December 1, 2011
More Details On Your Phone Is Spying On You
The news on Carrier IQ software embedded in smart phones seems to be heating up. Carriers are starting to talk, a little, and Congress is taking notice. Senator Al Franken is asking pointed questions the company no doubt will not want to answer in any more detail than necessary:
I ask that you provide answers to the following questions by December 14, 2011.
(1) Does Carrier IQ software log users’ location?
(2) What other data does Carrier IQ software log? Does it log:
a. The telephone numbers users dial?
b. The telephone numbers of individuals calling a user?
c. The contents of the text messages users receive?
d. The contents of the text messages users send?
e. The contents of the emails they receive?
f. The contents of the emails users send?
g. The URLs of the websites that users visit?
h. The contents of users’ online search queries?
i. The names or contact information from users’ address books?
j. Any other keystroke data?
(3) What if any of this data is transmitted off of a users’ phone? When? In what form?
(4) Is that data transmitted to Carrier IQ? Is it transmitted to smartphone manufacturers, operating system providers, or carriers? Is it transmitted to any other third parties?
(5) If Carrier IQ receives this data, does it subsequently share it with third parties? With whom does it share this data? What data is shared?
(6) Will Carrier IQ allow users to stop any logging and transmission of this data?
(7) How long does Carrier IQ store this data?
(8) Has Carrier IQ disclosed this data to federal or state law enforcement?
(9) How does Carrier IQ protect this data against hackers and other security threats?
(10) Does Carrier IQ believe that its actions comply with the Electronic Communications Privacy Act, including the federal wiretap statute (18 U.S.C. § 2511 et seq.), the pen register statute (18 USC § 3121 et seq.), and the Stored Communications Act (18 U.S.C. § 2701 et seq.)?
(11) Does Carrier IQ believe that its actions comply with the Computer Fraud and Abuse Act (18 U.S.C. § 1030)? Why?
I appreciate your prompt attention to this matter.
Senator Franken and other members of Congress may want to ask similar questions to carriers as to what information they collect and what they do with it. As of now, any statements made so far point to user licensing agreements in accepting the phone. Look there, the phone companies say. We comply with that, and since our customers agreed to terms by using our phones and network, well, what’s the problem? Maybe they haven’t said that in exactly these words, but reports are coming out suggesting that is the essence of the response. Computerworld has a story where it asked each major company for comment. Let’s summarize what Computerworld found:
- AT&T admitted using the software, declined to say which phones had it, pointed to privacy policies and would state nothing further, probably on advice of counsel.
- Sprint says it collects information to understand the user experience but does not and cannot look at content. The “cannot” is not defined as a matter of law or capability. Just because we can doesn’t mean we will.
- Verizon, RIM, and Nokia say they do not use Carrier ID software, contrary to initial reports.
- Apple is another matter. There are reports that the software is there, but limited and turn-offable. If I had to guess, it’s more likely an AT&T move than something Apple would insist upon, and that’s based on the track record of the two companies. But again, who knows. As they used to say on the X-Files, the truth is out there.
- HTC and Samsung confirmed that they use the software.
I can understand carriers needing to diagnose their networks, possibly with a client on each phone to help. That makes some business sense. Microsoft does it with Windows error reports, though if anyone had noticed, they leave it to the customer/user to enable/decide whether a report is transmitted back to Redmond. Does AT&T et al. really need every phone forcibly enabled for network diagnostics to be effective? I’ll just note in passing that if any company’s cell and data network needs help, it is good old AT&T, which may explain why that company is so hot on the idea of Carrier IQ software. I speak from personal experience as an AT&T customer. I’ll also note that Verizon runs a large nationwide network successfully without Carrier IQ. What do they use?
But let’s come back to Senator Franken’s questions for a moment. I, for one, would very much like to know if any data has been shared with third parties and law enforcement. I’m not suggesting that law enforcement isn’t entitled to investigatory information. If we are wrangling over whether agents need a warrant to track cars 24/7 or gather cell phone tracking information via triangulation of tower data, then all of a sudden this treasure trove of tracking/information gets even more interesting in light of the Fourth Amendment.
Senator, don’t limit your questions to Carrier IQ. Ask their customers how they use the software, without allowing them to hide behind terms of service. And it’s worth asking, I suppose, what else is lurking in our phones? Any chance for a hearing? I understand it's a crime to lie to Congress when under oath.
Update: As I read Joe's post below, Lawyers and Firm C-Level Types Oftentimes are No Smarter Than the Ordinary Consumer: The Case of Mobile Phone Monitoring, I'll just remind everyone that the problem goes beyond lawyers. Federal law places certain non-disclosure obligations on student data maintained by schools. Anyone sending or reviewing senstive or confidential information protected by law needs to be concerned about the security of their phones. At least until it comes to this. Then it's really time to give up.
Update 2: CNET has published an article that contains more information about carrier responses to inquiries. AT&T, for example, stands by its privacy policies in the way that it uses the software. HTC stated it uses the software at carrier request and suggests contacting them for more information. Apple released a statement saying that they don't collect user data without an opt in and does not include it in iOS5. Future updates to iOS will remove the software from earlier versions. Carrier IQ (the company) has denied the wholesale collection of data as demonstrated earlier by researcher Trevor Eckhart. The CNET story contains mention of security researcher Dan Rosenberg having reverse-engineered Carrier IQ and his analysis shows that the company is telling the truth about its software. He says there is no code that collects keystrokes for data collection purposes. As nice as it is to be provocative about this software, there needs to be definitive, verifiable statements as to what this software does and does not do, statements that do not shift meaning depending on the context of who is making it.
The discovery of this software is disturbing, irrespective of the truth of what it does. Did any of the parties using it wonder what would happen if it eventually got discovered? Is corporate confusion the best response with some companies tersely admitting that they use it and others gleefully distancing themselves from the product? I asked earlier what else is on these devices? We rely on portable communication electronics too much to leave it as a matter of trust that what we do with them remains private when we want it to be private. At least that's what this disclosure means to me. Even if it turns out that Carrier IQ is benign, and the jury is still out on that, I'd rather know about it than not. Do we need an incognito mode just for phone calls? [MG]