So, this has been causing a bit of a major dungstorm – and rightly so. As it turns out, many carriers are installing a piece of non-removable privacy-invading spyware on their smartphones called CarrierIQ. It doesn’t matter whether you have a
webOS, Android, BlackBerry or iOS device – carriers install it on all of them. Luckily though, it would appear it really depends on your carrier – smartphones in The Netherlands, for instance, are not infested with CarrierIQ. Update: As John Gruber rightfully points out, ever so verbosely, the headline here isn’t particularly well-chosen. The article makes all this clear, but the headline doesn’t. It’s my birthday today, so my head wasn’t totally in it – my apologies! Update II: Just got a statement from an HP spokesperson: “HP does not install nor authorize its partners to embed Carrier IQ on its webOS devices.”
So, what is CarrierIQ? It’s a rootkit carriers and some handset makers in some markets install on their devices to track just how you use these devices. They record keystrokes, usage patterns, and all manner of other information, on your device. Many versions of the rootkit even send this information to your carrier where they can pinpoint your exact device, what you’ve been up to, what you’ve been typing, and so on.
The exact purpose of the rootkit was uncovered by Trevor Eckhart – he was then served a cease & desist notice from CarrierIQ demanding he remove the information. Eckhart immediately received support from the Electronic Frontier Foundation, after which CarrierIQ did a 180 and retracted the legal threat.
So far, CarrierIQ’s rootkit has been found on devices running BlackBerryOS, Android,
and webOS. It’s been found on iOS as well, but on iOS it stores less information, and it doesn’t seem to be sending anything as long as ‘Diagnostics and Usage’ (iOS 5) is turned off – which is the default (you are asked to enable it during the iOS5 setup). So far, Windows Phone 7 and Bada appear to be not infected with the rootkit. In addition, Nokia has stated none of their phones have ever had CarrierIQ installed.
This is pretty bad, but luckily, it would appear this is very much a carrier-specific thing, and not a device-specific thing (except for iOS, where it’s always installed, but as said, turned off). For instance, carriers in The Netherlands do not install it at all, so it’s very well possible that it’s mostly a US-thing. On top of that, smartphones from Google’s Nexus programme do not contain the rootkit either. In the US, Verizon has come out as well, stating their devices do not include CarrierIQ.
You can easily check whether your Android device has CarrierIQ installed. All you need to do is install TrevE’s Logging Test App, and hit the CIQ Checks button. My Dutch T-Mobile-branded Samsung Galaxy SII does not have CarrierIQ installed.
This is a pretty big deal, and a serious privacy violation by any standard, and I’m pretty sure this is going to lead to some serious lawsuits.
As a sidenote, it amuses me to no end how someone like John Gruber has mysteriously and quite suddenly adopted the “it’s the carrier’s fault!”-mantra now that iOS has also been found to include CarrierIQ. Which is ironic, since it appears that Apple is the only one including CarrierIQ (slightly butchered, but still) within the operating system itself, whereas on Android, it’s a carrier thing.
In any case, I’m going to play with my Galaxy SII some more – without my carrier peeking over my shoulder. And in case T-Mobile NL uses some other method, I just typed in “I SENSE YOUR PRESENCE” exactly 17 times, just to mess with some heads.
I’m surprised to learn that such a thing is on BlackBerry devices, considering RIM’s position that they have the most secure hardware and software combination. The fact that they would knowingly install a rootkit at the carriers’ behest is quite telling.
I’m also relieved to learn that it may not be included in Windows Phone 7 devices at this time. I say “may not” because I do know that Microsoft has their own supposedly anonymous usage tracking and feedback feature. It is opt-in which was a welcome sight, and of course I left it off. Whether it is powered by CarrierIQ, I do not know.
I do know that the Privacy Statement in the phone’s Settings area is quite forthcoming about past and current privacy issues, even going into detail about issues they plan to fix with the next upgrade. That really impressed me, given Microsoft’s history regarding privacy issues.