Mobile “Big Brother” Carrier IQ Busted

Carrier IQ software logs every stroke on Android, RIM and Nokia phones, and says it’s for your own good

Mobile service intelligence company Carrier IQ has been caught out recording all the keystrokes of US Android, RIM and Nokia phone and tablet users on behalf of network providers Sprint and Verizon.

The software is installed as a third-party app by US carriers, as well as others including Vodafone Portugal. It runs stealthily in the background, and can’t be disabled or safely uninstalled. After the Carrier IQ software was revealed and demonstrated in a video by Android app developer Trevor Eckhart, the company tried to silence him.

It’s for your own good

The Carrier IQ software logs every key press, using a uniquely assigned value for each, and records text messages and information transmitted over the secure protocol, HTTPS, designed to encrypt data. It also reveals location, according to Eckhart.

Although Carrier IQ has a London office, eWEEK Europe has not yet found evidence of its application in action in this country. It is, however, reportedly in use by Vodafone in Portugal.

Carrier IQ has denied any invasion of privacy, but also sent a cease and desist letter to Eckhart, which it then retracted, acknowledging his right to freedom of speech.

The company claims its software “does not record keystrokes, provide tracking tools, inspect or report on the content of communications, such as the content of emails and SMSs, provide real-time data reporting to any customer or sell Carrier IQ data to third parties” – despite evidence that the software is capable of doing just that.

Despite these claims, Carrier IQ has been very proud, in previous press releases, of its software’s ability to snoop, saying it “gives wireless carriers and mobile device manufacturers an unprecedented view into what is actually happening on mobile subscribers’ devices as it occurs, at the point of delivery and use”. Its marketing material adds that the IQ Insight Experience Manager uses data directly from the mobile device to give a precise view of how the services and the applications are being used, even if the phone is not communicating with the network.

“Experience Manager takes customer experience profiling to an advanced level with multiple levels of granularity, from the entire population, to comparative groups, down to individual users – all at the touch of a button,” said the company.

This level of detail on what most consider to be private data is a cause for concern, but what has Eckhart upset is that users do not seem to have a say in the matter. He considers the software a rootkit, as it gives service providers continued privileged access to devices without user consent or knowledge. It is also so deeply embedded that it cannot be safely removed, and users cannot opt out or disable the tool.

“It’s almost impossible to fully remove Carrier IQ. The browser is modified to send to Carrier IQ daemon, as is almost everything else. The application is so deeply embedded in our devices that a user must rebuild the whole device (system.img and boot.img) directly from source code to remove every part of CIQ,” said Eckhart on a website dedicated to discussing the issue.

According to Eckhart, who demonstrated the software on his HTC Android phone, this rootkit is installed on many other mobile phones including BlackBerries, Nokias and various tablets offered by US carriers, Sprint and Verizon, among others.

Customer experience or spyware

In an unrelated press release, the company said that Carrier IQ software is deployed on over 150 million devices including smartphones, feature phones, data cards, radio-equipped devices and downloadable agents from vendors, world-wide, and plans to extend its analytics software to tablet devices, e-readers, and non-handset devices by the end of 2011.

While Carrier IQ does have offices in London, the company was not available for comment, and it is unclear whether its monitoring software has been deployed by UK service providers.

A spokesperson from the Information Commissioner’s Office (ICO) told eWEEK Europe UK that it was currently not aware of any UK service providers running the product, and that if such software were to be introduced, it would have to meet the requirements of the Data Protection Act. “The first principle of the Act is about fair and lawful processing of data to ensure privacy. Unless the data collected is fully anonymised, retaining no personal information at all, companies adopting such technology would clearly have to comply with the DPA and, where there were any doubts, we would expect to be consulted on the matter.”