Carrier IQ denies the obvious in spyware scandal, avoids blaming the real culprits

Carrier IQ just makes the spyware; carriers (and the FBI) are the ones that use it

Carrier IQ – the fabulously successful mobile spyware maker that continues to deny it makes spyware – put out a report yesterday defending itself yet again by explaining none of the charges anyone has leveled at it are true. Largely true, essentially true, potentially true, but not actually true.

The gist of the report, Understanding Carrier IQ Technology, is that Carrier IQ is not a privacy-invading, security-busting maker of spyware to serve the needs of our corporate overlords.

Carrier IQ simply developed a utility that monitors, in real time, the health, connection quality and performance of smartphones whose prime data contracts are so expensive customers will put up with no rational restrictions, bugs or interruptions in service.

Carriers need the kind of system- and network-level performance data Carrier IQ provides simply to keep customers from rebelling and shifting en masse to another carrier whose service is equally bad, even more expensive and which has even less respect for their privacy or pocketbooks than the last carrier.

Carrier IQ is simply the victim.

Which is true. Largely.

Carrier IQ makes a piece of software the carriers use for the purposes Carrier IQ says they do. It serves a clear need for carriers who are constantly bombarded by complaints from smartphone users that they get no service from XYZ location, but great service from 10 feet away from location XYZ and they want an explanation or a new cell tower installed immediately.

(Which, btw, is also completely fair, and completely irrelevant. Carriers complain that user expectations are inflated and unrealistic and that their customer service reputations suffer for that. The truth is that customer expectations are set by marketing and advertising from the carriers, who talk a lot about the completeness of their coverage and quality of their service, but rarely mention dead spots, interference, frequency saturation, bandwidth bottlenecks or the likelihood of customer error in using devices that allow little room for error but function in chaotic and unfriendly networking environments.

If carriers want customers to have a more realistic expectation of the service they'll receive for the expensive, exploitive, inescapable service contracts they sign, the dialog on a few of those happy-time commercials should change a bit so the answer to "Can you hear me now?" is occasionally "No.")

Yes it's spyware; no it's not Carrier IQ's fault

In defending itself from accusations of prying, Carrier IQ's report just digs its hole deeper, though it does make a good point in saying the personal information discovered in log files by researcher Trevor Eckhart was not put there by Carrier IQ. The information was "a result of debug settings remaining in production devices and should be classified as a vulnerability."

The rest of its defense is a little weak:

  • Carrier IQ doesn't intercept the text of text messages or emails, except in "unique circumstances described in this document" in which a bug embedded the text of SMS messages in Layer 3 signaling (networking protocol) data.
  • Carriers define the data Carrier IQ (the software) collects and Carrier IQ (the developer) creates profiles that allow it to compile that data into databases used to diagnose network and application conflicts.
  • Carrier IQ is not a keylogger – yes, there is a numeric key code the user can enter that will start an upload to its server on the carrier's network. The client software listens to keystrokes to identify this code, but does not capture or transmit keystrokes, the company insists.
  • "Carrier IQ has never intentionally captured or transmitted keystrokes and is not aware of any circumstances where this has occurred… No customer has asked Carrier IQ to capture keystrokes." – Understanding Carrier IQ Technology, (PDF) Dec. 12, 2011. [Emphasis mine – KF]

Carriers are the real culprit; Carrier IQ just made their tools

That's really the point, isn't it? That customers haven't asked Carrier IQ to capture keystrokes, but it could if they wanted it to?

And if the functionality exists, it should be accessible to hackers, spies or, say, the FBI: anyone who wants more detail on content than connection and has the resources to turn the function on surreptitiously using malware or physical contact with the device.

The problem with Carrier IQ is that carriers are so blasé about cradle-to-grave elimination of privacy it never occurred to any of them to mention to customers they were including monitoring software that looks so much like spyware the only actual difference is the purpose for which the data are used.

The problem isn't how the tool is made but in how it is used

Carriers are the ones who collect location data, usage data, personal demographics and assemble them into profiles.

Carriers are the ones who sell reports of the aggregated data to business partners that are also interested in exploiting that carrier's customers.

Carriers are the ones who denied the software existed, denied using the data, denied paying Carrier IQ and denied knowing anything at all about customers except the depth of love they feel for each and every customer from the bottom of their darkly amorphous corporate hearts.

Carriers are the ones so eager to cooperate with government requests for private personal data such as call logs the feds don't always even have to complete the minimal paperwork required to get it.

They're also the ones who, apparently, have been allowing the FBI to skim what information it likes from Carrier IQ agents on customer smartphones as part of surveillance operations. The FBI refuses to say anything about either Carrier IQ or what information it's after because the activity has something to do with investigating law breakers – unlike every other thing the FBI does in the public sphere or in its interest, one presumes.

So, yeah, Carrier IQ's protests that everyone has it wrong, that it's not a spyware company, that it's just misunderstood, are accurate to a point.

Of course it's a spyware company. That's what its main product does – and extremely well, even for very large populations of users, judging by the uses to which carriers put it.

Even Eric Schmidt – top operative at the company that routinely gathers more privacy-compromising data on end users than any other – said Carrier IQ is a keylogger.

Carrier IQ only makes the spyware. It's not individually to blame for the gaffes and privacy invasions of the carriers, just as the electronics makers who manufacture pinhole webcams that can be hidden in pens or teddy bears or the buttons on a suit aren't responsible for the wiretap and eavesdropping laws their customers violate.

By repeatedly and loudly defending itself, however, Carrier IQ distracts customers from the failure of any carrier to come clean about the data it's collecting and the measures it takes to ensure that data isn't misused, and to offer customers the option of not being monitored.

Lawsuits on behalf of customers and investigations from Congress and various European law enforcement agencies will press carriers on the issue, of course.

It's just a little hard to take a Dept. of Justice investigation into the uses of Carrier IQ seriously, though, if not even the FBI will admit what it's been doing with all that covertly gathered information.

The only thing we really know about that is that whatever the feds are doing, whoever they are surveilling, whatever rights they may be violating, is not – no matter what anyone says – Carrier IQ's fault.

Read more of Kevin Fogarty's CoreIT blog and follow the latest IT news at ITworld. Follow Kevin on Twitter at @KevinFogarty. For the latest IT news, analysis and how-tos, follow ITworld on Twitter and Facebook.
