While everybody is busy flipping out about the Carrier IQ smartphone spying controversy, more and more data security experts are raising their hands with a calming comment: It's not necessarily a good thing, but it's not that bad.
The recently revealed details of Carrier IQ data collection practices scaring to privacy advocates for a few reasons. The fear largely stems from mobile security researcher Trevor Eckhart's suggesting earlier this week in YouTube video that the company's software recorded every keystroke -- also known as "keylogging" -- on all kinds of smartphones, even the content of text messages. It also appeared to save large amounts of user data, including information about encrypted Google searches, and it wasn't clear with whom they shared the data. Ultimately, the biggest concern involved the apparent inability to block the service. There's no way to opt out and because Carrier IQ exists practically hidden in the phone's firmware, deleting it requires advanced coding skills.
In covering Eckhart's discovery we went with the headline "Your Smartphone Is Spying On You," as speculation mounted that Carrier IQ was breaking federal wiretapping laws. A threatening-sound letter from Senator Al Franken and a class action lawsuit later, Carrier IQ told its side of the story. In an interview with The Atlantic Wire, Carrier IQ's vice president of marketing Andrew Coward, who's understandably working hard to contain the explosion of negative press, admitted that Carrier IQ monitors a huge amount of data but denied the idea that they were keeping tabs on mobile phone users. We now know a bit more about how Carrier IQ works.
The Keylogging Problem
This is probably the most hot button issue. Besides the very creepy idea that any company is keeping track of every button touched on your phone, keylogging is also a popular technique that hackers use to steal account information. Although Eckhart's video shows the software registering keystrokes, Carrier IQ denies that it's using the information in any meaningful way. "There is a level of sensitive information that we are seeing and gathering and providing to the network," Coward told us. "What we're not doing is collecting keystrokes and looking at SMS traffic."
Several independent security experts have weighed in on this point to explain how diagnostic software like Carrier IQ's actually works. One anonymous security researcher told ZDNet that the reports about Carrier IQ -- and by proxy, their clients, who are mostly mobile carriers -- spying on users are "mostly exaggerated." He said, "Carriers already have access to a lot of information on what its subscribers are doing simply because it’s their network being used." Another data security researcher, Dan Rosenberg, posted his thoughts in an open letter to all the scared privacy advocates out there, explaining the difference between standard data-logging and spying. "After reverse engineering CarrierIQ myself, I have seen no evidence that they are collecting anything more than what they've publicly claimed: anonymized metrics data," wrote Rosenberg. "There's a big difference between 'look, it does something when I press a key' and 'it's sending all my keystrokes to the carrier!'"
The Text Message Problem
Some believe that Carrier IQ is learning their deepest darkest secrets by collecting text message data. This is the 21st-century of Cold War-style phone bugging, and it is, if true, disconcerting at best. Carrier IQ admitted that their software gathers more information than competing services -- one can imagine how this would be a competitive advantage -- but similar to the point he made about keylogging, Coward said it's not as Stasi-esque as it sounds. "We are not gathering and transmitting the content of your emails, the content of your SMSes or the screenshots of your photos," he said. "Do we store the content? No," he said. "Do we see the content? No." He hammered the point home: "Our whole aim is to throw away as much information is possible. The volume becomes very large and so if we were doing everything that is alleged we'd be outcompeting Google for data centers."
As a rule, we're pretty skeptical of marketing executive doing damage control. The software's job is to watch the torrent of code surging through your phone, spot when errors happen and report back to the carrier so they can fix it. We asked Coward to provide us with a real world example. "If you send your friend an SMS, we would simply count the fact that you sent an SMS and if it failed or why it failed," Coward said. "We would not record or transmit the contents of that SMS." However, smartphones do a lot more than send emails, text messages and take pictures. Bear with us.
The Encrypted Google Search Problem
It would take hours run through an itemized list of all the information that Carrier IQ monitors, and Coward would only speak to us for a few minutes. The company's press contact explained that their day was packed with interviews and we got a five minute warning about five seconds into the call. We weren't able to get a clear explanation about why Carrier IQ appeared to log a Google search over an encrypted Wi-Fi network as Eckhart's video shows, but Steve Kovach at Business Insider, who also spoke with Coward on Friday, made a bullet point list of what Carrier IQ (or, CIQ) admits to collecting. Kovach's post is worth a read, but these three details stand out:
- CIQ's software can take URLs you visit on your phone and report that information to your carrier, but it's up to the carrier to decide whether or not it wants that information.
- CIQ can see the apps on your phone and determine how they perform. These analytics are delivered to carriers so they can help customers troubleshoot problems with phones. It also helps carriers identify "problem apps" that negatively affect smartphone's battery life or causes them to crash.
- CIQ can provide your location to carriers, letting them know where you were when your phone had a dropped call, failed text message, etc.
Here's where we start to gain some clarity behind what Carrier IQ does with the data. They send it to carriers. Exactly how much, we don't know beyond what Coward denies. Kovach flagged the collection of URLs as particularly concerning but emphasized, "Please note that just because CIQ offers these features, doesn't mean your carrier or device manufacturer is using them." You'll read lots of Carrier IQ critics calling the mobile carriers the true villains. So far, Sprint and AT&T have confirmed using the service, but insisted it was only for quality control purposes. Verizon denies using Carrier IQ altogether. The questions keep coming, though, and we're sure to learn more about the mobile carriers role in this whole scandal.
The Opt-Out Problem
What remains a mystery is why Carrier IQ doesn't just have an off switch. Everyone seems to agree that even if Carrier IQ isn't spying on users, their service lacks transparency. As the prominent iPhone hacker that discovered Carrier IQ on Apple devices wrote, "I am completely fine with this data being sent off (especially if it helps AT&T’s network improve), but I would definitely prefer if it was more transparent." It's difficult to find the Carrier IQ software on your phone, much less remove it if you're not interested in sending your data to your mobile carrier. The main thrust of Sen. Al Franken's concerned letter -- Carrier IQ is working on a response -- demanded some specifics on what data was being collected and why. "I understand the need to provide usage and diagnostic information to carriers," he said. "I also understand that carriers can modify Carrier IQ’s software. But it appears that Carrier IQ’s software captures a broad swath of extremely sensitive information from users that would appear to have nothing to do with diagnostics -- including who they are calling, the contents of the texts they are receiving, the contents of their searches, and the websites they visit." We're hoping that the company's response with be even more detailed.
It feels like there's an easy answer to everyone's concerns: Just let people opt-out. We're living in an increasingly data-driven world, and the specifics of how data's collected, used and stored is confusing to non-experts. Confusion leads to fear which leads to anger which leads to clients running for the door. Like we've said before, some people don't mind being tracked if it's going to improve technology, but pretty much everybody seems to mind being tricked.
We're still awaiting an answer to the opting-out question from Carrier IQ -- their press team is very busy lately -- and we'll update you when we hear back.
This article is from the archive of our partner The Wire.
We want to hear what you think about this article. Submit a letter to the editor or write to email@example.com.