Carrier IQ isn't the bad guy. The mobile device and network diagnostic firm issued a detailed report earlier this week explaining what its software does and how the data is used. However, benign intent doesn't change the fact that the Carrier IQ software infringes on privacy and exposes personal data to unnecessary risk.
On the surface, the Carrier IQ agent sounds like an awesome diagnostic tool for smartphone vendors and wireless carriers. Data such as battery temperature, battery voltage, current location--including altitude, performance metrics, and more, is made available through the Carrier IQ agent so it can be collected and logged for analysis.
I'll say it. I completely understand why my smartphone vendor and wireless carrier would be interested in this sort of information, and--as a customer--I want them to gather data like this to troubleshoot issues and make improvements in the hardware and wireless network infrastructure for the future.
When it comes to security and privacy breach claims, Carrier IQ seems to be employing the "We don't fire the gun, we just supply the bullets" defense. Carrier IQ doesn't log the data--it just makes it possible for smartphone vendors and wireless carriers to do so.
I agree in part with that defense. It seems to me that Carrier IQ is just providing a service, or a framework for a particular function, and that it has no malicious intent. However, there are still elements of the Carrier IQ relationship that it is at least an accomplice to which put privacy and personal information at risk.
A blog post from security vendor Fortinet explains why the Carrier IQ agent is really just a rootkit despite the allegedly good intentions behind it. The CIQ service runs with root privileges on the device, hooks basic functionalities like keys pressed, and actively works to hide its existence. Fortinet points out "CIQ does not display any application icon, it is not listed in installed application, and does not come with any policy."
For example, as Trevor Eckhart--the researcher that discovered the Carrier IQ behavior in the first place--points out, activity monitored by Carrier IQ on Android devices can be displayed in the Logcat tool. Fortinet concedes that Logcat is an Android system tool, not a part of the Carrier IQ software per se, but stresses, "if someone has access to Logcat, he/she can still monitor all our actions--which is a threat to your privacy and confidentiality."
Fortinet also expresses some concern over the temporary log file used by Carrier IQ. Carrier IQ claims the data is not in plain text, but little else is known about how well protected the data contained in that file is.
As I said, I am a fan of the underlying premise of Carrier IQ, and I appreciate that my smartphone vendor and/or wireless carrier might be working proactively to improve mobile devices and networks for the future. But, the data should not be collected in the shadows, and it needs to be better protected to ensure it can't be accessed by others with less benign intentions.
A request for comment from Carrier IQ was not returned in time for this article.