What can only be described as “growing consternation” has resulted from revelations by a developer, Trevor Eckhart, that a large number of mobile phones are secretly monitoring users’ actions on the phone and sending the data back to the phone provider.
The software, which has been dubbed “The Rootkit of All Evil” after both its secretive operations and the seemingly unlimited access it has on the phone, is produced by a company called Carrier IQ. Ostensibly, the software collects data that allows carriers and phone manufacturers to monitor how their phones are used, and detect problems and issues with the phones or the network.
But the capabilities of the software allow for much more, including the ability to record keystrokes and so perform a data logging function.
Although the software had been highlighted some time ago, the matter came to the public’s attention when Carrier IQ sent Eckhart a cease-and-desist letter threatening legal action if Eckhart didn’t retract his claims that the software was a “rootkit” and didn’t take down training manuals from his site that he had obtained publicly from Carrier IQ’s own site.
The use of the term “rootkit” is normally used to refer to software that is maliciously installed on a computer at the system level and assumes control of the system. Eckhart maintained that this was an accurate description of the Carrier IQ software as that was in essence what it did.
On November 21, the Electronic Frontier Foundation provided legal assistance to Eckhart and responded to Carrier IQ stating that Eckhart’s claims were protected under free speech.
Realising they had – classically – increased attention to their activities rather than what they had set out to achieve in keeping it quiet, Carrier IQ then issued a retraction of its demand for Eckhart to cease-and-desist and apologised to him for the letter.
Since then, of course, the story has been picked up globally and the company has come under increasing scrutiny. As always with these stories, it has been sometimes difficult to distinguish the fact from exaggeration and wildness of the claims. Stories with headlines such as “Carrier IQ Tracking Scandal Spirals Out of Control” suggest that “nearly all Android devices” have the software installed and that it has “huge implications for user privacy”.
Well, actually, not really.
Even though the software seems to have the capability of recording the content of SMS messages and track the websites you have visited, it’s not clear that this is necessarily sent back to the Carrier IQ servers or that it is then passed on to the phone providers or anyone else.
The Carrier IQ software is also installed on iPhones but doesn’t seem to be active unless the user enables “Diagnostics and Usage”. In this case the information collected is more limited than in the case of the HTC phones tested running Android.
The major complaint is that Android users are not told about the monitoring or given an option to opt out. It’s very difficult to stop the software or remove it from the phone without technical knowledge. In the US at least, this has led to the suggestion that users may launch a class action suit against carriers and/or phone manufacturers (even possibly Google) for breaking the Wiretap Act (Electronic Communications Privacy Act, 1986) and illegally collecting information without the users’ consent.
Already companies such as Nokia have issued statements denying their handsets are loaded with the Carrier IQ software. Of course, this doesn’t necessarily mean Nokia doesn’t have its own version of the software that actually allows it to do the same thing.
Phones that are either free of Carrier IQ software or have the facility to control whether it is run or not include the Google-specific versions of the Android phone (Google Nexus One, Nexus S, Galaxy Nexus), the iPhone, and Windows Phone 7 phones
Verizon in the US has detailed what information they collect and what they use it for – apparently for targeting “relevant ads” to the user. They offer an opt-out clause, but not a way for disabling the software on the phone.
Andrew Coward, Carrier IQ’s VP Marketing, has insisted the company might “listen” to a smartphone’s keyboard, but only for very specific diagnostic information, and that it isn’t doing anything sinister with people’s text messages. “We don’t read SMS messages. We see them come in. We see the phone numbers attached to them. But we are not storing, analysing or otherwise processing the contents of those messages.”
As with all issues around privacy and confidentiality, it is not necessarily what is currently being done with our personal information that is the issue but rather what “could” be done in the future.
The possibility exists, for example, that governments and law enforcement agencies could co-opt the key-logging capabilities pre-installed on all handsets to actively log everything someone was doing. As with the recent revelations that the German Government is using Trojan software installed on PCs to spy on its citizens, the convenience of having this software pre-installed on all phones is obviously huge.
There is already evidence of the US security agency NSA working with the telephone carrier AT&T to carry out warrantless wiretaps on domestic communications.
Many other countries have set up monitoring facilities to carry out country-wide surveillance of their citizens, in many cases using technology that was obtained from western companies prohibited from dealing with those countries.
In the meantime, should you be concerned? Well, it depends if you still hold a view that we are capable of living a private life. The answer to this question, increasingly, is probably not. Certainly not from companies whose services we use, nor from our governments or their agencies.
But it’s possible to make active choices to limit the potential for “privacy leakage” – in this case by not using phones that have the software enabled by default with no option to switch it off.
This might persuade companies to be more open with their customers.
Read more on Carrier IQ here.