see YouTube video) that performance measurement software installed by carriers on Android phones record dialer keystrokes, resulted in the almost autonomous generation of Web stories asking rhetorical questions, in the vein of, "Is your smartphone spying on you?" Web publications have a tendency to ask such questions without particularly being interested in whether anyone actually comes up with an answer. So it's almost no surprise that when another security researcher did find the answer, few publications actually noticed.The revelation two weeks ago from security researcher Trevor Eckhart (
What we now know from security researcher Dan Rosenberg's subsequent analysis of Carrier IQ software are these important facts: 1) It records only keystrokes made through the phone dialer software, not any other software including SMS, texting, or apps; 2) it does not appear to use stealth other than the protection methods already built into the operating system; 3) it stores the logs of those keystrokes using not enough stealth, thus potentially exposing users to privacy risks. But these are not the three most important lessons of this story.
Now that the facts are in front of us, we have the opportunity to take a more sober assessment of their actual meaning:
Metrics must never be taken without the user's knowledge.
Prior to Eckhart's discovery, the problem with Carrier IQ was not that it was used to assess the performance characteristics of Android (and other) phones, and the differences between them. If engineers are ever to normalize the operation of the various Android versions over as many devices as possible, they need this data, otherwise performance will only get worse.
The problem was that folks did not know that this measurement was taking place, or why. Carriers do make their phone customers sign agreements, and for legal reasons, they presume that customers have actually read them. Some of those agreements may imply that carriers retain the right to use their choice of software to monitor performance characteristics on their phones (which are, after all, leased to customers, not sold). The integrity of a contract should never hinge upon what a clause may imply. If Carrier IQ were explained to customers, even by way of a pre-recorded video - simply, factually, briefly - most customers would probably accept it. Those who do not, however, should have the right to reject just the software and opt out.
It may be our data, but it's not our phone.Telecommunications and the Internet and the Web are all being marketed and sold to us as though they constitute some collective birthright, perhaps even something our Constitution guarantees. "Americans have a right to an open Internet," says the first paragraph of KeepTheWebOpen.com. "Our duty is to protect these rights."
We need to come to the realization that this is a load of bull. We own very, very little of what constitutes the Internet or any broad telecommunications network, besides perhaps a few PCs, a couple of hundred feet of Ethernet cable, and an infinite, unfathomable, and increasing quantity of data. Some of that personal data is indeed the material upon which our lives, our livelihoods, and even our identities are based. And that part is priceless, at least to each of us. But we are entrusting its care to an infrastructure we do not fully or even partly comprehend. Our privacy depends on the integrity of the contract between the true owners of our data - us - and the companies that provide Internet services to which we are not by birthright entitled. If we were, privacy would not be an issue; because we are not, it is.
The gap is growing between what we know and what we think we know.In an earlier era, the decisions about which stories were published for public consumption were made by humans who, rightly or wrongly, estimated their relative informational value to the reader or viewer prior to printing them. They may have been small stories, many of which did not involve global conspiracies, but they might have taught us something anyway, and thus they were printed.
In the modern age (described by some using the adjective "open") the newsworthiness of a story is judged with respect to the probability you will find it amid other stories with the same topic. Thus if a story were to assert an evident fact (e.g., Carrier IQ has not endangered anyone yet), it would substitute the larger, more visible topic ("Is Your Android Phone Spying On You?") with a smaller, less visible one ("Measurement Tool Assesses Android Performance Using Dialer Strokes"), which would not only lower the probability that you'd ever read it, but statistically increase the probability of you reading something with the larger topic.
As a result, the Web tends to elevate unsubstantiated speculation to the level of evident fact. As such, it then becomes reported or at least presented by traditional media at the same level as fact (see example above, from NBC Nightly News last December 1). Thus the public at large - for whom the Web is not yet an established authority - perceive this presentation by pre-established, authoritative media as confirmation. And in turn, continuing the strange, self-consuming lifecycle, the Web accepts that confirmation as the substantiation it was previously lacking.
The Web is a colossal data routing service whose content is largely about technology itself. The Carrier IQ episode demonstrates the Web's growing ratio of noise to information - of the extent we discuss technology, to the true knowledge we actually obtain from that discussion. If the Web truly does belong to us - to "We, the People" - then we should not expect Carrier IQ or Google or Apple or anyone else besides ourselves to solve this problem.