Deconstructing Carrier IQ’s Press Release

I couldn’t find this press release on their website, and it’s a couple of weeks old, but I thought it worth deconstructing anyway. My comments in quotes. The rest is from the release. I don’t pretend to have got anything right here, but these might be the starting points for deeper questions.

Carrier IQ Says Measuring Mobile User Experience Does Matter! – MarketWatch:

MOUNTAIN VIEW, Calif., Nov 16, 2011 (BUSINESS WIRE) — Carrier IQ would like to clarify some recent press on how our product is used and the information that is gathered from smartphones and mobile devices.

Carrier IQ delivers Mobile Intelligence on the performance of mobile devices and networks to assist operators and device manufacturers in delivering high quality products and services to their customers. We do this by counting and measuring operational information in mobile devices — feature phones, smartphones and tablets.

‘Operational information’ is a very vague term. And it’s clear from this comment that it’s not just smartphones that have the software installed. Feature phones and tablets also have it.

This information is used by our customers as a mission critical tool to improve the quality of the network, understand device issues and ultimately improve the user experience. Our software is embedded by device manufacturers along with other diagnostic tools and software prior to shipment.

It calls it a diagnostic tool, but most people’s understanding of a diagnostic tool is one that runs in diagnostic mode. This doesn’t. It runs all the time–even on WiFi and airplane mode. But this comment also hints that there are other tools and software installed by manufacturers too.

While we look at many aspects of a device’s performance, we are counting and summarizing performance, not recording keystrokes or providing tracking tools.

‘Recording’ keystrokes could be as it looks, or it could be weasel language, given the fact that keystrokes are definitely logged. Logging could be considered different to recording in this context.

The metrics and tools we derive are not designed to deliver such information, nor do we have any intention of developing such tools.

But they clearly do, so is that a bug? Is the word deliver here key, as in not designed to deliver such information to certain parties?

The information gathered by Carrier IQ is done so for the exclusive use of that customer, and Carrier IQ does not sell personal subscriber information to 3rd parties.

This doesn’t really help. Not only was it never really the issue that Carrier IQ was selling the data (it was assumed the carrier would be, if anyone was), but the term ‘personal subscriber information’ is quite possibly a weasel term, as ‘personal’ has tended to mean including the actual subscriber’s name. But we know now that even anonymized data can be mined so that it is quickly connected to a specific person.

The information derived from devices is encrypted and secured within our customer’s network or in our audited and customer-approved facilities.

I don’t know enough about this, but I’m guessing these are weasel words too. The key word is within. It seems pretty clear that most if not all of the Carrier IQ data is in plain text, so presumably the encryption and securing is only when that data reaches the customer’s network (i.e. this doesn’t include the external network, but the customer’s own computer network.) It also makes clear that the data, whether encrypted or not, also resides within Carrier IQ’s systems.

Our customers have stringent policies and obligations on data collection and retention. Each customer is different and our technology is customized to their exacting needs and legal requirements.

Except that at no point was any customer, as far as we know, actually asked whether they approved this data being collected about them. In fact, we don’t even know who those customers are in order to be able to verify this.

Carrier IQ enables a measurable impact on improving the quality and experience of our customer’s mobile networks and devices. Our business model and technology aligns exclusively with this goal.

Don’t get me started on the word ‘experience.’ It covers a multitude of sins and can mean more or less anything. My experience of call dropouts? Yes, sure, fix that. My experience of what services I use, how many times I enter my password, whether I’m buying something in Starbucks or Coffee Bean, how many people are in my address book etc. No. Not what I want you to log.

I think there’s another element at play here. Clearly the device manufacturers have allowed this to happen since the software is installed at the point of manufacture. A carrier can use the service because whatever device their customer uses, they can be pretty confident that the Carrier IQ software is embedded. So one has to ask what data are being shared between carrier, Carrier IQ and manufacturer? And how does this work?

SOURCE: Carrier IQ

01. December 2011 by jeremy
Categories: Privacy