CarrierIQ — The Latest Defining Privacy Moment
CarrierIQ is a company that exists deep in the plumbing of telecommunications. Its business is to license software to mobile phone companies; the software is installed on your phone to help the phone companies understand the performance of their phones and network. CarrierIQ claims it is used in over 141 million phones, with a new phone added about every second (there is a rolling count on its homepage: http://www.carrieriq.com/).
On November 16, a researcher, Trevor Eckhart, reviewed CarrierIQ manuals and claimed that CarrierIQ software was capturing:
the manufacturer and model, available memory and battery life, the type of applications resident on the device, the geographical location of the device, the end user’s pressing of keys on the device, usage history of the device, including those that characterize a user’s interaction with a device. … When a user browses a webpage, HTTP header information can be grabbed along with detailed information on the page, or CarrierIQ can log keypresses made on what webpage. When location is changed the phone can report in. When a call is placed or data is started any metrics can be queried (see: http://androidsecuritytest.com/features/logs-and-services/loggers/carrieriq/).
This posting was alarming, and the news travelled fairly quickly, creating more bad news as it spread. Professor Paul Ohm, a noted privacy scholar, opined that it appeared CarrierIQ was violating wiretap statutes (see: http://www.informationweek.com/news/security/privacy/232200565), CarrierIQ received a letter from Senator Al Franken (see: http://franken.senate.gov/?p=press_release&id=1868), and then came the inevitable class action lawsuits (see: http://www.forbes.com/sites/andygreenberg/2011/12/02/and-now-the-lawsuits-class-actions-hit-carrier-iq-htc-and-samsung/).
CarrierIQ first tried to silence Mr. Eckhart with a cease and desist letter (those always go over well . . .) but backed off after the Electronic Freedom Foundation stepped in to Mr. Eckhart’s defense. Last Thursday, CarrierIQ tried a different tactic. It issued a defense, stating:
“. . . While a few individuals have identified that there is a great deal of information available to the Carrier IQ software inside the handset, our software does not record, store or transmit the contents of SMS messages, email, photographs, audio or video. For example, we understand whether an SMS was sent accurately, but do not record or transmit the content of the SMS. We know which applications are draining your battery, but do not capture the screen . . .” (see: http://www.carrieriq.com/CIQ_Press_Statement_DEC_1_11.pdf)
CarrierIQ also hired several independent researchers who found that CarrierIQ was not capturing keystroke information and transmitting it back to the carriers but was reporting software used and URLs visited (see CNET’s Declan McCullagh’s article at: http://news.cnet.com/8301-31921_3-57335715-281/how-carrier-iq-was-wrongly-accused-of-keylogging/?tag=mncol%3btxt).
The comments following the CNET article are telling in that you have numerous people claiming technical knowledge disagreeing with each other as to what is going on with the CarrierIQ programming and what may or may not be collected or even transmitted. It seems the technical questions around CarrierIQ are still foggy.
As to what CarrierIQ may be doing, in its webpages, CarrierIQ states the following:
- It is a tool, an agent, for the phone/network providers (that is, it is an extension of each of their phone/network provider customers)
- CarrierIQ, “uses data directly from the mobile phone itself to give a precise view of how users interact with both their phones and the services delivered through them, even if the phone is not communicating with the network.” (see: http://www.carrieriq.com/overview/IQInsightExperienceManager/index.htm)
- CarrierIQ helps the phone/network provider, “Identify exactly how your customers interact with services and which ones they use. See which content they consume, even offline. Identify problems in service delivery, including the inability to connect to the service at all.” (see: http://www.carrieriq.com/overview/IQInsightExperienceManager/index.htm)
From CarrierIQ’s own statements it is clear that they are collecting individual data as to what phone carrier customers are doing with their phones both when they are on and off the network. This raises the question as to why a phone/network provider should need to know about how a subscriber is using the phone off the network. Some of these questions may be answered in the mobile phone provider’s terms of service.
T-Mobile, for example, states, “T-Mobile may retain, use, and share information collected when you download, use, or install some Content & Apps, may update your Content & Apps remotely, or may disable or remove any Content & Apps at any time.” T-Mobile also has me agree that it may use my personal information to “anticipate and resolve actual and potential problems with our products and services; create and improve products and services; suggest additional or different products or services; make internal business decisions about current and future offers; provide personalized service and user experiences. . .” These terms imply use of software such as CarrierIQ.
In the end, the key questions may revolve around what is necessary for a carrier to provide you with services, how transparent must those practices be (similar to some of the issues around network neutrality) and who has what rights to your phone?