Welcome to Securitynightmareville. Population: You, thanks to Carrier IQ

Around 150 million smartphones out there have software that's secretly logging detailed user activity and information.

As if IT admins didn't have enough to worry about with all this consumerization stuff: Around 150 million smartphones out there have software that's secretly logging detailed user activity and information.

That's according to security researcher Trevor Eckhart, whose "What is Carrier IQ?" report shook the smartphone market this week. Turns out that Carrier IQ is, according to his research, a company whose software runs in the background of smartphones and accesses all sorts of data, including keystrokes, browsing history and even the content of text messages. That's scary enough if you're a consumer using your phone for personal tasks. But imagine if you're an IT guy and all your employees are using their personal devices to read and write emails, access and modify corporate documents, etc. Welcome to Securitynightmareville. Population: You.

Not surprisingly, Carrier IQ downplayed these concerns, telling AllThingsD that its software ignores personal information and only pays attention to data that helps diagnose handset and network problems.

"The software receives a huge amount of information from the operating system," marketing vice president Andrew Coward told the blog. "But just because it receives it doesn’t mean that it’s being used to gather intelligence about the user or passed along to the carrier."

Still, the fact that the software receives any personal or corporate data at all should be alarming -- especially if your company is subject to compliance regulations, where just the fact that a third party could access protected data can land you in hot water. The news about Carrier IQ shows that IT really needs to pay attention to what devices their employees are using, what corporate data and applications they can access and what systems are in place to prevent unauthorized access.

But even then, a lot of issues are out of IT's control. If you're worried about Carrier IQ, you can try to stop employees from using devices that have the software. Oh, wait. We still don't know exactly which phones run Carrier IQ. Apple said the iPhone used to use Carrier IQ but doesn't anymore. AT&T, Sprint, T-Mobile, HTC and Samsung said some of their devices use it, and Verizon Wireless, Nokia, Research in Motion, Microsoft and Hewlett-Packard said theirs don't, but some people aren't 100% sure and others think these companies might just be using other technology that does the same thing. Got that?

The only real solution for IT is to prevent all employees from using personal phones for work until this all gets sorted out. But any solution that enrages your users and decimates productivity isn't really much of a solution at all, now is it? Consumerization is going to give rise to all sorts of issues like this one, where IT really has no appealing options.

Join the conversation



I wonder when the first blockbuster case of corporate or international espionage will come up. I'm sure some smaller cases have already appeared here and there, but as far as I know nothing has been big enough to headline CNN. I have to think it's only a matter of time.


Oh please, I had expected some more nuance in this report. Worried about people reading your text messages? Don't trust your telecom provider then, they have access to our call history, the content of text messages, and even our voice data if they wanted to. I really hope a piece of diagnostic software is not going to upset security admins, because assuming that anything a user does on a semicontrollable device could even be secure is the wrong assumption to start with.


With all the hem-haw'ing and double-talk here, I think it's safe to say that current versions of iOS 5 do in fact have some chunk of CarrierIQ in them...



From a federal IT agency perspective, it would appear that this will end pretty quick. Our OCISOs are circling the wagons on this one. Any data collection from a federal device not specifically agreed to will not end well.

And let's not even mention HIPAA regulations.

Good intentions or not, Carrier IQ is DOA by 2012.