Monday, December 12, 2011

Does Carrier IQ Record Text Messages and Emails?

There are now conflicting analyses regarding whether Carrier IQ's software (which was kept secret from consumers) goes as far, and captures as much information, as initially suspected. Now, this is NOT to say there aren't all kinds of questions that remain unanswered, nor is this to say that there still aren't deeply disturbing components to this story (see my past two posts for a complete detailing of this continually evolving story).

But we have now heard from Carrier IQ's Vice President and a Linux kernel hacker who just completed his own analysis of the software, and they say it's incapable of recording keystrokes or "perusing SMS messages and e-mail correspondence."

These assertions contradict the initial claims made by Android developer Trevor Eckhart (and demonstrated on video). Before I get to them, let's be clear on some of the real concerns and questions that remain, including: what the company does with all the data they've been collecting (even if they can't read emails and texts...they still know your searches, location, and app purchases...and more), what kinds of data it collects, why the software was buried so deep within the operating system and without consumer knowledge (or choice), what devices have this code installed, what carriers are aware of it (and what they might be doing with it, if anything), whether government/law enforcement has had any role in this process (including requests for access to data), and many more.

With that said, let's get to the latest analysis of this code from Cnet:

He found that contrary to what a slew of initial -- and erroneous -- reports claimed, the Carrier IQ software is not a keylogger and "cannot" be configured as one. "CarrierIQ cannot record SMS text bodies, web page contents, or email content even if carriers and handset manufacturers wished to abuse it to do so," Rosenberg concludes. "There is simply no metric that contains this information."


...

Rosenberg determined that Carrier IQ can, as a YouTube video by Trevor Eckhart indicated, record what digits are pressed in the dialer application. But it "cannot record any other keystrokes besides those that occur using the dialer," wrote Rosenberg, who says he has no affiliation or relationship with Carrier IQ.

...

Rosenberg suggested that carriers need to let consumers "opt out of any sort of data collection," that there should be "more transparency on the part of carriers in terms of what data is being collected from users," and that there "needs to be third-party oversight on what data is collected to prevent abuse." 

...

It's true that carriers already know what URLs you're visiting when you use their network--meaning that, in many cases, Carrier IQ can be configured to send them data they already have. Privacy concerns arise when a list of URLs is stored on the device and accessible to forensic analysis, when a list of URLs visited on a Wi-Fi network is transmitted, or when encrypted HTTPS URLs are leaked.

Sprint and AT&T, which have acknowledged they use Carrier IQ, have not elaborated on what options they have chosen to enable, except to indicate that the use is consistent with their privacy policies. 


Click here to read more.

Network World has a lot more:

In his blog post, a table lists the metric ID, the metric itself, the data sent, and the "situation" that triggers the metric:

* browser page render event

* location event, which can use GPS or other location data

* HTTP request sent, or response received (the URL, request type, content length, and so on, but not page contents)

* network state changes, sending an "internal identifier"

* a range of telephony and radio events (such as a dropped call, service issues, and so on)

* hardware event, sending data such as voltage, temperature, battery level

* key presses, but only in the phone dialer application

* miscellaneous GUI state changes, such as battery state

* starting or receiving a call or a failed call, which sends CallerID, state, and phone number

* application events such as a stopped app, or a new app, sending the application name

* questionnaire event, used when Carrier IQ is configured to present the user with a service questionnaire

* SMS message received or sent, which includes message length, phone number, status, but no text from the body of the message.


...

HTC's failure to disable the display of the debug statements constitutes a legitimate potential security threat to user information. These are a "risk to privacy," Rosenberg says, and HTC should mitigate that risk by disabling these debugging messages. But it's not a risk created by the CIQ software or the data it is able to collect.

In his blog post, Rosenberg spells out what the deconstruction of the CIQ code reveals about how the application actually works, as revealed by the metrics enabled for his Samsung phone.

"Taking this information into account, all of the data that is potentially being collected supports Carrier IQ's claims that its data is used for diagnosing and fixing network, application, and hardware failures," Rosenberg concludes. "Every metric in the above table has potential benefits for improving the user experience on a cell phone network. If carriers want to improve coverage, they need to know when and where calls are dropped. If handset manufacturers want to improve battery life on phones, knowledge of which applications consume the most battery life is essential."


...

Nonetheless, Rosenberg is critical of the way the Carrier IQ application has been implemented in the carrier-manufacturer relationship. End-users should be able to opt out of any sort of data collection; carriers should be clearer and plainer about what data is being collected from the phone, and why; and "there needs to be third-party oversight on what data is collected to prevent abuse."

Finally, he says, the "legality of gathering full URLs with query parameters and other data of this nature should be examined."


Click here to read more.

Due to time constraints, I'm going to have to discuss the interview with the VP of Carrier IQ in a future post, but you can check it out here...it's very comprehensive. What I will include is the conclusion reached by reporter Sean Hollister after conducting the interview (who's been all over this story from the outset):

Carrier IQ claims that it is not the source of the insecure log files discovered on HTC devices. Other technical details — including how exactly Carrier IQ stores and transmits its data and how carriers utilize it — are both comforting and disquieting by turns. Although more secure and less nefarious than originally feared, there may still be ample opportunity for malware to access its data. At the very least, how Carrier IQ’s software is implemented on various devices needs wider scrutiny from both security experts and regulators.

...the biggest takeaways are that Carrier IQ and its client operators have logical reasons for taking most of the information they do — and mind you, many forms of personal data, like the contents of SMS and emails, aren’t being tracked at all, and no data is tracked in real time — but by the same token, it feels like there may be a lack of oversight when it comes to mobile privacy.


We are slowly beginning to see a clearer picture of what this all means and what the potential threats to privacy really are...at this point, I think it's safe to say that the Carrier IQ software isn't as outwardly nefarious as initially suspected, and perhaps erroneously claimed by Mr. Eckhart. On the other hand, this in no way should dissuade anyone from demanding that more questions be answered - particularly how this code, with this kind of tracking capability, EVER could have been slipped into these products without the consumer's knowledge or ability to opt out (let alone opt in). This, in itself, is a dangerous precedent.

I think it's also important to point out that even the VP of Carrier IQ and the Linux hacker were clear in their support for a consumer's right to opt in to such tracking, as well as their dismay that consumers weren't even given this choice and that the code was kept secret.

Clearly, this entire episode, with its many questions still unanswered, points to the need for GREATER consumer control over data, which could be achieved, at least partially, through a Do Not Track mechanism. Another takeaway from this whole controversy is the need for improved transparency.

Jonathan Zittrain, Harvard Law School professor and cofounder of the Berkman Center for Internet and Society, has an idea for addressing this concern, stating, "It would be good to have some form of auditing function built into our devices. The auditing function can be implemented by Apple and by handset makers through Android. Make it part of the 'About' tab. And it would show with whom the phone has been communicating and the sorts of things it has been sending."

I will continue to follow this story here...
