The half life of the CarrierIQ “rootkit” scandal proved to be a little more than a week. That’s about how long it took for Trevor Eckhart, a young, Connecticut-based Android developer to begin raising questions about some stealth software he discovered running on Android phones by HTC and speculation in the media and online to run rampant about what kinds of spying said software might be engaged in. It was time enough for CarrierIQ to issue a lawyer letter threatening to sue the Eckhart and the Electronic Frontier Foundation to come to his defense and even for Congress to get involved – each of which ensured even more news cycles would be taken up with the mini-controversy. And it was time, at long last, for more information to become available about what was really going on with CarrierIQs software, and for cooler heads to prevail on both sides. The question, now, is why incidents like this provoke our anger so – and what we can do to stop them from happening again. 

For those of us in the digital peanut gallery, the firestorm around CarrierIQ’s software may have seemed like déjà vu. Wasn’t it just a few months ago that we were in the middle of a similar media firestorm about another rootkit-like feature, this one hidden away on Apple iPhones?  If you’ve been around for a while, you also recall the infamous Sony DRM rootkit scandal, in which that company secretly pushed rootkit-like content protection software onto customers computers. That scandal began with a tell-all blog post by security researcher Mark Russinovich in October, 2005 and ended 15 months later with the FTC’s announcement of a settlement with Sony for violations of Federal law.

The details of each of these cases are different even if the outcome (lawsuits) is the same. What is similar in each is the public outrage and the backlash that resulted after they came to light. Why? you might ask. After all, Internet users willingly surrender all manner of personal information to advertisers, social networking companies and retailers every day, don’t they?

The truth is that each of these cases are sterling examples of technology firms overreaching badly. CarrierIQ may merely be an arms dealer, but its customers, like Sony before them, took a corporate mission to serve customers, protect shareholders or, merely, to move product as a wide ranging mandate to violate the privacy of consumers who were guilty of nothing more than using what is, after all, a ubiquitous piece of technology (laptop CD players in one case, and smart phones in the other). (A Sony executive famously told a National Public Radio reporter that most users “don’t even know what a rootkit is… so why should they care?”) Presented with Eckhart’s findings, venture-funded CarrierIQ didn’t distinguish itself. Instead, its first thought was to summon attorneys to try to scare Eckhart to cease and desist, threatening to charge him with copyright infringement under the Digital Millenium Copyright Act. 

In the end, the company backed off, especially after receiving a letter from Mr. Eckhart’s counsel – the Electronic Frontier Foundation calling attention to the fact that Mr. Eckhart was permitted to discuss his work under the principle of Fair Use and, oh yeah, the First Amendment, too!

Let’s be fair here. With the benefit of hindsight, it seems likely that Mr. Eckhart overstepped his bounds in calling CarrierIQ a keystroke logging rootkit. But he probably didn’t overstep by much. True, subsequent analysis by respected security folk support the company’s attestations that it isn’t logging phone users’ keystrokes. That means CarrierIQ’s software doesn’t read your text messages or e-mails.

But CarrierIQ has been careful about not denying that it is collecting all manner of other information for the use of its customers. As this article in Wired, based on a one-on-one meeting with CarrierIQ executives, makes clear: the company’s software collects all manner of information about the device, including what applications are installed and running, its CPU output and data connectivity.  What else? How about website addresses that a phone users visits and even the content of encrypted searches that users do. As Wired points out, that’s a boon to carriers and other CarrierIQ customers, who would be shielded from the content of those searches without the CarrierIQ client running on the device. 

“We do recognize the power and value of this data…We’re very aware that this information is sensitive. It’s a treasure trove,” Andrew Coward, CarrierIQ’s Chief Marketing Officer told Wired.

The responses of CarrierIQ’s various customers in the wake of the Eckart revelations are also no cause for relief. Carriers and handset makers alike queued up to swear they used CarrierIQ in keeping with their corporate privacy policies, didn’t collect or read the content of customers communications, and didn’t resell the information they gathered. Apple, caught with its hand in the privacy cookie jar, said it did use CarrierIQ’s software, but didn’t monitor text messages and, besides, it was going to stop using it…really soon!

The whole spectacle brought to mind the scene from the Bill Murray classic “Stripes” in which an Army recruiter asks Murray’s character John Winger if he’s ever been “convicted of a felony?” To which Winger replies, cryptically, “Convicted? No…never convicted.” Its the right answer, of course, but you don’t feel better for having heard it.

