Feeds

Does your smartphone run Carrier IQ? Find out here

Apple, AT&T, Sprint confirm; Nokia, RIM, Verizon deny

The Essential Guide to IT Transformation

The roster of confirmed smartphone manufacturers and network providers using the controversial Carrier IQ tracking software has grown to include Apple, AT&T, Sprint, HTC, and Samsung. Verizon, Nokia, and Research in Motion, meanwhile, have denied reports saying they employ it.

In a statement that was widely reported on Thursday, Apple confirmed that some undisclosed products use the software, which an independent researcher has documented secretly monitors users' key presses even when they're entered into webpages protected by the SSL protocol.

Apple didn't say which devices still use the diagnostic software or how long the company has relied on it. But according to a report published on Thursday by Ars Technica, the only iOS 5 device that runs Carrier IQ is the iPhone 4. "Other devices running iOS 5, such as the iPad, the new iPhone 4S, and older iPhone models updated to iOS 5 have had Carrier IQ stripped out," the report said, citing Apple.

The Apple statement, as reported by AllThingsD read:

We stopped supporting Carrier IQ with iOS 5 in most of our products and will remove it completely in a future software update. With any diagnostic data sent to Apple, customers must actively opt-in to share this information, and if they do, the data is sent in an anonymous and encrypted form and does not include any personal information. We never recorded keystrokes, messages or any other personal information for diagnostic data and have no plans to ever do so.

Apple's admission, which leaves open the possibility that earlier iDevices still contain Carrier IQ, contrasted with blanket denials from Verizon, Nokia, and Research in Motion, all of which were named by Trevor Eckhart as providing devices that had the software installed.

“The reports we have seen about Verizon using Carrier IQ are false,” Verizon spokeswoman Debi Lewis wrote in an email to The Register.

In his own email, Nokia spokesman Mark Durrant wrote: “Further to your piece, CarrierIQ does not ship products for any Nokia devices, so reports that they have been found on Nokia phones are wrong.”

A statement from RIM, reported by IDG News, was even more categorical.

"RIM does not pre-install the CarrierIQ app on BlackBerry smartphones or authorize its carrier partners to install the CarrierIQ app before sales or distribution," the company said in a statement. "RIM also did not develop or commission the development of the CarrierIQ application, and has no involvement in the testing, promotion, or distribution of the app.”

The denials contradicted research findings Eckhart published last month that claimed phones made or used by all three companies contained the tracking software. In an interview on Thursday, Eckhart conceded he had no hard proof. But he stood by the assertions that Verizon and Nokia had ties to Carrier IQ and cited links on Carrier IQ's website as support.

Eckhart said pages here and here both include executable files that install Carrier IQ on a variety of Nokia handsets. He also dug up this page, which appears to show IP address lookups for the subdomains vzw-collector.demo.carrieriq.com, vzw-dis.demo.carrieriq.com and hupload-vzw99.carrieriq.com. None of the three URLs responded to pings at time of writing.

A statement from Sprint, meanwhile, said:

Carrier IQ provides information that allows Sprint, and other carriers that use it, to analyze our network performance and identify where we should be improving service. We also use the data to understand device performance so we can determine when issues are occurring and how to resolve them. We collect enough information to understand the customer experience with devices on our network and how to address any connection problems, but we do not and cannot look at the contents of messages, photos, videos, etc., using this tool. The information collected is not sold and we don't provide a direct feed of this data to anyone outside of Sprint.

A key element of our privacy practices involves communicating with our customers about our information privacy practices. The Sprint privacy policy explains that certain data is collected automatically by Sprint including how a device is functioning and how it is being used. Carrier IQ is an integral part of the Sprint service. Sprint uses Carrier IQ to help maintain our network performance.

An AT&T spokesman, meanwhile, said only: “In line with our privacy policy, we solely use CIQ software data to improve wireless network and service performance.”

Both HTC and Samsung, according to IDG, said they add Carrier IQ to their phones as required by unnamed carriers who buy the devices. An HTC statement went on to say that HTC isn't a Carrier IQ customer and receives no data from the app.

With a chorus of companies coming out of the wings to confirm or deny their use of the software, Carrier IQ's reticence is becoming deafening. If the software is really as innocuous as Android security researcher Dan Rosenberg suspects, it should be relatively simply for the Mountain View, California-based company to provide documentation that will put the matter to rest.

Instead, Carrier IQ representatives have have maintained radio silence for more than a week now. ®

This article was updated to add details in the third paragraph about the iPhone 4.

Follow dangoodin001

Build a business case: developing custom apps

More from The Register

next story
14 antivirus apps found to have security problems
Vendors just don't care, says researcher, after finding basic boo-boos in security software
'Things' on the Internet-of-things have 25 vulnerabilities apiece
Leaking sprinklers, overheated thermostats and picked locks all online
Only '3% of web servers in top corps' fully fixed after Heartbleed snafu
Just slapping a patched OpenSSL on a machine ain't going to cut it, we're told
How long is too long to wait for a security fix?
Synology finally patches OpenSSL bugs in Trevor's NAS
Secure microkernel that uses maths to be 'bug free' goes open source
Hacker-repelling, drone-protecting code will soon be yours to tweak as you see fit
Israel's Iron Dome missile tech stolen by Chinese hackers
Corporate raiders Comment Crew fingered for attacks
Roll out the welcome mat to hackers and crackers
Security chap pens guide to bug bounty programs that won't fail like Yahoo!'s
HIDDEN packet sniffer spy tech in MILLIONS of iPhones, iPads – expert
Don't panic though – Apple's backdoor is not wide open to all, guru tells us
Researcher sat on critical IE bugs for THREE YEARS
VUPEN waited for Pwn2Own cash while IE's sandbox leaked
prev story

Whitepapers

Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
Consolidation: The Foundation for IT Business Transformation
In this whitepaper learn how effective consolidation of IT and business resources can enable multiple, meaningful business benefits.
Backing up Big Data
Solving backup challenges and “protect everything from everywhere,” as we move into the era of big data management and the adoption of BYOD.
Boost IT visibility and business value
How building a great service catalog relieves pressure points and demonstrates the value of IT service management.
Why and how to choose the right cloud vendor
The benefits of cloud-based storage in your processes. Eliminate onsite, disk-based backup and archiving in favor of cloud-based data protection.