Software recording data & keystrokes on millions of smartphones. Windows Phone exempt?

If you haven't been following the Carrier IQ saga, let us try to recap it for you. Going back to October, it was reported that software on HTC Android phones was recording data and, as Android Central lightly put it, "storing it sloppily". Information that was collected included phone numbers, geolocation and account names. It doesn't identify you per se with your name, but rather your device ID. Still, people rightly raised a storm. Turns out that software had a name: Carrier IQ.

Fast forward to last week when Trevor Eckhart -- aka TrevE -- wrote in detail about what Carrier IQ was actually doing on the phone. The company Carrier IQ did not like this and made some legal threats against him, prompting the Electronic Frontier Foundation to step in. Carrier IQ (or just CIQ) quickly backed down and things looked to be at a standoff. CIQ then put out a press release stating that their software:

  • Does not record your keystrokes.
  • Does not provide tracking tools.
  • Does not inspect or report on the content of your communications, such as the content of emails and SMSs.
  • Does not provide real-time data reporting to any customer.
  • Finally, we do not sell Carrier IQ data to third parties.

Now, Eckhart has just published a second video (after the break) in response to CIQ's press release which seemingly contradicts just about all of the above. In the 17-minute-long video (it gets good at about 8 minutes), Eckhart goes through and in real time shows how keystrokes are recorded, including phone numbers dialed, how HTTPS data is sent unencrypted, how text message data is accessed and, of course, that you really don't know that this app is running. All of this is performed on a stock Sprint EVO 3D and EVO 4G. What makes all of this troubling is the fact that (a) you aren't told about it and (b) you can't uninstall the software. You need to root the phone and load on a new, custom OS to get rid of it...

The software has, perhaps unsurprisingly, been found on mostly Android devices but also BlackBerry and Nokia (presumably Symbian). The company Carrier IQ states that their software is mostly a tool for the carriers to understand how phones are being used to better improve the experience, but obviously what's been revealed in the video below is a tad alarming, to say the least.

At this time, Windows Phone seems to be exempt from such software as we have seen no reports nor evidence to make us believe this is an issue with our OS. That seems to be because Windows Phone OS is controlled by Microsoft directly and OEMs/Carriers cannot significantly alter the base code. Still, we're contacting some people who may know more on the topic, so we'll keep you posted.

Update: We pinged ChevronWP7 member Rafael Rivera on the matter. He chimed back noting he has found no evidence for CIQ on Windows Phone, so we look to be in the clear. Once again, we can leave this to the Android crowd to sort out.

In the meantime, bust out your tinfoil hats and sound off in comments.

