Blog Post

Why Both You And Carrier IQ Are Pawns In The Fight For Mobile Data

There is no question that we love our mobile devices. There’s also no question that we are paranoid about how much of ourselves we pour into the most personal computers ever created, which is why that even if some of the initial concerns were overblown, this week’s flap over the Carrier IQ software shows that the mobile industry still hasn’t learned its lessons about honesty, disclosure, and respect for its users and that those users still don’t understand that their mobile experience is controlled by data-hungry corporations.

By now the basics are probably familiar to most anyone who made it past the first paragraph: early in the week Wired published the account of Trevor Eckhart, a 25-year-old system administrator from the great state of Connecticut who created a video outlining his alarm over Carrier IQ, a hidden application on several Android phones. Eckhart demonstrated how an HTC phone running on Sprint’s network appeared to capture individual keystrokes as part of its otherwise routine data collection about items like dropped calls, incomplete text messages, and application crashes.

A predictable outcry followed, as mobile companies scrambled to distance themselves from Carrier IQ or hoped to reassure customers that they didn’t purchase a $199 mobile spying machine. Carrier IQ finally answered its critics late Thursday, telling the public that its software only recorded data that carriers requested as part of quality-assurance checks, and that the software did not “record, store or transmit the contents of SMS messages, email, photographs, audio or video.” Other security researchers asserted that the software was not actually transmitting that keystroke data off the phone to Carrier IQ’s customers.

An awful lot of questions remain. Carrier IQ’s statement was oddly specific about the type of data it did not “record, store, or transmit:” “SMS messages, email, photographs, audio or video.” However, the Carrier IQ software is in a position to capture just about every action performed on a smartphone, such as search terms, frequently visited destinations entered into mapping software, or even the books and magazines you’re reading.

So what of that data? Carrier IQ did not respond to a specific list of questions along those lines submitted by paidContent. In a follow-up interview with Wired, Carrier IQ admitted it was sitting on “a treasure trove” of data but said it was up to its carrier customers to determine what is collected and stored. That echoes its statement from Thursday, where it said “Carrier IQ acts as an agent for the operators. Each implementation is different and the diagnostic information actually gathered is determined by our customers – the mobile operators. Carrier IQ does not gather any other data from devices.”

And this is where the industry is failing the consumer, in refusing to acknowledge just how personal an item one’s smartphone has become. Instead of outlining exactly what types data they collect, Carrier IQ, Sprint (NYSE: S), and AT&T (NYSE: T) have chosen to issue carefully worded statements about the type of data they don’t collect.

Educated mobile users know that providing some level of data back to the carrier, operating system vendor, or app developer does really improve the experience. The issue raised by the Carrier IQ software is that it’s impossible to know exactly what you’re sharing: you either agree to provide diagnostic data to third parties or you don’t, instead of being able to opt into sharing things like dropped call locations and opt out of sharing other things that carriers might want to know, such as which applications are used most frequently.

In other words, Carrier IQ and its partners may not be reading your texts or carefully curating your wild pictures from the bar, but are they able to put together a demographically interesting portfolio of you without your knowledge? Data is the lifeblood of computer science, and without a little help carriers can’t compete with companies like Apple (NSDQ: AAPL) and Google (NSDQ: GOOG) when it comes to amassing data on usage habits and computing trends. This data is extremely valuable for mobile companies, law enforcement authorities, and advertisers.

In its privacy policy, Sprint declares the following: “Information we collect when we provide you with Services includes when your wireless device is turned on, how your device is functioning, device signal strength, where it is located, what device you are using, what you have purchased with your device, how you are using it, and what sites you visit.”

Just what exactly does “how you are using it” mean? Somehow I don’t think it refers to whether or not you’re holding it in portrait mode or landscape mode; that’s an incredibly vague statement that seems to give Sprint carte blanche when it comes to capturing what you do on a phone they’ve sold to you.

