Carrier IQ's response answers nothing
We have some division here at BetaNews regarding Carrier IQ and reporting about its tracking software. On one side there's the "me-too" defense -- that software stealthy hidden on smartphones sending information back to Carrier IQ or cellular carriers is no worse than what other companies do. That it's irresponsible to report keylogging behavior based on researcher Trevor Eckhart's blog post and YouTube video. That early reporting was "sloppy" and Eckhart is suddenly "quiet". Dog poop.
Over the last couple days, Carrier IQ finally responded to the maelstrom of controversy. But the response falls short. Carrier IQ fails to address the most troubling aspect about Eckhart's demonstration: Capturing data from keystrokes, nor does it answer why so much information is collected. Carrier IQ's defense is something like: "We don't look at the naked person. Not us". It's the "if a tree falls in the forest" defense. "We didn't listen, so it didn't happen". If there's anything "sloppy" about the news reporting, it's that not enough journalists dig deep enough. There's nothing unfair here.
Some background: I respond here directly to a Google+ post by my colleague Ed Oswald, who I encourage to write for BetaNews a response to my commentary. That we disagree about Carrier IQ, its defensible position and reporting about it stabs to the heart the kind of privacy issues this incident raises. What reasonable expectation do you have to privacy and how much should you give away and who should inform you when your information is mined.
Ed writes: "Carrier IQ's activities are no different than the 'customer experience' surveys many of us have already opted in, and why I refused to write any type of piece that suggests there is something nefarious here. Some journalists look for drama". He's right about that refusal. I assigned Ed the second-day news story on Carrier IQ, which I had to write instead. I commend Ed's taking a stand on principles, but, unfortunately, he's picked quicksand, not bedrock.
The "me-too" defensive is ridiculous, more so because Carrier IQ software is so deeply embedded in handsets and meets just about any reasonable definition of spyware or rootkit. In comments on Google+, software developer Joe Groner rightly strips the "me-too" defense bare: "Google, for example, there is a quid pro quo involved with letting them scan your email and show you relevant ads. In the case of Carrier IQ, I get no direct benefit and I can't remove it or disable it. And I am sorry, the software doesn't need to be reading input buffers to report on dropped calls".
My colleague calls news reporting about the Carrier IQ scandal "total hysteria, mainly due to some sloppy reporting and titling of those stories". I disagree. Much of the reporting is exceptionally restrained, particularly in context of Carrier IQ's official responses. Worth your time: John Paczkowski (for AllThingsD); Matthew Schwartz (Information Week); Larry Greenemeier (Scientific American); and David Kravets (Wired).
Paczkowski and Kravets have official responses from Carrier IQ. Schwartz observes that Eckhart isn't the first researcher to uncover the software/service, just the first to thoroughly document it. Greememeir addresses the topic bothering me from the start: Potential exploitation by cybercriminals.
Paczkowski quotes Andrew Coward, Carrier IQ marketing veep: "The software receives a huge amount of information from the operating system. But just because it receives it doesn’t mean that it’s being used to gather intelligence about the user or passed along to the carrier". This is the aforementioned "we don't look at the naked person with spycam hidden in the room" defense (that's not a quote but quotation for emphasis). Carrier IQ installs software that records pretty much everything, but doesn't use it all -- not even most of it. The obvious question: If you don't need all that information, why record it?
Unfortunately, Paczkowski doesn't directly quote Coward about keylogging. Instead he paraphrases: "While CIQ might 'listen' to a smartphone’s keyboard, it’s listening for very specific information. Company executives insist it doesn’t log or understand keystrokes". That reads likes semantics to me. Ed links to the AllThingsD story to show that Carrier IQ is acting responsibly and that reporters covering it are not, which is why I respond to it.
Carrier IQ invited Wired to its headquarters, and Kravets shares first-hand, but again fails to directly quote Coward: "The data they vacuum to their servers from handsets is vast -- as the software also monitors app deployment, battery life, phone CPU output and data and cell-site connectivity, among other things". Coward tells Kravets that "'it's a treasure trove'" but "they are not logging every keystroke as a prominent critic suggested". Again, the unasked and so not answered question: Why is so much information collected, if it's not being mined? Then there's semantics about "every" keystroke. Not "every" doesn't mean none, and Eckhart's video clearly shows data logged as he hits the keys.
I searched this morning and could find no explicit quote where Carrier IQ denies capturing keystrokes. If you've seen something, please link in comments. The company does quote Infidel research Rebecca Bace in a press release: "Having examined the Carrier IQ implementation it is my opinion that allegations of keystroke collection or other surveillance of mobile device user’s content are erroneous". But that's not the same as an explicit denial by a Carrier IQ executive. Using a third party gives Carrier IQ plausible deniability in court.
If there's sloppy reporting here it's journalists meeting with Carrier IQ failing to directly quote Coward about keylogging. So I must assume the marketing exec didn't provide usable quotation -- that he engaged in the kind of doublespeak and semantics that are common among companies' crisis responses. I've seen the behavior hundreds of times over the years and there are consistent patterns across companies, in part because of human nature and the media-response training execs receive. Either that, or the reporters failed to quote where they should have.
It's important when reporting on so controversial news to quote the executives as much as possible. Kravets writes: "Other carriers collect data that lets them drill down to the individual phone". That clearly indicates that Carrier IQ collects customer identifiable information as does: "On Carrier IQ’s end, while it might hold a vast amount of a user’s data, it does not know the names of the people whose data it controls. That data is simply linked to chip and phone identification numbers, Coward said". That actually means the collected cellular customer information absolutely is identifiable, since some carriers (I know AT&T and T-Mobile do) track smartphones' IMEI numbers as part of the process registering to them for network services. There should be direct quote on something as important as this.
Circling back to that "treasure trove", let's assume Carrier IQ records but doesn't look. If data is captured, someone can get it. That's the point Scientific American's Greememeir makes. One remote-access Trojan is enough. So even if Carrier IQ really doesn't peek at the naked person with its hidden spycam, there remains the enormous amount of data collected that cybercriminals could mine, if no one else.
Something else, and I haven't seen anywhere Coward or his colleagues address: If Carrier IQ is doing nothing unethical or illegal, meaning it has nothing to hide, then why is the software hidden and nearly impossible to remove? Reporters should always look first to a company's actions, not its words. Surely hidden means something.
These are the questions I asked Coward (I couldn't find email address so posted to Google+). If I get response(s), there will be follow-up story.
1. Does Carrier IQ software track any keystrokes?
2. If yes, how many?
3. Why does Carrier IQ collect so much data -- a "treasure trove" as Andrew Coward is quoted by Wired -- if it's not used?
4. Why is Carrier IQ software/service hidden from smartphone subscribers?
5. Does Carrier IQ provide a utility that lets smartphone users turn off the software?
6. Does Carrier IQ provide a mechanism that lets smartphone users remove the software?
7. If answer yes to questions 5 or 6, how?
8. Which carriers currently use Carrier IQ software/service?
Wrapping up, we live at a time where privacy mores are changing. People share all kinds of personal information on Facebook or their locations using services like Foursquare. Meanwhile, ATM, traffic and retail cams surveil us without permission. It's one thing to choose to disclose information or to be monitored in public. Collecting data from the most intimate device most people use, without their permission, is privacy abomination. Carrier end-user agreements that most nobody reads is no excuse for stealth tracking. You disagree?