Android and Carrier IQ: alarming claims, immediate questions

The claims of security expert Trevor Eckhart regarding data collection by Carrier IQ are among the most alarming of any I can recall in the IT industry. I dislike the way Facebook gets you to publish data about yourself almost without realising it, and the amount of personal data collected by Google, for example, but this is more worrying.

Eckhart says:

The very extensive list of Android security permissions granted to IQRD would raise anyone’s eyebrow, considering that it’s remotely controlled software, but some things such as reading contact data, Services that cost you money, reading/edit/sending sms, recording audio(?!??!?) and writing/changing wireless settings seem a bit excessive

and

The only choice we have to “opt out” of this data collection is to root our devices because every part of the multi-headed CIQ application is embedded into low-level, locked regions of the phones.

So what does Carrier IQ gather? Eckhart lists webpages visited, location statistics, media statistics, SMS texts, keys pressed, apps opened and focused, and even text sent over SSL (HTTPS) in browser sessions that you thought were secure.

If these claims are correct, then nobody who deals in confidential information should use an Android mobile with this installed. Since most of us have online bank accounts or other secure logins that we use on our mobile, that makes an Android phone a risky proposition for almost anyone.

My immediate questions:

  • Which Android devices have this software installed?
  • How soon will the affected operators give us a way to remove or disable it?
  • How can a concerned user discover whether or not his mobile is leaking private information?

Finally, now is the time for rivals such as Apple, RIM, or Microsoft and its partners to explain in plain English how their devices compare in terms of privacy. What data is gathered in the interests of:

the Carrier IQ solution gives you the unique ability to analyze in detail usage scenarios and fault conditions by type, location, application and network performance while providing you with a detailed insight into the mobile experience as delivered at the handset rather than simply the state of the network components carrying it.

as Carrier IQ puts it.