Posted by Greg Mills
I contacted Apple Media Relations Thursday morning requesting comment on the Carrier IQ privacy issue on Apple products and got a phone call back with an official statement from Apple, at 4:30 Central time. This is Apple's Official Statement on Carrier IQ:
"We stopped supporting CarrierIQ with iOS 5 in most of our products and will remove it completely in a future software update. With any diagnostic data sent to Apple, customers must actively opt-in to share this information, and if they do, the data is sent in an anonymous and encrypted form and does not include any personal information. We never recorded keystrokes, messages or any other personal information for diagnostic data and have no plans to ever do so."
Apple iOS users can turn off diagnostic software on their devices. Go into the Settings menu and follow these instructions. On an iPhone or iPad with the 3G radio, turning the Carrier IQ software off is very simple. Go to Settings/General/About/Diagnostic and Usage, then select either Automatically Send or Do Not Send. Done deal, no information will be collected or sent. Doing this with an Android phone requires using a large hammer and a concrete floor and sweeping up the resulting mess.
What we know now:
The Carrier IQ diagnostic software seems able either to collect and report on every single keystroke, app, phone call and text message entered on certain smartphones, before it is even sent, or to be much more limited in what it does. It can also be opt-in or opt-out, depending on what the networks and handset makers decide. See http://www.geek.com/articles/mobile/security-researcher-responds-to-carr... .
Sprint and AT&T have admitted they use the Carrier IQ diagnostic software service whereas Verizon denies they are involved in the newest mobile privacy scandal. See http://www.CarrierIQ.com for a scary countdown of the smartphones that have Carrier IQ software on them.
The Carrier IQ keystroke logger, found on Android phones and almost all other phones as well, may have been added by the cellular networks before they sell the phone or simply baked into the operating system by the people who write the operating systems. RIM has already denied having anything to do with putting Carrier IQ on its various Berries.
I have been unable to get any new information on Microsoft's Mobile OS or Nokia's older OS, Symbian, but rumors are that Nokia is one of the companies that uses the key logger software. Android as an OS seems to be the worst offender as the Carrier IQ software on Android is fully functioning and has no easy way to be turned off. Google seems to be front and center in this most recent privacy flap.
What the handset makers did in installing the key logger, the carriers in adding the software and the Carrier IQ company in collecting the data comes very close to felony criminal wiretapping activity. Some legal experts think class action lawsuits and even criminal charges might put the Carrier IQ company out of business and perhaps put those responsible in jail. Carrier IQ may have violated federal wiretap laws with penalties of up to US$150,000 per violation! The wiretap issue will be related to whether the data is general or specific to a certain individual. But, in any case, it feels like I ought to know what is encoded in my iPhone and what it does. Apple has done that, in my opinion, very quickly.
Wow, if only Congress were so fast on other issues. US Senator Al Franken, an outspoken mobile privacy critic, has demanded that Carrier IQ CEO Larry Lenhart provide specific information about how the keystroke software is used. Senator Franken is quoted as saying, "Consumers need to know that their safety and privacy are being protected by the companies they trust with their sensitive information." He said in a statement, "The revelation that the locations and other sensitive data of millions of Americans are being secretly recorded and possibly transmitted is deeply troubling."
The Privacy and Security statement at the Carrier IQ web site states:
Carrier IQ enables mobile operators, mobile device manufacturers, application vendors and other participants in the Mobile Ecosystem to deliver high quality products and services, based on what you want, where you want and to work and perform the way you expect.
In providing our products and services, Carrier IQ enables our customers to gather information on Mobile User Experiences. Carrier IQ's products were developed from inception to respect and protect user privacy and security. We have established a "Best Practices" approach to privacy and security. Our products are designed and configured to work within the privacy policies of our end customers and include functions such as anonymization and encryption. When Carrier IQ's products are deployed, data gathering is done in a way where the end user is informed or involved.
With deployment on over 130 million phones globally, we have considerable experience in protecting the privacy of the end user and doing so in a highly secure manner. Information transmitted from enabled mobile devices is stored in a secure data center facility that meets or exceeds industry best practice guidelines for security policies and procedures.
Our data gathering and data storage policies are built from industry best practice. Our products allow us to address privacy & security requirements that vary country-by-country and customer-by-customer. There are a variety of techniques involved in protection of privacy and in implementation of security policy, including anonymization of certain user-identifiable data, aggregation of data and encryption of data, etc.
We work in partnership with our customers to ensure compliance with their data collection and protection policies. While much of the data we gather is already available through alternate methods, we make it more efficient and useful – aimed at improving products, services and quality for the end user.
An interesting side note: the WikiLeaks gadfly with the white hair stated that as many as 150 organizations, including governments, already have access to your data. It feels like you might as well walk around with a flashing strobe light on your head and a loudspeaker spewing out everything that happens on your smartphone. Not a nice feeling at all. This is sure to generate a lot of buzz. I will try to keep readers up to date on the most important information as it becomes available.
Facebook has recently settled with the FTC on violating user privacy, Apple got busted for the location data "bug" and now secret keystroke software is found on potentially the majority of smartphones in use. My wife's throwaway TracFone is looking more secure than my iPhone all the time.
That is Greg's Bite out of Carrier IQ's hide.