John Graham-Cumming is vice president of engineering for software vendor Causata, as well as a programmer, blogger and author with a doctorate in computer security. In a recent blog post, he noted the extravagant allegations made against Carrier IQ on the basis of Eckhart's video, such as this one by Geek.com's Russell Holly: "This video has demonstrated a truly significant volume of information is being recorded. Passwords over HTTPS, the contents of your text messages, and plenty more are recorded and sent to the customers of Carrier IQ.
"That would be worrying if true, but if you watch the 'security researcher's' video you'll find that nowhere does he make the claim that [the] content that the application sees is leaving the device," Graham-Cumming wrote. "And from the video he doesn't appear to try. At no point does he enter a debugger and look inside the CarrierIQ [smartphone] application, and at no point does he run a network sniffer and look at what data is being transmitted to [the server component of] CarrierIQ.
"And I don't understand why," he continued. "It would be a huge story if millions of smartphones worldwide were secretly sending the content of text messages to a US-based company. But that's not the story here because the 'security researcher' does not appear to have tried to find out."
We asked Graham-Cumming via email if this was a complex process. "It would not be complex for a competent Android programmer to use a debugger to examine the CIQ application and/or sniff its network traffic to see what it is doing," he says via email.
Based on what he saw in Eckhart's video, Graham-Cumming says Carrier IQ's software apparently can see at least some user activities. "But until I understand what they are doing with the data and what leaves my phone I'm not going to panic," he says. "For example, my antivirus sees everything on my machine, all my mail, all my files, all my web browsing, but I'm ok [with that] because I trust what it does with the data."
"That's a good analogy," agrees Rosenberg. "It's absolutely true that antivirus has just as broad access to your system."
Yet there is a critical difference, he says. "What makes [Carrier IQ] different is that this program was not installed by the users, and they weren't given the chance to make a trust decision," Rosenberg says. "Presumably, your antivirus program is software that you've installed or have a trust relationship with the vendor."
"There's one good thing to come out of this," Rosenberg says. "A greater awareness that this software exists. We need more awareness of what it can do and the ability to opt out of it."
Apple seems to have taken a different approach than Android vendors HTC and Samsung with its integration of Carrier IQ. Apple this week announced that it had discontinued Carrier IQ support with the release of iOS 5 some weeks ago. Grant Paul, a well-known iOS programmer, analyzed the program in a blog post, and noted what appear to be several differences from the Android implementation, at least on the HTC handset used by Eckhart.
For one thing, the user can disable Carrier IQ in earlier iOS versions by turning off "Diagnostics and Usage" in "Settings." For another, though the program "does access a reasonable amount of information," that information seems limited to telephony information, such as your phone number, carrier and country, active phone numbers (though Paul didn't see evidence that the dialed number was visible) and the user's location if the user enabled the iOS Location Services. He added: "Be sure to note that I have not confirmed which, if any, of this data is sent remotely."
"Importantly, it does not appear the [Carrier IQ] daemon has any access or communication with the UI layer, where text entry is done," Paul concluded. "I am reasonably sure it has no access to typed text, web history, passwords, browsing history, or text messages, and as such is not sending any of this data remotely."
What's unclear is whether this "no access" to the UI layer is distinctive to the iOS implementation of Carrier IQ or, as the vendor seems to be saying, a characteristic of the application itself regardless of the operating system on which it runs.
In what seems to be the first public interview granted by Carrier IQ executives, to John Paczkowski of AllThingsD, the software vendor finally provided a bit more detail on what the program does and doesn't do.
"While CIQ might 'listen' to a smartphone's keyboard, it's listening for very specific information," Paczkowski writes, summarizing the claims. "Company executives insist it doesn't log or understand keystrokes. It's simply looking for numeric sequences that trigger a diagnostic cue within the software. If it hears that cue, it transmits diagnostics to the carrier."
Paczkowski notes that CIQ nevertheless has the ability to capture a wide variety of user data. So, he asks, who decides what data is collected?
"The carriers. They decide what's to be collected and how long it's stored -- typically about 30 days. And according to Carrier IQ, the data is in their control the whole time. 'It's the operator that determines what data is collected,' says Carrier IQ CEO Larry Lenhart. 'They make that decision based on their privacy standards and their agreement with their users, and we implement it.'"
In a statement issued Dec. 1, Carrier IQ repeated its assertions that the software does not log keystrokes. This time it added a comment by security expert Rebecca Bace, co-founder of Infidel, an information security consultancy: ""Having examined the Carrier IQ implementation it is my opinion that allegations of keystroke collection or other surveillance of mobile device user's content are erroneous."
No other details were provided. As of this posting, Bace had not replied to an email request for more information.
John Cox covers wireless networking and mobile computing for Network World. Twitter: http://twitter.com/johnwcoxnww Email: firstname.lastname@example.org Blog RSS feed: http://www.networkworld.com/community/blog/2989/feed
Read more about anti-malware in Network World's Anti-malware section.
This story, "Skeptics Find Flaws in Carrier IQ Application Analysis" was originally published by Network World.