Carrier IQ: A privacy tempest in your pants pocket

Privacy and cyber law experts weigh in on the privacy implications surrounding the Carrier IQ mobile diagnostic software.

The lines at Carrier IQ haven't stopped ringing since accusations began flying that the mobile diagnostic company has installed rootkits on millions of phones around the world. Detractors have broadly claimed that the company's software, at best, violates end user privacy and, at worst, federal wiretap laws.

"This entire situation has touched a nerve with a lot of people beyond the IT industry," says information privacy, security, and compliance consultant Rebecca Herold. "People who don't normally pay attention to these issues are asking questions. People fear their identity data, texts, emails, keystrokes are being collected and sent to Carrier IQ."

These are claims, however, that Carrier IQ vehemently denies. "We measure and summarize performance of the device to assist operators in delivering better service," the company said in a statement issued late last week.

"While a few individuals have identified that there is a great deal of information available to the Carrier IQ software inside the handset, our software does not record, store or transmit the contents of SMS messages, email, photographs, audio or video. For example, we understand whether an SMS was sent accurately, but do not record or transmit the content of the SMS. We know which applications are draining your battery, but do not capture the screen," the company said.

Also see: FAQ: Behind the Carrier IQ Rootkit Controversy

Sen. Al Franken (D-Minn.) isn't taking the company at its word. Franken has called on the company's president, Larry Lenhart, to detail precisely what the company's software records, transmits, and if the application violates federal law or poses a security or privacy risk.

In addition to questions surrounding the nature of the Carrier IQ software, the public outcry -- which was as swift as it was broad -- is interesting in itself. "I think much of the reaction has to do with the fact that people feel that they were not told the nature of the data collection occurring on their phones," says Herold.

Mark Rasch, director of cybersecurity and privacy consulting at CSC, said that based on what is known publicly, the jury is still out as to whether Carrier IQ has committed privacy violations or is simply monitoring for quality of service.

"Carriers and handset companies want to know what their users' experience is like. When does the handset crash calls? And, if they have bad calls, is there something that the user is doing that creates that condition? Are there hundreds of customers in an area that may need a new cell tower? Do certain applications affect the device performance? These are the things the software is seeking. They are trying to capture the behavior of the phone," says Rasch. "The trouble is that in capturing the phone experience it is operating similarly to a rootkit installed on the phone."

The challenge is that it's unclear what Carrier IQ and its carrier and handset customers are collecting. "There are still so many questions about the data, such as what is collected, who has it, how long it's stored by Carrier IQ or its customers. This is information we really need to know before we can make a judgement," Herold says.

Also see: How to Turn Off Carrier IQ on Your iPhone

For those answers, we may have to wait until Carrier IQ answers Sen. Franken's list of questions, most likely by the Dec. 14 deadline the senator imposed.

There is one thing we do know for certain now: similar incidents can be avoided in the future by giving consumers much clearer information about what data about their phone usage is being collected. "Companies have to be much more transparent about the data that they are collecting and explain that it's diagnostic and how long it is kept. Just let people know what is going on," says Herold. "That doesn't mean burying the information in a terms-of-service contract."

George V. Hulme writes about security and technology from his home in Minneapolis. You can also find him tweeting about those topics on Twitter at @georgevhulme.

Copyright © 2011 IDG Communications, Inc.
