12/05/2011 12:49 pm ET

Carrier IQ: Security Researcher Dan Rosenberg Defends Mobile Tracking Software

Last week, the controversy over Carrier IQ, software installed on millions of smartphones that monitors details about users' activities, reached a fever pitch.

After security researcher Trevor Eckhart posted a video explaining how the software logs every text message, web search and phone number typed on a wide variety of smartphones, Sen. Al Franken (D-Minn.) called on the software's developer to explain, Rep. Ed Markey (D-Mass.) asked the Federal Trade Commission to investigate, and the company was hit with a class-action lawsuit.

But in a blog post Monday, security researcher Dan Rosenberg defended the software, saying it helped improve mobile phone performance and asserting there had been "a lot of misinformation" about who was collecting the data stored on the phones.

"Since the beginning of the media frenzy over Carrier IQ, I have repeatedly stated that based on my knowledge of the software, claims that keystrokes, SMS bodies, email bodies, and other data of this nature are being collected are erroneous," Rosenberg, a security consultant for Virtual Security Research, wrote in a post titled "Carrier IQ: The Real Story."

Based on his analysis of the Samsung Epic 4G Touch, Rosenberg said the software collects data from the phone and uploads it for analysis by mobile carriers, who may request data on dropped calls to improve their service.

At the request of mobile phone carriers, Carrier IQ can record GPS location, the URL of websites visited and which dialer buttons are pressed to determine the destination of a phone call, Rosenberg said. But he added that the software does not record text messages, web page contents, or email content, even if carriers and handset manufacturers request it.

Rosenberg's findings echo a statement last week by Carrier IQ, which asserted that its software, which is installed on 150 million devices but not easily removed by the average user, is merely a diagnostic tool used by its mobile operator customers to assess and improve the quality of a network's services.

Rosenberg says:

"All of the data that is potentially being collected supports CarrierIQ’s claims that its data is used for diagnosing and fixing network, application, and hardware failures. Every metric in the above table has potential benefits for improving the user experience on a cell phone network. If carriers want to improve coverage, they need to know when and where calls are dropped. If handset manufacturers want to improve battery life on phones, knowledge of which applications consume the most battery life is essential. Consumers will have their own opinions about whether the collection of this data falls under the terms set by service agreements, but it’s clear to me that the intent behind its collection is not only benign, but for the purposes of helping the user."

That analysis contrasts with Eckhart's findings. He claims the software logs every text message, Google search and phone number typed on a wide variety of smartphones and reports them to the mobile phone carrier.

In his video, Eckhart asserted the application, which was labeled on his HTC smartphone as "HTC IQ Agent," also logs the URL of websites searched on the phone, even if the user tries to encrypt that data using a URL that begins with "HTTPS."

In a post about Carrier IQ on his website, Eckhart called the software a "rootkit," a security term for software that runs in the background without a user's knowledge and is commonly used in malicious software.

Earlier this month, Carrier IQ sent Eckhart a cease-and-desist letter, claiming he had violated copyright law by publishing Carrier IQ training manuals online. But after the Electronic Frontier Foundation, a digital rights group, came to Eckhart’s defense, the company backed off its legal threats.


