AT&T and Sprint have admitted secretly installing a spyware app called Carrier IQ on their smartphones, while RIM and Nokia continue to deny it, despite statements from researcher Trevor Eckhart that he had found the rootkit on both BlackBerry and Nokia phones.
It's a refreshing bit of honesty – though only by contrast with the other players – from major players, all of whom got caught red-handed running very capable spyware on the phones of their customers without mentioning that they'd done it.
Eckhart posted a video showing Carrier IQ recording all the keystrokes he made on the handset.
Carrier IQ, the company that makes the "mobile-service intelligence solution," said the software doesn't record keystrokes, track users, inspect content on a phone or give real-time data on user activities to the carriers.
The company issued a statement Dec. 1 "vigorously" disagreeing with charges it had violated wiretap laws (PDF) by secretly recording user activities. It said the software collects performance data on phones, not the content of what users do. Every carrier sets up the monitoring in a different way, so Carrier IQ can't give a firm list of all the information each collects.
Carrier IQ doesn't invade the privacy of customers, however, because it doesn't read their content, all the data it sends to carriers about what customers do is encrypted and remains inside the carrier's own network, and Carrier IQ operates under the same trusted relationship customers have with their carrier (there was no indication of snickering or sarcasm in that line of the press release, btw).
"While a few individuals have identified that there is a great deal of information available to the Carrier IQ software inside the handset, our software does not record, store or transmit the contents of SMS messages, email, photographs, audio or video. For example, we understand whether an SMS was sent accurately, but do not record or transmit the content of the SMS. We know which applications are draining your battery, but do not capture the screen."
Carrier IQ statement on surreptitious monitoring, Dec. 1, 2011
All cleared up? Good.
Pay no attention to descriptions on the web site about IQ Insight Device Analyzer, the agent version of the software that runs on smartphones, which, according to Carrier IQ's data sheet, can:
- Identify failures at different layers (radio, service, application, device, UI).
- Define device profiles, which specify the event data to be submitted, as well as the circumstances that trigger capture.
- Manage the device lifecycle, which includes tasking devices with appropriate profiles, OTA update of profiles, and data uploads.
- View a pattern of events to compare results of a service.
- Capture device context on demand for later review.
- View trial statistics for device configurations, feature sets and events.
- Run custom reports to address your needs.
- Manage events and measures based on trial goals.
Given all that, I'd be surprised if the software didn't also have the ability to read content.
The IQ Insight Experience Manager ("See how services and devices perform in the hands of real users," reads the descriptive copy on the web site) goes even further.
- It promises to analyze data in real time (contradicting Carrier IQ's statement to the contrary);
- It promises to capture a "vast array of experience data, including screen transitions, button presses, service interactions and anomalies" (contradicting Carrier IQ's promise that it can't collect keystrokes or capture screen shots);
- It promises to let carriers "view application and device feature usage, such as camera, music, messaging, browser and TV," making it pretty clear that Carrier IQ can all but replay a user's smartphone activity back for the entertainment of carrier execs, if necessary.
Carrier IQ is very clear that the software it runs on smartphones is part of an overall framework designed to identify application conflicts, network bottlenecks and other issues that degrade the service a carrier is trying to provide.
Carrier IQ seems a little too glib about saying it's not spying on customers while it does so.
Carrier IQ – as well as RIM and Nokia – needs to learn the lesson scandal-ridden politicians did years ago: when you're caught red-handed, it's best to 'fess up right away to put your own spin on the story and minimize gossip.
Read more of Kevin Fogarty's CoreIT blog and follow the latest IT news at ITworld.