
Mobile privacy debate reignites over hidden smartphone app

A controversy over smartphone privacy has reignited following a coder's recent post detailing how a hidden software application on Android-based HTC phones can collect a range of information about the user's activities.

The client program is from a venture-funded company called Carrier IQ, based in Mountain View, Calif. It created software, dubbed by one security researcher a classic rootkit, to collect a variety of "operational" data about the phone's usage, ostensibly to let carriers identify radio, performance and usage problems and correct them.


But a number of programmers have been trying to delve into the details of how Carrier IQ actually works, and what information it accesses. The most detailed account was posted earlier this month by Trevor Eckhart, who lists his job as IT director and is part of the XDA-developers.com Website of Android and Windows Phone users and programmers. He blogged about what he discovered, surmised, and questioned in a two-part post, starting here, at his own Website, AndroidSecurityTest.com.

Last March, another XDA member, called k0nane, apparently was the first to actually take note of the Carrier IQ application on Sprint-based Samsung phones.

Complementing Eckhart's post was one by Geek.com's Brian Holly, who elaborated on some parts of Eckhart's post, added some context about Carrier IQ the company, and detailed the responses, or the lack thereof, by the software vendor, HTC (Eckhart used his own HTC Evo for this demo), and Sprint. Most of the comments were unsupported, general assurances that these companies could not analyze, or were not analyzing, detailed user information and activities.

Eckhart quotes from Carrier IQ's own materials, including the patent application, to define the intended scope of the software application. From the patent filing: "Carrier IQ is able to query any metric from a device. A metric can be a dropped call because of lack of service. The scope of the word metric is very broad though, including device type, such as manufacturer and model, available memory and battery life, the type of applications resident on the device, the geographical location of the device, the end user's pressing of keys on the device, usage history of the device, including those that characterize a user's interaction with a device."

To do this, Carrier IQ provides an embedded client on the mobile device and server-based analytics applications. According to the vendor's documentation, these analytics give administrators details about performance and usage characteristics.

The program, says Eckhart, is a "rootkit," or software that gives a user privileged access to a computer's functions. "Carrier IQ...listens on the phones for commands contained in 'tasking profiles' sent a number of ways and returns whatever 'metric' was asked for," he writes.

At the same time, at least on the HTC phone Eckhart used, the presence of Carrier IQ is hidden, or at least buried, from the surface of the user interface. One issue that pundits and privacy advocates have focused on is that most handset makers and carriers don't inform users that this information is being collected, or, if they do, don't give them the ability to block the collection.

According to Eckhart, Verizon apparently is alone in describing this process in a privacy policy, and giving users an "opt-out" option.

Holly, at Geek.com, contacted Jason Gertzen of Sprint's corporate PR department for comment on how the carrier handles Carrier IQ data. "Gertzen assured me that Sprint was unable to look at the contents of messages, photos, or videos using the Carrier IQ tools. He also noted that the information that is collected is not sold, and that no one but Sprint has access to a direct feed of the data they collect. Gertzen was unwilling to comment as to why Sprint was unwilling to provide an opt-out for the service, stating only that Sprint relies on Carrier IQ to help maintain network performance."

Holly noted that Sprint's privacy policy acknowledges the carrier monitors systems and services and will "anonymize or aggregate personal information for various purposes like market analysis or traffic flow analysis and reporting". The policy also says Sprint will share the information with outside companies in order to deliver targeted advertising to users based on their interests.

 

Eckhart created a 17-minute YouTube video that demonstrates some of the capabilities of Carrier IQ. At about 8:41, he starts to show log entries from his HTC phone that clearly show references to one or more Carrier IQ components. His most incendiary suggestion is that Carrier IQ can and does see and record individual keystrokes.

But the video is actually unclear, at least to viewers without a deep programming or security background, about whether the Carrier IQ client is seeing the keystrokes or, if it is, whether it is recording them in the log.

And that's just the point that someone identified as "security researcher" Dan Rosenberg made in a posting at Pastebin.com, being cited in a range of online reports including this one at NPR.com. Rosenberg says he has reverse engineered the application, and sees "no evidence that they are collecting anything more than what they've publicly claimed: anonymized metrics data." He goes on: "There's a big difference between 'look, it does something when I press a key' and 'it's sending all my keystrokes to the carrier!'. Based on what I've seen, there is no code in Carrier IQ that actually records keystrokes for data collection purposes."

In a statement issued last week, in direct response to the controversy ignited by Eckhart's posts, the software vendor reiterated its insistence that nothing of the sort is happening: "While we look at many aspects of a device's performance, we are counting and summarizing performance, not recording keystrokes or providing tracking tools. The metrics and tools we derive are not designed to deliver such information, nor do we have any intention of developing such tools. The information gathered by Carrier IQ is done so for the exclusive use of that customer, and Carrier IQ does not sell personal subscriber information to 3rd parties. The information derived from devices is encrypted and secured within our customer's network or in our audited and customer-approved facilities."

Carrier IQ's other response was to serve Eckhart with a cease-and-desist letter, which went public when he turned to the Electronic Frontier Foundation (EFF) for help. Eckhart had downloaded and then mirrored publicly accessible training documents on the Carrier IQ Website, containing more details about how the vendor's software worked. According to the EFF post, "Carrier IQ immediately made the files unavailable, but it didn't stop there. Carrier IQ fired off a cease-and-desist letter (pdf) to Eckhart, claiming that he infringed its copyrights and made unspecified 'false allegations' about its software. Among other things, the company demanded that Eckhart turn over contact information for every person who had obtained the files from him, and that he replace his analysis with a statement—written for him by Carrier IQ—disavowing his research."

On Nov. 23, about a week after Eckhart's postings, Carrier IQ issued a statement that it had withdrawn the cease-and-desist letter and had apologized to both Eckhart and the EFF.

Predictably, the presence of the software, and especially its alleged key-logging capability, has triggered outrage. "I mean, what kind of permissible purpose is out there that can allow a company to legally place a key logger on something and use it when you are not even getting service out of them?" fulminates egzthunder1, a poster at XDA-developers. "This is a clear infringement of consumer rights down to its core. Not being able to opt out is downright ridiculous and we would like to request that this is fixed in upcoming devices and software updates."

John Cox covers wireless networking and mobile computing for Network World.

Twitter: http://twitter.com/johnwcoxnww

Blog RSS feed: http://www.networkworld.com/community/blog/2989/feed
