Los Angeles Times
LOS ANGELES — A little-known California software company that can monitor every keystroke that consumers make on many popular smartphones struck back at critics who accused it of violating customers’ privacy, saying it doesn’t record or store users’ private messages.
The company, Carrier IQ Inc. in Mountain View, Calif., found itself in the middle of a national privacy furor this week after an amateur security researcher posted a video purporting to show its software logging every key press, as well as the content of text messages and search engine queries.
Consumers, politicians and privacy advocates quickly sought to learn how the company had gained near-total access to users’ private data on 140 million mobile phones, including many popular devices from AT&T Inc., T-Mobile USA and Sprint Nextel Corp.
“What is true is that there’s a huge amount of information available to us on the device,” Andrew Coward, Carrier IQ’s vice president of marketing, said Friday.
“But capturing keystrokes and (text) messages, email, audio and video is not what we do, and we’ve been absolutely adamant that we don’t do these things,” he said.
Mobile security professionals said the video made by security researcher Trevor Echkart, 25, of Connecticut did not prove Carrier IQ was transmitting and storing users’ every move. But that didn’t relieve concerns.
“A company no one’s ever heard of having the capacity to look at everything you do on your mobile device is a reason to be nervous,” said Justin Brookman, the director for consumer privacy at the Center for Democracy and Technology.
“This is highlighting that when people buy a smartphone, it’s not just one company they’re dealing with that has access to their data, but possibly dozens,” Brookman said.
According to a promotional document on Carrier IQ’s website, the company’s software can “capture a vast array of experience data including screen transitions, button presses” and “device feature usage, such as camera, music, messaging, browser and TV.”
In a test of an Android smartphone from Sprint, an application from Carrier IQ lists that it is able to access “your personal information,” ”your messages” and “your location,” as well as “intercept outgoing calls” and “read contact data.” There is no clear way for users to stop the application or opt out of the data collection.
The company has acknowledged that it collects a wide variety of smartphone usage data on behalf of carriers and phone manufacturers, but says reports about its data collection have been overblown.
Coward acknowledged that the company had developed software to “count” how many times specific buttons are pushed — including the power button — in order to help carriers understand how customers are using devices.
He said, however, that the key-press counting feature had been advertised to clients but was not yet present in current smartphones.
T-Mobile, AT&T and Sprint acknowledged that they used Carrier IQ’s software to collect information about customers’ phone use and to improve service quality. Verizon Wireless, the largest U.S. wireless provider, said its phones do not use Carrier IQ.
Apple Inc. said its iPhone and other devices had used Carrier IQ software but had stopped supporting it recently. It planned to remove the software in a future update to user devices. Apple said it had never recorded user keystrokes.
Sprint and AT&T said the data collection was in line with their privacy policies, which note that they may employ other companies to help collect and analyze customer usage data.
Suspicion about Carrier IQ’s practices and the wireless providers’ involvement has generated outcry from privacy advocates and politicians.
Advocacy groups such as Free Press in Washington, D.C., and Consumer Watchdog in Santa Monica, Calif., called for congressional and regulatory probes into Carrier IQ. And on Friday, Rep. Ed Markey, D-Mass., asked the Federal Trade Commission to investigate the company. Sen. Al Franken, D-Minn., sent the company a letter requesting information about its data collection practices.
Consumers in Missouri and Illinois on Thursday filed class-action lawsuits against Carrier IQ, as well as against smartphone makers Samsung Telecommunications America Inc. and HTC Corp., which use the software.
The suits allege that the companies violated federal wiretap laws by “unlawfully intercept(ing) private electronic communications emanating from private mobile phones, handsets and smartphones.”
Carrier IQ declined to comment on the lawsuits.
The uproar started in mid-November after Eckhart posted information and documents about Carrier IQ’s application on smartphones and called the software a “rootkit” — a term generally used for malicious software that embeds itself deep in a computer system to monitor, record or alter what users are doing.
The company immediately sent a cease-and-desist letter to Eckhart, accusing him of violating copyright law by posting the documents without permission and demanding that he remove the materials and retract “unsubstantiated allegations” about the company’s practices.
Soon after, the online legal advocacy group Electronic Frontier Foundation said it would represent Eckhart in the matter. The foundation said Carrier IQ’s allegations against Eckhart were “entirely baseless” and were “motivated by a desire to suppress Mr. Eckhart’s research conclusions, and to prevent others from verifying those conclusions.”
Two days later, Carrier IQ withdrew its cease-and-desist letter to Eckhart and apologized.
Eckhart did not respond to multiple requests for comment.