The firestorm surrounding the Carrier IQ software built into Android and other smartphones may have been just a wee bit overblown, according to security researcher Dan Rosenberg. The software (or "rootkit") -- deemed highly intrusive in a recent report by Trevor Eckhart -- cannot record the content of text messages, Web pages, or email, "even if carriers and handset manufacturers wished to abuse it to do so."
Rosenberg, who works for application security company VSR, independently conducted an in-depth test of the Carrier IQ software, investigating the software's hooks into Android, what sort of data the software can collect, and in what situations. In a nutshell, Rosenberg concludes that Carrier IQ shows no sign of "evil intent" -- and provides a potentially valuable service in helping to improve mobile users' experience on cellular networks.
[ See Paul Venezia's post "The Carrier IQ scandal: Enough is enough." Check out "Is a privacy backlash brewing?" by InfoWorld's Eric Knorr. Galen Gruman reveals the even worse privacy invasions occurring today. And Roger A. Grimes reveals how the government is amassing huge amounts of citizens' information. | Get a digest of the key stories each day in the InfoWorld Daily newsletter. ]
Rosenberg did observe that Carrier IQ -- like any mobile app -- could be modified for nefarious actions. What's more, Rosenberg says that Carrier IQ -- and more so, smartphone manufacturers and carriers -- need to do better at protecting user privacy.
For his test, Rosenberg examined the version of Carrier IQ software that comes built in to the Samsung Epic 4G Touch. The researcher notes that the versions of Carrier IQ differ from device to device; and that carriers and smartphone makers ultimately decide just what sort of data the software records and reports. As an example, AT&T might want to gather data about dropped calls or battery life. The company relays its desires to smartphone makers, who in turn tweak the Carrier IQ software to send along data pertaining to dropped calls or battery life when certain criteria are met.
The specific situations or types of data that Carrier IQ collect and sends varies from smartphone to smartphone, though remain constant on a particular smartphone model. But in general, Rosenberg's findings are as follows:
- Carrier IQ cannot record SMS text bodies, Web page contents, or email content even if carriers and handset manufacturers wished to abuse it to do so. There is simply no metric that contains this information.
- Carrier IQ (on this particular phone) can record which dialer buttons are pressed, in order to determine the destination of a phone call. I'm not a lawyer, but I would expect cell carriers already have legal access to this information.
- Carrier IQ (on this particular phone) cannot record any other keystrokes besides those that occur using the dialer.
- Carrier IQ can report GPS location data in some situations.
- Carrier IQ can record the URLs that are being visited (including for HTTPS resources), but not the contents of those pages or other HTTP data.