RIM Comes Clean Over Carrier IQ

Wayne Rash

When Carrier IQ’s mobile device monitoring software first came to everyone’s attention after a security researcher demonstrated how it logged everything from text messages to locations on a Sprint Android phone, there was a lot of consternation over which devices might actually be stealthily loaded with the application.

Carrier IQ has the ability to create software for virtually every mobile platform out there except Windows Mobile 7. However, there were assurances that the software really wasn’t on every phone, or even used by every carrier.

Mobile operators deny it all

In the US, Verizon Wireless, said it does not use Carrier IQ at all. AT&T and T-Mobile confirmed that they do use the software. T-Mobile released a statement that it only uses the software for improving call quality.

Research In Motion said it does not install Carrier IQ on any of its devices, and does not authorise carriers to install it. The company also told eWEEK at the time that there have been circumstances in the past where similar software was installed on its devices and that it had helped users remove it.

Last week, however, a leaked T-Mobile internal document revealed which phones include Carrier IQ software. It turns out that T-Mobile in the US installs Carrier IQ on three BlackBerry devices in spite of RIM’s policy that it should not be doing so. Those BlackBerry devices in the memo are the new touch-screen Bold 9900, the Curve 9360 and the new full touch-screen Torch 9810. The document also shows that the Carrier IQ software was installed on Android phones from T-Mobile.

The Android devices are covered in the description furnished by Trevor Eckhart in his Android Security Test. Eckhart also provides software and instructions for removing Carrier IQ from Android phones, but the problem is that you must “root” your phone and replace the operating system to get rid of it.

RIM’s description of the BlackBerry solution is less likely to cause problems, and the company has provided instructions on getting rid of Carrier IQ from every BlackBerry platform capable of supporting it.

A senior RIM executive provided to eWEEK the instructions for removing the Carrier IQ software. BlackBerry users should look for an app called “IQ Agent.” Note that this procedure will work with any third-party application on your BlackBerry device, including Carrier IQ.

It should also – if British operators are to be believed – not be necessary for UK-based BlackBerry users. But it does mean that if you travel someplace where the authorities routinely place monitoring software on your BlackBerry, you can get that off too. This procedure is also useful for killing that memory-hungry version of Solitaire that causes problems when some other memory-intensive app runs and needs more space.

Continoued on page 2

Continued from page 1

What’s nice about the BlackBerry approach is that it’s entirely supported by the existing software management tools. All you have to do is locate the app and direct the BlackBerry delete it.

This makes sense. After all, RIM takes the security of the BlackBerry very seriously. Allowing a piece of software to exist on its devices that has the capability, whether it’s used or not, to record keystrokes, text messages and email as well as location data compromises the security of BlackBerry devices in a way RIM has never tolerated. RIM has resisted pressure from India, the United Arab Emirates, Indonesia and others that threatened to ban RIM products if the company didn’t turn over its data encryption keys.

RIM stood its ground and refused to compromise its customers’ data privacy. It was willing to risk the ban rather than break its promise to its customers. After facing down the intelligence services of several nations, why would RIM cave in to a couple of wireless carriers that install spyware?

Carriers have failed to explain their position

For its part, Carrier IQ has tried hard to explain its position by issuing a statement claiming it’s the carriers that want to capture the information. Carrier IQ has consistently said it doesn’t receive any of the data in question. So far, it seems that the concerns addressed to Carrier IQ are more properly addressed to the carriers.

Unfortunately, none of the carriers contacted by eWEEK provided a useful response. T-Mobile repeated its original statement; the other carriers had no comment.

In a brief statement, Carrier IQ defended how its software works.

“Carrier IQ is pre-installed on RIM devices by Network Operators to help solve problems consumers find on their devices,” Andrew Coward, vice president of marketing at Carrier IQ wrote in a statement. “By removing Carrier IQ, Network Operators will no longer be able to offer a high level of service in the event that customers call for assistance.”

If T-Mobile, Sprint and AT&T were going to collect any sort of data from customers’ smartphones, then those companies should have revealed exactly what they were collecting and what was being done with the data and given the customer the ability to opt out.

None of the carriers that use Carrier IQ has done this.

By contrast, Verizon, which does collect information from customers, discloses this fact in its privacy statement, which includes an opt-out provision. There’s no reason the other carriers couldn’t do the same. There’s also no reason that the carriers that use such software couldn’t adopt a policy of transparency instead of stonewalling about information that will eventually come out anyway.