updated 11:50 pm EST, Sat December 3, 2011
Carrier IQ puts attention back on phone firms
Carrier IQ followed up its technical discussion of how its system works with an implication that phone designers like HTC were compromising the security of its device tracking. In a chat with The Verge, marketing VP Andrew Coward was careful not to mention HTC by name but gave strong clues that a standard Android log file containing the normally unsaved information had to have been populated with the tracking data by HTC. HTC's software, in this view, was making copies of whatever the Carrier IQ programming interface saw.
The executive reiterated that the tracking only sits in RAM and is protected. It should only be viewable with Carrier IQ's own software. An app with strong permissions could read the standard log file, but this was an issue with Android, not Carrier IQ.
A worst-case exposure of the files would still leave data no more than a week old, Coward said. He had previously elaborated on this by mentioning that the tracking information was uploaded as sparingly as once a week and included the last 24 hours of data up to that upload, making any week-old data itself just a small piece of the device's history.
HTC hasn't responded to the more direct accusation, but it has already said it was considering letting users opt out of tracking entirely. Other Android phone creators like Samsung have yet to fully take a stance. Apple, Nokia, and RIM have all said that they either stopped an already-limited use of Carrier IQ or never used it.
The core software is now generally thought to be benign and to capture only anonymous carrier data, with any checks on keystrokes used for short codes in voice or messaging. Because carrier-badged Android phones give users no choice about whether they use Carrier IQ, however, the software creates potentially very large security risks if the data escapes and hackers can assume that some phones are always vulnerable.