By Harry McCracken | Wednesday, November 30, 2011 at 8:41 am
Android developer Trevor Eckhart says that Carrier IQ, a piece of software preinstalled on millions of smartphones to help wireless carriers monitor the quality of their service, secretly monitors users’ activities, records keystrokes, and transmits them to the company. I’m not a security expert, so I can’t judge the accuracy of his claims. But I do know this: The Carrier IQ folks need to clearly and honestly explain what’s going on. So far, their response has consisted mostly of threatening Eckhart and releasing a defensive-sounding statement that’s rife with buzzwords.
How about a calm, plain-English FAQ on what the software does and doesn’t do?
November 30th, 2011 at 9:33 am
Just throw on a sniffer. You'll know pretty quick.
November 30th, 2011 at 9:43 am
I actually watched the entire 17-minute video and this guy is making a big deal out of basically nothing. Eckhart's analysis shows that he isn't as technically savvy as his geeky video might suggest. For example, he doesn't understand how Carrier IQ can see his encrypted web traffic. Well, that's simple: Carrier IQ is "wired in" to the browser events, not the network stack.
It looks like Carrier IQ is foolishly not sanitizing its log entries. I believe the company when it says that it is aggregating information and not providing specifics (like actual keystrokes) to carriers.
A common version of this "problem" is found in eCommerce where servers naively log transactions including full credit card numbers (a no-no). The degree of hysteria over this is a PR nightmare for Carrier IQ — but it's just that: hysteria.
I agree completely with Eckhart that users should be able to remove this application (in fact, it should be an opt-in, not an opt-out).