Is Carrier IQ a keylogger installed on 145 million phones?

by Kieran Healy on November 30, 2011

While you have to ask carefully if you want family-planning advice from Siri, owners of Android, BlackBerry and Nokia phones may be facing other problems. According to this report in Wired, Trevor Eckhart, a security researcher in Connecticut, has found that third-party performance- and usage-monitoring software installed by default on millions of Android-based handsets sees every user action and—possibly, because I’m not sure based on the video whether this part has been demonstrated—logs and transmits it to the software maker, Carrier IQ. A video made by Eckhart (see below) shows the Carrier IQ process seeing Eckhart’s Google search of “hello world.” David Kravets’ Wired Story continues:

That’s despite Eckhart using the HTTPS version of Google which is supposed to hide searches from those who would want to spy by intercepting the traffic between a user and Google. Cringe as the video shows the software logging each number as Eckhart fingers the dialer. “Every button you press in the dialer before you call,” he says on the video, “it already gets sent off to the IQ application.” From there, the data — including the content of text messages — is sent to Carrier IQ’s servers, in secret.

This is frankly astonishing if it turns out to be true. Carrier IQ’s own website proudly announces, via a rolling counter on its front page, that it is installed on over 141 million phones. If they are logging and especially sending any data of this sort of granularity back to Carrier IQ’s servers routinely—text messages, web searches, numbers dialed—it’s hard to see how this won’t be an enormous scandal. You may recall Apple’s Locationgate scandal earlier this year, when it was found that iPhones were locally caching fairly coarse-grained location data based on cell-tower proximity (though not sending that data back to Apple). This seems orders of magnitude more severe than that—real tinfoil-hat stuff.

A Carrier IQ press release from earlier this month denies that their software is logging or transmitting keystrokes or user actions in this sort of detail:

Carrier IQ delivers Mobile Intelligence on the performance of mobile devices and networks to assist operators and device manufacturers in delivering high quality products and services to their customers. We do this by counting and measuring operational information in mobile devices – feature phones, smartphones and tablets. This information is used by our customers as a mission critical tool to improve the quality of the network, understand device issues and ultimately improve the user experience. Our software is embedded by device manufacturers along with other diagnostic tools and software prior to shipment. While we look at many aspects of a device’s performance, we are counting and summarizing performance, not recording keystrokes or providing tracking tools. The metrics and tools we derive are not designed to deliver such information, nor do we have any intention of developing such tools. The information gathered by Carrier IQ is done for the exclusive use of that customer, and Carrier IQ does not sell personal subscriber information to 3 parties. The information derived from devices is encrypted and secured within our customer’s network or in our audited and customer-approved facilities.

This denial was explicitly reiterated by the company in a release retracting a cease-and-desist letter to Eckhart that it had issued in response to some of his earlier work.

The video does appears to show that, at a minimum, Carrier IQ’s software has access to the user’s searches, text messages, and other keystrokes. (Skip to 8:40 or so for the guts of the demonstration.) The real question now is determining what the application does with that sort of access—how much of the user’s behavior is actually logged, at what level of detail that logging happens, and what is subsequently transmitted anywhere. This is what’s still not clear to me from the video. Automatic third-party access to all user actions, even if there is subsequent picking-and-choosing about what to log and what to send, seems bad enough in the absence of explicit permission from the user. And of course if Carrier IQ’s software turned out to actually be transmitting much or all of what it saw—well it’s hard to see how that would be legal. So I await further developments with interest.

I copied the heading of Megan Carpentier’s original story word-for-word, because it’s hard to capture the issue better in a sentence than she did. (Tx @zephoria.)

In related news, take a look at Mike Ananny’s piece in the Atlantic last Spring about The Curious Connection Between Apps for Gay Men and Sex Offenders. Also, Ted Striphas talks more generally about the idea of “algorithmic culture” and “algorithmic literacies” here. Over a decade ago I wrote a few papers about the power of portals (remember that term?) and search engines to channel user attention, it’s fascinating- and rather disturbing at times – to watch the evolution of that issue.