Software that comes preinstalled on Android, Blackberry and Nokia phones might secretly be logging every keystroke users make, according to researcher Trevor Eckhart.
The “rootkit” software, made by Carrier IQ, logs nearly everything users type in to their devices, Eckhart reports. The researcher posted a 17-minute clip explaining about the software and showing how it logged a Google search he did on an HTC phone -- even though he used HTTPS encryption. Wired first reported Eckhart's findings on Tuesday night.
There is no way to disable Carrier IQ short of installing a new operating system, according to Wired.
Should Eckhart's report prove correct, Carrier IQ might have violated wiretapping laws, according to University of Colorado law professor Paul Ohm. “Carrier IQ, prepare for a multi-million $ class action lawsuit. Maybe a criminal case too?” Ohm tweeted.
The report sparked much discussion on Wednesday; Twitter users thought the issue warranted its own hashtag: #CIQ.
Privacy researcher Ashkan Soltani tweeted about a tool that lets people test whether Carrier IQ software is installed on their phones.
Some commenters appeared to think the report was more outrageous than others. One programmer who posted to Pastebin said that there was no evidence that Carrier IQ transmitted data back to the carriers. “Dear Internet,” started the post. “CarrierIQ does a lot of bad things. It's a potential risk to user privacy, and users should be given the ability to opt out of it. But people need to recognize that there's a big difference between recording events like keystrokes and HTTPS URLs to a debugging buffer (which is pretty bad by itself), and actually collecting, storing, and transmitting this data to carriers (which doesn't happen).”
This isn't the first time Eckhart has taken on Carrier IQ. Earlier this month he said the company's software logs mobile users' activity, Wiredreported. He also posted training manuals that were then on the company's site.
Carrier IQ threatened to sue him for copyright infringement, but retreated after the digital rights group Electronic Frontier Foundation got involved.
Carrier IQ apologized to Eckhart and also issued a statement in which it denied spying on smartphone users. “While we look at many aspects of a device’s performance, we are counting and summarizing performance, not recording keystrokes or providing tracking tools,” the company said in a statement dated Nov. 16.
Carrier IQ hasn't yet addressed Eckhart's new report.