Carrier IQ: The Sony rootkit all over again

Can someone legally record almost everything you do on your phone without telling you? Yes. Meet Carrier IQ, whose software is installed on nearly 142 million handsets

It turns out your phone may be spying on you even more than you thought.

Android developer Trevor Eckhart was tooling around with his HTC smartphone a few weeks ago when he discovered an unfamiliar app on it from a company called Carrier IQ.

[ Want to cash in on your IT experiences? InfoWorld is looking for stories of an amazing or amusing IT adventure, lesson learned, or tales from the trenches. Send your story to If we publish it, we'll keep you anonymous and send you a $50 American Express gift cheque. ]

That bit of code appeared to be capturing everything his phone did -- all numbers dialed, text entered, websites visited, buttons pressed, and so on, even while he was only using Wi-Fi -- and phoning home with that data.

The software was running in secret, not listed among his other running Android apps, and Eckhart could not force it to quit. In short, it was acting just like a rootkit used to hide malware.

So Eckhart posted his findings on his Android Security Test blog, along with training manuals he found on Carrier IQ's own site that explained how the software works, and called the Carrier IQ app a "rootkit."

Carrier IQ reacted to Eckhart's post by trying to squelch it. Its attorneys issued a nastygram to Eckhart, demanding that he take down the manuals (that CIQ had already made public) and threatening to sue him for $150,000 in damages, the maximum the law allows for a single copyright violation.

Carrier IQ also demanded Eckhart provide them with the names of everyone to whom he's provided the manuals (that CIQ had already made public), as well as personally retract the characterization of its software as a "rootkit."

Eckhart told CIQ to take a long walk off a short pier, more or less, and enlisted the Electronic Frontier Foundation to defend him.

Wired's Threat Level blog has a fascinating series on the battle between Carrier IQ and Eckhart, including a longish video on how the CIQ software works. Carrier IQ marketing manager Andrew Coward (no, I'm not making that up), told Wired that the software is used for:

...gathering information off the handset to understand the mobile-user experience, where phone calls are dropped, where signal quality is poor, why applications crash and battery life.

We're not looking at texts. We're counting things. How many texts did you send and how many failed. That's the level of metrics that are being gathered.

Coward answered "probably yes" when asked whether the company could read the text messages if it wanted.

Who uses Carrier IQ's software? Everybody. According to the company's own site, it's installed on nearly 142 million handsets.

Following the brouhaha, Carrier IQ decided it was better to switch than fight. CEO Larry Lenhart offered Eckhart a personal apology (there seems to be a lot of that going around these days) and withdrew the company's legal complaints. The company also issued a statement detailing all the things its software does not do -- record keystrokes, emails, or real-time data -- though Eckhart's video suggests otherwise.

Per the letter:

We are deeply sorry for any concern or trouble that our letter may have caused Mr. Eckhart, and in retrospect we realize that we would have been better served by reaching out to Mr. Eckhart to establish a dialogue in the first instance....

In addition, we would welcome the opportunity to start a discussion with you about these issues that we believe will be helpful to us, to our customers and to consumers that use mobile devices.

It turns out Carrier IQ's human IQ is higher than it first appeared.

Personally, I don't think CIQ set out to do anything other than measure carrier and handset performance. But using a piece of software that acts like a piece of malware is entirely the wrong way to go about that. Did they learn nothing from the Sony rootkit debacle of 2005? Hello?

CIQ's attempt to use a ridiculous legal threat to suppress this information is equally troubling. Then there are all these unanswered questions: What data does it actually capture? What data does it have the potential to capture, if the company wanted to? How is the data stored? Is it tied to unique user identities? How long does the company keep the data? Who else has access to it?

The issues are huge and the potential for abuse is enormous. How does CIQ mitigate all of this?

The apology was a decent start. Now it's time for some answers.

Do you have a spy in your pocket? Share your fears below or email me:

This article, "Is Carrier IQ spying on your cellphone?," was originally published at Follow the crazy twists and turns of the tech industry with Robert X. Cringely's Notes from the Field blog, and subscribe to Cringely's Notes from the Underground newsletter.

Copyright © 2011 IDG Communications, Inc.