Carrier IQ
A few days after the Carrier IQ controversy broke with the aid of Trevor Eckhart, there’s been… more controversy and a little more information.
If you’re an iOS device user, things are pretty straightforward. When you buy an iPhone or iPad, what you get is down to Apple, not the carriers. Certainly, Apple lets carriers (via a kind of provisioning profile) dictate certain settings on an iPhone, but they don’t get to preload the devices with any applications—and certainly no background daemons, so anything sitting there on a non-jailbroken iOS device was put there by Apple.
Apple released a slightly oddly-worded statement (odd because it starts with “We stopped supporting CarrierIQ with iOS 5 in most of our products” — my emphasis), but the most important part is that it’s used as part of the explicitly opt-in “Send diagnostic data to Apple” option, and “We never recorded keystrokes, messages or any other personal information for diagnostic data and have no plans to ever do so.” So, not quite the same as what Eckhart demonstrated. My suspicion is that “most of our products” refers to the CDMA iPhone on Sprint.
Of course, some of you will be reading this and saying “but what about Locationgate? Wasn’t that just as bad?” — well, no, not really. Eckhart showed logging of every single keystroke (including those sent to HTTPS websites, for example). “Locationgate”, on the other hand, was a timestamped log of cell tower IDs which wasn’t emptied properly.
For its part, Carrier IQ has denied that it actually receives the sorts of information that Eckhart showed. Various other researchers have suggested that what Eckhart was showing was debug-logging, rather than the data being sent to Carrier IQ’s servers, and this theory stacks up. However, the information which is collected is gathered without explicit consent and without an option to disable it.
In the UK (and the rest of the EU, in fact), this isn’t a huge concern: this degree of data collection on the device without an explicit opt-in stands a good chance of breaching several different laws, and proceedings for breaching them would be costly and a publicity nightmare. By all accounts this controversy, such as it is, appears to be restricted to the US.
HTC—the manufacturer whose model was featured in Eckhart’s video—says that Carrier IQ has nothing to do with it, and that it will be looking at ways to prevent it from being used in the future, although given the nature of Android, this is either going to be pretty ineffective or the start of an arms race which doesn’t reflect well on anybody.
Google, like HTC, places the blame at the door of the carriers. They are, after all, free to install anything they like — and in this case they have.
Some carriers have moved to distance themselves from Carrier IQ, too. Verizon has said that Carrier IQ isn’t on any of its devices, although — rather unsurprisingly — demo instances of Carrier IQ targeting Verizon do exist.
If you’re using an Android, Nokia or RIM device in the US on AT&T or Sprint, then you’re left with a whole load of question marks.
The bottom line is this:
If you buy an Android device and didn’t “root” it, then you’re putting your trust in whomever you bought it from — be that a carrier, a manufacturer, or Google. Android can’t both be open source and prevent this kind of thing from happening.
If you buy an iOS device and didn’t “jailbreak” it, then you’re putting your trust in Apple.
Much the same applies to buying a PC: if you buy a PC from Dell and roll with the bundled operating system installation, you’re trusting Dell that the preloaded crapware won’t do anything terrible; if you reformat and install… well, anything, then it’s in your own hands.