Windows Secrets Newsletter Issue 317 2011-12-08 TOP STORY Carrier IQ: A privacy tempest of what size? By Woody Leonhard A YouTube video by Trevor Eckhart documents a litany of privacy-busting transgressions made by Carrier IQ, a software program factory-installed on mobile phones. Almost every news outlet in the U.S. seems to have run the story about Carrier IQ as if 1984 had finally arrived, with Big Brother (in large, corporate form) working the phones — our smartphones in this case. But is that view accurate? It's not surprising that Trevor's allegations generated an extraordinary level of press coverage. It's an attention-grabbing story: Carrier IQ produces a data-gathering program used by telephone companies to retrieve information from specific smartphones, including models made by Apple and many Android phones from Samsung, HTC, and other manufacturers. The software is installed on more than a 100 million phones at the request of service providers, including AT&T, Sprint, and T-Mobile. The brouhaha catches the attention of the U.S. Senate; Senator Al Franken demands answers. And newly minted mobile-device experts opine on every conceivable aspect of the controversy. Amid sometimes wild allegations and threats, class-action lawsuits loom. It's grand drama, indeed. Frankly, I'm astounded that nobody publicized the Carrier IQ data activity earlier. In use for years, the software (info page) is supposed to help phone companies keep track of problems with their networks. Carrier IQ claims its software runs on more than 140 million smartphones. So is there any substance to the allegations of widespread and irreversible privacy abuse? The real picture of the Carrier IQ controversy is just starting to emerge. Permit me to explain why I think this frenzy in the media is mostly sound and fury, signifying very little. The factual foundation, sans flights of fancy There's no question that Trevor uncovered startling behavior by Carrier IQ's software. He conclusively demonstrated that the Carrier IQ program watches every single key press on the phone — even sensitive key presses, such as passwords entered when you're using a mobile Web browser on an HTTPS secure site. It tracks your location, even when you've instructed the phone to not provide location information. It watches the contents of every incoming message as it arrives on the phone. Trevor also demonstrated that the Carrier IQ program doesn't act like a normal program. It doesn't show up on the app screens. It starts whenever the phone is turned on, and you can't turn it off by using commands such as Android's Forced Stop option. You can't delete the program, either. In fact, unless you've rooted your phone (hacked it to gain control over the operating system), you won't even see Carrier IQ running. Trevor also showed that the Carrier IQ program periodically phones home collected data. Those are facts ably demonstrated in Trevor's YouTube video, "Carrier IQ Part #2." Since the video was posted, several more facts have fallen into place. Here are the particulars: As mentioned earlier, the Carrier IQ program is installed by phone manufacturers at the request of service providers. In most cases, the information retrieved by Carrier IQ doesn't go to the phone manufacturers or to Carrier IQ — it goes to the service providers. Apple has confirmed that Carrier IQ was baked into iOS 4. According to an AllThingsD story, Apple stated, "We stopped supporting Carrier IQ with iOS 5 in most of our products and will remove it completely in a future software update." In an msnbc.com report, AT&T, Sprint, and T-Mobile confirmed that their sold-in-the-U.S. phones use Carrier IQ. All three companies claim that the software is used to improve system performance. AT&T says it doesn't track any user data. Sprint says it "cannot look at the contents of messages, photos, videos, etc., using this tool." T-Mobile says it "does not use this diagnostic tool to obtain the content of text, e-mail, or voice messages or the specific destinations of a customers' Internet activity, nor is the tool used for marketing purposes." Verizon, U.S. Cellular, and Vodafone say they don't have Carrier IQ on their phones. RIM and Nokia both claim that they don't put Carrier IQ on any of their phones, but that claim is disputed by Trevor. Microsoft states that no Windows phones have Carrier IQ. A tumblr.com device analyzer app turned up no Android phones (of 5572 tests) outside the U.S. and Puerto Rico running Carrier IQ. And it seems that no non-U.S. carriers will publicly admit to using the software. Those are the facts at this time. Everything else is speculation and interpretation. Carrier IQ reacts with the big-stick approach Trevor is convinced that Carrier IQ looks and acts like a rootkit. He says so on his blog. Other commentators have called it "a spyware rootkit" and "malware" and "wiretapping." I guess it all depends on how you define the terms, but from what I've seen, I don't think any of those characterizations applies. In any case, Carrier IQ overreacted to Trevor's revelations, with CIQ lawyers firing off a cease-and-desist demand that defies belief: CIQ demanded that Trevor take publicly available documents off his site and "cease and desist all false allegations." The CIQ lawyers further demanded that Trevor send out a public press release "on the AP wire" containing a statement — dictated by the attorneys — saying, among other things, "it is clear that while [CIQ] inspect(s) many aspects of device performance, they are not in fact recording keystrokes or providing user tracking tools and have no intention of doing so." Yes, the lawyers wanted Trevor to vouch for Carrier IQ's intentions and pronounce the company free of sin. They threatened to