Carrier IQ issues lengthy report on data collection practices, sticks to its guns
After having already tried to explain itself with metaphor, Carrier IQ is now taking its floundering PR campaign back to basics, with an ostensibly thorough primer on its practices and a slightly less convoluted defense of its privacy standards. This morning, the controversial analytics firm released a lengthy, 19-page document that attempts to explain "what Carrier IQ does and does not do." In the report, titled "Understanding Carrier IQ Technology," the company explains the benefit it offers to its clientele of network operators, many of whom rely upon Carrier IQ's diagnostic data to make sure their infrastructure is up to snuff. It also provides a breakdown of how it collects data, as well as a defense against Trevor Eckhart's findings, though, as you'll see, these arguments likely won't put this saga to bed anytime soon. Read more, after the break.
The key ingredient here is the company's so-called IQ Agent -- mobile software that's responsible for "identifying, storing and forwarding diagnostic measurements and data." This agent collects data from a user's handset "once per day" and synthesizes these metrics into user profiles. When embedded, the IQ Agent can capture any URLs a user visits on his or her smartphone, but it cannot "read or copy the content of a website." As Carrier IQ points out, "what is actually gathered by a Network Operator is based on their business requirements and the agreements they form with their consumers on data collection." This is the same strain of "us and them" argumentation used to counter Eckhart's findings, later in the report:
We cannot comment on all handset manufacturer implementations of Android. Our investigation of Trevor Eckhart's video indicates that location, key presses, SMS and other information appears in log files as a result of debug messages from pre-production handset manufacturer software. Specifically it appears that the handset manufacturer software's debug capabilities remained "switched on" in devices sold to consumers.
The firm went on to argue that in Eckhart's video, keystrokes and text messages were being written to Android log files, which the IQ Agent does not use to "acquire or output" a user's diagnostic data. Eckhart only discovered this, Carrier IQ says, because of a handset setting that "should be classified as a vulnerability." The company also provided a list of the data it actually does acquire, and was quick to point out that it never collects nor distributes the "content of multi-media messages (MMS), emails, photos, web pages, audio or video." As for the keystroke logging dimension of this debate, the company is sticking to its guns, claiming that IQ Agent only uses this ability to pick up on specific numeric codes. "Carrier IQ has never intentionally captured or transmitted keystrokes and is not aware of any circumstances where this has occurred," the report states. "Carrier IQ is not a keylogger and no customer has asked Carrier IQ to capture key strokes."
Carrier IQ did issue a small mea culpa in this report, acknowledging an "unintended bug" in a particular diagnostic profile used to determine why voice calls may fail. With these profiles, the IQ Agent gathers so-called "layer 3" signal traffic between a phone and a radio tower. Over the past week, the company discovered that "in some unique circumstances," SMS information "may have unintentionally been included" in this collected data. These messages, Carrier IQ insists, were embedded, encoded and not "human readable." The firm says it has notified its clients of this bug, and that it's already been patched up.
While this report may offer more concrete detail than some of Carrier IQ's previous statements, it's hard to see how a nearly 20-page document could do much to ease the concerns of an already confused Joe Consumer. But with the FTC already on its doorstep and the specter of an investigation looming in Europe, perhaps today's report represents Carrier IQ's attempt at a preemptive strike ahead of any regulatory showdown. Its release is even more intriguing in light of a recent report that the FBI may be involved in the case, as well. According to Muckrock News, the Bureau has received an FOIA request for the "manuals, documents or other written guidance used to access or analyze data gathered by programs developed or deployed by Carrier IQ." In response, the FBI said that it has the documents, but confirmed that it could not disclose them, on the grounds that doing so may jeopardize an ongoing investigation. It's unclear whether the FBI is investigating Carrier IQ itself, or whether it's simply using the company's software to pursue a different beat, but either way, it looks like this tale is far from over.
Read Carrier IQ's full report at the source link below, along with the FOIA request from Muckrock News.
Update: Carrier IQ reached out to clarify its involvement with the FBI explaining:
Carrier IQ has never provided any data to the FBI. If approached by a law enforcement agency, we would refer them to the network operators because the diagnostic data collected belongs to them and not Carrier IQ. Carrier IQs data is not designed to address the special needs of law enforcement. The diagnostic data that we capture is mostly historical and won't reveal where somebody is and what they are doing on a real-time basis.
