An Android developer recently discovered a clandestine application called Carrier IQ built into most smartphones that doesn't just track your location; it secretly records your keystrokes, and there's nothing you can do about it. Is it time to put on a tinfoil hat? That depends on how you feel about privacy.
The reason for this invasive Android app seems reasonable enough at face value. Even though it's on most Android, BlackBerry and Nokia devices, most users would never know that Carrier IQ is running in the background, and that's sort of the point. Described on the company's website as software to gain "unprecedented insight into their customers' mobile experience," Carrier IQ is ostensibly supposed to help mobile carriers and device manufacturers gather data in order to improve their products. Tons of applications do this, and you're probably used to those boxes that pop up on your screen and ask if you want to help the company by sending your data back to them. If you're concerned about your privacy, you just tap no and go about your merry computing way. As security-conscious Android developer Trevor Eckhart realized, however, Carrier IQ does not give you this option, and unless you were code-savvy and looking for it, you'd never know it was there. And based on how aggressive the company has been in trying to keep Eckhart quiet about his discovery, it seems like Carrier IQ doesn't want you to know it's there either.
Eckhart first raised a red flag about Carrier IQ about two weeks ago when he started investigating reports that a software update on the HTC EVO 3D included "user behavior logging" code. The code had worried some geek bloggers when it showed up a couple months ago, but HTC and Sprint insisted that it wasn't much different than normal error-logging software and certainly didn't gather granular data like "contents of messages, photos, videos, etc." Eckhart wrote an exhaustive blog post about his startling findings: CarrierIQ collected lots of data, including keystrokes, and there's no way for the user to opt out "without advanced knowledge." CarrierIQ flipped out. The company sent Eckhart a cease-and-desist letter demanding that he keep his mouth shut and threatening legal action. But after the Electronic Frontier Foundation (EFF) took a look at the case and determined that Eckhart was working within his First Amendment rights, CarrierIQ backed off but still denied that its software recorded keystrokes.
This week, Eckhart fired back with a 17-minute-long video showing in painstaking detail how much data CarrierIQ collects, effectively undercutting the company's denial. It was even logging contents of text messages! Wired posted the video on Tuesday night and cemented CarrierIQ's status "as one of nine reasons to wear a tinfoil hat." The magazine explains how CarrierIQ even undercuts other companies' security measures:
Oh, we're definitely in tinfoil hat territory now. CarrierIQ and the carriers have yet to respond to the latest claims -- we're doing our best to chase them down -- but if past smartphone tracking scandals are any precedent, they could end up answering to Congress.
Like many things in life, there are a couple of different ways to think about smartphone tracking. One way approaches privacy from a forward-thinking, technology-trusting and, heck, even progressive perspective. GPS-equipped smartphones are incredibly powerful tools that enable mankind to do all kinds of amazing things, thanks to the perpetual stream of data from the Internet. However, that stream flows both ways, and sometimes, the folks that build and maintain the network need to monitor your data in order to improve the technology. Who wouldn't want better service?
This brings us to the second approach. Tracking is creepy. In an Orwellian kind of way, it makes people nervous -- especially Americans -- that the government or the corporations or the system is closing in on them and stealing their freedom. Of course, not everybody feels so strongly about privacy, but as long as you can opt out, it should be fine. This seems to be where privacy agnostics and advocates alike get concerned. Some people don't mind being tracked, but nobody wants to be tricked. Last week, Sen. Charles Schumer spoke out about a program at some malls in Virginia and Southern California that was anonymously tracking shoppers' movements by tracking their cell phone signals, and the only way to opt out was by not going to the mall. Schumer did not approve. "Personal cell phones are just that -- personal," the New York senator said in a statement. "If retailers want to tap into your phone to see what your shopping patterns are, they can ask you for your permission to do so."
The CarrierIQ software is not dissimilar to the shopper tracking program. In fact, it's arguably worse since it follows you everywhere. In the age of social media, everybody is becoming increasingly aware of and often angry about the amount of private data companies are scooping up with or without their consent. This week, the Federal Trade Commission and Facebook came to an agreement that the social network must make all of their new programs opt-in so as not to break the law by violating users' privacy. Even Mark Zuckerberg admitted in a sincere-sounding blog post that his company had "made a bunch of mistakes" on the privacy front in the past. He went on to detail how "offering people control over the information they share online" was a top priority. This is Mark "Privacy Is Over" Zuckerberg we're talking about here. With Facebook reportedly building its own mobile phone platform, wouldn't it be super ironic if people started defecting from the Android army and switching to the Facebook phone in the name of privacy?
Your move, Google.
This article is from the archive of our partner The Wire.