Security Experts Dispute Spying Claims Against Carrier IQ
Carrier IQ data shown on the YouTube video was diagnostic information that would be valuable only to application developers and carriers, the experts said. The data shown by Trevor Eckhart, a Connecticut systems administrator, would not be stored on the phone or sent from the device.
"What he (Eckhart) is looking at there is referred to as a debug output," Dan Rosenberg, a senior consultant at Boston-based Virtual Security Research, said. "It's essentially a temporary output that is used by developers to diagnose problems with applications."
Such diagnostic information is common in application development. "That's very different from Carrier IQ actually writing down keystrokes," said Rosenberg, who claimed to have reverse-engineered Carrier IQ's application to satisfy his curiosity as a security professional.
Among the allegations stemming from Eckhart's research was that Carrier IQ's software, used in more than 141 million mobile phones, was capable of logging keystrokes, which would essentially record user activity; and capturing text messages and user location. The disclosure prompted U.S. Sen. Al Franken, D-Minn. and chairman of the Subcommittee on Privacy Technology and the Law, to demand that Carrier IQ explain its software's capabilities and how it is used.
Critics of Eckhart's work contend it doesn't prove there is anything nefarious about the company's software. "The Carrier IQ app simply doesn't meet the requirements in terms of functionality or intent to be classified as a 'keylogger,'" Jon Oberheide, a co-founder of Ann Arbor, Mich.-based Duo Security, said in an e-mail.
Mountain View, Calif.-based Carrier IQ has denied its product gathers anything more than diagnostic information to help carriers spot issues that could lead to problems, such as dropped calls and battery drain. AT&T and Sprint Nextel use the company's software. Both said the diagnostic data collected is in line with their privacy policies are not shared with other companies.
Eckhart's finding that text messages were captured made no sense to Rosenberg, given that carriers already have the technology to read phone messages, but are prohibited by federal law from doing so. "If they wanted to they could do that without Carrier IQ," Rosenberg said. "So that doesn't make a whole lot of sense as an accusation."