The revelation that the National Security Agency is collecting our phone records has generated considerable outrage, but phone call metadata is just the beginning of what our nation’s spooks could gather from our mobile carriers if they put their minds and resources to the task.
The carriers don’t just know whom we are calling, when and where. They have the infrastructure in place that allows them to track the websites we visit and the applications we use on our phones and tablets.
They know all of this because it’s their job to know. When our phones connect to the internet they don’t just magically grok with Google or Facebook. That data is routed through carrier network cores, where packet-sniffing, traffic-shaping, and content optimization engines lie in wait. And — at least in the past — they’ve actually put such monitoring software directly onto our phones (more on that in a bit).
There’s nothing innately nefarious about such traffic management, though in some cases, such as speed-throttling and app-blocking, consumers aren’t happy with the results. The reason they’re manipulating our mobile internet traffic is to conserve limited wireless bandwidth, to provide a better customer experience, and to, yes, protect their own their own services and revenue streams.
The mobile internet has many eyes
Companies as diverse as Skyfire, Cirix Systems and Vasona Networks sell traffic optimization technology to mobile operators that lets them transcode video on the fly, tailoring it to the resolution and parameters of your phone screen.
Almost every major carrier uses some kind of policy engine, supplied by companies like Oracle and Openet. Those engines are the rule makers and the rule enforcers of the mobile internet. AT&T, Verizon Wireless use them to throttle back your speeds when they deem you’ve ‘abused’ your unlimited plan, while T-Mobile does the same when you’ve exceeded your data cap.
These technologies have been used for questionable purposes, for instance to enforce TeliaSonera’s short-lived fees on VoIP usage, but they’ll also become the basis of new forms of data pricing. For instance, Orange uses policy overseas to offer special social networking plans, giving customers unlimited Facebook access on what would normally be capped plans. AT&T and Verizon are both promoting the idea of a subsidized mobile internet where content providers like ESPN and Hulu pay the network freight charges for their content.
The point is that in order to apply these rules and optimize traffic, carriers need to know what that traffic is: which web pages are being rendered and which videos are being streamed. And ultimately they need to know to whose phone that content is bound.
The lesson of Carrier IQ
Mobile operators use of these technologies landed them in hot water two years ago, when a developer discovered a hidden mobile app on his Android device that appeared to log all of his smartphone activity and send it out to a company called Carrier IQ. It turned out that Carrier IQ’s software had been installed on millions of devices sold by Sprint, AT&T and T-Mobile.
Carrier IQ’s purpose was intended to be benign. It’s a diagnostic tool, used by operators to quickly identify and address network problems and to trouble shoot smartphone apps or services when customers called into customer service. But as Carrier IQ acknowledged its platform could collect some pretty specific data in pursuit of that diagnostic mission, including what URL customers were visiting and what apps they were using.
The controversy resulted in a firestorm of media coverage, a Congressional inquiry and led many U.S. carriers and device makers to excise Carrier IQ from their handsets. The scandal largely blew over after a few months, but the fact remains that carriers had installed hidden monitoring software on their customers’ handsets without telling them and without giving them a means to opt out.
(I reached out to Carrier IQ and was told that it has received no national security requests for its data, nor is it aware of any law enforcement agency interested in that data.)
Secretive operators and secretive governments make a scary combo
I seriously doubt that the operators have big gigantic databases storing every detail of their customers’ mobile internet habits. They have no reason to create them. Their interest in all of this data is to optimize their networks, bill for usage and making their customers stick the service rules they’ve set – all in real time. Most of that data becomes useless the moment after it traverses the network.
But it wouldn’t be difficult for the NSA to collect and aggregate that data from carriers networks, just it’s reportedly doing with web giants Google and the ISPs. The mobile operators are essentially ISPs that offer roving connections. It could get that information form multiple sources, gathered from within the network or on in some cases directly from our phones. All it would take, I assume, is the proper FISA order.
And there’s certainly precedence for governments going after such data before. In 2011, Nokia Siemens Networks attracted some unwanted controversy when it was revealed the mobile network it sold Iran’s state run telecom provider was being used to spy on its citizens’ IP communications.
Good technology can be used for bad purposes. That doesn’t mean we should toss out the technology. In the case of Carrier IQ, many consumers might welcome the idea of their carriers knowing the reasons why their phones aren’t working properly. Traffic optimization prevents an entire network cell from being bogged down streaming an HD video to a tiny phone screen. Policy servers could eventually lead to incredibly customizable cellular service and maybe even the widespread re-adoption of some form of inexpensive unlimited data plan.
But there’s also a very scary proposition here. We have a government with no qualms about secretly collecting information on its citizens. And we have a mobile industry that isn’t up front about what data it can and does collect from its customers. It’s bad enough information we know is tracked is being secretly shared with the NSA. But what about the information we don’t know carriers collect?