Thursday Dec 1st 2011
News Analysis: The installation of Carrier IQ's monitoring software on wireless devices causes privacy concerns. But it has more serious implications regarding security, federal data protection regulations and even wiretapping rules.
By now you've probably heard there's a mysterious phone tracking app called Carrier IQ that's been found on some smartphones. This app, according to Trevor Eckhart, a systems administrator and Android researcher, records keystrokes, instant messages and perhaps even voice and email.
He provides a demonstration of this on YouTube with a video about how to discover Carrier IQ. Eckhart demonstrates the app on his own Sprint Evo 4G, and shows how it records everything that passes through the phone.
Eckhart also claims that this same app, which is really nothing less than spyware, is installed on some Nokia and RIM devices. However, he doesn't show this. But what he does show is chilling. Not only does Carrier IQ record everything the phone does, but you can't remove it and you can't turn it off.
Carrier IQ released a statement that the only thing being collected is operational information necessary to provide better service, and that the software is installed by the device manufacturers at the factory. Clearly Eckhart's demonstration shows that Carrier IQ is at best disingenuous. The software collects far more than what the company is saying.
But what's less clear is how the software really gets on the phone and what it's actually transmitting to its own servers. Clearly, the part of the software that's on the Android phones is collecting everything. Carrier IQ is being far less than transparent about what's actually going on, and that only deepens the confusion. But we do know some things, at least.
Eckhart's demonstration shows that the Carrier IQ software exists on Android devices sold by Sprint. In the demonstration, it was on a device made by HTC. Since that was the only data point that I could confirm, I checked a few other devices I had handy. Here's what I found:
There was no sign of Carrier IQ on the Android phones from Verizon Wireless that I checked. Interestingly, Verizon says that it might collect such information and in its privacy statement explains fully what it may want to collect, and offers an opt-out option. But the Verizon phones I looked at didn't have Carrier IQ installed.
I also checked one Samsung and one HTC phone from T-Mobile and found no sign of Carrier IQ, although the Samsung phone had a logging app that may have a similar function; at least you can turn that one off.
However, T-Mobile released a statement saying it does use Carrier IQ for diagnostic purposes.
So what does this mean to your business or your personal privacy? First, it appears that BlackBerry devices are not affected by Carrier IQ, but if it shows up on a BlackBerry, RIM will help you remove it. Second, while the iPhone may have Carrier IQ installed, it can be disabled easily and in any case may only run in a diagnostic mode. But Android devices are another story.
If your company uses Android phones, then it's important that you determine whether Carrier IQ is installed on each device. If you find it, then the device should only be used for applications where no sensitive or protected data can pass through it. Because Carrier IQ can record the content of email and text messages, it would probably violate Payment Card Industry (PCI) rules, the U.S. Sarbanes-Oxley Act and the Health Insurance Portability and Accountability Act (HIPAA) even if the data isn't sent to Carrier IQ.
If you have a large corporate contract with a carrier that uses Carrier IQ, your best option is to insert language into your contract requiring the carrier to remove this software from any devices it provides. If the carrier refuses, then find another carrier. The risk to your company from having its protected data compromised by Carrier IQ is too great. After all, who wants to find themselves in prison just because some phone carrier wanted to monitor more than it should?
Basically, this means that if your carrier is Sprint, you'll need to check every Android device you have for the presence of Carrier IQ. If it's on those phones, the safest course is to ask Sprint to either replace the phones or remove the software. Of course, an even safer route is to buy something besides Android devices for your company. Android phones have suffered from a widespread problem with malware unrelated to Carrier IQ of late and that simply adds another layer of risk and another management headache.
If you're in the process of signing up a new wireless carrier, add language that the carrier cannot install any sort of monitoring software that has the potential to violate the law. If you allow your employees to bring their own smartphones for use at work, then you'll need to inspect them for the presence of Carrier IQ before they can be allowed on the company network or be used for company communications.
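The inspection step above can be scripted against the package list a device reports over adb. This is an added example, not part of the article or any tool it mentions; the package listing it parses is a constructed sample (the package name shown is a stand-in, not a verified identifier for Carrier IQ on any particular phone), and flagged packages living under /system cannot be uninstalled by the user, which matches the "can't remove it" behaviour described earlier.

```shell
#!/bin/sh
# Added example: inventory Android packages from the output of
#   adb shell pm list packages -f
# and flag any whose name or APK path mentions Carrier IQ.
# Each line has the form:  package:<apk path>=<package name>

# Constructed sample listing standing in for a real device.
SAMPLE_PKGS='package:/system/app/Phone.apk=com.android.phone
package:/data/app/com.example.notes-1.apk=com.example.notes
package:/system/app/HiddenAgent.apk=com.carrieriq.iqagent'

# Print one tab-separated report line (package, apk, removability)
# per package matching the pattern (default: carrieriq, case-insensitive).
flag_monitoring_pkgs() {
    pattern="${1:-carrieriq}"
    while IFS= read -r line; do
        case "$line" in package:*) ;; *) continue ;; esac
        entry="${line#package:}"
        apk="${entry%%=*}"
        pkg="${entry##*=}"
        if printf '%s\n' "$entry" | grep -qi -- "$pattern"; then
            case "$apk" in
                /system/*) where="system partition (not user-removable)" ;;
                *)         where="user-installed (removable)" ;;
            esac
            printf '%s\t%s\t%s\n' "$pkg" "$apk" "$where"
        fi
    done
}

# Number of flagged packages; nonzero means the device needs review
# before it touches company data.
count_flagged() { flag_monitoring_pkgs "$1" | wc -l | tr -d ' '; }

# Stand-alone run against the constructed sample.
printf '%s\n' "$SAMPLE_PKGS" | flag_monitoring_pkgs
```

With a device attached, pipe `adb shell pm list packages -f` into `flag_monitoring_pkgs` instead of the sample.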
Finally, if you need some help figuring out just what information is being collected about your activities on your smartphone, Eckhart has a solution that might help. But all of this adds another layer of management time and expense. It might be better just to avoid Android for now, at least until this is figured out, and stick with devices that don't have the problem, such as Windows Phones and BlackBerries, and probably iPhones if they run iOS 5 and can turn off Carrier IQ.
Editor's note: This story was updated with a statement from T-Mobile regarding its use of Carrier IQ.