Last week, an Android hacker named Trevor Eckhart posted a video showing that an unkillable application running on Android smartphones is logging just about every action taken on the phone. In essence, it appears to be a built-in and sanctioned keylogger that delivers all that personal info to ... someone (presumably Carrier IQ). It may even be happening in real time, although Carrier IQ disputes that -- and notes the data is only transmitted in small doses, as if that makes it OK.
Eckhart's video demonstration reveals the logging output of an HTC Android device, which clearly shows that Carrier IQ's software is called when most buttons are pressed, when an SMS is received, and when a website is visited. Importantly, he demonstrates that visiting a supposedly encrypted SSL-secured site still delivers the URI to the Carrier IQ agent. The information is handed to Carrier IQ's agent on the phone before the actual request is made, as a keylogger would do.
So far, AT&T, Sprint, T-Mobile, HTC, and Samsung have confirmed that their phones include the tracking software; it appears to be disabled on the iPhone, and RIM has denied that the Carrier IQ software is on the BlackBerry. Nonetheless, it seems clear that a whole bunch of smartphone users have been carrying around a device that has been watching their every mobile move -- including their location. Armed with this information, it's trivial to know where any given person carrying that phone is at any given time, who they're calling, what they're texting, and so on and so forth. Essentially, it's not just a keylogger -- it's a lifelogger.
Ostensibly, the Carrier IQ software enables carriers to gather data about the performance of their network, which could be considered a useful and pertinent tool. However, collecting data on the user's every move -- including unencrypted URI strings used on SSL sites -- goes way too far. But heck, Carrier IQ even boasts about that on its site:
IQ Insight Experience Manager uses data directly from the mobile phone itself to give a precise view of how users interact with both their phones and the services delivered through them, even if the phone is not communicating with the network. ... Identify exactly how your customers interact with services and which ones they use. See which content they consume, even offline.