Security Researcher Says Carrier IQ Charges Contain 'Misinformation'
Even as government officials around the world are beginning to investigate the Carrier IQ software installed on millions of smartphones, a security researcher is saying that claims the company had been improperly collecting personal data are "erroneous." Dan Rosenberg of Virtual Security Research, who says he has no professional ties to Carrier IQ, wrote that the reaction to the software contains a lot of "misinformation."
In a posting Monday on his security research blog, It's Bugs All the Way Down, Rosenberg said Carrier IQ "is a piece of software installed on phones that accepts pieces of information known as metrics."
Some 'Important Conclusions'
Rosenberg said that the software decides if a submitted metric is "interesting," based on the current profile on the device. The profile determines the relevance by assessing whether the information assesses a given aspect of phone service, such as reception or battery life. The software's determination of relevance also determines if the metric is sent to the carrier or not, in order to evaluate, say, dropped calls.
After a detailed analysis of Carrier IQ on a Samsung Epic 4G Touch, Rosenberg wrote that he reached a "number of important conclusions."
For one thing, he said, he found that the Carrier IQ software on the phone could not record textual content from SMS messages, Web pages, or e-mail, even if that carrier wanted the information, because there is no metric for it.
He found that the software can record dialer buttons, and speculated that carriers already have legal access to that data. But, Rosenberg said, the Carrier IQ application on the Epic 4G Touch cannot record non-dialer keystrokes, such as inputting a text message. However, the software can record GPS location data "in some situations," and can record URLs that are visited.
Although Carrier IQ is citing Rosenberg's investigation to support its position that user confidentiality is not being violated, his posting does not let them off the hook completely. He notes that, for instance, metrics are determined by carriers, consumers should be able to opt out of any sort of data collection, and "there needs to be third-party oversight on what data is collected to prevent abuse."
The controversy exploded recently after Connecticut-based security researcher Trevor Eckhart posted a video that he said showed the Carrier IQ software, pre-installed on as many as 140 million Android, BlackBerry, and Nokia smartphones, sending text messages, searches, and other user actions to the carrier without the user's knowledge or consent. Eckhart said that "every button you press in the dialer" is sent even before a call is made, and even when the owner is using Wi-Fi and not the carrier's network.
In the furor that has erupted, some observers have suggested that federal wiretap laws may have been violated. But Mountain View, Calif.-based Carrier IQ has denied Eckhart's charges.
In a statement on its Web site, the company said that, while there is a "great deal of information available to the Carrier IQ software inside the handset, our software does not record, store or transmit the content of SMS messages, e-mail, photographs, audio or video." As examples, the company said that its software knows that a SMS was sent accurately, but it does not record or transmit its content.
Several class-actions lawsuits against Carrier IQ, phone makers and carriers have been filed in the U.S. Privacy regulators in various countries, including Germany, the U.K., and France, are looking into possible violations, and, in the U.S., Sen. Al Franken, D-Minn., has sent letters to Carrier IQ, Sprint Nextel, AT&T, HTC, Samsung, and Sprint to find out exactly what data is being collected and how it is being used.
Sprint, for one, has replied that the data is being used to "analyze network performance" and that the software does not and cannot "look at the contents of messages."