Unfortunately, as deployed by carriers, Carrier IQ's software is typically hidden on smartphones, and can't be deactivated or removed, except by advanced users. But everyone from consumers and legislators to network administrators and privacy advocates have been demanding that carriers and manufacturers offer smartphone users the ability to opt out of such data collection.
"The reason this is becoming an issue is simply because there is no opt-out option," said Tim Schofield, a member of Android Creative Syndicate, via email. Furthermore, there's no easy way to remove the software. In fact, the only known techniques are "to flash a custom ROM (such as Syndicate ROM Frozen) or flash one of k0nane's noCIQ mods (which always get built into other ROMs)," he said. (Syndicate ROM Frozen works on Samsung Epic smartphones.)
"My noCIQ series of mods are designed to work for anyone with a rooted device, and a deodexed ROM (stock or otherwise)," said the security researcher with the handle "k0nane," in an interview. "Mods are available for Epic 4G, Epic Touch, and SGS2 Skyrocket, though a new version for Skyrocket is in the works, and a new version for the latest Epic Touch update will be released soon. I do not supply mods for non-Samsung devices, or for devices which do not require edits to the system framework (thus allowing a more simple removal)," said k0nane.
K0nane's mods require first installing Clockwork Mod, which is a free tool for flashing the Android ROM, among other tasks.
[ How much of a threat is CarrierIQ, really? See Carrier IQ: Just A Little Evil? ]
Of course, less advanced users may not want to flash their ROMs. Likewise, owners of smartphones for which custom ROMs haven't been developed don't have any Carrier-IQ-eradication options. In those cases, Android smartphone owners will only be able to detect the Carrier IQ software. Look to these three tools--all free--to help.
1. Voodoo Carrier IQ detector. Created by software developer Francois Simond (aka supercurio), this app from the Android Market had been installed 158,067 times as of Friday, was actively running on 93,266, and by Wednesday had racked up a rating of 4.8 out of 5, based on more than 2,500 reviews. The software works on Android 2.1 and newer, and continues to be developed to detect Carrier IQ on more types of handsets. Simond--the driving force behind Project Voodoo, which provides enhancements for Galaxy S smartphones--may create a reporting feature so that people can publicly report what they've found, based on their make and model of phone as well as carrier. As with all detectors, however, the software won't remove Carrier IQ's software. For that, said Simond in the release notes, "Call your carrier."
2. Carrier IQ Detector. Built by mobile security software vendor Lookout Labs, this app--also available on the Android Market, will detect some installations of Carrier IQ on Android 1.5 and later, and has received strong reviews. To date it's been installed on at least 100,000 handsets.
3. Bitdefender Carrier IQ Finder. Also available from the Android Market, this app runs on Android 2.1 and later, has been installed over 10,000 times, and likewise garnered strong reviews.
Which detector should you use? Security researcher k0nane, who originally publicized the fact that Carrier IQ's software was running on handsets and then developed tools to help remove the software, has recommended the Voodoo detector. "Lookout and Bitdefender's apps provide semi-accurate results, but do not give any details, do not include a 'not active' option"--meaning the Carrier IQ software is present, but not currently running--"and are not open source," he said.
In addition, he noted that the Voodoo Carrier IQ detector doesn't include any advertising or user tracking, unlike Lookout's software, which uses Google Analytics. Furthermore, the Voodoo software "will be compatible with various CIQ removal mods, including my own, going forward," he said.
"As far as I know, no members of either company have reached out to the community to handle cases of CIQ removal mods," he said, referring to the software from Lookout and Bitdefender.
Database access controls keep information out of the wrong hands. Limit who sees what to stop leaks--accidental and otherwise. Also in the new, all-digital Dark Reading supplement: Why user provisioning isn't as simple as it sounds. Download the supplement now. (Free registration required.)