An Android developer has revealed that a spyware app made by Carrier IQ has been embedded in millions of Android devices and has been logging the keystrokes of its users.
On Monday, Trevor Eckhart, an Android app developer from Connecticut, posted a video on YouTube showing how the software from Silicon Valley company Carrier IQ recorded each of his keystrokes in real time.
The 25-year-old systems administrator typed the keystrokes on a stock HTC EVO handset that had been reset to factory settings. He used a packet sniffer while his device was in airplane mode to demonstrate how each numeric tap and every received text message is logged by the software.
Eckhart typed in the words "hello world." The Carrier IQ software recorded the words even before they were displayed on the handset.
He said that the HTC device was purely for demonstration purposes and that this software is a danger to Blackberrys and many other Android-powered smartphones.
The Carrier IQ software even recorded Eckhart's physical location after he connected the device to Wi-Fi and denied the Google request to share his geographical position.
"We can see that Carrier IQ is querying these strings over my wireless network [with] no 3G connectivity and it is reading HTTPS," he said.
Paul Ohm, a former Justice Department prosecutor and law professor at the University of Colorado Law School, spoke to Forbes about the issue and underlined that this is not just creepy but potentially illegal.
"If CarrierIQ has gotten the handset manufacturers to install secret software that records keystrokes intended for text messaging and the Internet and are sending some of that information back somewhere, this is very likely a federal wiretap," he said. "And that gives the people wiretapped the right to sue and provides for significant monetary damages."
Ohm emphasizes the illegality shown in the YouTube video, citing the Wiretap Act under the Electronic Communications Privacy Act of 1986.
"Because this happens with text messages as they're being sent, a quintessentially streaming form of communication, it seems like exactly the kind of thing the wiretap act is meant to prevent," he said. "When I was at the Justice Department, we definitely prosecuted people for installing software with these kinds of capabilities on personal computers."
The Carrier IQ software is reportedly so deeply embedded in millions of devices that it is hard to detect and even harder to remove.
Carrier IQ VP of Marketing Andrew Coward denied any allegations that the software posed a privacy threat because of its keystroke logging. "Our technology is not real time," he said to The Register. "It's not constantly reporting back. It's gathering information up and is usually transmitted in small doses."
The company has not publicly responded to the issue, but has posted a memorandum on its Web site:
"Carrier IQ delivers Mobile Intelligence on the performance of mobile devices and networks to assist operators and device manufacturers in delivering high quality products and services to their customers. We do this by counting and measuring operational information in mobile devices - feature phones, smartphones and tablets. This information is used by our customers as a mission critical tool to improve the quality of the network, understand device issues and ultimately improve the user experience. Our software is embedded by device manufacturers along with other diagnostic tools and software prior to shipment."
The company claims that it is counting and summarizing performance, not recording keystrokes or providing tracking tools. It cites the stringent policies and obligations on data collection requested by its customers.
"The information gathered by Carrier IQ is done so for the exclusive use of that customer, and Carrier IQ does not sell personal subscriber information to 3rd parties. The information derived from devices is encrypted and secured within our customer's network or in our audited and customer-approved facilities."