The Electronic Frontier Foundation, an advocacy group dedicated to protecting users’ digital rights, on Tuesday posted an enormously helpful blog entry describing and illustrating in basic terms the various versions of the controversial Carrier IQ software installed in the background on upwards of 140 million mobile phones worldwide.
The post, by EFF Technology Projects Director Peter Eckersley, clarifies that the conflicting reports that have come from the company and independent security researchers regarding the full range of Carrier IQ’s capabilities have arisen because everyone isn’t referring to the same thing when they are referring to “Carrier IQ.”
In fact, as Eckersley points out, this is due to the fact that software takes different forms on numerous different phones and due to custom implementation and other software added onto it by three major wireless companies that have admitted to using the software: AT&T, Sprint and T-Mobile (Carrier IQ’s customers). As Eckersley explains:
The complexities of this situation explain the apparent contradiction between claims by Carrier IQ Inc. and researchers examining code written by the company, who have said that the company does not collect full keystroke data or the content of text messages, and others who say that they have observed this happening. People on all sides of this debate may be simultaneously correct.
The EFF provides a helpful breakdown and corresponding diagram of the “four levels” of Carrier IQ references. (We’ve added numbers to the diagram to correspond to the levels, with permission from the EFF.)
In level one, people are referring solely to the company, “Carrier IQ.”
In level two, the reference is to “a core software library that is written by Carrier IQ Inc. and which is present on all of the 150 million handsets,” also known within the company as “IQ Agent.”
Level three becomes more complex, as the original Carrier IQ software code is often augmented by “porting code,” that is, custom features and implementation, written by other companies, Carrier IQ’s customers, including the nation’s wireless giants, the phone manufacturers and manufacturers of baseband chipsets, phone “modems” that allow devices to communicate with each other and towers and enable multimedia features.
Level four is the most complex of the references, including all of the aforementioned levels but also additional software not made by Carrier IQ, such as the phone’s operating system (Android, iOS, Symbian etc.) or the baseband processor operating system, which still nonetheless communicates with Carrier IQ.
Still, the finding — which the EFF gathered from the research available out there and made privy to the organization by researchers — hardly absolves the company or its industry customers from any wrongdoing. In fact, as Eckersley points out:
“Unfortunately, our current belief is that the layer-4 logging that has been observed, which goes to Android system logs, is in fact being inadvertantly transmitted to some third parties and otherwise made available to other applications on the device.”
Furthermore, Eckersley states that far more data is needed from the wireless companies: “The information that we need now is a complete history of all of the Profiles that carriers have ever installed on their customers’ phones, to learn what the carriers meant to collect.”
The EFF has from the start been involved in the controversy over the software’s apparent capability to surreptitiously record and transmit most of a user’s activities on his or her phone to third parties. Trevor Eckhart, the Android researcher who first demonstrated the software in action with a notorious YouTube video, sought the EFF’s legal counsel after Carrier IQ sent him a cease-and-desist order threatening to sue Eckhart if he didn’t take down his research.
The EFF’s response to that order got Carrier IQ to back down from that stance and indeed, even apologize and attempt to make nice with Eckhart. In their latest report describing their software in detail, Carrier IQ even goes so far as to thank Eckhart for “for sharing his findings with us through a working session that helped us to identify some of the issues highlighted in this report.”
Eckhart has been conspicuously silent since the controversy went mainstream in late November and has not yet responded to repeated inquiries from TPM.
However, as Eckersley told TPM via email, “EFF is still representing Mr Eckhart. He has been busy extending and documenting his research, and I expect that he will have more to say soon.”
