Keys, wallet, phone. If you’re like me, it’s a little dance you do every time you’re about to leave the house to make sure you’ve got these three most important of possessions. But, as important as your keys and wallet are, smartphones are even more so these days. They’re not only our phones, they’re our virtual wallets, our confidants, our links to the outside world. They go everywhere with us—which is why we take it so seriously when we hear anything about their security being compromised.
Thus, the uproar over recent news that many popular smartphones include a piece of software called Carrier IQ, which carriers ostensibly use for making sure their networks are functioning optimally. But it seems that this software is doing much more than it should be, to the point where it may be compromising users’ data. Here’s a quick rundown of the players, what’s going on, and whether you should be concerned.
Carrier IQ bills itself as “an embedded analytics company” that works with the mobile industry—in this case, the carriers. Of its mission, Carrier IQ says “We measure and summarize performance of the device to assist Operators in delivering better service.”
Those measurements are collected by Carrier IQ’s eponymous software, which is installed on phones and works much like software that you might install on your website to see what kind of traffic it’s getting. But because of the way Carrier IQ is installed on your phone, you may not even know that it’s running, and it doesn’t necessarily alert you when it’s collecting information, or tell you what it’s collecting.
So what kind of information is it tracking?
Well, that depends. Carrier IQ is apparently capable of tracking a variety of information—the company does not spell out the full list—including whether an SMS message was sent accurately, what apps are draining your device’s power, when calls drop, and more.
But Android developer and system administrator Trevor Eckhart alleges that Carrier IQ goes far beyond that. He says that Carrier IQ can be configured to record information like key presses on Web pages and contact data, transmit that information to remote servers, and even allow access to that data on a device-by-device basis. And it can do all of that while concealing itself from end users. Eckhart recorded a video of himself demonstrating the capabilities of Carrier IQ on an Android-powered HTC phone.
As to what exactly is collected from users’ phones, it seems that it depends on their carrier and the maker of their phone.
Who’s collecting what, then?
And here we enter into the tangled web. Because according to Carrier IQ, it hands its software over to the carriers, then washes its hands of the matter.
For the carriers’ parts, both Sprint and AT&T have admitted that they use Carrier IQ, though they say that it’s solely for the purpose of improving their networks; T-Mobile has said much the same thing. Verizon has stated that it doesn’t use Carrier IQ at all.
As for phone manufacturers, Engadget has an excellent compilation of statements on the subject from the major players. In short, HP, Nokia, and Microsoft all say that their phones don’t use Carrier IQ, period.
Google says it doesn’t work with Carrier IQ, but has no control over its Android partners. Of those partners, HTC and Samsung—some of whose phones have been shown to run the software—say that the software is only included on some phones at the behest of U.S. carriers, and that the manufacturers don’t receive any data collected.
Research in Motion says it doesn’t pre-install Carrier IQ on any of its devices, or let carriers install it… “before sales or distribution.” Which is presumably not to say that it couldn’t find its way onto BlackBerries after they’ve been sold.
I notice you didn’t mention Apple. I use an iPhone, so what’s the deal?
Apple’s situation is a bit cloudier. The company issued a statement earlier this week saying that as of iOS 5, it stopped supporting Carrier IQ in “most” of its products.
The company told Ars Technica that the iPhone 4 is the only remaining device running Carrier IQ under iOS 5. But, the company says, in no circumstances is any personal information ever recorded. Only diagnostic information was collected, and then only when users opted in. The company says it will remove Carrier IQ entirely from all devices in a future software update.
I don’t remember opting in to this Carrier IQ nonsense on my iPhone 4—how can I opt out?
You probably don’t remember because you won’t find the words “Carrier IQ” anywhere on your iOS device, but if you’ve let your iPhone 4 send diagnostic information to Apple then you’ve enabled Carrier IQ, albeit in a very limited form.
To opt out, navigate to Settings -> General -> About and scroll down to Diagnostics & Usage. Inside you’ll find two options, Automatically Send and Don’t Send—tap Don’t Send, and your data will still be logged, but it won’t be sent to Apple.
If you’re hankering to know just what kind of data is being sent, tap Diagnostics & Usage Data on that screen and you’ll see a list of the logged data, although it won’t tell you too much unless you have access to what the codes mean.
What’s being done about this?
As with the location tracking brouhaha earlier this year, all this talk has gotten the attention of the government. Senator Al Franken (D-Minnesota), who chairs the subcommittee on Privacy, Technology and the Law, has sent a letter to Carrier IQ demanding answers about what information is logged, where it’s sent, and how this data is secured. The company has until December 14 to respond.
Representative Ed Markey (D-Massachusetts), who sits on the House Energy Subcommittee on Communications and Technology, has also asked the Federal Trade Commission to look into Carrier IQ and determine exactly what information is being collected from consumers’ smartphones.
Meanwhile, some consumers have taken matters into their own hands, launching a federal class action lawsuit against Carrier IQ and HTC, alleging that Carrier IQ collected sensitive and personal information without the knowledge of users—a violation of the federal Wiretap Act.
Should I be worried?
It’s a hard question to answer, and it depends on your situation. Users of iOS devices likely have little to worry about, since Apple has stated that no personal information was collected or recorded, and the company is usually fastidious about such things. But if you’re concerned, you can deactivate Apple’s diagnostic system, as mentioned above—just keep in mind that the information that is logged can be helpful to Apple and the carriers for sussing out reception problems or network dead spots, and it may be a case of cutting your nose off to spite your face.
Users of other smartphones will want to check with their carriers and device manufacturers to figure out if there’s an issue. An Android developer has already released an app that users can run to see if their phone contains Carrier IQ.
In the grand scheme of things, I’d say that this situation is somewhat more worrying than the earlier fuss over the location information, as in that case it turned out that the information was not coordinates of users’ locations, but of nearby cell towers. But I wouldn’t wrap your phone in tinfoil just yet—for one thing, it’s really going to kill your reception.
Far more worrying to me is the finger-pointing and lack of responsibility amongst the involved parties, none of whom can seem to account for why this software was collecting as much information as it appears to have been. These carriers and manufacturers have, with our permission, access to a lot of our data, and when we can’t determine which ones are telling the truth, it becomes that much harder to trust any of them. So rest assured we’ll be watching this story’s development—especially where the government is concerned—with interest.