Last week all hell broke loose over a little piece of surreptitious smartphone software apparently capable of gleaning everything about your mobile maneuvers from the websites you choose to visit using your phone’s browser, to which buttons you’ve been pressing on the physical device itself. The man ostensibly pulling back the curtain: Trevor Eckhart, a Connecticut-based systems admin, who posted a video demonstrating the so-called tracking capabilities of a metrics-driven software agent from company Carrier IQ.
Let’s be honest, the reporting on Carrier IQ’s been a little hysterical, with several sites echoing a few tech Cassandras uncritically, highlighting bell-ringing terms like “key-logging” before handing the microphone over to passerby (“So dear reader, what do you think?”) and letting waves of understandably paranoid commenters go nuts.
In my own piece, I pointed out that Eckhart’s video only showed how button presses could be captured, not that they actually were, or what Carrier IQ’s agent was (or wasn’t) doing with them.
Now Dan Rosenberg, a security consultant with Virtual Security Research, writes on this blog that “based on [his] knowledge of the [Carrier IQ] software, claims that keystrokes, SMS bodies, email bodies, and other data of this nature are being collected are erroneous.”
Rosenberg has performed his own independent analysis of the Carrier IQ software and produced what appears to be a detailed breakdown of the agent’s metrics—sorted by ID, metric type, data sent, and situations in which the latter would occur—and created a list of claims that contradict much of what’s been reported about Carrier IQ’s activities to date.
Rosenberg claims Carrier IQ is incapable of recording SMS information and cannot record keystrokes “besides those that occur using the dialer.” It can report GPS locations “in some situations” and record URLs visited, but “not the contents of those pages or other HTTP data.” Rosenberg also points out that his findings are based on code used by Samsung specifically—what is or isn’t collected and sent back is done at the behest of each carrier, not Carrier IQ.
In Rosenberg’s view, nothing nefarious is taking place here—it has the potential to, and in that sense I’d argue all of this coming to light is important and the press reaction at the level of “bears further investigation” is more than justified, but Rosenberg believes that at this point, “the data that is potentially being collected supports CarrierIQ’s claims that its data is used for diagnosing and fixing network, application, and hardware failures.”
Every metric…has potential benefits for improving the user experience on a cell phone network. If carriers want to improve coverage, they need to know when and where calls are dropped. If handset manufacturers want to improve battery life on phones, knowledge of which applications consume the most battery life is essential. Consumers will have their own opinions about whether the collection of this data falls under the terms set by service agreements, but it’s clear to me that the intent behind its collection is not only benign, but for the purposes of helping the user.
Rosenberg’s takeaways sound reasonable enough: Carrier IQ isn’t as deeply embedded as you’ve heard, and whatever data’s being gathered is at the discretion of carriers, which–if there’s blame to go around–is where our scrutiny really belongs. Each carrier’s probably using Carrier IQ’s agent uniquely, and what we’re agreeing to let them do relates back to our service agreements, each of those in turn being distinct.
What’s more, I fully agree with Rosenberg that customers need to be allowed to “opt out” of these tracking metrics and that there needs to be some sort of independent oversight process for how the data’s used.