Feeds

Carrier IQ VP: App on millions of phones not a privacy risk

Like tiny fish through a net, key taps dropped from memory

Security for virtualized datacentres

More than 48 hours after a software developer posted evidence Carrier IQ monitored the key taps on more than 141 million smartphones, a company official has come forward to rebut the disturbing allegations. And he's provided enough technical detail to convince The Register the diagnostics software doesn't represent a privacy threat to handset owners.

Yes, Carrier IQ is a vast digital fishing net that sees geographic locations and the contents of text messages and search queries swimming inside the phones the software monitors, the company's VP of marketing, Andrew Coward, said in an extensive interview. But except in rare circumstances, that data is dumped out of a phone's internal memory almost as quickly as it goes in. Only in cases of a phone crash or a dropped call is information transferred to servers under the control of the cellular carrier so engineers can troubleshoot bottlenecks and other glitches on their networks.

“To answer your point, we're on a fishing boat out at sea and we're catching fish that are too small and they go back in,” Coward explained. “And they go back in for two reasons: One, the holes in the net don't catch small fish, i.e. the filtering, and/or the fish is the wrong type and it gets thrown out of the boat, hopefully while it's still alive.”

The interview came as Carrier IQ faced four lawsuits and a request by a US lawmaker for an investigation by the Federal Trade Commission. US Senator Al Franken has already demanded the Mountain View, California-based company answer a battery of questions, including whether it violates federal wiretap statutes.

The reason the SMS contents and key taps are monitored at all is so they can be used to invoke Carrier IQ programming interfaces, he continued. Messages or key sequences that contain proprietary tags can be used to manually upload diagnostic information. Those that don't contain the special formatting (such as key taps shown in the developer's demo) dissolve into the ether as soon as they come in.

“The content of the SMS is never stored and never transmitted,” Coward said.

His version of the software has been confirmed by Dan Rosenberg, an Android security researcher who has reverse engineered Carrier IQ and examined the underlying machine language. He said he took the undertaking after viewing a video demonstration posted on Monday that showed the software echoing the precise key taps developer Trevor Eckhart typed into his HTC EVO handset.

“What the video is depicting is the application printing out what are known as bugging logs,” he said. “It's a way that applications keep a temporary record of the things they were doing so if anything were to break, a developer could go and read that record and figure out what went wrong. That's very different from the application actually recording that information and sending it off to the carrier.”

What follows are highlights from The Register's interview with Coward:

Secure remote control for conventional and virtual desktops

Next page: Carrier IQ speaks

More from The Register

next story
NASTY SSL 3.0 vuln to be revealed soon – sources (Update: It's POODLE)
So nasty no one's even whispering until patch is out
Russian hackers exploit 'Sandworm' bug 'to spy on NATO, EU PCs'
Fix imminent from Microsoft for Vista, Server 2008, other stuff
Microsoft pulls another dodgy patch
Redmond makes a hash of hashing add-on
'LulzSec leader Aush0k' found to be naughty boy not worthy of jail
15 months home detention leaves egg on feds' faces as they grab for more power
Forget passwords, let's use SELFIES, says Obama's cyber tsar
Michael Daniel wants to kill passwords dead
FBI boss: We don't want a backdoor, we want the front door to phones
Claims it's what the Founding Fathers would have wanted – catching killers and pedos
Kill off SSL 3.0 NOW: HTTPS savaged by vicious POODLE
Pull it out ASAP, it is SWISS CHEESE
prev story

Whitepapers

Forging a new future with identity relationship management
Learn about ForgeRock's next generation IRM platform and how it is designed to empower CEOS's and enterprises to engage with consumers.
Why cloud backup?
Combining the latest advancements in disk-based backup with secure, integrated, cloud technologies offer organizations fast and assured recovery of their critical enterprise data.
Win a year’s supply of chocolate
There is no techie angle to this competition so we're not going to pretend there is, but everyone loves chocolate so who cares.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?
Intelligent flash storage arrays
Tegile Intelligent Storage Arrays with IntelliFlash helps IT boost storage utilization and effciency while delivering unmatched storage savings and performance.