Source: Android Security Test, YouTube; via Wired

Daniel Rubino


  • This is insane. This should be a lawsuit against carriers. I'm sure they are covered in the fine print as you sign and receive your new shiny track me device. It's a damn shame...
  • This doesn't surprise me. Android is the most unsecure system on the market. This is what you get when you go with an open source system.
  • He claims BlackBerrys too, which are supposed to be the most secure smartphones. I'd like to see that video though...
  • And now news of RIM's OS being jailbroken. Good news that nothing seems to be on WP. Fast becoming the primary device in my life.
  • Just the Tablet OS, not the phones.  And no specifics yet.  ;)
  • What amazes me is that CIQ actually thought they could get away with lying about data collection and then threatening TrevE with legal action. Don't they know hackers live to uncover the hidden aspects of their devices?
  • It looks like this program can track every single thing you do right down to your every key press.  I don't think carriers/OEMs retrieve that much information from your phone - yet some random third party is recording it all.  That's going way too far.  What's most upsetting is that such a program didn't end up on the phone(s) by mistake.  The new commodity of the 21st century is our personal data.  This confirms that privacy isn't eroding... it's already gone. 
  • I love your last sentence
  • This video doesn't show what the app does with that data. I remember years ago people were talking about how Microsoft is collecting data on them in Windows. It was also a ridiculous claim.
    The problem with collecting this data is the amount of data you'll need to handle. It's just too much. There's no way all of those keypresses and SMS messages are sent somewhere (and the video doesn't attempt to check that).
    What they might be doing is collecting usage statistics and sending the aggregated results. But even though those events in the log look fishy, the written posts on that over at XDA made it sound a lot more serious than what this video shows.
  • The video shows clear text being recorded in an HTTPS session, by a 3rd party "service" that the vast majority of users don't even know exists, let alone being able to easily opt out of.
    That's pretty serious, no matter how you slice it.
  • You are right that it is a huge amount of data that would be sent to CIQ, but all they have to do is to archive any group of phones' data they would want to keep and delete the rest. They could then sell that information to anyone they want. It is very nefarious and this should be immediately investigated by the DoJ.
  • I wouldn't be at all surprised if there were something similar on WP - and all mobile devices:
    "Settings">"Feedback" > "Enabled"...what the hell do you think that's doing? Telling mommie where you are?
    This is a VERY competitive environment and ~ as Windows Phone demonstrates so well to those of us who have drunk the Kool-Aid ~ it's all about the experience. Anyone who doesn't understand that measuring that experience - by recording it - is key to improving it and growing the product's market share is naive - at best.
    Anonymity in the digital age is but a myth!
  • What in blue hell are you talking about? Opt-in/opt-out feedback is completely different from oft-hidden carrier-installed apps monitoring your specific location via GPS, key-logging and having the ability to record conversations *you can either watch Sassibob's video about this or download Super Manager and view the permissions yourself, Android users*. Either way, I guess WP users are fortunate not to have this issue (yet).
  • On your Windows Mango Phone, go to Settings-Keyboard-Typing Settings. Hmmm, what is that "Send keyboard touch information to improve typing and more"? Click Learn More to read that WP also sends keystrokes to improve experience; of course there is opt out, hopefully it works.
  • Comparing this to Carrier IQ is just wrong on so many levels. First, the fact that it's easy to turn off the Typing settings (disregarding your implication that MS is lying when they say you've really opted out).
    These are agreements between you as an end user and the handset maker / OS maker, that you can easily choose to participate in or not.
    Users by definition establish a financial relationship with MS, Apple or HTC etc (Google not so much because of their distribution/business model) and have to trust that they're being honest when it comes to privacy and EULAs.  Over the past few years I've actually come to trust MS more than other software companies after reading privacy policies and EULAs, because they've often evolved (or are boilerplates) from their enterprise services, where privacy and security are of tantamount importance.  
    Carrier IQ is a completely different beast.  It's a 3rd party background task capable of recording everything you do including phone calls, that you as an end user didn't even know existed until TrevE posted his initial findings.  Even then, only those of us curious enough to follow sites like WPCentral, Android Central, XDA Devs etc are aware of it.  
    The existence of IQRD makes devices less secure, even if Carrier IQ isn't doing anything with the data, as it becomes a malware vector.  A clever hacker could write malicious code that only monitors for IQRD events and scoop that information, as opposed to developing its own full fledged rootkit.
    Sorry, but I don't think the Carrier IQ story should be brushed off so easily.
  • I don't see where he proves anything here. He's looking at a debug window; have any of you ever looked at a debug out window before? Did you know that a computer is actually not magic and many things are going on behind the scenes? It shows you everything that is happening internally to assist in troubleshooting. How does this translate into anything being recorded or tracked? I didn't see where it actually sends the data to a tracking site, did I miss something?
  • I'd say you missed some of the backstory, as pointed out via this link in the article...
    wrote in detail what Carrier IQ was actually doing on the phone
    TrevE made this second video only to demonstrate that CIQ does record just about everything your phone does.  In the link above, he further describes Carrier IQ's Process Flow and how much information remote "portal administrators" have...
    From training documents found we get an insight to the Carrier IQ Portal.  Devices are displayed to the portal operator by individual phone Equipment ID and Subscriber IDs.  The “portal administrator” can put devices into categories and see devices in California that have dropped calls at 5pm.
    The down side to all of this is the “portal administrator” is also able to “task” a single  phone with a profile containing any combinations of metric and trigger (bold added to point out any recorded by the IQRD process on the phone).  From leaked training documents we can see that portal operators can view and task metrics by equipment ID, subscriber ID, and more.  So instead of seeing dropped calls in California, they now know “Joe Anyone’s” location at any given time, what he is running on his device, keys being pressed, applications being used.
    The initial post itself is very interesting.  A 3rd party you as an end user have no control over is able to record everything you do on your phone, and where you did it, even if you turned geo-location on your device.  It's also worth pointing out that while TrevE doesn't explore it since he doesn't actually make a call, the IQRD process even had root access to record audio.
  • We are in the age of well developed technology. I think every user should learn about the activities on their cell phone.