Monday, January 23, 2012
Carrier IQ: Cell Phone Data Snooping Revealed
Earlier this week, a 25-year old security researcher named Trevor Eckhart posted a YouTube video detailing a program called “HTC IQ Agent” that was installed on his cell phone. Trevor showed that the program was recording every action taken on his phone, including key presses, text messages, and passwords - and then transmitting this data directly to the offices of the company Carrier IQ. The program started automatically with the phone, ran in the background, and could not be turned off. It wasn’t a virus, nor was it installed by an outside vendor; it came pre-installed on his phone.
The revelation that a company was extensively tracking cell phone users actions lit off a firestorm of controversy. Numerous technology blogs decried Carrier IQ's actions. Carrier IQ soon threatened Mr. Eckhard with legal action, but then apologized after Mr. Eckhard sought the protection of the Electronic Frontier Foundation.
In its defense, Carrier IQ claims that all of the recorded data transmitted is anonymous. The company provides a valuable service to many U.S. cell phone carriers, who contract with Carrier IQ to provide specialized diagnostic, trending, and troubleshooting data for the devices on their network. The issue is the sheer volume and depth of data being recorded, which seems unnecessary for purely diagnostic or reporting purposes.
Whenever I accept a terms of service or license agreement on a website, I assume that I'm giving up all of my rights related to content and privacy. However, even in this digital age, I still consider my right of privacy to extend to my personal belongings; the information in my wallet, my documents, and even information stored on my cellphone. As cellphones have become more powerful and increasingly connected, they have become personal organizers. My calendar, contact list, Christmas shopping ideas, and other personal information are all stored on my cellphone. Given that I've tapped all this information into my cell phone at some point, it is likely that this information is also now stored somewhere on Carrier IQ's servers.
So far, Carrier IQ software has been found on both Android and iOS cell phones for several U.S. carriers. Many guides and how-to documents have been posted with instructions on how to disable the software. The Senate has even gotten involved, giving Carrier IQ until December 14th to address privacy concerns. In addition, it's possible that Carrier IQ has violated federal wiretapping statutes, and already there are rumblings of class action lawsuits.
It's also quite possible that this story has been overblown. Many journalists have noted that the data stored are purely anonymized metrics that carriers use to improve their service, ultimately benefiting consumers. There is no evidence that personal, identifying information has been used in an improper manner. However, given the amount and type of data being recorded, I am uncomfortable with any company having this information on their servers. A line has been crossed, and thanks to Trevor Eckhart, the world knows.
© Copyright 2010 The Journal of High Technology Law, Suffolk University Law School
Suite 450B | 120 Tremont Street | Boston | MA | 02108-4977 | Legal and Copyright Information