And it’s not just your carrier, with whom you have at least entered into a business relationship. Nielsen is a partner of Carrier IQ’s, according to a press release from October.

“Together, they will deliver critical insights into the consumer experience of mobile phone and tablet users worldwide, which adhere to Nielsen’s measurement science and privacy standards,” the companies said in that release. “This alliance will leverage Carrier IQ’s technology platform to gather actionable intelligence on the performance of mobile devices and networks.” Actionable, eh?

(Update 12/5: In another example of how companies have become extremely sensitive regarding links to Carrier IQ, Nielsen reached out to say that Carrier IQ’s software would only be used in conjunction with its opt-in survey panels, which was not clear in its release from October. The company also said it has yet to actually do anything with Carrier IQ but continues to “explore these opportunities.”)

Additionally, what of nationalized carriers in countries with less-than-enlightened views on civil liberties and privacy rights? Does Carrier IQ, in its mission to “act like an agent for the operators,” provide whatever data a carrier requests with no questions asked?

There is only one way to operate a mobile business in a paranoid age: full and complete disclosure written in plain language as to what data is being collected along with clear options for how to control the data your customers share. Installing clandestine software on devices that rarely leave one’s person is simply not a long-term strategy for building trust, especially for a carrier like Sprint that needs every customer it can get. (Verizon gleefully pointed out this week that it has never used Carrier IQ, and people expect this sort of underhanded thing from AT&T.)

It’s not hard to feel like a pawn of big business in the 21st century. Mobile computers have the potential to unlock so much human potential by giving us access to the world’s information nearly anywhere we go, but more and more people are starting to wonder about the cost of having access to that information.

After all, you don’t really own a smartphone in the U.S.: you’re essentially leasing a subsided device based on the promise that you’ll pay back the acquisition cost over a two-year period. One day component costs will come down to the point where someone can make money selling a capable low-cost smartphone that doesn’t require a two-year contract and a data-mining operation to make money. Those days are not here yet.

And if you’re not paying for it, you’re the product. It’s a little scary to imagine what the modern-day Internet would be like had we all been forced to buy subsidized PCs from Internet service providers.

5 Responses to “Why Both You And Carrier IQ Are Pawns In The Fight For Mobile Data”

  1. reneemjones

    This is what you get when companies are allowed to write their own laws into contracts and force you to accept them with no recourse.

    The solution is simple.  Prohibit these one-sided, non-negotiated contracts.  When you buy a banana there is no contract.  When you buy a phone there should be no contract.  Copyright still protects the software.  No contract is needed for that.  The contract is needed to strip customers of the rights that they would ordinarily have under the law.  The contracts claim to “give” you things, but only the right to “use” the device.  You would have this right anyway! You don’t get anything.  They just take.  These contracts must be stopped.

  2. Yeah, that’s example that I give to whoever defeats Carrier IQ. I’m not a programmer, so I don’t know if it being sort of being a debugger defends Carrier IQ (time will tell what it records anyway), but the way they treated Eckhart speaks volumes about company’s attitude and I’d love them to go down for that reason alone. So everytime other company CEO tries to play scare-tactics with customers, a little advisor will suddenly pop up above his shoulder and say “remember Carrier IQ?”.

  3. Great post.

    I continue to be surprised (well maybe no longer) at companies that think they can intimidate others into not “divulging” information that is negative about them.

    In an earlier time, this story would have died.   If it were not for the internet and YouTube (showing us the key strokes !) Carrier IQ would have gotten away with their cease and desist intimidation strategy (according to other articles they did intimidate several other “researchers” and they did remove their blog posts).

    But, now, they are being asked to answer questions from every tech reporter in the world and the US Senate (Franken).

    If they had been transparent from the start, none of this would have occurred.

    This will be a case study in crisis communications for years to come.

    Shaun Dakin
    Founder @PrivacyCamp:twitter
    Founder #PrivChat – a weekly chat on twitter about privacy every Tuesday at Noon ET