An Android developer recently discovered a clandestine application called Carrier IQ built into most smartphones that doesn't just track your location; it secretly records your keystrokes, and there's nothing you can do about it. Is it time to put on a tinfoil hat? That depends on how you feel about privacy. In the nearly 20-minute video clip, Eckhart shows how software developed by mobile-device tracker Carrier IQ logs each keystroke and then sends them off to locations unknown. In addition, when Eckhart tried placing a call, Carrier IQ's software recorded each number before the call was even made.
What is Carrier IQ, exactly?
The software is hidden inside phones there is little you can do to detect that it’s even installed, let alone remove it, and it tracks everything. Keystrokes, browsing and surfing habits, Google searches, and basically every single thing that you are doing on your phone and every button that you press is logged by this software. Jump to 9:00 in the YouTube video below for the proof this is basically a keylogger running on your phone that you didn’t know about.
The company that’s creating this software claims that the point of the software is to deliver “analytics” about devices to the carriers to help them provide better service to their users. But is recording every keystroke really necessary for that information? Does not telling the users about this and making it near-impossible to opt out seem a bit fishy to anybody else? This software is on almost all Android phones made by the big names (HTC, Samsung, Motorola), and is even on BlackBerries and Nokia devices, as well.
"Our action was misguided and we are deeply sorry for any concern or trouble that our letter may have caused Mr. Eckhart," the company said in response to the EFF's letter. "We sincerely appreciate and respect EFF's work on his behalf, and share their commitment to protecting free speech in a rapidly changing technological world."
HTTPS? Nothing Is Safe From Carrier IQ
For those unaware, the S in HTTPS stands for secure. It's what keep your passwords and other sensitive data safe when sent across the web. It's provides encryption for said information, so whilst it's traveling through the airwaves, it's safe and snuggly, away from the awful people who want to steal your info.
Just because a website is using a secure connection doesn't mean it's one-hundred percent safe from end-to-end, though. You see, some information, including usernames and passwords, can still be sent plain text. For example, the username and password can be used in the address of the site, like www.mysite.com?username=MYNAME&password=MYPASS (Trev's example). Sure, it's encrypted while going down the tunnel, but guess who gets to see the raw link? Did you guess Carrier IQ? If so, go get yourself a cookie. You earned it. [Source]
Let's think about the name of this thing for a minute - Carrier IQ. So, it's probably safe to say that this is all about the carriers, right? If that were true, then why would CIQ remain active once a device no longer has carrier service?
Let me back up for one second, CIQ claims that its services are stopped the second the SIM card is removed from the device, which is all fine and dandy... if you're on a GSM network. Those of us on CDMA networks aren't so lucky, though, because we don't use SIM cards. Thus, even when a device is deactivated from its network, it continues to send data back to the carrier, CIQ, and whoever else whenever you're on a Wi-Fi connection.