Carrier IQ Responds More To Privacy Allegations, But Many Questions Remain

As more detail unfolds of companies swearing off any involvement with Carrier IQ (and some admitting using it for diagnostics) amid allegations over privacy on mobile device use, Carrier IQ has released a new statement to try to clarify and defend its position — although some pretty big questions remain about what data Carrier IQ can see, where it is used, and why.

After a couple of days of increasing scrutiny over the service and how the data it can read gets used, Carrier IQ enlisted the help of an independent security analyst to try to get on top of the conversation.

As you would expect in a press release from the company itself, that security analyst determined that the claims involving such actions as keystroke collection and other kinds of surveillance were “erroneous.”

It also addressed claims about specific content that gets touched by Carrier IQ analytical software. Its position is that it only looks at the behavior of content, not the content itself: “Our software does not record, store or transmit the contents of SMS messages, email, photographs, audio or video. For example, we understand whether an SMS was sent accurately, but do not record or transmit the content of the SMS. We know which applications are draining your battery, but do not capture the screen,” the statement says.

Carrier IQ also took the opportunity to “vigorously disagree” with claims that it is violating wiretapping laws, and went into a bit more detail about how its services actually get used by mobile carriers.

According to the statement, one way it gets used is in the area of customer care: when someone calls, for example, to complain about dropped calls, the operator’s service team use the data to figure out how the device has been used and what may be causing the call problems, as a route to solving the issue. (Insert joke here about how this confirms that Carrier IQ couldn’t possibly be working with AT&T (NYSE: T) and the iPhone.)

Ironically, one of the several operators we spoke to yesterday about Carrier IQ — an operator that said it does not work with the company at all — cited this very kind of diagnostic use as something it does regularly. But it does so within a specific service, which a user has to opt in to (and pay to use) in order for it to work. The operator claimed that otherwise, that data does not get collected and used.

The problem, however, remains that there are still questions that have been raised, initially by Trevor Eckhart, and later by others.

We’ve put the full statement from Carrier IQ at the bottom of this post. First, here are the follow-up questions that we have put directly to Carrier IQ:

Encrypted search terms. Was Eckhart right about his analysis of your ability to see this, or not? This is not addressed in the most recent statement released by Carrier IQ, although it’s a key issue given how search queries have been used by law enforcement authorities.

Regarding the list of content that is not covered by Carrier IQ’s service (SMS, photos, email, audio and video). Is that the full list, or is there more? Does Carrier IQ have access to application-related data, such as how long apps are used and in what manner? Does it record, store or transmit that data to carriers upon request? Does it monitor e-book usage, or what locations have been entered on a map?

Information requests from carriers and other entities. If a carrier or other entity, such as a government, does ask for any of the above, does Carrier IQ provide it or refuse? What’s Carrier IQ’s position on this matter in other jurisdictions outside of the U.S. — since it appears that the software is used around the world?

Opting in and opting out. Do you have a Carrier IQ-approved method for removing your software from handsets, if a user chooses not to allow this information to be collected, regardless of how it might affect handset performance? Trevor Eckhart and others have suggested ways of eradicating it, but it seems that there are complications around several of the methods (not everyone wants to go to the trouble of rooting or jailbreaking their devices, for example).

We have put these questions to Carrier IQ and will update the story as we learn more. The company’s statement in full:

We measure and summarize performance of the device to assist Operators in delivering better service.

While a few individuals have identified that there is a great deal of information available to the Carrier IQ software inside the handset, our software does not record, store or transmit the contents of SMS messages, email, photographs, audio or video. For example, we understand whether an SMS was sent accurately, but do not record or transmit the content of the SMS. We know which applications are draining your battery, but do not capture the screen.

“Having examined the Carrier IQ implementation it is my opinion that allegations of keystroke collection or other surveillance of mobile device user’s content are erroneous,” asserts Rebecca Bace of Infidel Inc., a respected security expert.

Privacy is protected. Consumers have a trusted relationship with Operators and expect their personal information and privacy to be respected. As a condition of its contracts with Operators, CIQ operates exclusively within that framework and under the laws of the applicable jurisdiction. The data we gather is transmitted over an encrypted channel and secured within our customers’ networks or in our audited and customer-approved facilities.

Carrier IQ is aware of various commentators alleging Carrier IQ has violated wiretap laws and we vigorously disagree with these assertions.

Our software makes your phone better by delivering intelligence on the performance of mobile devices and networks to help the Operators provide optimal service efficiency. We are deployed by leading Operators to monitor and analyze the performance of their services and mobile devices to ensure the system (network and handsets) works to optimal efficiency. Operators want to provide better service to their customers, and information from the device and about the network is critical for them to do this. While in-network tools deliver information such as the location of calls and call quality, they do not provide information on the most important aspect of the service – the mobile device itself.

Carrier IQ acts as an agent for the Operators. Each implementation is different and the diagnostic information actually gathered is determined by our customers – the mobile Operators. Carrier IQ does not gather any other data from devices.

CIQ is the consumer advocate to the mobile operator, explaining what works and what does not work. Three of the main complaints we hear from mobile device users are (1) dropped calls, (2) poor customer service, and (3) having to constantly recharge the device. Our software allows Operators to figure out why problems are occurring, why calls are dropped, and how to extend the life of the battery. When a user calls to complain about a problem, our software helps Operators’ customer service more quickly identify the specific issue with the phone.