The training documents that were found give us insight into the Carrier IQ Portal. Devices are displayed to the portal operator by individual phone equipment ID and subscriber ID. The “portal administrator” can put devices into categories and see devices in California that have dropped calls at 5pm.
The downside to all of this is that the “portal administrator” is also able to “task” a single phone with a profile containing any combination of metrics and triggers. From the leaked training documents we can see that portal operators can view and task metrics by equipment ID, subscriber ID, and more. So instead of seeing dropped calls in California, they now know “Joe Anyone’s” location at any given time, what he is running on his device, which keys are being pressed, and which applications are being used.
Later on, after receiving the cease-and-desist letter, the researcher defended his position and was backed by the Electronic Frontier Foundation (EFF). Carrier IQ seemed to be violating the First Amendment, which grants the right to free speech. Shortly afterwards, the company withdrew the letter and issued an apology. What followed was a “Media Alert” press release with the exclamatory title “Measuring Mobile User Experience Does Matter!” (you can find the full PR at the end of the article).
The press release contains a lot of sweet PR talk and denies allegations that Carrier IQ could be used for logging keystrokes and tracking the user. However, the vague excuse of only gathering “operational information” to improve the network experience doesn’t directly answer Eckhart’s fact-based findings. Details have continued surfacing since then, and the scandal is just escalating.
Carrier IQ itself says its app is present on more than 141 million devices, and while the scandal broke around the app on Android handsets, there’s more evidence indicating that it’s also on iOS, other platforms and feature phones. The big question then is: who’s responsible for this piece of software silently ending up on your smartphone?
Here’s the company’s position on that: “Our software is embedded by device manufacturers along with other diagnostic tools and software prior to shipment.” Does it reflect reality?
To answer that question, though, we should first mention that not all Android devices have it. Interestingly, devices from the Nexus line, including the Samsung Galaxy Nexus, and ones in which Google has a more direct participation, like the Motorola XOOM, don’t have Carrier IQ’s software. The Verge confirmed this with an inside scoop from a reportedly reliable source (could be someone at Google).
Just recently, Apple hacker chpwn found traces of Carrier IQ in iOS. In particular, there seems to be a daemon which is reportedly not logging any sensitive information, but we have yet to get final clarity on that. Moreover, it seems that on iOS you can choose to opt out via Settings -> General -> About -> Diagnostics & Usage, where you should turn off “Send Automatically.”
Additionally, various people have chimed in on the debate agreeing that we shouldn’t blame the device manufacturer but the carrier. Apple enthusiast Seth Weintraub wrote:
“Carrier IQ is something that Carriers put on phones as part of their OEM software. This is out of the hands of both Google and the manufacturers.”
Kyle Sluder on Twitter pointed out that “this CarrierIQ story has been wrongly turned into an Apple vs. Android battle. It’s all about the carriers.”
Those findings and opinions round up everything we know so far, but we’ll definitely be hearing more about the scandal soon. In the meantime, though, feel free to check out the initial report that triggered all of this, then Carrier IQ’s response and its subsequent withdrawal.
You can view and download all of the related documents below; most of them are in a convenient-to-read PDF format: