This video by Trevor Eckhart, the security researcher who found this, is pretty clear. Even if you are not a techwiz, you can see the Carrier IQ software always running, and logging everything you do on your phone:
Now, what we do know is that Carrier IQ is on an abundant number of devices at the behest of wireless service providers. What we do not know is whether Carrier IQ is recording everything it is logging. For a software program, it's quite possible to intake a great amount of data and have very little of it actually recorded or committed to memory. Indeed, that is how carriers and Carrier IQ say they are operating - that they are in fact not recording personal data or keystrokes. If that's the case, one wonders why Carrier IQ freaked out and threatened this young researcher with a cease-and-desist letter, only to back off when the Electronic Frontier Foundation, with their own lawyers, came to his defense.
But even assuming the claims of Carrier IQ are true, this should raise some critical questions:
- If they are not recording the keystrokes or other sensitive data, why are they logging it? I guess you "never know" when something useful will come up, huh?
- Software collecting any sort of data from someone's personal device that can be tracked to that specific device has no business getting on your device without your consent, let alone your knowledge.
- Why the first instinct to keep any information about Carrier IQ under wraps?
Based on that revelation, Carrier IQ may run afoul of federal wiretap regulations. "If the Carrier IQ/cellphone rootkit story is accurate, this is a clear, massive, felony wiretap. Not a close case," said Paul Ohm, a former Justice Department prosecutor and law professor at the University of Colorado Law School, via Twitter. "Carrier IQ, prepare for a multi-million $ class action lawsuit. Maybe a criminal case too? Federal wiretapping is a 5-year felony," he tweeted.
Ohm told Forbes.com. "Even if they were collecting only anonymized usage metrics, it doesn't mean they didn't break the law," said Ohm. "Then it becomes a hard, open question. And hard open questions take hundreds of thousands of dollars to make go away."
Sen. Al Franken, who is the Chairman of the Subcommittee on Privacy in the Senate Committee on Technology and the Law, has sent a letter to the CEO of Carrier IQ, demanding an explanation, and opening the door to just the questions I have asked above:
I understand the need to provide usage and diagnostic information to carriers. I also understand that carriers can modify Carrier IQ’s software. But it appears that Carrier IQ’s software captures a broad swath of extremely sensitive information from users that would appear to have nothing to do with diagnostics—including who they are calling, the contents of the texts they are receiving, the contents of their searches, and the websites they visit.
I am not someone that gets alarmed at every 'privacy' scare. I do examine them all closely, and most of the time it turns out to be nothing more than alarmists running around with their hair on fire. Not this time. It's serious. Carrier IQ and your carrier (Sprint and AT&T have confirmed they use Carrier IQ; Verizon has said they do not) may have installed on your phone (depends on your phone - see this page for information on detecting Carrier IQ on your phone and removing it) tracking software that is prima facie illegal, and has given you no way to opt out or turn it off.
ACTION: Here is what you can do:
- Contact Carrier IQ and tell them you are aware of this, and you will do everything to put this software out of circulation. Here's the info:
CARRIER IQ, Inc.
1200 Villa Street, Suite 200
Mountain View, CA 94041 USA
Phone: +1 650 625 5400
Fax: +1 650 625 5435
- Contact your Senators and Representatives and tell them to sign on with Sen. Franken's effort to get to the bottom of this.
- Contact your wireless company and demand they (1) rid your phone of Carrier IQ, and (2) drop their contract with Carrier IQ or any other such product.