A cellphone eavesdropping scandal casts a shadow on Apple's competitors
Have you heard that every text message, every e-mail, every phone number, every keystroke made on a Google (goog) Android phone may be secretly recorded, logged and sent to your cellular provider by a tracking service called Carrier IQ?
No? That's a surprise, because it's a scandal that's been brewing for several weeks -- ever since security researcher Trevor Eckhart discovered Carrier IQ's analytics app on HTC phones running Android. The app comes pre-installed on more than 140 million handsets, including phones made by Samsung, Nokia (nok) and Research in Motion (rimm) -- but not so far by Apple (aapl).
[UPDATE: Traces of the app have been found in several versions of the iPhone's operating system, but preliminary reports suggest that it is used only in diagnostic mode, and that its default setting is off. See Apple's statement below.]
Carrier IQ's first response was to have its lawyers send Eckhart a cease-and-desist letter (since withdrawn, with an apology). Its second was to issue a statement that its software does not record keystrokes and that any information it gathers is "encrypted and secured."
It didn't take long for Eckhart to put the lie to those claims. On Monday he posted a 17-minute YouTube video that takes viewers step by step through the set-up and then, at the 13:45 mark, shows Carrier IQ recording his keystrokes -- in clear text -- as he performs a supposedly encrypted HTTPS Google search.
"As violations of privacy go," writes ExtremeTech's Joel Hruska, one of a handful of reporters who have covered the story, "this makes Apple’s 'locationgate' scandal from earlier this year look like nothing more than a minor hiccup."
On his Talk Show podcast Wednesday, Daring Fireball's John Gruber offered the fact that Carrier IQ-gate isn't headline news all over the world as proof of the media's anti-Apple bias. I wouldn't go that far; Apple probably gets more positive coverage than it deserves.
But I was struck by the workarounds Hruska offers Android users:
- Installing CyanogenMod, which removes the kernel hooks used by Carrier IQ's app
- Switching to an iPhone
"The CIQ software, as it currently functions," he writes, "blatantly violates both privacy agreements and security best practices. It’s also the best reason to buy an iPhone that we’ve heard in months. Given the choice between a closed software ecosystem and an open phone that spies on its user, we’ll take closed software every time."
- - - - - -
Apple's statement, released Thursday afternoon:
“We stopped supporting Carrier IQ with iOS 5 in most of our products and will remove it completely in a future software update. With any diagnostic data sent to Apple, customers must actively opt-in to share this information, and if they do, the data is sent in an anonymous and encrypted form and does not include any personal information. We never recorded keystrokes, messages or any other personal information for diagnostic data and have no plans to ever do so.”
Below: Eckhart's 17-minute video.