The EFF, for its part, told TPM that “We’re acting as counsel for Mr. Eckhart in this matter, and are monitoring the situation as it develops. Unfortunately, we can’t provide independent analysis at this time.”
TPM has a number of calls out regarding the software and will keep you informed on the latest developments. In the meantime, follow along with the rapidly evolving story yourself on Twitter under the hashtag #CIQ.
First update: Microsoft PR confirmed in an email to TPM: “The Windows Phone operating system does not include the Carrier IQ software.”
Moreover, Windows Phone program manager Joe Belfiore tweeted on Thursday: “Since people are asking— Windows Phones don’t have CarrierIQ on them either.”
We’ve reached out to Microsoft to see if any comparable software is installed on Windows phones and will update when we hear back.
Second update: A spokesperson from Google emailed TPM the following response: “We do not have an affiliation with CarrierIQ. Android is an open source effort and we do not control how carriers or OEMs customize their devices.”
OEMs are “original equipment manufacturers,” those companies including HTC and Samsung that create the mobile devices upon which Google’s Android runs.
The Verge earlier discovered that Google’s Galaxy Nexus phones, manufactured by Samsung but tightly controlled by Google, also don’t contain Carrier IQ.
We’ve reached out to Google to ask why the Galaxy Nexus phones don’t contain the software as well as asked if any Android phones contain other “mobile service intelligence solutions.”
Third update: Apple provided TPM the following statement:
“We stopped supporting CarrierIQ with iOS 5 in most of our products and will remove it completely in a future software update. With any diagnostic data sent to Apple, customers must actively opt-in to share this information, and if they do, the data is sent in an anonymous and encrypted form and does not include any personal information. We never recorded keystrokes, messages or any other personal information for diagnostic data and have no plans to ever do so.”
An Apple spokesperson also revealed to TPM that the company would be releasing an update “in the near future” that would eliminate Carrier IQ from older versions of iOS. The spokesperson declined to say why Apple had decided against Carrier IQ after electing to use it previously, but said that the program had been used in the past to “optimize information about networks to make Apple products and services better.”
Fourth update: PC Magazine has a great compilation of all the responses from the various actors in this saga, including phone manufacturers and wireless providers.