Sometimes when I read TechCrunch I’m not sure if they’re just trolling or accidentally “omit” certain aspects of the story. You have probably seen enough Carrier IQ news everywhere: how it’s capable of recording everything on your Android phone but chooses to only “help carriers to improve service”, how Apple turned out to also have Carrier IQ software on older iOS devices, and how they will quickly remove all remains in a future update, and how a security expert thinks that they are not purposefully tapping your SMS chats, and stuff (which I guess is true).
Inevitably, there are now voices saying how everyone is piling on Carrier IQ, which is the poor little victim here and generally is a white and fluffy creature that serves the evil overlords of cell phone carriers (see TechCrunch article). That strikes me as quite an odd position. Here are my objections:
– Carrier IQ actively advertises information gathering and “install base” (right on their front page). I don’t see all cell phone carriers suddenly getting the idea of putting what is essentially a rootkit (“with no visible impact”, says their web site) on clients’ phones at the same time. I do see Carrier IQ promoting their product, offering it to carriers (even then, Verizon claims not to use it at all) and profiting from it. While the idea might originally have come from a cell phone carrier (“Could we figure out what’s going on on the handset when errors happen?”), the implementation certainly went beyond what the claimed purpose is.
– Stealth, stealth and more stealth. When you are trying to help the user, you don’t have to hide. Put up a big banner and let the user turn on your “information gathering” openly, to collect whatever information is needed. “We’re sorry your battery performance is unsatisfactory, would it be okay if we check what applications are installed and running on your handset to determine if one of the apps is the problem?” There, your problem is solved. Windows has remote help, which is essentially used for the same purposes. Yet instead of “turn it on and we will help you”, here we have “this is always on, gathering data, sending it out there in case you drop a call, trust us” behavior. Very, very odd.
– Catch everything, report something. This might be just a “shortcut” from a development point of view. But in the case of sensitive information nobody in their right mind should agree to that. “Let me track your every movement, check your passwords and bank account PINs and observe all your conversations, which I am going to ignore, to figure out what kind of pavement results in your shoes being worn off excessively”. If you don’t want to record the content of the SMS, don’t record it. Don’t touch the URLs of where the browser is headed unless you actually plan to report them. Ask Google for a reporting interface for certain functionality if it’s not there already.
– Don’t allow turning it off or uninstalling. “We will help you, whether you want it or not, and watch your every move”. Again, very unfriendly.
– Conflicting statements about personal information. On one side, press releases keep stressing that it’s the aggregate information that gets transferred; on the other side, their own marketing material says: “What’s more, the combination of the MSIP and IQ Insight lets you move seamlessly from broad trend data across many users, through comparative groups down to diagnostic data from individual devices.” I’m sorry, which is it then, aggregate or individual? Do try again.
So, anyways, I don’t think it’d be valid to say this little scandal is all the carriers’ fault. Because of the sales, because of the offering, and because of the way that system seems to be constructed. Responsibility could be somewhat shared, but the lion’s share lies on Carrier IQ’s shoulders.
Update: Per Wired’s article, Carrier IQ indeed can record the content of SMS (when delivered to the wrong recipient?), URLs, etc. On behalf of carriers, of course, because some users could misspell Facebook.com. And everything is stored for 10 to 30 days.