Tech researchers said Carrier IQ is installed on many smartphones without the owners' knowledge.

Story highlights

Fallout continues over smartphone info-tracking app

Many smartphone users express concern over Carrier IQ

Researchers say the app can track keystrokes, Web surfing and other user behavior

Some analysts say concerns about the app are overblown

CNN  — 

The Web fallout continued Friday over news that a hidden app could be tracking smartphone users’ activity.

Many bloggers and smartphone customers fretted about the privacy issues raised by Carrier IQ, an information-mining app secretly installed on many phones. But at the same time, other tech observers were beginning to say that some of those concerns may have been over the top.

First, a recap: On Monday, researcher and developer Trevor Eckhart posted a 17-minute YouTube video apparently showing how the software – designed as a diagnostic tool to find and help fix mobile network problems – runs on his smartphone and logs every keystroke, every text and the full URL of every website he visits.

News of the app’s existence on millions of phones had bounced around on tech blogs for a while. But attention skyrocketed this week when Eckhart posted his video.

By Thursday, it had turned into a rapidly developing story in which new information seemed to surface hourly. Mobile carriers and smartphone makers rushed to dispute claims made by Eckhart and others who said they confirmed his findings, explain their use of the app or announce that they once used it but plan to get rid of it.

And Friday morning, the controversy made its way into the courts. A lawsuit was filed in the U.S. District Court for the Northern District of California against Carrier IQ, and phone makers Samsung and HTC, claiming that the app violates customer privacy.

“Given our dependence on smartphones, we rely on the assumption that our personal information is protected from third parties,” attorney Steve W. Berman said in a written statement. “Yet, it appears that Carrier IQ has violated this trust.”

Berman’s firm is representing several customers and is seeking to turn the complaint into a class-action lawsuit.

The potential ramifications obviously had other privacy-minded folks concerned as well.

“A couple of things seem pretty clear,” Jay Stanley, a senior privacy and technology analyst with the American Civil Liberties Union, said Friday. “We don’t know what the company was storing or accessing or what their clients were storing or accessing, but they seem to at least have the capability to store and access a lot of very personal information.”

Many mobile customers seemed to focus their concerns on the fact that the software runs without their knowledge and appears difficult, if not impossible, to uninstall.

For example, on Sprint’s community forums, several topics had been created to discuss the issue. And customers weren’t happy.

“There’s no excuse to knowingly and willingly want to have that kind of invasive software, that potentially puts customers sensitive information at risk, on the phone,” one customer wrote. “This software may violate multiple privacy laws, and that alone ought to void our contracts.”

Sprint said it uses the app to root out network problems but can’t see user activity. Other wireless carriers and smartphone manufacturers also responded. Verizon said it doesn’t use the app, and Apple said it has stopped supporting it and plans to eliminate it altogether.

By Thursday morning, some on the Web were trying to put the brakes on the fears, though.

“Okay, folks, before we complete this public lynching, is there any evidence that Carrier IQ actually transmitted inappropriate data?” tweeted Declan McCullagh, a correspondent for tech site CNET.

In a message posted to Pastebin, Dan Rosenberg, an analyst with Virtual Security Research, wrote that some of the fears about Carrier IQ have been overblown.

“After reverse engineering CarrierIQ myself, I have seen no evidence that they are collecting anything more than what they’ve publicly claimed: anonymized metrics data,” he wrote. “There’s a big difference between ‘look, it does something when I press a key’ and ‘it’s sending all my keystrokes to the carrier!’.’”

“In my opinion, the media has made it more malicious than it really is and I am not concerned about my phone usage at all,” wrote Matthew Miller, a columnist with tech site ZDNet. “It sounds to me like the software is designed to BENEFIT consumers and is not being used to track and target you.”

But the ACLU’s Stanley remains concerned. He cited promotional material on Carrier IQ’s own website that notes its ability to track users’ activities.

“If you look at their website, we don’t know what their clients were buying, but we do know what they were selling,” he said. “What they’re saying to the media doesn’t seem to comport to what they tout on their own website.”

Carrier IQ says the core purpose of its tool is to uncover broad trends across a network. Its software can help carriers find out where calls are dropping and why, and zero in on device glitches.

For at least some of those who remain concerned (and there are no doubt many), there may be some hope of at least finding out if the app is running on their phones.

A new app in the Android Market, Voodoo Carrier IQ detector, is designed to help you simply find the kit on your phone if it exists. It’s only a day old and not perfect, developers say, but will continue to be tweaked.