Inside Carrier IQ-gate

What carriers and handset makers do with your personal info is none of your business

A scandal erupted this week around the discovery of secret software running on most smartphone handsets in the U.S. that tracks and logs personal activity on the phones.

The software is marketed to carriers and handset makers as a diagnostic tool that can be used to improve phone service. Critics say it's a hard-core violation of privacy. And the critics are right.

A security researcher named Trevor Eckhart posted a video Tuesday showing Carrier IQ software harvesting personal data without permission or even the option to turn it off.

According to the video, Carrier IQ gathers and logs every physical button pressed, phone number dialed, the full text of text messages, and even search data over https connections, which are supposed to be encrypted. The software can capture details about videos watched, apps used and the users' location.

It's unclear whether, when, or to whom this logged data is transmitted, or where it is stored and who has access to it.

Carrier IQ threatened to sue Eckhart, who turned for protection to the Electronic Frontier foundation.

Senator Al Franken wrote a letter to Carrier IQ president Larry Lenhart this week demanding that he specify exactly what's done with user data.

Carrier IQ software is installed on phones available from AT&T, Sprint and T-Mobile. Verizon said it does not use Carrier IQ, nor does Research In Motion or Nokia.

Apple said that iOS 5 doesn't fully use Carrier IQ software, for the most part, and that future versions wouldn't use it at all.

As Carrier IQ customers, carriers and handset makers are able to access data collected by the software. They can even specify "triggers" that when certain events occur, they can be specially logged, and the details of those logs sent to the carrier.

However, the larger risk is the existence of the harvested data. It's stored somewhere, and could be theoretically copied, accessed, hacked, stolen or leaked.

Carrier IQ has more or less admitted that the company could read the text messages of anyone using a phone that's running the software and read other data. But they claim the ability is largely theoretical.

Carrier IQ's VP of marketing, Andrew Coward, told AllThingsD this week that "We don't read SMS messages. We see them come in. We see the phone numbers attached to them. But we are not storing, analyzing or otherwise processing the contents of those messages."

Coward said, in a nutshell, that Carrier IQ is simply providing a service to the carriers, who are themselves only trying to improve service.

The cynical conspiracy to exploit your personal information

The guilty parties in all this are trying to frame the issue as a question over whether or not well-intentioned performance monitoring is an invasion of privacy.

That's a false issue.

The real issue is whether it's their decision -- Carrier IQ's, the carriers' or the handset makers' -- to choose whether your phone numbers, text messages, location and cell phone data is captured at all.

Carrier IQ says they can read your personal text messages, but it's OK because they don't. Imagine the U.S. Postal Service making copies of your personal letters, then telling you it's OK because they usually choose not to read them.

The question isn't whether they learned personal information about you or not. The question is: What gives them the right to make the copies in the first place? What gives them the right to choose whether or not to learn your private details?

The fact is they do not have the right. So why does Carrier IQ? Why do AT&T, Sprint, T-Mobile and some of the handset makers have the right?

In court, their lawyers will say they have been granted permission by the various terms-of-service contracts and end-user licensing agreements that users accepted.

But those contracts are merely ass-saving buckets of blather where everything under the sun that protects the companies and exploits the end users is dumped. Everybody knows that most users don't have the slightest idea what they've agreed to.

I conducted a poll on my Google+ profile this week, asking how many people read and understand these user contracts before agreeing to them.

At deadline, 624 said they click "Yes" even though they don't read the contracts at all; 56 click "Yes" even when they read but don't understand them; and 23 only click "Yes" if they both read and understand. I didn't ask how many of that last group remember what they read and understood.

The companies that force users to agree to such contracts know users don't read them. These contracts are a sham. They should be invalid in court.

Every single violation of privacy should be individually and explicitly approved or denied by the user, after being concisely explained in plain language that everyone can understand.

The truth is that the whole Carrier IQ scandal reveals a general industry contempt for the public and what users care about.

I believe that every one of the companies involved in this fiasco know most users wouldn't like it if they knew what was going on. They acted on that knowledge by hiding what was taking place.

And I suspect that most of the companies now distancing themselves knew about it, but kept the secret from the public.

RIM says it has nothing to do with Carrier IQ, and does not authorize carriers to install it.

Google says it has no affiliation with Carrier IQ, and that Android, as an open platform, is used by handset makers and carriers without Google control.

That's nice. But what I want to know is: Did RIM or Google know Carrier IQ was being used? If not, why not? If so, why didn't they tell us?

The answer, I suspect, is that these non-involved parties, knowing there's a conflict between the interests of partners and the interests of users chose sides. They're on the side of partners and against users.

Here's the problem from a user perspective. It's clear that carriers and handset makers are happy to install secret software on our phones that logs our personal data without our knowledge or permission. They've given themselves the power to decide whether or not to read our personal messages, read our encrypted web searches, know exactly what websites we visit and who we call.

Therefore, they have demonstrated that we cannot trust them. We can't trust Carrier IQ. We can't trust the carriers and handset makers that use Carrier IQ. And we can't even trust the companies that don't use Carrier IQ.

It's time for the whole industry to re-examine its relationship to the users who keep them in business.

Instead of thinking how to profit from our exploitation, these companies need to find ways to take our concerns seriously.

Instead of trying to see what sneaky transgressions they can get away with, they need to start competing with each other on user advocacy, transparency and the genuine protection of privacy.

Failing that, we need laws that make such abuses illegal.

Mike Elgan writes about technology and tech culture. Contact and learn more about Mike at Elgan.com, or subscribe to his free e-mail newsletter, Mike's List.

FREE Computerworld Insider Guide: IT Certification Study Tips
Join the discussion
Be the first to comment on this article. Our Commenting Policies