Carriers are piling in to insist that they’re not snaffling user data by using Carrier IQ’s tracking software.
Developer Trevor Eckhart says he’s discovered that spyware from the company is pre-installed on millions of phones worldwide and monitors location even when location services are disabled.
Apple’s been first off the mark to distance itself. It admits it supported the Carrier IQ in earlier versions of its operating system, but says it’s stopped with the release of iOS5 – for most products, at least. The rest will be cleaned up with a future software update, it says.
“With any diagnostic data sent to Apple, customers must actively opt-in to share this information, and if they do, the data is sent in an anonymous and encrypted form and does not include any personal information,” says the company.
“We never recorded keystrokes, messages or any other personal information for diagnostic data and have no plans to ever do so.”
Meanwhile, BlackBerry manufacturer Research In Motion has also moved to distance itself from Carrier IQ.
“RIM does not pre-install the CarrierIQ app on BlackBerry smartphones or authorize its carrier partners to install the CarrierIQ app before sales or distribution,” it says.
“RIM also did not develop or commission the development of the CarrierIQ application, and has no involvement in the testing, promotion, or distribution of the app.”
However, T-Mobile, AT&T and Sprint have all confirmed to the Washington Post that they do use the software – although all three say they use it simply for network monitoring purposes.
But Chester Wisniewski of security firm Sophos says that worries do remain.
“One thing that is still concerning about the application is that it does collect URLs visited by the users, which presumably includes HTTPS URLs,” he says.
“While websites should not assume HTTPS URLs are always encrypted, some do. This can lead to usernames, passwords and other unique identifiers being embedded in a URL and accidentally disclosed to cell phone carriers through applications like Carrier IQ.”
In any case, with privacy such a burining issue for many users, the industry needs to be like Caesar’s wife – above suspicion.
“I think the community is becoming fed up with being spied upon, our personal lives and habits being invaded through secret programs and increasingly complicated and confusing privacy statements,” says Wisniewski.
“It is unfortunate that Carrier IQ didn’t simply disclose this information when Travis published his research. It is also sad that the mobile phone carriers involved didn’t make it possible to opt-out of sending this information.”
Rob Brosnan of research firm Forrester agrees.
“Customer Intelligence is not a spying operation. The promise of CI is not reductively commercial. Instead, proper CI practices help businesses – with their customers’ consent – to understand the preferences and needs of their customers,” he says.
“If CI pros don’t take a stand, the result will be a tragedy of the commons, through either customer backlash or legislation.”