FAQ: Behind the Carrier IQ rootkit controversy

Critics say Carrier IQ software surreptitiously gathers personal data from phones; the vendor and carriers say only service-related data is tracked

The recent disclosure that top mobile phone providers are using software from Carrier IQ that critics say can gather and track all sorts of personal data from a user's smartphone has sparked a firestorm of controversy.

AT&T and Sprint Thursday admitted to installing the software in their phones, but insist that it's only used to collect service related data.

Other carriers deny using the software.

Here's what the controversy is all about.

What does Carrier IQ do?

Mountain View, Calif.-based Carrier IQ sells software designed to help wireless service providers and device makers identify and diagnose service and quality related problems such as dropped calls and battery drain. The software can be used to collect data for analyzing service quality, device quality and what Carrier IQ calls mobile customer experience.

Carrier IQ says its software is installed on over 150 million devices worldwide.

What sparked the controversy over Carrier IQ?

Earlier this month, Trevor Eckhart, a 25-year-old security researcher from Connecticut published details of research he had done showing how Carrier IQ software can be easily tweaked to conduct surreptitious and highly intrusive tracking of Android, BlackBerry and other smartphone users.

Eckhart described the software as a keystroke logging rootkit that is hard to detect, hard to remove and programmed to run by default on millions of handsets without the users' knowledge.

In addition to collecting device and service related data, Carrier IQ's software can collect data about a user's location, application use, Web browsing habits, videos watched, texts read and even the keys they press, according to Eckhart. The software runs when the phone is switched on and can log all activities until it is switched off. Carriers can set 'triggers', or actions that cause specific data to be logged and sent to them.

Is it known which carriers and handset makers use the tool?

So far, AT&T and Sprint have confirmed that their handsets run Carrier IQ's software. Both carriers insist that the software meets their stated privacy policies and only collects service and quality-related data. Neither company has identified the handsets running the software. Neither disclosed whether users are notified of its presence or whether they can turn it off.

Device makers HTC and Samsung confirmed that their phones include the software, but said they added it only at the request of the carriers.

What about other carriers and handset makers?

Verizon, Research in Motion and Nokia each say they don't use the software in their phones. All three say reports suggesting otherwise are incorrect. There have been several reports that Carrier IQ software has been found on Apple iPhones as well. iPhone hacker chpwn blogged about discovering Carrier IQ on several models "up through and including iOS 5"-based devices. However, the software appears to be easier to disable on the iPhone than on other devices, according to chpwn. Apple has neither confirmed nor denied the reports. The company did not immediately respond to a request for comment.

Is use of the Carrier IQ software on mobile phones legal?

You can safely bet that a lot of lawyers are studying the legality of the software at this moment. In a letter addressed to Larry Lenhart, president and CEO of Carrier IQ, today, U.S. Sen. Al Franken (D-Minn.) said that use of the software may violate the U.S. Electronic Communications Privacy Act (ECPA) and the Computer Fraud and Abuse Act.

Meanwhile, the Electronic Privacy Information Center today briefly noted that the use of Carrier IQ's software to log data may constitute an "unlawful intercept" of data under the ECPA. In comments made to Forbes, former Justice Department prosecutor Paul Ohm said that the use of the software could be grounds for class action lawsuits based on federal wiretapping laws.

How has Carrier IQ responded to the complaints?

When Eckhart first published the report, the company threatened to sue him for breach of copyright. (Eckhart used publicly available training materials from Carrier IQ's site for his research. He later posted copies of those training materials on mirror sites.) The company also asked him to withdraw his findings, say they were incorrect, and apologize to the company. After the Electronic Frontier Foundation intervened on Eckhart's behalf, Carrier IQ withdrew its threat and its CEO personally apologized to the researcher.

In a statement, Carrier IQ maintained that its software does not record keystrokes, does not support user tracking and does not inspect data communications, according to a story in Forbes. The Carrier IQ site was down this afternoon.

Jaikumar Vijayan covers data security and privacy issues, financial services security and e-voting for Computerworld. Follow Jaikumar on Twitter at @jaivijayan, or subscribe to Jaikumar's RSS feed. His e-mail address is jvijayan@computerworld.com.

This story, "FAQ: Behind the Carrier IQ rootkit controversy" was originally published by Computerworld.