[Article first published as Smartphone Spy - Mobile Carriers Caught Secretly Skimming Android User Info on Blogcritics.]
While I enjoy the increasing number of things I have been able to do with each iteration of mobile technology on the market, I’ve always held a dark spot in my heart for wireless carriers. First there’s the financial factor – the amount of money they charge for what should be no additional charge, caps on tiered data, or even just cost to the user in general (I enjoy a $100+ per month phone bill for all the crap I have).
As mobile technology has become more developed though, the prices seem to be going up, and what the consumer is getting seems to be less. On top of that there’s the creep factor, which is really nothing more than privacy and business practices. Recently Verizon Wireless sent me a letter about an opt-out option for their new ad tracking system that would serve to provide me better targeted ads based on my activity and location. I opted out due to a certain level of discomfort with privacy when I had the chance, but I give Verizon credit for voluntarily saying “Hey Tushar, here are some things that we want to do, are you in?” They laid out what they were doing, and after understanding it I had a choice. Now granted, any doctors or lawyers reading this are going to cringe at the phrase I’m about to use, but if the activity has the informed consent of the consumer (yeah I said it) then that’s something I may be able to get on board with. I would assume that other carriers do something similar as far as activity-based targeted ad programs. After all, ad revenue does make the world spin ‘round.
But then I read today about something that could be a tremendous breach in privacy and almost tantamount to data theft, perpetrated by mobile carriers against their customers. This revelation came from security researcher Trevor Eckhart concerning a software package called Carrier IQ, which seems to be embedded in at least some phones on major U.S. carriers. Carrier IQ claims that their software gathers “information off the handset to understand the mobile-user experience, where phone calls are dropped, where signal quality is poor, why applications crash and battery life.” Turns out that while it wasn’t really a secret that this function was installed on many Android phones, no one really knew any of the inner workings of the software and what kind of data it actually captures. That is, until Eckhart found some things that can only be described as suspect at best last week. Carrier IQ tried to hand him a cease and desist letter to quiet him down a bit, but with the help of the Electronic Frontier Foundation, Carrier IQ not only backed off but issued an apology (in which they lay out their argument above). He followed up by releasing a video playing around with it on his HTC Evo. You can see the video on YouTube here.
The video paints a pretty creepy picture about what kind of data this software is able to pick up and I warn you, you may feel a little ill watching it. Eckhart uses a factory-reset, non-rooted HTC Evo (as he says, not to single out HTC but it was just what he had on hand) to show not only how the software is hidden and unable to be shut down, but how it appears to also have a built-in keylogger. Each key press looks like it has its own code, so anyone taking a look can see what letters and numbers are being entered.
The killer is that this also covers passwords, browser entries, and even HTTPS browser entries, which are supposed to be encrypted. HTTPS is designed to encrypt data in transit, so anyone trying to intercept it would be thwarted. Oh right, text message and SMS content counts too. Data from messages gets sent off to Carrier IQ’s servers without anyone being the wiser. Eckhart classifies this as a rootkit, which is a label I wholeheartedly agree with. It gets into your system, acts with administrator privileges, and you can’t get rid of the software unless you void the warranty and do the rooting yourself. But it gets even worse. Even as Eckhart was running in airplane mode (cellular radio off) and on Wi-Fi only, the app still logged everything that was going on while “disconnected” from the Sprint network. It’s the sort of thing that makes me wonder if all the conspiracy theorists are right and that I should be equipped with a tinfoil hat.
So where do we go from here? No users were ever explicitly told that data would be collected down to the keystroke and screen tap – if that had been the case no one would have a smartphone right now. And that leads into what may be the inevitable fallout. Paul Ohm, a former prosecutor for the Department of Justice and current professor at the University of Colorado, weighs in with his professional opinion. “If CarrierIQ has gotten the handset manufacturers to install secret software that records keystrokes intended for text messaging and the Internet and are sending some of that information back somewhere, this is very likely a federal wiretap,” he says. “And that gives the people wiretapped the right to sue and provides for significant monetary damages.”
Without a law degree, I came up with pretty much the same thing. There wasn’t even an attempt at corporate transparency to the consumer here. A “no, it’s cool guys we’re not doing anything wrong” issued only after they were caught just isn’t enough. From what I’ve determined this seems to not affect all Android devices, but I can confirm that Carrier IQ has dealings with both Sprint (from the video) and T-Mobile (via a T-Force poster on their support forums). I personally have not found any such software on my Verizon Wireless Droid X, so I can only speak to that from personal experience.
If this video holds water, consider the game changed. By Professor Ohm’s argument, the people wiretapped include every single Android user on carriers that do business with Carrier IQ. As of yet I don’t have a complete list of affected carriers and models, but that number still has to register pretty high. After the class action lawsuits all hit and the smoke clears, maybe then we’ll be able to have some sort of serious discussion in this country on the internet and cellular networks at large, specifically concerning user privacy in the digital age. People do a lot of stuff on mobile – important password-protected stuff – now that we have these super fast 4G speeds mobile carriers are all too quick to advertise. That only bolsters the point that privacy is the single greatest challenge we have to solve with current technology.
So even if Carrier IQ only uses the information for aggregate reporting and even if Sprint does actually only use it for diagnostic purposes without any malicious endgame, what happens when someone that does have less than noble intentions figures out how to control it? There goes your money. There goes your credit. There goes your reputation. There’s just too much at risk.