Does Hidden Smartphone Software Threaten Your Privacy?
An independent developer has lifted the veil off a piece of software that secretly monitors millions of smartphone users' keystrokes, text messages and encrypted Web searches without their consent. The software maker contends its product enhances the customer's mobile experience, nothing more.
The software, Carrier IQ, is found on most Android, BlackBerry and Nokia phones, and is designed to gather diagnostic intelligence on mobile devices to increase their performance. But as Android developer Trevor Eckhart demonstrated in a 17-minute YouTube video, Carrier IQ also logs users' keystrokes , text messages, encrypted Web searches, and can record audio.
Eckhart pressed a series of buttons as if making a phone call, and showed how Carrier IQ gives each button receives is given a unique command code. "Every button that you press in dialer, before you even [make a call] already gets sent off to the IQ application," Eckhart said.
As Eckhart showed, Carrier IQ does not appear in the menu of running applications, and although it presents users a "Force Quit" option, it does not stop running even when "Force Quit" is pressed.
Carrier IQ took notice of Eckhart's video and addressed the privacy concerns he raised in a Nov. 16 media alert.
"While we look at many aspects of a device's performance, we are counting and summarizing performance, not recording keystrokes or providing tracking tools," Carrier IQ wrote.
Carrier IQ added that it does not sell any personal information to third-party companies, and that the information it collects from phones is "encrypted and secured within our customer's network or in our audited and customer-approved facilities."
So should you be concerned that your smartphone may know more about you than you thought? Dan Rosenberg, security consultant with Virtual Security Research, said that while Carrier IQ should allow customers to opt out, it's not as bad as Eckhart claims.
Rosenberg reverse-engineered Carrier IQ, and found "no evidence that they are collecting anything more than what they've publicly claimed: anonymized metrics data," he wrote on Pastebin.
"Anonymized metrics data" means data from thousands or millions of devices that's stripped of individual user information before it's crunched by analytic software. It's very valuable Google Maps' real-time traffic-conditions maps use it, for example.
But its use is guaranteed to freak out the general public, as was shown by the huge uproar this past spring over the iPhone's use of anonymous tracking data. And just this past week, a major shopping-mall operator was forced to cancel a test of a system that used similarly anonymized cellphone tracking data to analyze consumer shopping patterns .
"Based on what I've seen, there is no code in Carrier IQ that actually records keystrokes for data collection purposes," Rosenberg added. "Of course, the fact that there are hooks in these events suggests that future versions may abuse this type of functionality, and CIQ should be held accountable and be under close scrutiny so that this type of privacy invasion does not occur. But all the recent noise on this is mostly unfounded."