Carrier IQ, the company that everyone -- for right or wrong -- has come to hate of late has released a document explaining in plain English how it does what it does. "Understanding Carrier IQ Technology -- What Carrier IQ Does and Does Not Do" was released on Carrier IQ's website late Dec. 12 and is a PDF that details what Carrier IQ is, how it's loaded on devices (and what kinds of devices it can be used on), what information is collected, how it can be used by Carrier IQ's customers, and how the data is protected in the process.
Let's break it down.
A few choice points
- Carrier IQ maintains that it's a provider of diagnostic data, and "that having an effective solution requires that the software gather only the critical diagnostic information and do so in a manner that protects consumers’ information."
- Carrier IQ has been used on feature phones, smartphones, data modems and tablets.
- Data is uploaded from the device once a day, at about 200kb a pop. The carrier absorbs the charge for the data.
Carrier IQ is loaded onto the phone as one of three ways
- Preload: Installed by the hardware manufacturer at the behest of CIQ's client -- the carrier, it's not considered a traditional app and is not easily removed by the consumer, but it only has access to data accessible through the system APIs.
- Aftermarket: Installed as a typical application, after purchase of the phone. Can be deleted by the consumer.
- Embedded: Installed using a specific API from Carrier IQ, and differs from Preloaded in that it can report radio signal information.
Explaining the video
Speaking on the now infamous video from Trever Eckhart, Carrier IQ says that while it can't comment on every manufacturer implementation of its product (really?) the company says it looks like a hook was left in place that allows the CIQ metrics being collected to be passed to the Android debugging software, which is exactly what we see in the video, and that it's possible for that to be turned off.
CIQ also contends that just because something was visible in the debugging screen (and, again, they're working to get that turned off), it doesn't mean it was necessarily being collected and/or transmitted by Carrier IQ. Think of it as the difference between being able to see something versus seeing, remembering and then sharing with someone else.
CIQ also explains that, indeed, it's possible to collect URLs that are visited -- if it's part of the data collection profile that the carrier put into place.
CIQ's also come clean about some unintended data collection. Apparently while collecting signal information (ie what's going on with the network when you drop a call), it's possible that if you're on a call and you receive an SMS message, that SMS "may have unintentionally been included in the layer 3 signaling traffic that is collected by the IQ Agent." CIQ contends that "These messages were encoded and embedded ... and are not human readable," and that it's working with the carriers to make sure that information is no longer being collected. Only embedded versions of Carrier IQ had that problem.
Who owns the data?
Carrier IQ maintains that it has "no rights to the data that is gathered ... for any Carrier IQ customer." The servers that handle all of the data collection can be run by Carrier IQ, or by the carrier (or conceivably a third party). Carrier IQ says to its knowledge, it's never had a data breach.
The wrap up
There's more in the white paper regarding network analytics, and the entire thing is worth a read. You'll still have to come to your own conclusion about just how scary this whole thing is, and it's worth another mention that Carrier IQ doesn't exist in a vacuum. Carrier IQ is a customer of network operators -- the carriers you pay good money to every month.
And all that said -- we continue to believe that a simple disclosure and option to disable the analytics collection at initial startup would go a long way toward defusing this whole situation and restoring trust in Carrier IQ as well as in the carriers that hire its services.