We use cookies to provide you with a better experience. If you continue to use this site, we'll assume you're happy with this. Alternatively, click here to find out how to manage these cookies

hide cookie message

Carrier IQ Poses a Threat Despite Good Intentions

Carrier IQ has offered reasonable explanations for how and why its tool does what it does--but it is still putting privacy and data at risk.

Carrier IQ isn't the bad guy. The mobile device and network diagnostic firm issued a detailed report earlier this week explaining what its software does and how the data is used. However, benign intent doesn't change the fact that the Carrier IQ software infringes on privacy and exposes personal data to unnecessary risk.

On the surface, the Carrier IQ agent sounds like an awesome diagnostic tool for smartphone vendors and wireless carriers. Data such as battery temperature, battery voltage, current location--including altitude, performance metrics, and more, is made available through the Carrier IQ agent so it can be collected and logged for analysis.

I'll say it. I completely understand why my smartphone vendor and wireless carrier would be interested in this sort of information, and--as a customer--I want them to gather data like this to troubleshoot issues and make improvements in the hardware and wireless network infrastructure for the future.

When it comes to security and privacy breach claims, Carrier IQ seems to be employing the "We don't fire the gun, we just supply the bullets" defense. Carrier IQ doesn't log the data--it just makes it possible for smartphone vendors and wireless carriers to do so.

I agree in part with that defense. It seems to me that Carrier IQ is just providing a service, or a framework for a particular function, and that it has no malicious intent. However, there are still elements of the Carrier IQ relationship that it is at least an accomplice to which put privacy and personal information at risk.

A blog post from security vendor Fortinet explains why the Carrier IQ agent is really just a rootkit despite the allegedly good intentions behind it. The CIQ service runs with root privileges on the device, hooks basic functionalities like keys pressed, and actively works to hide its existence. Fortinet points out "CIQ does not display any application icon, it is not listed in installed application, and does not come with any policy."

For example, as Trevor Eckhart--the researcher that discovered the Carrier IQ behavior in the first place--points out, activity monitored by Carrier IQ on Android devices can be displayed in the Logcat tool. Fortinet concedes that Logcat is an Android system tool, not a part of the Carrier IQ software per se, but stresses, "if someone has access to Logcat, he/she can still monitor all our actions--which is a threat to your privacy and confidentiality."

Fortinet also expresses some concern over the temporary log file used by Carrier IQ. Carrier IQ claims the data is not in plain text, but little else is known about how well protected the data contained in that file is.

As I said, I am a fan of the underlying premise of Carrier IQ, and I appreciate that my smartphone vendor and/or wireless carrier might be working proactively to improve mobile devices and networks for the future. But, the data should not be collected in the shadows, and it needs to be better protected to ensure it can't be accessed by others with less benign intentions.

A request for comment from Carrier IQ was not returned in time for this article.

IDG UK Sites

iPad mini 3 vs iPad mini 2 comparison: New iPad mini 3 isn't worth £80 more

IDG UK Sites

Why you shouldn't buy the iPad mini 3: No wonder Apple gave it 10 seconds of stage time

IDG UK Sites

Halloween Photoshop tutorials: 13 masterclasses for horrifying art, designs and type

IDG UK Sites

Should I upgrade from Mavericks to OS X 10.10 Yosemite? What you need to know before updating to...