The saga of Carrier IQ and its questionable data gathering antics continues today, as the company has released a document providing an insight into its practices. Spread over 19 pages, it covers everything from the company’s background to the individual metrics it examines for networks, while also responding to what it calls “recently discussed issues,” but everyone else calls “scandal.”
Carrier IQ first hit the headlines at the end of November when systems administrator Trevor Eckhart released a series of videos, each demonstrating that Carrier IQ’s software installed on his Android phone was sending sensitive information back to base.
Since then, phone manufacturers around the world have distanced themselves from Carrier IQ, and rumors of FTC investigations, breaches of the European data protection act and even the FBI becoming involved have circulated.
Presumably in an effort not to appear as a terrifying, Big Brother-like corporation, Carrier IQ has released a document entitled Understanding Carrier IQ Technology. It’s not the most consumer-friendly document in the world, but it should be accessible to anyone with a passing knowledge of how their phone operates. Everyone else, though, is likely to be left as confused and wary as before.
After thanking (through gritted teeth, we’d expect) Trevor Eckhart for sharing his discovery, the company launches into an explanation of what the IQ Agent software is, calling it “the first stage … in identifying, storing and forwarding diagnostic measurements and data” from millions of devices. It uploads this data once a day, in a 200kb file that users aren’t charged for and never see on their bill.
The document gets confusing when it tries to explain the three different versions available to networks and manufacturers (pre-load, embedded and aftermarket) and the profiles that define the data, which it calls metrics, sent back in the diagnostic file. The important section is the embedded part, as this is the type of IQ Agent installed on Mr. Eckhart’s device, and this is discussed next.
Here, Carrier IQ shifts a degree of the blame for the data being collected in Eckhart’s video onto HTC, saying the debug capabilities had been left switched on, and that the embedded version of the IQ Agent doesn’t take data from the Android log file. However, the document adds that a subsequently discovered bug would “in some unique circumstances” have “unintentionally included” SMS messages in the data collected.
It’s also hastily pointed out that the messages weren’t readable, and that Carrier IQ is working with customers to fix the bug. They’re also looking at changing the certification process to prevent debug modes being left enabled in the future.
If you want to read the document yourself it’s available here, and there is a handy summary at the end if you don’t want to wade through all 19 pages.
The question is, will it be enough to exonerate Carrier IQ?