Carrier IQ Revelations and Smart Phone Privacy

by Zack Kaldveer, CFC Communications Director, Privacy Revolt/Consumer Federation of California

By now, many are aware of some of the privacy related concerns with smart phones, the public policy (or lack thereof) addressing it, and the legal battles being fought over it. Examples of these debates include government/law enforcement tracking the location of smart phone users and or searching through the content of these products without a warrant or even probable cause, as well as questions regarding the enormous amounts of data this product can gather and store, and then how this data might be shared and profited from.

Now, however, we find that every concern regarding this technology, one that is becoming increasingly ubiquitous and frankly useful, has been validated by the discovery of a secret code (Carrier IQ) that allows your smart phone (and who knows what else) to not only track you at all times, but in fact, every key stroke made is monitored and stored ‘ including the content of text messages. And perhaps most incredible, the ability to opt-out, let alone opt-in, of this kind of ‘super surveillance’ was not made available, as the fact that this code even existed, or was being utilized, wasn’t even shared or made known to the consumer.

This represents a virtual treasure trove of information for those seeking access to it, particularly advertisers and the government. And we know how willing the telecom industry was to give up such private information to the government in the past, just as we know how the government used the Patriot Act, not to catch terrorists, but rather, to target peace protesters and suspected drug users/dealers (think Occupy).

But government desire to access this data aside, what about the fact that a corporate entity is tracking/recording EVERYTHING you do (i.e. where you shop, when you shop, while you shop, what you search for on the internet, who you talk and text, and what you say and write), then turning that information into a detailed digital profile (98% of Google’s profits come from advertising) that they can then sell ‘ for huge profits – to third party advertisers so they can market their products to you more effectively (without your say)’

Since this Carrier IQ story broke last week, we’ve learned that the company’s spying technology is present on 141 million phones, including Androids and iPhones and possibly models made by BlackBerry, Nokia and other manufacturers.

If these revelations don’t demand an opt-in, Do-Not-Track mechanism available to all consumers, whether online or using something like a smart phone, I don’t know what does.

As Adam Clark Estes reports:

The reason for this invasive Android app seems reasonable enough at face value. Even though it’s on most Android, BlackBerry and Nokia devices, most users would never know that Carrier IQ is running in the background, and that’s sort of the point. Described on the company’s website as software to gain “unprecedented insight into their customers’ mobile experience,” Carrier IQ is ostensibly supposed to help mobile carriers and device manufacturers gather data in order to improve their products. Tons of applications do this, and you’re probably used to those boxes that pop up on your screen and ask if you want to help the company by sending your data back to them. If you’re concerned about your privacy, you just tap no and go about your merry computing way. As security-conscious Android developer Trevor Eckhart realized, however, Carrier IQ does not give you this option, and unless you were code-savvy and looking for it, you’d never know it was there. And based on how aggressive the company has been in trying to keep Eckhart quiet about his discovery, it seems like Carrier IQ doesn’t want you to know it’s there either. ‘

This week, Eckhart fired back with a 17-minute long video showing in painstaking detail how much data CarrierIQ collects, effectively undercutting the company’s denial. It was even logging contents of text messages! Wired posted the video on Tuesday night and cemented CarrierIQ’s status “as one of nine reasons to wear a tinfoil hat.” The magazine explains how CarrierIQ even undercuts other companies’ security measures…

Tracking is creepy. In an Orwellian kind of way, it makes people nervous — especially Americans — that the government or the corporations or the system is closing in on them and stealing their freedom. Of course, not everybody feels so strongly about privacy, but as long as you can opt out, it should be fine. This seems be where privacy agnostics as well as advocates both get concerned. Some people don’t mind being tracked, but nobody wants to be tricked. Last week, Sen. Charles Schumer spoke out about a program at some malls in Virginia and Southern California that were anonymously tracking shoppers’ movements by tracking their cell phone signals, and the only way to opt was by not going to the mall. Schumer did not approve. “Personal cell phones are just that — personal,” the New York senator said in a statement. “If retailers want to tap into your phone to see what your shopping patterns are, they can ask you for your permission to do so.” The CarrierIQ software is not dissimilar to the shopper tracking program. In fact, it’s arguably worse since it follows you everywhere. In the age of social media, everybody is becoming increasingly aware of and often angry about the amount of private data companies are scooping up with or without their consent.

 

Thankfully, it didn’t take long for the Free Press to urge its members to take action. You can do that here: ‘Tell Congress and the Department of Justice: My mobile phone is mine, and I have the right to be free from being spied on.

Similarly, it didn’t take long for privacy stalwart, Senator Al Franken, to demand answers, stating, ‘Consumers need to know that their safety and privacy are being protected by the companies they trust with their sensitive information. The revelation that the locations and other sensitive data of millions of Americans are being secretly recorded and possibly transmitted is deeply troubling. This news underscores the need for Congress to act swiftly to protect the location information and private, sensitive information of consumers. But right now, Carrier IQ has a lot of questions to answer.’

In his letter to Carrier IQ President and CEO Larry Lenhart, he writes, ‘I am very concerned by recent reports that your company’s software’pre-installed on smartphones used by millions of Americans’is logging and may be transmitting extraordinarily sensitive information from consumers’ phones, including:

‘           when they turn their phones on;
‘           when they turn their phones off;
‘           the phone numbers they dial;
‘           the contents of text messages they receive;
‘           the URLs of the websites they visit;
‘           the contents of their online search queries’even when those searches are encrypted; and
‘           the location of the customer using the smartphone’even when the customer has expressly denied permission for an app that is currently running to access his or her location.

It appears that this software runs automatically every time you turn your phone on.  It also appears that an average user would have no way to know that this software is running’and that when that user finds out, he or she will have no reasonable means to remove or stop it.

He goes on to ask a series of pointed questions in which he demands answers by December 14th, including (among many), ‘Is that data transmitted to Carrier IQ?  Is it transmitted to smartphone manufacturers, operating system providers, or carriers?  Is it transmitted to any other third parties? If Carrier IQ receives this data, does it subsequently share it with third parties? With whom does it share this data?  What data is shared’?

Mark your calendars’