sue him for copyright infringement (for Carrier IQ training manuals he posted), including damages to the tune of "$150,000 per work." Trevor hooked up with the Electronic Frontier Foundation and, in an e-mail letter (PDF copy) sent by an EFF staff attorney, basically told the CIQ lawyers where they could stick their cease-and-desist demand. On Nov. 23, the EFF reported that Carrier IQ had dropped the threats and its CEO had apologized to Trevor. All these events unfolded in full view of the press. Initially, the technical press picked up on the YouTube video and statements about rootkits and keylogging. Then the mainstream press appeared, and a story with very precise technical boundaries turned into a massive slinging match, with relatively few facts in evidence. Make no mistake, the phone companies have data. Let's put this all into some useful perspective. The phone companies — the AT&Ts, Sprints, and Verizons of the world — know which phone numbers you dial and which numbers call you. They've been using that information to bill phone owners for decades. These days, the phone companies are also transmitting data to and from phones, giving them at least the theoretical ability to keep copies of SMS messages, e-mail, Internet traffic (such as websites visited), and the content of files uploaded and downloaded. They could also have the ability to record your voice and video calls. Even if you turn off location notification on your phone, the phone company still knows which cell tower you're using; with the aid of simple triangulation on three or more towers, they can pinpoint your phone any time they like. But why would a phone company want to monitor your keystrokes, your mail, your SMS texts, or your location using a program inside your phone? It doesn't make any sense. Working on data generated inside the phone is enormously inefficient and expensive as well as intrusive; it's difficult, both technically and legally, to make a case for it. As the controversy cools, it's becoming obvious that Trevor was indeed watching Courier IQ's program scan everything the phone was doing. But there's no evidence that the program was storing personal information or any other kind of personal data. There's also no evidence that the software sent sensitive information home to any of the carriers. According to its designer, Carrier IQ was specifically targeted at identifying problems with the mobile network — for example, what happens when a call gets cut off or the phone crashes. Everything I've seen to date confirms that observation. Security researcher Dan Rosenberg, who's been in the thick of the Carrier IQ fray since its inception, has published a thorough analysis of Carrier IQ running on one specific smartphone — the Samsung Epic 4G Touch. He watched everything Carrier IQ gathered and transmitted. His conclusions: Carrier IQ did not record SMS text bodies, webpages, or e-mail content. In this particular configuration, Carrier IQ recorded which numbers were being pressed to dial the phone but didn't record any other keystrokes. It could record GPS location data and the URLs of sites visited by the phone's browser, but not the contents of the pages. That said, it's certainly true that the program could collect compromising information. After all, it's watching everything, all the time. Carrier IQ has filed a patent application that might allow less-benign uses in the future. But then so could many other programs, including the operating system itself. Lessons from the Carrier IQ revelations Obviously — and most importantly — consumers have a right to know what's being sent from their phones. They should also have the ability to turn off the parts that aren't vital to connecting through the network. That said, chances are good that when you signed the contract with your service provider, you agreed to the data collection. (How many of us bother to read most user-license and service agreements?) Fifty years ago, telephone users probably didn't care that phone companies probably collected the phone numbers of all outgoing and incoming calls. But nowadays, with far more sensitive information flowing from phone to phone and between phones and network servers, consumers do need to be more savvy and skeptical. And carriers need to be more up-front about the kinds of data they're using — with opt-out options clearly available. There should also be some sort of third party involved in monitoring what information our phones are transmitting to our service providers. Nevertheless, the recent and widespread coverage of this story reminds me of the breathless stories three weeks ago about the Illinois water-plant pump "destroyed by Russian hackers." The FBI got in on that one — as did the Department of Homeland Security and ICS-CERT. The media jumped to the conclusion that America's infrastructure was under attack by Russian hackers, as if Russian hackers had nothing better to do than burn out a water pump. Wired has the full, sordid story. I think the best analysis of the situation comes from Galen Gruman, who has listed some real privacy threats in a Dec. 2 InfoWorld story. He says these hyped-up threats "are relatively benign compared to what people are not talking about: software and devices that not only monitor individuals but feed that data to insurers and others who could use it to determine rates, deny coverage, and otherwise control people's behavior." That's where the real problems lie. Woody Leonhard writes computer books, primarily about Windows and Office, most recently the award-winning Windows 7 All-In-One For Dummies. He's a Senior Contributing Editor at InfoWorld, where his Tech Watch columns bring some common sense — and a jaundiced eye — to the latest industry shenanigans.