Holy data privacy scandal! Over the last week the news that Carrier IQ has been tracking millions of smartphone users without their knowledge has ballooned into a full-blown clusternut. Carrier IQ, huh? Sounds nefarious. But what exactly does it do? And why should you care?
Carrier IQ is a third-party metrics service...
Smartphone manufacturers and carriers alike are dying to know how you use their products in the real world. They want this information to help them to study performance, make business decisions, and improve products. Carrier IQ is an "embedded analytics company" that serves that information up to its clients on a silver, snooping platter.
…that, unbeknownst to customers, possibly installed software on millions of Android, BlackBerry, and iOS handsets...
Until yesterday, most people probably didn't even realize they had Carrier IQ installed on their phones. The software isn't part of Android, iOS, or BlackBerry OS. It's installed independently by either your carrier or your phone manufacturer. A rolling counter on the Carrier IQ website claims more than 140 million devices. But which ones? It's not entirely clear at this time, although several companies have stepped forward to say they don't have the software. It's off by default in iOS but activates, in a limited way, when you put your phone in Diagnostics mode. Android owners can also test their handsets to see if they're affected.
…to collect swaths of "performance data"...
What data the software collects depends on what entity installed it on your phone, because Carrier IQ is customized to meet the desires of the client that uses it. In corporate marketing materials, Carrier IQ says that includes relatively benign info like data speed and app usage. But Trevor Eckhart, the developer who first outed Carrier IQ, has demonstrated that the software can log virtually anything you do on your phone: calls, location, even keystrokes. That means it could in theory log all your passwords and credit card numbers when you punch them in.
…which is definitely creepy…
If we've learned anything about privacy from Facebook it's that this level of granular data collection freaks people out even when they know about it. And when you think about what it does when it's done with spying, tracking, logging—pick a term—it's downright sickening. What's being collected and what do they know about me? What are they going to do with that information and who has access? Those are all still open questions.
…and it's possibly illegal…
Well, Carrier IQ has already been hit with a Senate investigation, and as Forbes reports, since we didn't know about the service it might actually violate the Wiretap Act millions of times over. Is it possible that you signed off on some terms and conditions agreement that had Carrier IQ buried deep? Sure. But it's still not unreasonable to expect a class action lawsuit and other legal action.
...despite Carrier IQ claims that it's actually benign...
According to a statement by Carrier IQ, it's besides the point that they can log keystrokes because the software is "counting and summarizing performance, not recording keystrokes or providing tracking tools."
...which are demonstrably untrue.
The company claims it's not logging keystrokes or anything else, and even if it was, it's all processed before it ever goes back to the clients. But that stance was largely disproven by Eckhart, who demonstrates on film that keystrokes submit unique key codes to Carrier IQ on affected phones, and that even secure connections are vulnerable.
There's going to be a lot more information coming as this story unfolds, but in the meantime: either the carrier/handset manufacturers associated with Carrier IQ didn't know exactly what was going on, or they did and thought they wouldn't get caught. And either way, this is repulsive stuff. Hopefully a reckoning is on its way.
Update: Research in Motion has released the following statement in response to this article.
RIM is aware of a recent claim by a security researcher that an application called "CarrierIQ" is installed on mobile devices from multiple vendors without the knowledge or consent of the device users. RIM does not pre-install the CarrierIQ app on BlackBerry smartphones or authorize its carrier partners to install the CarrierIQ app before sales or distribution. RIM also did not develop or commission the development of the CarrierIQ application, and has no involvement in the testing, promotion, or distribution of the app. RIM will continue to investigate reports and speculation related to CarrierIQ.
You can keep up with Mario Aguilar, the author of this post, on Twitter and Google+.