Carrier IQ’s Opt-Out Data Collection Patent

ZDNet writes here about an Carrier IQ patent that outlines keylogging and ability to target individual devices . Which is interesting. But Carrier IQ owns a dozen patents, including this one, which to me is much more interesting. This patent indicates what Carrier IQ software could do—not what it does—but it is revealing nonetheless:

A communication device and a data server record and collect events and event-related data to create an activity record. A user of the communication device may request that events and related data be recorded and collected using a configuration option on the communication device or through an interaction with the data server. Data are grouped into data sets and uploaded to the data server either automatically or upon user approval. The data server uses the uploaded data to create an activity record which the user may access through a website. The user uploads additional data which are associated with the activity record. In some instances, the data server embeds a link pointing to the additional data in an entry in the activity record corresponding to an event associated with the additional data.

Basically this patent offers a way for a “user”—which could be either the user of the device or the service—to have a record of everything they do:

image

While most of the patent is clearly about a product that would create a ‘lifestream’ for the user—where they can access all the things they’ve done with the device, including photos etc, in one tidy presentation, there’s clearly more to it than that. Buried in the patent are indications that it could do all this without the user asking it to. It’s paragraph 0023 which I think is most interesting:

A user of a mobile device requests that events and event-related data be collected by a data server and data collection begins. Alternately, data collection may be a default setting which is turned off only when the device user requests that data collection not occur. In yet another embodiment, a request from a server can initiate, pause, or stop data collection. The mobile device is configured to record events performed by the mobile device as well as event-related data. Typical events that the mobile device records include making or receiving a phone call; sending or receiving a message, including text, audio, photograph, video, email and multimedia messages; recorded voice data, voice messages, taking a photograph; recording the device’s location; receiving and playing an FM or satellite radio broadcast; connecting to an 802.11 or Bluetooth access point; and using other device applications. The data most often related to an event include at least one of: the time, date and location of an event. However, other event-related data include a filename, a mobile device number (MDN) and a contact name. Commonly, the mobile device records events and provides a time, date and location stamp for each event. The events and event-related data can be recorded in sequence and can be stored on the mobile device.

This seems to suggest that

  • basically all activity on the phone can be logged
  • the software can be turned on by default
  • the software can be turned on and off from the server

All this information would be grouped together and uploaded either with the user’s permission or without it:

[0025] The mobile devices may be configured to store one or more data sets and upload the data sets to the data server. In one embodiment, the data sets are uploaded automatically without user intervention, while in other embodiments the mobile device presents a query to the user beforehand. When the mobile device is ready to upload one or more sessions to the data server, a pop-up screen or dialog may appear and present the user with various options. Three such options include (1) delete session, (2) defer and ask again and (3) upload now. The user interface may present the query every time a session is ready to upload, or the user may be permitted to select multiple sessions for deletion, a later reminder or upload all at once. In another embodiments, the uploading of sessions may occur automatically without user intervention. Uploads may also be configured to occur when the user is less likely to be using the device.

This point—about the option to collect such data without the user’s say-so—is confirmed in [0030]:

Although typically the device and the server do not record, upload and collect data unless the user requests it, in other embodiments the communication device and the server automatically record, upload and collect data until the user affirmatively requests otherwise.

And in [0046]:

In embodiments where participation in the data collection services is the default configuration for a mobile device (e.g., an “opt-out” model), it is not necessary to receive a request from a user prior to recording data.

An ‘opt-out’ model is hard to visualize if this is a product that is a user-centric lifestream.

While patents only tell part of the story, there’s no evidence of any such consumer-facing product on Carrier IQ’s website, so one has to assume these capabilities have been, or could be, wrapped into their carrier-centric services. In that sense, I think there’s plenty of interest in here.

04. December 2011 by jeremy
Categories: Phones, Privacy | Tags: , , , , , , , , , , , , , , , , , , , | Comments Off on Carrier IQ’s Opt-Out Data Collection Patent