The popular blog Talking Points Memo (TPM) has done yeoman’s work in keeping on top of this shocking story.
The culprit is a inconspicuous piece of code called Carrier IQ.
Last month, several online technology news sources revealed the existence of what TPM calls “the whopper of all real-life tech conspiracies.” The little piece of surveillance software remotely and real-time tracks the location of users, as well as every keystroke, every text message, and every word or phrase searched using the device’s browser. All of this is recorded without even the tacit consent of users.
The smartphone companies responsible for burying this noxious bit of programming in their firmware include all the biggies: iPhone, Android, Nokia, and BlackBerry.
As shocking (and illegal — more on that later) as this revelation is, there is an aspect of the story that is still a mystery and could be more unsettling than the discovery of the code’s existence. The as yet unanswered question: Who is gathering and collecting this crucial and personal user data?
The manufacturers of the handheld devices are blaming the cellphone companies, who in turn deny any knowledge of the tracking software’s inclusion in their products.
Regardless of where the finger of blame should rightly point, the creator of the program (a company appropriately named Carrier IQ), AT&T, Apple, Inc., Sprint Nextel Corporation, and T-Mobile USA are now defendants in a class action suit filed by customers in federal district court in Delaware. The service providers, Carrier IQ, and Apple are accused by the plaintiffs of violating several federal statutes prohibiting wiretapping and computer fraud.
Applicable provisions of the relevant laws forbid willful interception of wire or electronic communication. The penalty for breaking this law is $100 a day per violation.
Details of the complaint were reported by Business Week online:
Four consumers filed a complaint yesterday in federal court in Wilmington, Delaware, seeking to block the carriers and phone makers from using the software.
The customers who sued seek compensatory and punitive damages on behalf of all others whose devices contain the so-called rootkit software from Mountain View, California-based Carrier IQ, which is also named as a defendant in the suit. The software is currently installed on 150 million phones worldwide, according to the complaint.
Upon being served with a copy of the complaint, none of the named defendants made any public comment on the merits of the case; however, AT&T and Sprint issued statements last week explaining that the data that is tracked and collected is only used to improve service performance.
The improvements in service must not be that important, however, as Apple has announced that it will program a future software update to completely remove the Carrier IQ code from all its devices. The following statement from Apple was provided to TPM:
We stopped supporting CarrierIQ with iOS 5 in most of our products and will remove it completely in a future software update. With any diagnostic data sent to Apple, customers must actively opt-in to share this information, and if they do, the data is sent in an anonymous and encrypted form and does not include any personal information. We never recorded keystrokes, messages or any other personal information for diagnostic data and have no plans to ever do so.
Other companies quickly issued similar denials of any cooperation with Carrier IQ. TPM reports:
As Research in Motion, the manufacturer of the BlackBerry, told TPM in a vehement denial via email:
RIM is aware of a recent claim by a security researcher that an application called “CarrierIQ” is installed on mobile devices from multiple vendors without the knowledge or consent of the device users. RIM does not pre-install the CarrierIQ app on BlackBerry smartphones or authorize its carrier partners to install the CarrierIQ app before sales or distribution. RIM also did not develop or commission the development of the CarrierIQ application, and has no involvement in the testing, promotion, or distribution of the app. RIM will continue to investigate reports and speculation related to CarrierIQ.
Nokia and HTC released issued similar statements denying that they have any relationship with Carrier IQ. Nokia told TPM via email that “Carrier IQ does not ship any products for Nokia devices. Nokia devices do not contain Carrier IQ.”
Verizon emailed TPM the following statement: “Verizon Wireless does not add Carrier IQ to our phones, and the reports we have seen about Verizon using Carrier IQ are false.”
The spark that ignited this firestorm came late last month after a video demonstrating the scope of the information being recorded was posted to YouTube. Almost immediately, Carrier IQ issued a statement claiming that its product was installed on smartphones in order to “improve user experience” and “help mobile network providers diagnose critical issues that lead to problems such as dropped calls and battery drain.”
Additionally, the Carrier IQ announcement promised consumers that none of the information collected by its program is sold to third parties.
The YouTube demonstration also compelled the Senate Judiciary Committee to request information from Mountain View, California-based Carrier IQ. Specifically, the Committee is concerned about the alleged violation of federal laws protecting consumer privacy.
Senator Al Franken (D-Minn), Chairman of the Senate's Subcommittee on Privacy, Technology, and Law, has also demanded in a letter to the company's CEO that Carrier IQ precisely define the limits of what the program can and cannot do.
Originally, Carrier IQ’s response to the video laying bare its allegedly law-breaking product was belligerent. The company served the creator of the video, Trevor Eckhart, with a sternly worded cease-and-desist letter. In the letter, Carrier IQ warned Eckhart than unless the video was removed from YouTube (and other sites), it would sue him for copyright infringement.
The privacy rights organization Electronic Frontier Foundation (EFF), rode to Eckhart’s defense, sending its own missive to Carrier IQ insisting that they company had no legal ground to stand on.
TPM quotes the EFF letter to Carrier IQ as saying:
Given that there is no basis for your legal claims, we must conclude that your threats are motivated by a desire to suppress Mr. Eckhart’s research conclusions, and to prevent others from verifying those conclusions.
Mr. Eckhart stands by his research and, accordingly, declines to meet your demands. We ask that you immediately withdraw your allegations in writing.
The company quickly simmered down and penned a new, conciliatory letter to Eckhart, apologizing to him and to EFF. Further, they retracted the demand that Eckhart cease and desist his activities regarding their software and reaffirmed their commitment to “protecting free speech in a rapidly changing technological world.”
The world is certainly changing. The ubiquitous use of smartphones seems to make life easier, putting the world at the user’s fingertips. Now that the formerly hidden Carrier IQ code has been discovered, it seems that unbeknownst to owners of the devices, their private online activities as well as their exact real-time locations are being put at the fingerprints of cellphone service providers, device manufacturers, and who knows who else.