If you haven’t been living under a rock and have read any tech news on the Internet in the past week or so, then you’ve probably heard about the fiasco that is Carrier IQ. Carrier IQ produces software that is running on millions of cell phone devices from various carriers. Trevor Eckhart, a security researcher, noticed odd traffic on his network and tracked it down to something that was happening on his smartphone. What he discovered was software on his phone that was capturing data – phone call data, SMS data, even keystrokes – and sending the information out of his network.
Trevor released his findings online, going so far as to paint Carrier IQ’s software on smartphones as a rootkit. Carrier IQ reacted badly, sending Trevor a cease and desist letter stating that he was in copyright violation because he posted some of their training materials online. Trevor contacted the Electronic Frontier Foundation, which communicated with Carrier IQ on his behalf, stating that Carrier IQ’s claims were baseless.
Carrier IQ changed their tune after the bad press started piling up. They admitted they reacted badly to Trevor’s claims and should have handled the situation differently. They pointed out that they themselves did not collect any data from the phones. The purpose of the data collection software was for the carriers to track specific information on their phones for quality assurance purposes. Profiles designed by the carriers and placed on the phones by Carrier IQ are used to track battery life, call drops, GPS location data, etc. The carriers steadfastly claim they are not capturing SMS texts, email, or website information with Carrier IQ’s software. Independent research has verified that, of the SMS data that is collected, the body of the SMS text is not included. Nor is the body of an HTTP request; only other information such as type of request, port, status, etc. is collected.
Unfortunately, Carrier IQ’s knee-jerk response to Trevor’s findings, as well as the carriers’ failure to be transparent about the information that phones on their networks actually collect, has given the federal government cause to take notice. Senator Al Franken and the FTC are launching an investigation into the nuts and bolts of what is really happening here. On the surface, Carrier IQ and the carriers themselves could possibly be violating federal wiretap laws. At the very least, it should weaken the already fragile relationship that the carriers have with their customers. When will these companies learn that being open and honest with their customers is the best thing for them and that hiding potentially suspicious activities makes them more so when they are discovered?