The Internet is buzzing over a researcher’s report that software from a company called Carrier IQ, installed on more than 140 million smartphones and difficult to detect or remove, collects and reports back to Carrier IQ detailed data on users’ activities.
According to researcher Trevor Eckhart, the company’s software logs keystrokes, text message content, location information, and browsing history — even when encrypted browsing is turned on. According to Eckhart, the software sends all this data back to the company — and, does so even when the phone is disconnected from any carrier’s network and is just using a local WiFi connection.
One researcher has been quoted as casting doubt on the accuracy of Eckhart’s claims, and Carrier IQ has professed surprise at what its own product has been found to do. But, Carrier IQ’s web site says the following:
Q Insight Experience Manager provides a level of visibility into true customer experience that was, previously unavailable in the mobile industry. . . . IQ Insight Experience Manager uses data directly from the mobile phone itself to give a precise view of how users interact with both their phones and the services delivered through them, even if the phone is not communicating with the network. . . . Identify exactly how your customers interact with services and which ones they use. See which content they consume, even offline.
We don’t know what the carriers or other companies are buying, but it’s pretty clear what Carrier IQ is selling.
Carrier IQ and its customers — especially mobile providers — need to come clean about what information they have or have not been collecting from customers’ phones using this product. The carriers have begun to issue statements — Verizon, for example, says it does not use CarrierIQ, while Sprint says it does not look at any content but collects “enough information to understand the customer experience with devices on our network.”
There’s enough latitude in that statement — and in most of the carriers’ privacy policies — to allow for lots of possible privacy-invading practices that the public ought to know about. Mobile providers are not just regular companies — they run part of the infrastructure of our country, the machinery that people depend upon in their daily lives to an ever greater degree. Yet we can’t use the Freedom of Information Act to get to the bottom of their practices as we often can with government agencies. We need an investigation of this situation to get to the bottom of what exactly has been going on.
Sen. Al Franken (D-Minn.) has already made a good start toward that end by demanding information from Carrier IQ about what it is doing. We hope that others in Congress and the Obama administration will follow suit. Ultimately, as the questions around this company demonstrate, Congress needs to enact comprehensive privacy legislation that will create stable expectations for all parties about what can and cannot be done with this kind of personal information.
Everyone understands that carriers may need to access certain information in order to run their network on a technical level. But concepts such as “network management” and “optimization of the user experience” threaten to bleed into excuses for spying on customers for marketing or other purposes. In addition, there is no balancing mechanism in place — ensuring, for example, that companies don’t engage in massive invasions of privacy in order to receive relatively slight efficiency gains. (Speaking of massive invasions of privacy, we recently called upon the major carriers to stop routinely retaining tracking data about their customers’ locations.)
When we buy a desktop computer, we don’t expect that Apple, Dell, Sony, or other manufacturers will install software to transmit information about how we use our machines back to some company. Our smartphones are also computers, and it should be no different.