I received a security alert about Carrier IQ yesterday evening and it seems well on the road to hitting the mainstream media by the end of the day. In a nutshell, a researcher, Trevor Eckhart, found that hidden software on his Android phone was reporting back pretty much everything that he did with his phone to a company that he had never heard of (Carrier IQ). The hidden software lied about its presence and when found could not be stopped or otherwise prevented from running on the phone. Eckhart classified it as a rootkit, posted his findings (apparently about a week ago) and then, as the saying goes, "things got interesting". The company, Carrier IQ, tried to shut him up by threatening him with lawsuits and heavy fines. Eckhart turned to the Electronic Frontier Foundation (EFF) for help and they backed him up, forcing Carrier IQ to back down. Eckhart's story and video showing the software at work has gone viral, exposing the fact that this software is being installed by many US carriers and is on Android, Blackberry and while initially thought not to be the case, even Apple iPhones. Windows phones do not appear to be affected and some of the Google experience devices ( Google Nexus One, Galaxy Nexus and Xoom ) also do not have Carrier IQ running.
Clearly Carrier IQ is facing the prospect of some serious class-action lawsuites, if not criminal charges (wiretap laws do still exist) and of course the carriers that installed this (unless they can throw Carrier IQ under the bus and somehow claim lack of knowledge) are also going to be facing some tough legal action. Of course if it turns out that this is an outgrowth of the older NSA warrantless surveillance suites that got AT&T into trouble then they will face no legal action as they can just say the government told us to this so you can't sue us (the government gave the carriers a get-out-of-jail-free card for things like this) and that would of course make us all feel so much better right?
One other issue that may come about is a return to the question of the carrier data usage discrepancies. A number of people and researchers have shown that they have been charged for far more data usage than they have actually used and the carriers have always denied that there is a problem. Of course this was before Carrier IQ but now that we know that the carriers have also installed hidden software that can send every button push, text message, email, web click or URL that you visit even when you are on WIFI and not supposed to be using the cellular connection then you have to wonder, privacy concerns aside, who is paying for that bandwidth and will there be other lawsuits for the overcharges?
Interesting times - Don't Blink.