Even as government officials around the world are beginning to investigate the Carrier IQ software installed on millions of smartphones, a security researcher is saying that claims the company had been improperly collecting personal data are "erroneous." Dan Rosenberg of Virtual Security Research, who says he has no professional ties to Carrier IQ, wrote that the reaction to the software contains a lot of "misinformation."
In a posting Monday on his security research blog, It's Bugs All the Way Down, Rosenberg said Carrier IQ "is a piece of software installed on phones that accepts pieces of information known as metrics."
Some 'Important Conclusions'
Rosenberg said that the software decides whether a submitted metric is "interesting" based on the current profile on the device. The profile determines relevance by whether the metric bears on a given aspect of phone service, such as reception or battery life. That determination of relevance also governs whether the metric is sent to the carrier, for example to evaluate dropped calls.
After a detailed analysis of Carrier IQ on a Samsung Epic 4G Touch, Rosenberg wrote that he reached a "number of important conclusions."
For one thing, he said, he found that the Carrier IQ software on the phone could not record textual content from SMS messages, Web pages, or e-mail, even if the carrier wanted the information, because there is no metric for it.
He found that the software can record dialer buttons, and speculated that carriers already have legal access to that data. But, Rosenberg said, the Carrier IQ application on the Epic 4G Touch cannot record non-dialer keystrokes, such as inputting a text message. However, the software can record GPS location data "in some situations," and can record URLs that are visited.
Although Carrier IQ is citing Rosenberg's investigation to support its position that user confidentiality is not being violated, his posting does not let the company off the hook completely. He notes, for instance, that metrics are determined by carriers, that consumers should be able to opt out of any sort of data collection, and that "there needs to be third-party oversight on what data is collected to prevent abuse."