Monday, December 05, 2011

Carrier IQ more benign than first thought, but consumers should rightfully still be upset

Carrier IQ is facing heat over its software, which monitors handset activity in the name of improving the end-user experience with respect to network issues and more. The company is facing so much heat that it reached out to us late Sunday night to inform us of a new report by an independent researcher, which seems to clear its name, for the most part.

The research is by Dan Rosenberg, an independent security researcher who voiced his opinion on Carrier IQ previously, saying he felt that all the brouhaha over the software was (mostly) much ado about nothing. In his new post, he went into great detail about his findings.

Earlier, Carrier IQ had Rebecca Bace of Infidel Inc., "a respected security expert," look at their product, but for us, it's a lot better if the researcher involved is totally independent.

[This is why we find it laughable when someone who is hired by an oil company discounts global warming, or when research conducted by the mobile phone industry discounts any harm via cellular radiation.]

Rosenberg's key conclusion, and one that should calm folks down, is that "based on my knowledge of the software, claims that keystrokes, SMS bodies, e-mail bodies, and other data of this nature are being collected are erroneous." He said Carrier IQ doesn't have the capability to do so, even if OEMs or carriers wanted it to.

Other findings:
  • Carrier IQ can record dialer keystrokes to determine the destination of a call, but it can't record any other keystrokes on a phone.
  • Carrier IQ can record GPS data.
  • Carrier IQ can record web addresses, or URLs, visited from the phone (including HTTPS URLs), but no content from the sites visited.

Rosenberg did note that the capabilities of the software vary from carrier to carrier, based on what each carrier wants to see logged.

It seems that Carrier IQ is telling the truth about the logging being used for network improvement. Rosenberg said, "Taking this information into account, all of the data that is potentially being collected supports CarrierIQ’s claims that its data is used for diagnosing and fixing network, application, and hardware failures. Every metric in the above table has potential benefits for improving the user experience on a cell phone network."

He added the following warning: "I want to make it clear that just because I do not see any evidence of evil intentions does not mean that what’s happening here is necessarily right."

These companies, including carriers, OEMs, third-party software developers of all types, etc., should not be surprised when consumers are up in arms over something like this. This sort of logging, benign as it might be, was hidden from consumers, and even if it passes the smell test of carriers' terms of service, people don't want to be surprised.

They also want an opt-out. Or, even better, they'd like something like this to be opt-in.

More transparency. Is that so much to ask?
