Carrier IQ: What it is, what it isn't, and what you need to know

Carrier IQ has recently found itself swimming in controversy. The analytics company and its eponymous software have come under fire from security researchers, privacy advocates and legal critics not only for the data it gathers, but also for its lack of transparency regarding the use of said information. Carrier IQ claims its software is installed on over 140 million devices with partners including Sprint, HTC and allegedly, Apple and Samsung. Nokia, RIM and Verizon Wireless have been alleged as partners, too, although each company denies such claims. Ostensibly, the software's meant to improve the customer experience, though in nearly every case, Carrier IQ users are unaware of the software's existence, as it runs hidden in the background and doesn't require authorized consent to function. From a permissions standpoint -- with respect to Android -- the software is capable of logging user keystrokes, recording telephone calls, storing text messages, tracking location and more. It is often difficult or impossible to disable.

How Carrier IQ uses your behavior data remains unclear, and its lack of transparency brings us to where we are today. Like you, we want to know more. We'll certainly continue to pursue this story, but until further developments are uncovered, here's what you need to know.

What is Carrier IQ, anyway?

Privacy concerns surrounding Carrier IQ were initially brought to light by Trevor Eckhart, a security researcher who became alarmed by the extent of information accessible by the analytic software. In his video, Trevor presents many of his findings, which seemingly demonstrate Carrier IQ's keystroke logging, location tracking and ability to intercept text messages. Even information that should be transferred only within encrypted sessions is captured in plain text by Carrier IQ. During the entire demonstration, Trevor's phone was in airplane mode, operating only over WiFi. Although his actions were outside the scope of his wireless carrier (Sprint), the software continued to monitor his every key press. On his Android device, it's evident that Carrier IQ is running, even though it does not appear in the list of active processes. Further, the application doesn't respond to "Force Quit" commands, and it's set to start up when Android launches.

After watching Trevor's video, it's easy to form opinions that Carrier IQ may be the omnipresent snoop. In some ways, it is. The software has the ability to record nearly every action you perform with your phone. The actual data logged, however, isn't determined by Carrier IQ, but rather its clients. The system enables manufacturers and carriers to examine how phones are used, how they behave and to aid in resolving issues that customers may experience. Clients are able to define specific parameters they wish to track, and also set events that would cause the device to report this information back to Carrier IQ. For instance, a manufacturer may wish to know which currently installed applications use the most battery life, while a carrier may choose to query the devices that experienced a service outage in a particular region during a given time frame.

Unfortunately, without Carrier IQ or its clients being explicit about the information they track, there remains a very real concern for individual privacy. At present, nobody is handling this particularly well.

The company

Carrier IQ was founded in 2005 in Mountain View, California. It's a privately held operation, with investors including Accel Partners, Bridgescale Partners, Charles River Ventures, Mohr Davidow Ventures and Nauta Capital. Intel Capital is known to be a prior investor as well, although it's unclear whether it still holds equity in the firm. Carrier IQ's management of these privacy concerns so far has been a mess, to say the least. After Trevor Eckhart reported his findings, which included the company's training materials, Carrier IQ attempted to silence him with a cease-and-desist letter, demanding he replace his analysis with a statement disavowing his research. The company has since retracted its threat and apologized for its behavior, but not without first earning a black eye in the process.

The company's newly appointed CEO, Larry Lenhart -- who remains part of Mohr Davidow Ventures -- recently published a video to YouTube explaining the firm's stance on privacy, in which he outright denies that Carrier IQ records keystrokes or provides tracking tools. Perhaps the company is truthful in its assertion, although the statement seems to contradict the design and capabilities of its software.

The software

For some further insight into Carrier IQ, we'll examine some of these aforementioned training materials that we obtained from Trevor Eckhart's website, along with one of the company's patents concerning data collection. On the analytics end, the software features a portal that allows administrators to create events that would trigger a Carrier IQ-enabled device to "phone home," and choose the data which is to be sent. Alternatively, admins may submit queries to individual devices using an equipment or subscriber ID, or they may query pools of handsets by inserting wildcards into the string. The extent of information available to administrators upon querying a specific device is unknown.

Seemingly contradictory to Carrier IQ's assertion that it does not collect keystrokes is the company's patent application #20110106942, published May 5, 2011. An excerpt of the claims follows:

2. A method for collecting data at a server coupled to a communications network, comprising: transmitting to a device a data collection profile, wherein the data collection profile comprises a plurality of parameters defining a set of data to be collected by the device, a first condition under which the set of data is to be collected, and a second condition under which the set of data is to be transmitted; and receiving from the device the set of data collected in response to the second condition.

10. The method of claim 2, wherein the set of data relates to an end user's interaction with the device.

11. The method of claim 10, wherein the interaction with the device comprises the end user's pressing of keys on the device.

