After you buy a smartphone and the required mobile broadband service, what you do with the device is your business, right? Maybe not. Earlier this month, the XDA-Developer site noticed that a preinstalled mobile app, named Carrier IQ, was logging all smartphone activities with no way to opt out. On Wednesday, a new video demonstration surfaced that demonstrates exactly what the Carrier IQ software does. And it’s disturbing, especially when you consider more than 141 million Android, BlackBerry, (s rimm) and Nokia (s nok) handsets have the software installed.
Here’s the entire 17 minute video; a bit long, yes, but if you have a smartphone, it’s well worth watching. If you want to skip the basic handset setup parts — showing that this is a freshly restored phone — hit the video around the 8 minute mark to see the logging aspects.
- Logging of keystrokes. Nearly every button — hardware or software — is noted when pressed. I noticed the keystrokes for input were based on ASCII standard codes, which are fairly universal. That means the keylogging feature can easily work across nearly all devices.
- Text of incoming SMS messages. Don’t expect privacy of what you’re sending or receiving on a phone with CarrierIQ installed.
- Web browsing information through what are supposed to be encrypted transactions. Eckhart did a simple Google search with the browser in a private mode using the secure HTTPS protocol. Yet, his exact search term in the browser was captured, even when using the phone on his home Wi-Fi network.
The Carrier IQ software can’t be disabled, either, making the situation even worse. Eckhart shows the service is set to run at all times and can’t be shut off through the standard “Force Close” option in Android. There’s no opt-out method; the service runs invisibly in the background; and there’s nothing a consumer can do to stop it. Why does CarrierIQ capture this data? According to the company’s website, the reason is to help both carriers and handset makers:
Recognizing the phone as an integral part of a mobile service delivery, and using the device to measure key parameters of service quality and usage, the Carrier IQ solution gives you the unique ability to analyze in detail usage scenarios and fault conditions by type, location, application and network performance while providing you with a detailed insight into the mobile experience as delivered at the handset rather than simply the state of the network components carrying it.
I understand the need to log data and share details — to a point. Let’s face it: Computers have logged such data for years; mainly to help troubleshoot problems. But those logs weren’t sent anywhere without the user’s knowledge, and that’s what makes this situation very different.
I’ll be looking into this a bit deeper, but while I do, there are some interesting questions raised by this video. Although consumers are buying smartphones — and assume they have ownership — are the handsets theirs to do with as they please, without the carriers or handset makers knowing what they’re doing? One could argue that the smartphone isn’t owned until it’s fully paid for, since carriers often subsidize the actual hardware costs, but I think the argument is lame, at best.
What about the network itself, which is generally required to gain the full benefit of having a connected device? Does the monthly fee to “rent” mobile broadband service mean consumers have no privacy rights while on the carrier network? From a consumer standpoint, I’d argue that yes, there should be some level of privacy. Then again, carriers spent billions of dollars on the infrastructure and want to protect their investment. Thoughts?