Carrier IQ, a program accused of snooping on some 140 million mobile phones worldwide on which it is installed, isn’t the villain that it has been made out to be by the media and consumer advocates, according to an independent researcher.
After performing an analysis of the software on a Samsung Epic 4G Touch smartphone, Dan Rosenberg, of Boston-based Virtual Security Research, observed in an online blog that “based on my knowledge of the software, claims that keystrokes, SMS bodies, e-mail bodies, and other data of this nature are being collected are erroneous.”
He did acknowledge, however, that the data collected by Carrier IQ can vary depending on the carrier and phone maker.
“Consumers will have their own opinions about whether the collection of this data falls under the terms set by service agreements, but it’s clear to me that the intent behind its collection is not only benign, but for the purposes of helping the user,” he maintains.
From his research, Rosenberg determined the following about Carrier IQ:
It cannot record SMS text bodies, web page contents, or e-mail content even if carriers and handset manufacturers wished to abuse it to do so.
It can record dialer keystrokes to determine the destination of a call, but it can’t record any other keystrokes on a phone.
It can record GPS data.
It can record web addresses, or URLs, visited from the phone, but no content from the sites.
Rosenberg asserted that the metrics from his research support Carrier IQ’s claims that its software is used for diagnosing and fixing network, application, and hardware failures. “Every metric…has potential benefits for improving the user experience on a cell phone network,” he wrote.
He explains that if carriers want to improve coverage, they need to know when and where calls are dropped. If handset manufacturers want to improve battery life on phones, they need to know which applications consume the most battery life.
“However,” he cautions, “I want to make it clear that just because I do not see any evidence of evil intentions does not mean that what’s happening here is necessarily right.”
He makes several recommendations for preventing a recurrence of this kind of brouhaha in the future. Consumers should be allowed to opt out of data collection activities, he suggests, and more transparency is needed about what data is being collected by carriers.
He also advocates third-party oversight of data collected by the carriers and a study of the legality of collecting URLs with search parameters.
The flap over Carrier IQ broke last week when researcher Trevor Eckhart discovered the program was logging keystrokes and collecting web surfing information from a number of smartphones, including those made by Research In Motion and HTC.
Since that discovery, calls for federal investigations into the matter have been sounded by Consumer Watchdog and Congressman Ed Markey (D-Mass.). In addition, a class action lawsuit has been filed against Carrier IQ and HTC alleging that embedding the data collection software on smartphones violates the federal wiretap law.