Embedded Analytics Company Under Fire Amid Privacy Concerns

Over the last several days, a new tracking scandal has been raising issues and eyebrows across the smartphone landscape. Initially cropping up in Android circles, the now-public privacy fiasco concerns a little-known industrial player by the name of Carrier IQ. On its website, the company describes itself as "the leading provider of Mobile Service Intelligence Solutions to the Wireless Industry" and "the only embedded analytics company to support millions of devices simultaneously." However, though its very existence is just making headlines this week, Carrier IQ has been doing its thing since 2005, when cellular handsets were really beginning to introduce PDA-like multifunction into the hungry mobile space. Thus, because usage scenarios were changing from the old established call-and-text norm, the firm sought to give carriers and handset manufacturers a decided leg up in understanding that shift. Their sales pitch is compelling:

Carrier IQ’s Mobile Service Intelligence solution eliminates guesswork by automatically providing accurate, real-time data direct from the source – your customers' handsets. Our powerful platform aggregates, analyzes and delivers that data via easy-to-use web applications that help wireless carriers make smart business decisions. The kind that can dramatically accelerate time to market, reduce operating costs and increase customer satisfaction across every division – marketing, sales, development, customer service, operations, and executive management – and every business unit – device, network and application.

Pretty standard stuff. Not a big deal, right? Maybe six years ago it wasn't. Today, however, personal privacy and security concerns are something of a hot-button issue, with breaches of the public trust--whether intentional or unwitting--making regular headlines in the mainstream media. So, when Android researcher Trevor Eckhart uncovered the heretofore unknown procedures used by Carrier IQ's pre-loaded software, outlets of all kinds were quick to take note. From Chris Velazco of TechCrunch:

According to Eckhart’s research, Carrier IQ is capable of monitoring everything from where the phone is to what apps are installed, and even which keys are being pressed. Carrier IQ says that the information is collected to give carriers insight into how the mobile use experience can be improved. It sounds like a noble enough goal, except Eckhart found that the software could run without the user’s knowledge or consent as was the case with the HTC phones he tested.

And that runs contrary to Carrier IQ's own stated "Best Practices" guidelines, which state that,

[w]hen Carrier IQ's products are deployed, data gathering is done in a way where the end user is informed or involved.

At first, the issue was thought exclusive to Sprint's HTC and Samsung Android offerings. But, though the wireless provider is Carrier IQ's largest US partner, Sprint isn't the only one using the service. And Android is far from the only operating system affected. According to Eckhart, Samsung, Verizon, Nokia, and BlackBerry are also potentially involved, and hacker chpwn writes in his blog that the iPhone also carries the code. Still, there is much doubt about who is actually participating in the secret harvest, and official explanations (and some outright denials) are already pouring in. Naturally, Sprint and HTC have both issued statements that paint Carrier IQ's implementation as altogether upstanding and completely sans controversy. Ditto for AT&T. Meanwhile Verizon, Nokia, BlackBerry (and Microsoft) all deny using the service at all, while Samsung simply offers the end-user a choice to activate and run the software. Concerning Apple, previous versions of iOS did in fact support Carrier IQ, but--as with Samsung--it was explicitly optional (though whether such was device-specific or carrier-dependent remains unknown). However, the Cupertino company minutes ago released the following announcement through AllThingsD:

We stopped supporting Carrier IQ with iOS 5 in most of our products and will remove it completely in a future software update. With any diagnostic data sent to Apple, customers must actively opt-in to share this information, and if they do, the data is sent in an anonymous and encrypted form and does not include any personal information. We never recorded keystrokes, messages or any other personal information for diagnostic data and have no plans to ever do so.

Furthermore, the service is not used on any UK network, nor is it likely even legal throughout most of Europe. Of course, it may be illegal here in the States, too. University of Colorado Law School Professor Paul Ohm (formerly of the Department of Justice) says the software may have run afoul of federal wiretap laws, opening itself up for a possible class action lawsuit. Engadget quotes his prediction:

"In the next days or weeks, someone will sue, and then this company is tangled up in very expensive litigation. It's almost certain."

The US Senate has also stepped in, giving Carrier IQ until December 14 to fully address questions regarding its purported handling of any governmentally-deemed sensitive information. To us, though, all this seems like a big stink about nothing. Or, at least, about very little. Sure, if Carrier IQ has actually been collecting the contents of texts and recordings of calls, they'll obviously be held appropriately accountable. But that's likely not the case, as the company's own VP of marketing, Andrew Coward states (via CNET):

"We are not interested and do not gather the text or the text message and do not have the capacity to do that," he said. Processing specific data like that from millions of devices would be impractical to do, he said.

That seems pretty reasonable, and based on everything that's come out so far, we find ourselves falling in fair agreement with Forbes' Tim Worstall when he says,

It’s entirely possible that the concerns are really about a particularly klutzy implementation by certain service providers rather than anything else. But who knows how much further this story has to run?

Quite a long ways, probably. Update: It is worth mentioning that Apple's now-deprecated Carrier IQ implementation was limited to collecting data on call time and duration, battery strength, and signal intensity. This is in stark contrast to the unchecked Android usage indicated by Eckhart, which is ostensibly capable of logging all keystrokes, passwords, visited URLs, location data, and other sent or received data, including pictures and videos. So, for iPhone users at least, this hooplah is even more of a non-issue. Still, if you're running a version of iOS prior to 5.0, you can disable Carrier IQ by going to Settings > General > About > Diagnostic & Usage > Don't Send.

Related articles