There is a brewing controversy surrounding the data that cellular operators and cellphone manufacturers know about users. It has started with researcher and coder Trevor Eckhart, known as TrevE on the XDA Developer forums, digging into the code of a company called Carrier IQ (CIQ). According to Eckhart’s research, CIQ has the ability to know just about everything a user does with a cellphone, from when and how a dropped call took place at a certain time and location to what input method a consumer is using and even what they user is inputting.
The depth of the allegations are startling. Does CIQ really have the ability to key log everything that a user types? The fight has now gone legal with CIQ sending Eckhart a cease-and-desist letter and removal of his research while the Electronic Frontier Foundation (EFF) has come to his aid. CIQ claims copyright and false allegations of Eckhart’s research while the EFF says the researcher is protected under Freedom of Speech and Fair Use doctrines. Make no mistake, this battle is more than just about copyright and the free speech. It is the first step of unveiling exactly what companies know about their cellphone customers and how they use that data.
[Update Nov. 23, 7:24 PM EST — The EFF is reporting that Carrier IQ has dropped its cease-and-desist suit against Trevor Eckhart as of this afternoon. There are likely two reasons for this: A) CIQ realized that they had very little of a legal case and B) this was about to get very public. At this point the news had been relegated to developer and technology circles but when it comes to data and privacy issues, nothing brings out the mainstream media like a lawsuit. Especially one being defended by a powerful civic organization like the EFF or ACLU, both of which use the press to drum up support for their clients and expose the plaintiff companies.
See the fax from the CEO of CIQ to Eckhart himself here.
Research: Root Code, Device Access & System Admin
It appears that the initial cease-and-desist letters from CIQ have worked. The original material from Eckhart’s research, posted in various Android security and file hosting sites, are no longer published. (here and here you will find the 404 not found to those articles). Eckhart also published the companies training manuals. All of this information was found for free on open sources, according to Eckhart and the letter sent to CIQ on his behalf from the EFF.
What Eckhart found was a series of code used by CIQ to track the behavior of users baked into the root and skins of HTC smartphones. Research on Samsung devices was done by XDA member k0nane. Both instances foundn that CIQ had code that had device access with the purpose of tracking data that can be accessed by a system administrator. Essentially what that means is that all the data in a device, including all personal data, messages, input methods, calls received (and dropped), media usage (app) statistics and more can be accessed by an admin with access to the CIQ data. That means that CIQ and its partners basically have access to your entire smartphone.
Image: Capabilities found in the CIQ code. Source: XDA Developer blog.
The outcry over mobile data tracking has been heard loud and clear this year. We saw that with the iOS/Android/Windows Phone location tracking “scandal” earlier in the year and other flares ups through the summer. Yet, that does not mean that what CIQ does is inherently wrong. It may have a little too much access to the device but the service it provides is helpful to the OEMs and carriers in creating better user experiences.
What Does CIQ Actually Do?
In a media advisory posted to CIQ’s website, the company defends its practices. The note, posted from the company’s headquarters in Mountain View on Nov. 16 is titled “Measuring Mobile User Experience Does Matter!” and outlines what the company does and does not do. Here are the pertinent paragraphs:
Carrier IQ delivers Mobile Intelligence on the performance of mobile devices and networks to assist operators and device manufacturers in delivering high quality products and services to their customers. We do this by counting and measuring operational information in mobile devices – feature phones, smartphones and tablets. This information is used by our customers as a mission critical tool to improve the quality of the network, understand device issues and ultimately improve the user experience. Our software is embedded by device manufacturers along with other diagnostic tools and software prior to shipment.
While we look at many aspects of a device’s performance, we are counting and summarizing performance, not recording keystrokes or providing tracking tools. The metrics and tools we derive are not designed to deliver such information, nor do we have any intention of developing such tools. The information gathered by Carrier IQ is done so for the exclusive use of that customer, and Carrier IQ does not sell personal subscriber information to 3rd parties. The information derived from devices is encrypted and secured within our customer’s network or in our audited and customer-approved facilities.
Our customers have stringent policies and obligations on data collection and retention. Each customer is different and our technology is customized to their exacting needs and legal requirements. Carrier IQ enables a measurable impact on improving the quality and experience of our customers’ mobile networks and devices. Our business model and technology aligns exclusively with this goal.
Eckhart’s research is basically saying that CIQ is lying in that it does not track some of the functionality that it denies tracking and believes he has found the source code to back up those claims.
CIQ is a venture-backed company that raised its Series C funding in 2009. It was named as an Innovative Business Analytics Company Under $100M to watch by IDC in late October of this year. In addition to Samsung and HTC, CIQ has published relationships with Nielsen, Vodafone Portugal, Huawei and the entire Android platform among several others.
This is an ongoing story. What does CIQ really know about users? What is it sharing with the OEMs and carriers? We will attempt to follow up with pertinent parties to get a more accurate view of what CIQ is up to and report our findings as soon as we have more information.