Carrier IQ has found itself amid a privacy controversy that it just can't escape. But that doesn't mean it isn't trying.
The company yesterday issued a wide-ranging document (PDF) summarizing its services in the hope of clearing up some of the concerns people have with its product. But whether critics will be satisfied with what they learn remains to be seen.
"In this document, we want to let consumers to know exactly what it is that our software does, the security measures we have in place, and our commitment through our software design and processes to protecting consumers' privacy while improving consumers' experience," the company wrote.
Carrier IQ's troubles started last month when Android researcher Trevor Eckhart posted video and documentation showing . Eckhart blasted the service and called it a rootkit, due to its ability to run in the background without users explicitly allowing it to happen. Soon after, Carrier IQ delivered a cease-and-desist letter to Eckhart, requiring him to take down his research. After the Electronic Frontier Foundation came to Eckhart's aid, .
showing, what he said, was IQ Agent recording keystrokes, phone numbers, and user location.
Debate rages over whether the software does, in fact, do that, and Carrier IQ claims it doesn't violate user privacy. But that hasn't stopped lawmakers and privacy watchdogs from stepping in.
Sen. Al Franken (D-Minn.) last week asked wireless companies and hardware makers to hand over information related toin their products or services. The companies were asked to furnish that data by tomorrow, but they have no legal requirement to do so.
Carrier IQ's latest document appears to be a preemptive strike on that. In fact, the company uses the document released yesterday to address each point Eckhart made in his videos--the trigger for government intervention.
"Our investigation of Trevor Eckhart's video indicates that location, key presses, SMS and other information appears in log files as a result of debug messages from pre-production handset manufacturer software," Carrier IQ wrote in response to Eckhart's video. "Specifically it appears that the handset manufacturer software's debug capabilities remained 'switched on' in devices sold to consumers."
In other words, handset makers should be turning debug messages off when written to log files, Carrier IQ says, since it can be a potential privacy problem. However, the company pointed out that it doesn't collect data from "Android log files," which means the information shown in Eckhart's video is not actually seen by the service provider.
Carrier IQ did, however, admit to a flaw in its software that is allowing it to unintentionally see information.
During the company's audit of IQ Agent, it found a "bug" that allows the company to receive an SMS message during a call or when there is a "simultaneous data session." However, the message is transmitted through so-called "layer 3" signaling traffic, which is encoded and "not human readable."
"No multimedia messages (MMS), email, web, applications, photos, voice or video (or any content using the IP protocol) has been captured as a result of this profile bug, as only SMS traffic is embedded in layer 3 signaling messages to deliver SMSs to/from devices," the company wrote in the report, adding that it has worked with customers to address the issue.
In addition, Carrier IQ acknowledged that its software can collect URLs if its customer asks for that data, and phone numbers are recorded "as a consequence of generating billing records" and diagnosing potential network problems.
Getting the software
What's interesting about Carrier IQ's document is that it shows just how much control its customers--typically carriers and handset makers--have over the information collected.
According to Carrier IQ, it provides several IQ Agent deployment options to customers. An after-market solution is "installed by the end user, just like any other after-market mobile application, it may be deleted by the consumer." However, it would seem that most of the company's customers go with two other options: preloaded and embedded.
Carrier IQ says that the preloaded option is installed on a device before it's shipped and is done so at the request of the carrier. The embedded option is added by handset makers to provide the "most comprehensive diagnostic set."
So, once the software is on the platform, what happens? According to Carrier IQ, it all depends on what the customers want. Companies will form an agreement with Carrier IQ "based on their business requirements" and establish several "profiles" that, when implemented on devices, tells Carrier IQ what to collect. The company says that its customers must determine if they want information to be collected anonymously or not; how frequently information should be collected; what kind of data they want; and how they want metrics handled "to create summary information."
"The profiles are written by Carrier IQ based on information requested by our customers (predominantly Network Operators)," Carrier IQ says. "Each Network Operator typically has multiple profiles that are created to provide answers to specific problems. A new profile can be downloaded to a mobile device when it periodically checks-in with the network server. After receiving the new profile from the network server, the device will begin gathering the metrics and pre-processing according to these instructions."
The stakes are high for Carrier IQ. Currently, the company provides its service on over 100 million devices worldwide. Apple, which has acknowledged using Carrier IQ's software, has said that it will be removing it from iOS in a future software update. If the situation gets out of hand for Carrier IQ, other firms might follow suit.
That said, it appears at least some companies are sticking with Carrier IQ. In a statement to CNET earlier this month, Sprint said that it uses Carrier IQ's service, and it does so to improve the overall customer experience.
Sprint said it uses Carrier IQ data "to analyze our network performance and identify where we should be improving service." Sprint added: "We also use the data to understand device performance so we can figure out when issues are occurring. We collect enough information to understand the customer experience with devices on our network and how to address any connection problems, but we do not and cannot look at the contents of messages, photos, videos, etc. using this tool."
Those guarantees aside, there's a possibility Carrier IQ might not be out of the woods just yet.
Government watchdog site MuckRock reported yesterday that it had recently submitted a Freedom of Information Act (FOIA) request to the FBI, asking the organization for "manuals, documents or other written guidance used to access or analyze data gathered by programs developed or deployed by Carrier IQ." The FBI denied the request, saying that the documents are relevant to a "pending or prospective law enforcement proceeding."
For its part, MuckRock believes that could mean the FBI is investigating Carrier IQ or is using the software in its own investigations. The FBI, however, did not given any indication that that's the case.
But even with this and other possible threats to its business, Carrier IQ has stayed strong and on-message.
"Carrier IQ and our customers believe the analytics our software delivers has a direct impact on the operation, maintenance and reliability of networks and the ability of Network Operators to actually understand and solve consumer problems when they call for help," the company said in its document.