The response

For its part, Sprint has denied any foul play:

"Carrier IQ is used to understand what problems customers are having with our network or devices so we can take action to improve service quality. It collects enough information to understand the customer experience with devices on our network and how to devise solutions to use and connection problems. We do not and cannot look at the contents of messages, photos, videos, etc., using this tool."

HTC also insists it's benign:

"HTC, like most manufacturers, has an opt-in error reporting function built in to our devices. If your phone experiences an error, you have the option of 'Telling HTC' so we can make improvements to our phones. Details about this are in our privacy policy on each device and in order for data to be collected, you have to opt-in. If you do opt-in, we protect your privacy by de-identifying and encrypting the data. HTC is committed to protecting your privacy and that means a commitment to clear opt-in/opt-out as the standard for collecting any information we need to serve you better."

As the Carrier IQ controversy comes to a boil, it's not only privacy advocates that are taking notice. Paul Ohm, a former prosecutor for the Department of Justice and current professor at the University of Colorado Law School, believes the software may violate federal wiretap laws, based on its perceived collection of text messages without users' consent. If so, says Ohm, then there are sufficient grounds for a class action lawsuit. He adds, "In the next days or weeks, someone will sue, and then this company is tangled up in very expensive litigation. It's almost certain."

There's no denying that lawsuits can be a royal pain for everyone involved, but if it escalates to that level, a good possibility exists that Carrier IQ will be required to disclose the extent of its data collection in the discovery process. Our take? If it requires a courtroom battle to force transparency about the collection of your information and usage habits, then bring it.

In an industry where the protection of intellectual property is paramount, it seems that so much of this controversy could have been avoided with a simple opt-in policy. Executed properly, Carrier IQ has the potential to improve the quality of service for millions of mobile customers -- provided that the data collected stays on the up-and-up. What remains clear is that until Carrier IQ or its partners address these privacy concerns with explicit evidence and formal policies to the contrary, this issue isn't going away.

What you can do

If you're curious about the existence of Carrier IQ on your current Android handset, a simple application from Trevor Eckhart will give you the answer. His Logging TestApp requires that your phone be rooted, but thankfully, once you've gone that far, you've got a decent shot of removing the software from your phone entirely. Perhaps the most direct way to distance yourself from Carrier IQ is by installing a custom ROM that's built from the Android Open Source Project (AOSP). Alternatively, the pro version of Logging TestApp -- available in the Android Marketplace for $1 -- has also proven successful in most situations. Methods also exist for manually removing Carrier IQ from individual devices, which can be found within the forums of xda-developers.

Naturally, we're going to treat this as a developing story, and will continue to provide more information as it becomes known.

Latest updates
  • Jeffrey Nelson of VZW corporate communications has confirmed that Carrier IQ isn't on any of its handsets.

  • All Things D has gotten a statement from Apple on the Carrier IQ situation. It says that it "stopped supporting CarrierIQ with iOS 5 in most of our products," and that it will "remove it completely in a future software update." The company's full statement is as follows:

    We stopped supporting CarrierIQ with iOS 5 in most of our products and will remove it completely in a future software update. With any diagnostic data sent to Apple, customers must actively opt-in to share this information, and if they do, the data is sent in an anonymous and encrypted form and does not include any personal information. We never recorded keystrokes, messages or any other personal information for diagnostic data and have no plans to ever do so.

  • In addition to Sprint, AT&T has now also confirmed that it does indeed use Carrier IQ on its handsets, but both carriers insist that it is solely being used to improve network performance. For its part, Microsoft has confirmed that Windows Phones do not have Carrier IQ on them -- that word comes straight from Joe Belfiore.

  • And the statements keep on coming. Here's the latest word from HTC, which lays the blame squarely on the carriers:

    Carrier IQ is required on devices by a number of U.S. carriers so if consumers or media have any questions about the practices relating to, or data collected by, Carrier IQ we'd advise them to contact their carrier.

    It is important to note that HTC is not a customer or partner of Carrier IQ and does not receive data from the application, the company, or carriers that partner with Carrier IQ. HTC is investigating the option to allow consumers to opt-out of data collection by the Carrier IQ application.

  • Like clockwork, Carrier IQ has re-reiterated its stance:

    Carrier IQ is aware of various commentators alleging Carrier IQ has violated wiretap laws and we vigorously disagree with these assertions. Our software makes your phone better by delivering intelligence on the performance of mobile devices and networks to help the Operators provide optimal service efficiency. We are deployed by leading Operators to monitor and analyze the performance of their services and mobile devices to ensure the system (network and handsets) works to optimal efficiency. Operators want to provide better service to their customers, and information from the device and about the network is critical for them to do this. While in-network tools deliver information such as the location of calls and call quality, they do not provide information on the most important aspect of the service - the mobile device itself.
