The clue to what Carrier IQ does is in its name. Carrier IQ markets itself as a company whose technology can help carriers understand and monitor the performance of devices, apps and services.
To do this, it installs its technology on a device. Carrier IQ has not been shy about this, although some of its customers may have been. If you look at its press announcements page, you will see that where it has customer approval it will release who it is working with. Over the past couple of years, the company has mentioned NEC, Huawei and Vodafone Portugal as customers. It has said publicly it is working in the mobile broadband space, in other words in dongles (Keystroke logging your laptop? Head for the hills…) as well as smartphones. And also that it is developing for Android.
If you look at the Android release, it talks of “on-device measurement of the user experience”, and says that Carrier IQ can “provide direct insight to end customers’ experience to facilitate some of these focus areas.”
Carrier IQ also says how its data can be used – taking data from its Mobile Service Intelligence Platform and feeding that into software modules such as IQ Insight Device Analyzer, Inisght Experience Manager and so on. These modules are designed to help a carrier deploy a device or service, or gain a better understanding of the customers’ user experience.
The problem for Carrier IQ, as I see it, is in its utterly cack-handed response to the recent accusations levelled against it by Trevor Eckhart.
At first, Carrier IQ issued a cease and desist notice to Eckhart. And on 18 November, Carrier IQ issued a statement that said “we are counting and summarising performance, not recording keystrokes or providing tracking tools. The metrics and tools we derive are not designed to deliver such information, nor do we have any intention of developing such tools.”
Then, on 23 November, the company took the step of publicly withdrawing its action against Eckhart. It also took the opportunity at this point to outline what it does and doesn’t do. It reiterated its claim that “it doesn’t record keystrokes, provide tracking tools, or inspect or report on the content of your communications”. Instead, it said, “our software makes your phone work better” in a number of ways.
On 28 November, however, Eckhart released a second video on YouTube that appeared to show keystrokes being logged to the application data files. (It starts to get interesting at about 9 minutes in.)
Since then there has been silence from Carrier IQ, with a string of “unavailable for comments” appended to reports, and no further public comment through its website. That looks bad.
And into the vacuum has flooded alarmed comment and insinuation about what it is exactly Carrier IQ is doing. A couple of operators have been more quick to respond. T-Mobile Holland and Vodafone UK have used their community forums to state that they are not using the technology.
Now, here’s the thing. There’s a lot of data out there on you as a mobile customer. At a very simple level, there are your call records. Yes, shock horror, your mobile operator knows who you called, when and for how long. If it really wanted to, if could figure out where you were when you made the call. Shared with the wrong person, that could be damaging information.
Mobile operators are also investing in systems that correlate and analyse network and device performance data, and investing into DPI engines that can see what data packets you are sending, to give them as near a real time view of customer experience as possible. This means they know stuff about you.
The issue is not the collection of data – it is about how that data is collected, and what then happens to that data. As the mobile “hacking” enquiry in the UK shows – if that information is leaked (as is suspected to have happened in the UK) by bribed or duped staff to private investigators or journalists, then at that point your privacy has been compromised.
So the questions around Carrier IQ are these. Both the carrier customers of Carrier IQ and the company itself need to be answering these questions, and quickly, to step into the vacuum that has been created.
1. Can you explain the difference between keystroke logging and tracking, and what your technology actually does?
2. How is the data that you capture used? Where is it sent? Can you guarantee that it is anonymised, and that its integrity is not in any way in doubt?
3. Why is the application “hidden” on the phone, and hard to remove? Should there be a level of opt-in, as with location data on other apps, for example? (At this point you could explain what the tool is for and what it does, and does not, do.)
4. And for CarrierIQ only. Do you need the number of a decent crisis management PR team?