Trevor Eckhart, a Torrington security researcher, has set off a firestorm over his allegations that a diagnostic software company, Carrier IQ, is capturing the content of text messages and other personally identifiable information on hundreds of millions of mobile phones running the Google Android operating system.
Eckhart alleged that the Carrier IQ software is often enabled by default on many phones, running as a “rootkit” that does not show up on a list of active tasks running on the device. Further, he showed that the software has the potential to transmit personally identifiable information back to carriers and/or manufacturers, including text messages, location data, and URLs of websites visited.
Eckhart’s findings raised concerns that the data collected could be linked to specific users should carriers choose to collect information in that manner. Additionally, Eckhart discovered the software has the ability to log individual keystrokes and that it could capture private data sent to secure websites prior to the information being encrypted and transmitted.
Following Eckhart’s publication, Carrier IQ issued a cease and desist letter threatening him with legal action if he did not remove his post. Eckhart reached out to the Electronic Frontier Foundation, a non-profit organization that protects free speech online, which took up his case and forced Carrier IQ to retract its demands. Carrier IQ has since issued an apology.
For its part, Carrier IQ claims that it is not transmitting all of the data its software has the potential to collect.
“While a few individuals have identified that there is a great deal of information available to the Carrier IQ software inside the handset, our software does not record, store or transmit the contents of SMS messages, email, photographs, audio or video. For example, we understand whether an SMS was sent accurately, but do not record or transmit the content of the SMS. We know which applications are draining your battery, but do not capture the screen,” the company said in a statement.
Despite that assurance, Eckhart released a YouTube video that shows SMS data is in fact logged by the software. That video has been viewed more than 1.3 million times since its release on November 28.
Carrier IQ’s website includes a running ticker of the 141 million installations of its software on mobile handsets. The ticker adds about one device per second to that figure. In its statement, Carrier IQ claims to be a “consumer advocate to the mobile provider,” saying it helps carriers identify problems related to dropped calls and battery life.
Adding to the complexity of the story is that each manufacturer and carrier can choose to use the software in different ways. Nearly all major manufacturers, including Apple, HTC, and Samsung, currently use or have used the company’s software to log issues with their handsets. Apple said it stopped supporting the software in the latest version of its operating system, but it may still be installed on older devices even with the new upgrade. A future version will remove it completely.
Carriers are also chiming in. Computerworld reports that Verizon has denied using Carrier IQ for data collection, but Eckhart said in his initial publication that he has found it installed on Verizon handsets. AT&T and Sprint both acknowledged to Computerworld that they use the software to track the performance of their networks.
Senator Al Franken issued a letter to Carrier IQ asking the company to clarify what data it collects and how. Franken set a deadline of December 14 for the information. A number of class action lawsuits have already been filed against the company, manufacturers, and carriers.