Of course, carriers are well within their rights to monitor the performance of their cell phone networks, as their customers experience it. And it makes sense that having eyes and ears on customers’ phones can make troubleshooting support calls like “I can’t get Facebook to run on my Android phone” easier. What’s disturbing in the CarrierIQ case is the presumption that customers had no say in the kinds of monitoring their cell provider could perform, or that – by merely agreeing to use a smart phone – they tacitly condoned a wide range of onerous monitoring. Many of us have the experience of clerks in checkout lines who might ask us for store reward cards or even our phone number as a courtesy. In theory, this allows the store to keep track of our buying habits and better tailor offerings to us. Few of us, however, would also agree that its ok for that store to surreptitiously reach into our wallet, phone or laptop to grab our Social Security Number and home address, our annual income, what we’ve searched for, what other purchases we’ve made and so on.

And, as Eckhart rightfully points out in his analysis, CarrierIQ monitors activity both when the phone is connected to the carrier’s network – and when it isn’t. While we might allow that telcos have a right to monitor the performance of their network, its not clear that knowing what Web sites you surfed to over Starbuck’s Wifi is their pervue.  Should CarrierIQ and its clients really be surprised that the public is outraged when its revealed that they’ve been doing just that to 150 million smart phone users in the U.S.?

What’s the proper course of action? Well, its disclosure and transparency, of course. And, in this case, we’re inclined to forgive CarrierIQ which is, after all, merely a tool maker. The onus lies on carriers and handset makers to disclose in clear and unambiguous language to customers that they’re using software like CarrierIQ’s, what that software does (not what it “might” do), the upside and downside to enabling the software, and then giving customers the ability to enable, disable or otherwise tweak the kinds of monitoring that happens on their phone. Things being as they are, its likely that a vast majority of mobile phone users could care less what kind of device monitoring is happening on their phone, but at least they’re making an informed decision (or non decision), not merely having their consent assumed. As then-FTC Chairwoman Deorah Platt Majoras pointed out to Sony in settling the government’s case over the DRM rootkit. “Consumers’ computers belong to them, and companies must adequately disclose unexpected limitations on the customer use of their products so consumers can make informed decisions regarding whether to purchase and install that content.” Amen.

Finally, the CarrierIQ bruhaha is also another clarion call (how many do we need?) to lawmakers in Washington D.C. of the need for comprehensive data privacy legislation that will clarify the privacy rights that consumers are entitled to, and impose harsh penalties for software makers, telecommunications companies and marketers who are want to violate those rights. In the wake of the CarrierIQ incident, as well as other recent exposes by the Wall Street Journal, New York Times and other able news outlets, its no longer credible for law makers to claim that they haven’t been warned of the scourge of commercial snooping that’s going on in the fast-paced world of mobile phones and smart phones. Its now time for them to step up, do their job and impose order on a market that’s in danger of spinning out of control.

Categories: Apple, Hacks, Mobile Security, Social Engineering

Comments (5)

  1. David
    1

    Is it a rootkit and does it have keylogging capability?

    If it does is there a possibility that a hacker could take control of it or the device it is running on  and divert information to the hacker?

  2. Anonymous
    2

    Love the Stripes analogy.

    All of these telcos and their executives belong behind bars, and the last administration. Their blatant statements that they were breaking privacy laws in the US and were going to continue doing so is despicable.

  3. Anonymous
    3

    Not sure if anyone else noticed, but Verizon is already playing CYOA. I recieved a letter in the mail the other day that was a disclosure basically telling me that they were allowed to collect my web usage to better serve the advertising industry and informing me that there is an opt out program.

    In my opinion this is illegal. Due to that fact that my device has WiFi they are collecting personal information that they have absolutely no right to. Even on the carrier network they do not have a right to it unless they are going to give me some sort of discount for proving the feedback to them. Big companies wont be happy until they make enough money from all the spying to cover operational costs and your bill is pure profit.

    Congress needs to end it now. 0 is my toleance level for this.

  4. Anonymous
    4

    I worked in an ex soviet republic for 12 years.  I noticed that you advertise Kaspersky.

    I found a keylogger on an internet cafe, wih Kaspesky installed, that was allowed ot run by kaspersky, but immediately picked up by AVG after I copied it and took it home.

    A day after I challenged the owner, the cafe disappeared.  Seems like a KGB payout. I don’t trust Kaspersky.

  5. Paul Roberts
    5

    Would be interested in seeing the letter. Do you know if others received it? Anyone posted it online? 
    -Paul 

Comments are closed.