CarrierIQ is frightening, and, to be honest, not at all surprising to learn is there. I’d long heard the stories of how smartphones were giving up all their secrets through geolocation metadata, and now we know that something is actively parsing all that data, and doing it regardless of an SSL connection. You have to hand it to this company: for being in as deep as they are, they seem to know how to play this game. Deny, deny, deny.
Carrier IQ Continues to Dodge the Truth
The Wall Street Journal’s AllThingsD blog just posted an interview with Carrier IQ CEO Larry Lenhart and VP of Marketing Andrew Coward in which the two execs attempt to come clean about just what the heck Carrier IQ is doing with our sensitive mobile information.
The company has been in the middle of a PR nightmare wrought by the revelation last month that its data-tracking software was secretly installed on more than 140 million cellphones. Its reps have been caught off guard by the wave of attention, which has included letters from Sen. Al Franken and Rep. Ed Markey demanding answers on how the Carrier IQ software works and what data it is tracking on people’s phones. The result has been a series of interviews and press statements that have only further muddled things.
This new interview provides a few more answers, raises a couple more questions and points a whole lot of fingers.
The questions that journalists, activists and members of Congress have been asking of Carrier IQ can be boiled down to “What data are you collecting, and what are you doing with it?”
Carrier IQ hasn’t been able to provide adequate answers. In an earlier interview, Lenhart said (emphasis mine):
[Carrier IQ’s] software receives a huge amount of information from the operating system… But just because it receives it doesn’t mean that it’s being used to gather intelligence about the user or passed along to the carrier.
But now Lenhart and Coward have altered their positions on what Carrier IQ does and doesn’t do. Inconsistencies remain:
We absolutely do not intend to capture content from subscribers… It is not our intention to capture information that might be confidential.
We’ve gone from “Carrier IQ receives the information” to “We do not intend to capture content.”
Now Lenhart, from later in the interview:
We don’t want content, and we don’t have the ability to capture it.
So what is it? Are you inadvertently collecting our data — even if you don’t want it — or aren’t you?
It appears that Carrier IQ’s official position is that it has no interest in actually capturing sensitive data. Lenhart then points to the carriers:
Remember, the information that’s captured off a user’s device is determined by the carrier, according to their privacy agreement.
While Carrier IQ may not be intentionally gathering sensitive data, the carriers themselves may be using its software to do it.
When asked how it deals with law enforcement requests for data, Lenhart again punts to the carriers:
We would refer [law enforcement officials] to the carriers, because the diagnostic data collected belongs to the network operators, not Carrier IQ.
The point about law enforcement isn’t hypothetical. Journalist Michael Morisey filed a Freedom of Information Act request to the FBI for “manuals, documents or other written guidance used to access or analyze data gathered by programs developed or deployed by Carrier IQ.” While the FBI denied that request, it did confirm that it had such documents, but the docs were “exempt under a provision that covers materials that, if disclosed, might reasonably interfere with an ongoing investigation.”
So the FBI is clearly getting some Carrier IQ data from someone — we just don’t know who.
At this point, a picture of the relationship among Carrier IQ, the carriers and the public is emerging. Carrier IQ sells powerful tracking software to AT&T, Sprint and T-Mobile to help those companies diagnose problems with networks, applications and handsets. Those companies install the software on handsets after receiving the devices from the manufacturers (HTC, Samsung and others). The carriers sell these devices to unsuspecting customers, using Carrier IQ for network diagnostics and who knows what else. Carrier IQ points back to the carriers whenever privacy or law enforcement questions arise.
Meanwhile the public is busy getting hosed by everyone involved.