Carrier IQ Smartphone ‘Spyware’ No Threat to Privacy, Experts Say

A YouTube video that shows hidden smartphone software called Carrier IQ logging keystrokes and text messages has sent the security and privacy communities into a frenzy, and drawn concern from Capitol Hill. But a researcher versed in the software says people are overreacting.

"The time hasn't come to panic about a massive exposure of really sensitive data," Dan Rosenberg, senior security consultant with Boston-based  Virtual Security Research, told SecurityNewsDaily.

The video in question was made by Trevor Eckhart, a Connecticut systems administrator, and shows how Carrier IQ records his keystrokes and encrypted Web searches.

Rosenberg told SecurityNewsDaily that he's been working on reverse-engineering the Carrier IQ software for the past few weeks. Although he has not "exhaustively covered it," he's "seen no evidence that they're recording keystrokes."

Carrier IQ's marketing communications representative, Mira Woods, directed SecurityNewsDaily to the company's media alert, which explains that Carrier IQ only collects data used to "improve the quality of the network, understand device issues and ultimately improve the user experience," and that the company does not employ any tools to record keystrokes.

[Does Hidden Smartphone Software Threaten Your Privacy?]

'Big Brother' or helpful family member?

It's unfair to jump to conclusions and label Carrier IQ as a Big Brother, Rosenberg said, until there is proof that the company is harvesting smartphone users' data for anything else than improving the phone's performance.

"The work Trevor Eckhart has done raises some legitimate concerns regarding what this software does on your phone," Rosenberg said. "I agree that carriers and Carrier IQ should be held accountable and users should be given more insight into what data is being collected.

"On the other hand," he continued, "the research presented so far is not conclusive as to what data is actually being collected and sent back to Carrier IQ. There is no evidence provided that the information Carrier IQ is logging is actually stored in any way, much less transmitted back to Carrier IQ. There's a big diff between saying 'Carrier IQ doing something when you press a key,' and 'Carrier IQ logs all your keystroke[s] and sends them to the carrier.'"

Where's the proof?

John Graham-Cumming is the vice president of engineering for the San Mateo, Calif., and London-based software firm Causata. On his blog, Graham-Cumming found it worrying that a smartphone could log his personal information and send it to a third party. But, like Rosenberg, he wants people to see through the fear and look at the facts.

"If you watch the 'security researcher's' video, you'll find that nowhere does he make the claim that content that the application sees is leaving the device," Graham-Cumming wrote. "And from the video, he doesn't appear to try. At no point does he enter a debugger and look inside the Carrier IQ application, and at no point does he run a network sniffer and look at what data is being transmitted to Carrier IQ."

Graham-Cumming added that this "would be a huge story if millions of smartphones worldwide were secretly sending the content of text messages to a U.S.-based company. But that's not the story here, because the 'security researcher' does not appear to have tried to find out."

How anonymous is the data?

Anonymized metrics data, which is what Carrier IQ says it collects, means that any number of statistics and log files, including calls made and websites visited, are stripped of all personally identifiable data before they're transmitted back to the company.

Despite the prevalence and value of such anonymized metrics data from smartphones — Google maps' real-time traffic maps rely on similar data, for example — it does not automatically mean that someone is tracking you.

Such misplaced fears came to light in April, when news broke that the iPhone tracks its users, and more recently when Sen. Chuck Schumer, D-N.Y., halted holiday-period test trials of a smartphone-tracking system for shopping malls that had been set to begin on Black Friday (Nov. 25).

Rosenberg said he has concerns about whether Carrier IQ is properly anonymizing the data it receives. But again, he's not quick to "drink the Kool-Aid" and assume Carrier IQ is at fault.

"I don’t think the proof is there yet that they're violating the privacy to the extent that it's been described," he said.

How much data is needed?

"I can certainly see how some of the information that Carrier IQ can collect may be useful for diagnosing and planning related to coverage and capacity," Chester Wisniewski, security specialist for the Britain-based firm Sophos, told SecurityNewsDaily. "The application itself goes way beyond what is necessary and collects far more than necessary for simple network troubleshooting."

Carrier IQ's own communications policies, which included suing Eckhart last month and then just as quickly withdrawing the lawsuit, don't do the company any favors.

"The simple act of hiding [the software], not providing a clear, concise privacy policy and hooking the Android kernel for deeply sensitive information casts an awful lot of suspicion," Wisniewski added. "To quote Ricky Ricardo, they got lots of splain'in to do."

It's not wrong to be especially sensitive about such issues, he pointed out.

"Privacy should always be a concern," Wisniewski said. "It is sort of like virginity — once you've lost it, it's gone."

Senator Franken gets involved

Just as he did in May following the accusations that Apple and Google tracked their smartphone users, Sen. Al Franken (D-Minn.), is demanding answers.

Franken sent a letter to Carrier IQ's president and CEO, Larry Lenhart, yesterday (Nov. 30) seeking clarification about the specific information the company records and receives, and how it stores the data.

"I understand the need to provide usage and diagnostic information to carriers," Franken wrote. "I also understand that carriers can modify Carrier IQ's software. But it appears that Carrier IQ's software capture[s] a broad swath of extremely sensitive information from users that would appear to have nothing to do with diagnostics — including who they are calling, the contents of the texts they are receiving, the contents of their searches, and the websites they visit."

Franken gave Carrier IQ until Dec. 14 to respond.

Article provided by SecurityNewsDaily, a sister site to

Image provided by Shutterstock and Tischenko Irina.

SecurityNewsDaily Staff Writer