Carrier IQ

If you haven't been following the Carrier IQ saga, let us try to recap it for you. Going back to October, it was reported that software on HTC Android phones was recording data and, as Android Central lightly put it, "storing it sloppily". Information that was collected included phone numbers, geolocation and account names. It doesn't identify you per se with your name, but rather your device ID. Still, people rightly raised a storm. Turns out that software had a name: Carrier IQ.

Fast forward to last week, when Trevor Eckhart -- aka TrevE -- wrote in detail about what Carrier IQ was actually doing on the phone. The company Carrier IQ did not like this and made some legal threats against him, prompting the Electronic Frontier Foundation to step in. Carrier IQ (or just CIQ) quickly backed down and things looked to be at a standoff. CIQ then put out a press release stating that their software:

  • Does not record your keystrokes.
  • Does not provide tracking tools.
  • Does not inspect or report on the content of your communications, such as the content of emails and SMSs.
  • Does not provide real-time data reporting to any customer.
  • Finally, we do not sell Carrier IQ data to third parties.

Now, Eckhart has just published a second video (after the break) in response to CIQ's press release, which seemingly contradicts just about all of the above. In the 17-minute-long video (it gets good at about 8 minutes), Eckhart goes through and shows in real time how keystrokes are recorded, including phone numbers dialed, how HTTPS data is sent unencrypted, how text message data is accessed and, of course, that you really don't know that this app is running. All of this is performed on a stock Sprint EVO 3D and EVO 4G. What makes all of this troubling is the fact that (a) you aren't told about it and (b) you can't uninstall the software. You need to root the phone and load a new, custom OS to get rid of it...

The software has, perhaps unsurprisingly, been found on mostly Android devices but also BlackBerry and Nokia (presumably Symbian). The company Carrier IQ states that their software is mostly a tool for the carriers to understand how phones are being used to better improve the experience, but obviously what's been revealed in the video below is a tad alarming, to say the least.


At this time, Windows Phone seems to be exempt from such software, as we have seen no reports or evidence to make us believe this is an issue with our OS. That seems to be because Windows Phone OS is controlled by Microsoft directly and OEMs/Carriers cannot significantly alter the base code. Still, we're contacting some people who may know more on the topic, so we'll keep you posted.

Update: We pinged ChevronWP7 member Rafael Rivera on the matter. He chimed back noting he has found no evidence for CIQ on Windows Phone, so we look to be in the clear. Once again, we can leave this to the Android crowd to sort out.

In the meantime, bust out your tinfoil hats and sound off in comments.

Source: Android Security Test, YouTube; via Wired