The Carrier IQ scandal is getting bigger and I thought I’d weigh in with my thoughts.
Trevor Eckhart, a security researcher, discovered a piece of software on mobile phones that records all interaction with the phone, including key presses. This software is called Carrier IQ. He posted videos on YouTube demonstrating Carrier IQ collecting key press data from a smartphone.
The story spread quickly. There was a lot of finger pointing and denials by OS providers, phone makers, carriers, and Carrier IQ themselves. Carrier IQ even got an invitation to testify in front of Congress to tell exactly what its software does.
The bottom line is that AT&T and Sprint are using the software on their networks. Both carriers claim that no personal information is being collected and they only use it to monitor use of their networks.
Phone makers HTC and RIM outright blame the carriers by saying they insist the software be included. Apple also uses it, although keystrokes aren’t collected, but claims they “stopped supporting CarrierIQ with iOS 5 in most of our products and will remove it completely in a future software update.” I’m not sure what “stopped supporting” and “most” mean but I do know that you have to turn it on explicitly when you set up the phone and you can turn it off or on easily on the iPhone.
Why is this a big deal?
There is proof that Carrier IQ is collecting keystrokes on a phone. This means that passwords, URLs, text messages, etc. are all being collected. We don’t know (yet!) if any of that is transmitted from the phone and, if so, who is holding that data. If the data is transmitted there is potential for misuse. This kind of misuse falls into three categories.
1) Crime. Identity theft. Blackmail. If passwords, text messages, and other such information are stored, someone can get them and use them for criminal activity.
2) Privacy. If that information is being stored, can the government subpoena it if you are being investigated? Do consumers know that when they purchase a phone?
3) Marketing. Are carriers mining this information to sell it to marketers? Again, do consumers know that when they purchase a phone?
As is often the case, the cover-up is worse than the crime. I actually don’t believe that there is any actual evil intent here, but there is the potential for it and that is what is worrisome.
Collecting information from phones to monitor network performance is a legitimate need of the carriers. They do need to make sure the networks are running well and need information to help troubleshoot problems when necessary. We all complain pretty quickly and loudly when the networks aren’t running so we shouldn’t deny them the means to improve or repair the service.
The reason Carrier IQ is so controversial is that there is proof that it is collecting information that is not necessary for the purpose of monitoring network health. Keystroke collections are not necessary.
Even if this information is not being used for evil purposes, the potential exists if the data is being collected and this is what really worries people.
The first step to remedy the situation is that everyone involved here (carriers, phone makers, Carrier IQ) needs to come completely clean about what data is collected, transmitted, and stored, and how it’s being used. Then we can all rest a bit easier. Even if you’re not using Carrier IQ itself but something similar (this means you, Verizon!) you need to fess up and come clean before you’re caught.
The next step is that any phone with collection software installed needs to require an opt-in and needs to have an easy way to opt out. This functionality cannot be hidden from users. All phones should come out of the box with tracking turned off. The user has to intentionally opt in. Also, there should be no way to remotely turn on collection.
Only then can we have both trust and networks that run well.