Update 2:10 p.m.: On Thursday afternoon, Sen. Al Franken announced that he's demanded answers from Carrier IQ about their tracking user behavior in a very detailed letter (PDF) to the company's president and CEO Larry Lenhart. He did not go easy on him:
I understand the need to provide usage and diagnostic information to carriers. I also understand that carriers can modify Carrier IQ’s software. But it appears that Carrier IQ’s software captures a broad swath of extremely sensitive information from users that would appear to have nothing to do with diagnostics -- including who they are calling, the contents of the texts they are receiving, the contents of their searches, and the websites they visit.
These actions may violate federal privacy laws, including the Electronic Communications Privacy Act and the Computer Fraud and Abuse Act. This is potentially a very serious matter.
The Senator explained why so serious in a press release. "Consumers need to know that their safety and privacy are being protected by the companies they trust with their sensitive information," said Sen. Franken. "The revelation that the locations and other sensitive data of millions of Americans are being secretly recorded and possibly transmitted is deeply troubling. This news underscores the need for Congress to act swiftly to protect the location information and private, sensitive information of consumers. But right now, Carrier IQ has a lot of questions to answer."
Original Post: An Apple hacker has discovered that Carrier IQ, the shady smartphone software recently found to be logging keystrokes on Android and BlackBerry devices, is also installed on the iPhone. Don't worry, fanboys. It's off by default -- probably. After
As on other smartphones, the presence of Carrier IQ in Apple's iOS firmware is difficult to detect. Prominent iPhone jailbreaker "chpwn" discovered traces of the code on Thursday, after Android security researcher Trevor Eckhart dug into the code of his Google-made operating system to discover that Carrier IQ was recording tons of user data, even the contents of text messages. Hacker blogs are referring to Carrier IQ as a "rootkit," a type of virtually undetectable software that provides privileged access to your data. In 2007, CNET reported that rootkits were "tops on the criminal hackers' To Do lists," though Carrier IQ markets its services to mobile carriers like AT&T and Sprint, as the name suggests. It's also not a new service, as chpwn explains in a blog post (emphasis his):
In fact, up through and including iOS 5, Apple has included a copy of Carrier IQ on the iPhone. However, it does appears to be disabled along with diagnostics enabled on iOS 5; older versions may send back information in more cases. Because of that, if you want to disable Carrier IQ on your iOS 5 device, turning off "Diagnostics and Usage" in Settings appears to be enough.
Let's reiterate chpwn's point that the existence of the Carrier IQ code does not necessarily mean that your iPhone is sending your deepest darkest secrets back to some database in Apple's Cupertino headquarters. Following a detailed, developer-oriented explanation of the code, chpwn goes on to defend the device manufacturers:
However, I think the blame here really belongs with the US carriers who obviously demanded this: personally, I am completely fine with this data being sent off (especially if it helps AT&T’s network improve), but I would definitely prefer if it was more transparent -- even if you can disable it with that toggle, Apple only explains that it "might contain location data".
So far, Sprint has defended Carrier IQ's aggressive data-collection practices, explaining that it was used "to understand the customer experience." That was two months ago, however, when the controversy first started, but it's exploded into a national news story since Eckhart's painstakingly illustrated just how much data Carrier IQ was collecting from Android devices in a YouTube video this week.
Now, folks are starting to wonder if Carrier IQ is in violation of federal wire-tapping laws. Andy Greenberg, a reporter on information security and privacy for Forbes, asked former Justice Department prosecutor Paul Ohn just that. "If CarrierIQ has gotten the handset manufactures to install secret software that records keystrokes intended for text messaging and the Internet and are sending some of that information back somewhere, this is very likely a federal wiretap," Ohn said. "And that gives the people wiretapped the right to sue and provides for significant monetary damages."
We made a tongue-in-cheek comment about Google in our first post about Carrier IQ being found on Android devices, but it now appears that the mobile carriers could be in the crosshairs. Both device manufacturers and mobile carriers are starting to push back against reports that they collect data through Carrier IQ, who says their software is installed on over 140 million devices, but we're guessing the scandal is just beginning. The issue of smartphone tracking is not a new one either. Apple and Google have already had their day on Capitol Hill, where they faced a grilling from Senators about their GPS-tracking practices and we're guessing that folks like Sen. Chuck Schumer, who stood up for Americans' privacy after malls started using cell phone data to track shoppers, will not be pleased to learn about Carrier IQ. This story is developing quickly, and we're doing our best to get in touch all parties involved. Until then, you might want to study Wired's reasons to wear a tinfoil hat.
This article is from the archive of our partner The Wire.