Indie Programmer Tries Debunking Phone Spying Myths

As lawmakers dispatch letters to cellphone-monitoring firm Carrier IQ, outraged over tales of the Silicon Valley company tracking callers' keystrokes, one independent programmer says the software is not capable of recording button-pressing beyond dialed numbers.

Carrier IQ provides wireless companies with reliability statistics based on data transmitted from Carrier IQ software installed in a user's device by the phone operator or manufacturer, according to the mobile intelligence firm.

Allegations of cellphone-spying arose after a young Connecticut software researcher demonstrated that the application inside his HTC Android smartphone was logging much of his typing. Sens. Al Franken, D-Minn., chairman of the Judiciary Committee's privacy panel, and member Richard Blumenthal, D-Conn., shot off letters to the company's president, demanding to know, among other things, what kind of data is being collected and whether the company discloses any of it to law enforcement officials.

On Tuesday afternoon, committee member Sen. Chris Coons, D-Del. announced he, too, had sent a letter with additional questions, such as:

-- Is Carrier IQ capable of obtaining, either through existing software or through software your engineers are reasonably capable of developing, any of the following:

  • Keystrokes?
  • Location?
  • The content of emails sent or received?
  • The content of SMS texts sent or received?
  • Websites visited?
  • Information entered into online forms?

-- Does your answer to any of the above questions depend on the platform (Android, Palm, BlackBerry, iOS, etc.) of the end user's device? If so, why do the capabilities of the software vary by platform?

-- What steps has your company taken to assure that third parties cannot access the information your software is capable of logging?

In response to a media frenzy over the matter, security researcher Dan Rosenberg attempted to separate fact from fiction about the data, or "metrics," tapped, at least on his Samsung Epic 4G Touch. After experimenting with the Carrier IQ program, Rosenberg concluded on his blog:

  1. CarrierIQ cannot record SMS text bodies, web page contents, or email content even if carriers and handset manufacturers wished to abuse it to do so. There is simply no metric that contains this information.
  2. CarrierIQ (on this particular phone) can record which dialer buttons are pressed in order to determine the destination of a phone call. I'm not a lawyer, but I would expect cell carriers already have legal access to this information.
  3. CarrierIQ (on this particular phone) cannot record any other keystrokes besides those that occur using the dialer.
  4. CarrierIQ can report GPS location data in some situations.
  5. CarrierIQ can record the URLs that are being visited (including for HTTPS resources), but not the contents of those pages or other HTTP data.

Of course, as he points out, any application can be modified after installation to do bad things.

"Based on my research, CarrierIQ implements a potentially valuable service designed to help improve user experience on cellular networks. However, I want to make it clear that just because I do not see any evidence of evil intentions does not mean that what's happening here is necessarily right," Rosenberg wrote. "Note that most of the burden in this situation falls not on CarrierIQ but on the handset manufacturers and carriers, who are ultimately responsible for both collecting this information and establishing service agreements with consumers."