Carrier IQ moves to allay fears of its tracking software
- 14 December, 2011 07:11
Carrier IQ last night released a document describing its technology in what appears to be a belated attempt to quell continuing concerns over its controversial tracking software.
The 19-page Carrier IQ document offers the most detailed explanation yet of how the tracking software works and how wireless carriers are using it.
The move is the latest by Carrier IQ to rebut a report published late last month by security researcher Trevor Eckhart contending that wireless carriers could use the Carrier IQ software to conduct surreptitious and highly intrusive tracking of Android, BlackBerry and other smartphone users.
The Carrier IQ document lists specific information that wireless carriers can gather from mobile handsets using the Carrier IQ software. It also provides details on how the software is deployed on mobile devices.
In the document, dubbed Understanding Carrier IQ Technology, the company said it "wants to let consumers know exactly what it is that our software does, the security measures we have in place, and our commitment through our software design and processes to protecting consumers' privacy while improving consumers' experience."
Experts say that it remains an open question as to whether that assurance is enough to quell the concern.
The Carrier IQ controversy began with Eckhart's disclosure that the software could be used to gather and track all sorts of personal data from Android-powered handsets and virtually any other mobile device.
In a video posted on YouTube, Eckhart displayed what he said was evidence of Carrier IQ's software capturing his every keystroke and even recording the content of his SMS messages and his search queries.
Eckhart's disclosure ignited an immediate firestorm of concern and criticism from consumers, U.S. lawmakers and European Union regulators.
Carrier IQ and several wireless carriers and handset makers have admitted that the software is installed in handsets sold to consumers, but insist that it is benign and designed primarily to collect data for optimizing network and device performance.
Carrier IQ has said its software is typically either preloaded on handsets supplied by wireless carriers or is more deeply embedded into the device by the device makers.
Both the preloaded version and the embedded version are designed to allow wireless carriers to capture certain metrics, such as dropped calls, service interruptions or battery use, the document said.
The embedded version of the technology can be used to gather a lot more detailed information from the device than the preloaded version, and requires a Carrier IQ API to interface with the mobile device, according to the company.
Carrier IQ lists more than 225 separate pieces of information that wireless carriers can gather from mobile devices using the software -- all of it strictly related to network and device performance, the document says.
Wireless carriers don't require or use all of the available metrics all the time; Carrier IQ's technology lets them create "profiles" of specific information they might want for a specific reason.
In most cases, the information gathered via such profiles represents only a small subset of the information that could be gathered by the software, according to the company.
The company rebutted Eckhart's claim that the software can be used for keylogging purposes. According to Carrier IQ, the data capture shown in Eckhart's video resulted only because debug messages were switched on in the Android handset used for the demo.
"Our investigation of Trevor Eckhart's video indicates that location, key presses, SMS and other information appears in log files as a result of debug messages from pre-production handset manufacturer software," the company said.
Carrier IQ added that the software does not collect information from Android log files. However, the document left open the question of whether its software can read from a log file, if a carrier wanted to gather that data.
Carrier IQ is working to convince handset manufacturers to switch off debug messages containing personal data, thus preventing it from being written to log files as happened in Eckhart's demo, the document said.
It's too soon to say whether the explanations will assuage critics who have said that some carriers used the Carrier IQ software to gather information from mobile devices without the user's knowledge or permission. Carrier IQ's own document makes it clear that users cannot uninstall the embedded or preloaded version of the software from their handsets.
Concerns about the software being misused to gather other information are also likely to persist, especially because Carrier IQ said it found a bug in the software while reviewing the technology.
According to Carrier IQ, the bug allows the content of SMS messages to be recorded and transmitted to network operators along with other Layer 3 signaling traffic.
"Carrier IQ has discovered that due to this bug, in some unique circumstances, such as when a user receives an SMS during a call, or during a simultaneous data session, SMS messages may have unintentionally been included in the layer 3 signaling traffic that is collected by the IQ Agent," the company said.
The contents, however, would have been "encoded," and wireless carriers would need Carrier IQ to write specific software in order to read the contents, the company claimed.
Jaikumar Vijayan covers data security and privacy issues, financial services security and e-voting for Computerworld. Follow Jaikumar on Twitter at @jaivijayan, or subscribe to Jaikumar's RSS feed.