Carrier IQ VP says software poses no threat to user privacy, backs up his argument with metaphor
The final chapter of the Carrier IQ saga has yet to be written, but at this juncture, even the rosiest of rose-tinted observers would be hard pressed to find a silver lining. The specter of federal investigation looms larger by the day. Implicated carriers and manufacturers are washing their hands with Macbethian fury. Al Franken is on the verge of going Al Franken. And at the epicenter of all this sits Carrier IQ -- a California-based analytics company that has already gone to great lengths to defend its innocence. First, it sought to discredit Trevor Eckhart's ostensibly damning research with a cease-and-desist letter. Then, CEO Larry Lenhart flatly denied Eckhart's findings with an impassioned YouTube address. In recent days, the company has markedly softened its stance, arguing that its apps are only designed to meet operator demands and to "make your phones better." Now, Carrier IQ has elaborated upon these arguments with a more detailed breakdown of how its software functions, and a more substantive defense of its practices. Head past the break to read more.
During a recent interview with the Register, Carrier IQ VP of marketing Andrew Coward acknowledged that his company's mobile software logs keystrokes, intercepts text messages and gathers geographic data, but insisted that the overwhelming majority of this information is discarded almost as soon as it comes in, thereby posing virtually no threat to user privacy. To illustrate his point, Coward likened Carrier IQ's software to a giant fishing net:
"We're on a fishing boat out at sea and we're catching fish that are too small and they go back in. And they go back in for two reasons: One, the holes in the net don't catch small fish, i.e. the filtering, and/or the fish is the wrong type and it gets thrown out of the boat, hopefully while it's still alive."
According to Coward, Carrier IQ only retains text messages or keystroke patterns that carry proprietary tags. These tags identify all transmissions that could be used to populate analytic data, including some that may be considered sensitive. If a user drops a call, for instance, the system will note his or her location, and the numbers of each party. In other cases, the company may receive a special SMS (or "control message," as Coward describes it), which provides Carrier IQ with important diagnostic information (e.g., data on failed SMS transmissions). The company collects data on the number of successfully delivered texts and the phone numbers of users who send these texts, but the contents of an SMS, Coward insists, are "never stored and never transmitted."
Key taps, meanwhile, are monitored because certain sequences can trigger responses from the software. If a user is on the line with technical support, for example, he or she may be prompted to type in a code in order to upload diagnostic data to Carrier IQ's system. As with text messages, though, only earmarked keystroke sequences are copied. All the others -- including the keystroke patterns displayed in Eckhart's demo video -- are filtered out. According to the Register, Coward's claims have been corroborated by Android security researcher Dan Rosenberg, who reverse engineered Carrier IQ's software.
Detailed as Coward's arguments may be, the thrust of his defense rests upon Carrier IQ's earlier assertions that service providers retain ultimate control over consumer information. "The data that's being gathered is commissioned by the operators to be gathered," Coward explained. "It's under their control, albeit sometimes in our data center, sometimes in their data center. We have no rights to that data."
For more details, check out the Register's full report, linked below.
