The recent Carrier IQ fiasco has brought more drama to the mobile industry than we saw in some of the final episodes of Friends. (Wait, you guys aren't too young for that reference, right?) The constant back and forth and passing of the blame is utterly nauseating. It was a wild ride for a while but things seem to have settled down just enough for us to take a good look at the facts and statements we've heard so far. In all of this, Carrier IQ has been the bad guy; the 'evil empire' that was meticulously watching everything we do with our phones and using the data to- well, I don't know what but something bad. The reality - the truth - is that Carrier IQ is just the chump that got stuck with the bill. The carriers are the ones who ran up the tab with careless execution and a misplaced sense of entitlement and immunity.
The government is in the process of conducting an investigation of Carrier IQ's methods and practices. Until that investigation is complete, all we have to go on is statements from the company itself, which they have willingly made in a few interviews conducted over the past week or so, and a 19-page report released by the company detailing what their service is and what you should know about it. This document sheds new light on the company and might change your perception of the parties involved.
Carrier IQ is a "Mobile Service Intelligence solution" that offers deep insight into the end user experience of mobile products in the areas of network management and customer care. Basically, Carrier IQ software analyzes data from phones and other mobile devices and sends it to the carriers so they know about any problems consumers are having with their products.
As the company's name suggests, its customers are wireless carriers. Carrier IQ works with the carrier to decide how much and what data to report to the carrier's servers and then it works with the manufacturers to see how they can make that happen. There are two ways they can do this. One way is to have the software built directly into the OS, embedded into it. This allows the software to have access to virtually everything. It's not keeping track and logging everything, it just has access to it. A second way, one that the company just recently introduced, is for the software to be installed after the device is manufactured, as a sort of third-party application. There are actually two implementations of this method but they both function in basically the same way. According to Carrier IQ's report, "Network Operators [the carriers] typically prefer the embedded version of the software as it provides the most comprehensive diagnostic set." As Andrew Coward, Carrier IQ's VP of Marketing put it, "With the downloadable, we know what happened. With the embedded version, we know why it happened." This takes us to the next major question:
Like I said before, Carrier IQ works for the carriers so the reason it gathers data is because the carrier it has a client wants it to. We can all see the benefit in doing this even if we don't agree with the method. When a customer calls Customer Service and wants to know why his battery only lasts three hours or why his phone keeps crashing or why his calls are being dropped, Carrier IQ allows the agent to quickly pinpoint which device the customer is using and view data that will help him figure out what is causing the problem. Otherwise, the agent may spend ten minutes simply trying to figure out what phone the customer is using not to mention how long it would take to actually figure out what the problem is. (It's like when a relative calls you on the phone and wants you to figure out why their computer isn't doing something properly. You have absolutely no information about what's going on so it's difficult to figure out a solution.)
A sample signal strength map created with the aid of Carrier IQ's software (Via Understanding Carrier IQ Technology by Carrier IQ)
Carrier IQ's software also helps with Network Management. It allows the carrier to see data on "when and where calls fail; where customers have problems accessing the network; the reliability and battery performance of their make and model of device; and the interaction of the mobile network with your mobile device."
The problem, though, is not just what Carrier IQ is doing, the problem is transparency, or rather, the lack of it. This falls squarely on the shoulders of the carriers.
Wouldn't a simple opt-in feature have solved the problem? Yes, it probably would have. And Carrier IQ thought of the same thing. In an interview with The Verge, Andrew Coward, quoted earlier, said that the software does have an opt-in feature and the carriers are shown how to implement it. However, Carrier IQ doesn't force them to implement it. Carrier IQ felt that, because the carriers are the ones who are providing the wireless service, it is their responsibility to notify customers. Apparently, the carriers chose to not tell us. Coward brings about a good point, "If you think about it from the operator's perspective, they're kind of stuck between a rock and a hard place. If the phone calls drop, or you call customer service and spend ten minutes telling them the make and model of the phone you've got, they're not giving good customer service. So when they try to solve for that, they end up getting shouted at for getting information that enables them to deliver a better service and customer care. So you can't really win." It appears that the carriers are simply worried that most customers will opt-out and they won't receive enough data to continue to improve their network.
Ah, the famous Eckhart Video. That's what started all of this. The video shows keystrokes, call data, phone numbers, text messages, and more being logged by what was then presumed to be Carrier IQ's software. Carrier IQ has an explanation for this. Now, it's up to you to decide if you believe it or not, but this is what they're saying. Referring to the logfile that was capturing every keystroke, Carrier IQ says, "That log file is not our log file. It's just a standard, Android system logfile. What goes in that logfile is up to the manufacturer." Apparently, the problem lies with HTC (the phone used in the video was an HTC device) and the way it implemented Carrier IQ's software into its hardware. So, if Carrier IQ isn't logging every keystroke, then what are they logging or recording?
First of all, Carrier IQ makes a distinction between content and information, and there is a difference between the two. Consider the usage case of carriers wanting to know why a text message is not received or sent properly. In order to gather this information it is not necessary to gather (or record; log) the content of the text message. Neither Carrier IQ nor the carrier itself cares what your text message says nor is it efficient for Carrier IQ to record that. Carrier IQ is simply interested in the data (information) that tells them things like when the text was sent, where you were located, which cell tower your device was using, etc. The content (what the text message says) makes no difference to them because it makes no difference in whether or not the text was sent or received properly. Obviously, the software has to "listen" to keystrokes and other actions to know when you're sending a text message, when you're calling someone, or when you open a particular app as well as the location of the person you called and the name of the app you opened, but that doesn't mean that all of that is logged and sent to the server.
Experience summary for a specific customer (Via Understanding Carrier IQ Technology by Carrier IQ)
Now, yes, that does still mean that your location is known, the URLs of the websites you visit are known, and the phone numbers you dial are known, among other things. However, for the most part, your carrier already has access to that information anyway even without Carrier IQ's software; it's just easier for them to use Carrier IQ rather than gather it all themselves.
The next logical question is How secure is this data? In the report by Carrier IQ, the company emphasizes that "the security of the systems [used by Carrier IQ or their customers to store and transmit data] is paramount and customers audit the protections we [Carrier IQ] place in these systems and facilities." Carrier IQ goes on to say that "to date we have not experienced any known data breaches." Any computer-wiz will tell you, though, that nothing is completely hacker-proof.
The bottom line is that Carrier IQ is not the 'evil empire'. Sure, maybe not everyone is okay with the kind of business they run, but the carriers are the ones who chose to use their services. If you want to be mad at someone, be mad at the carriers for not being open about it, not using the opt-in feature that is provided, not being careful enough about how the software is implemented, and being arrogant enough to think they could get away with it. This certainly doesn't make it a non-issue. Even Carrier IQ admits that some of their customers are not as careful as they should be with the data and that they probably should use the opt-in feature that is provided. But, again, that carelessness is on the part of the carriers and manufacturers.
Andrew Coward explained in the previously mentioned interview that "ever since the invention of the telephone, we've been placing this huge trust with every employee of that telephone company in securing and not interfering with what we do." This is a fact, whether we realized it or not. It's not a new idea that our personal information is available to someone, whether it be a business or government agency, but we always trusted that they would do the right thing with it. With this new scenario that has recently come up, we have to learn perhaps a higher level of trust in the carrier we choose. The problem is, and I think we can all agree on this, wireless carriers haven't exactly gained our trust over the past few years. Hiding this practice from us is certainly not going to help.