A couple weeks ago, we ran a story examining the controversy behind tracking people's phones. In it, we talked about Carrier IQ, a startup that was allegedly tracking (on behalf of carriers) mobile phone users' locations, what input method customers were using, AND what customers were typing into their phones.
Naturally, the allegations ended up drawing a lot of media attention, with many accusing Carrier IQ of egregious violations of privacy.
One such commentator was Cornell University professor Stephen Wicker. "This is my worst nightmare," said Wicker, a professor of electrical and computer engineering, on NetworkWorld.com (Dec. 2). "As a professor who studies electronic security, this is everything that I have been working against for the last 10 years. It is an utterly appalling invasion of privacy with immense potential for manipulation and privacy theft that requires immediate federal intervention."
The company issued a statement last week (Dec. 1) saying it is committed to protecting consumers' privacy: "Consumers have a trusted relationship with operators and expect their personal information and privacy to be respected. As a condition of its contracts with operators, Carrier IQ operates exclusively within that framework and under the laws of the applicable jurisdiction. The data we gather is transmitted over an encrypted channel and secured within our customers’ networks or in our audited and customer-approved facilities."
In the statement, Carrier IQ also denies violating any wiretap laws.
Professor Wicker says that's all fine and dandy, but asks just how "anonymous" this type of data (particularly what's being typed into the phones) can be. "How hard would it be to 'de-anonymize' a pile of text messages between me and my wife? My mother? My children? Banking IDs with passwords?"
Wicker makes a good point. The most serious charge against Carrier IQ is its ability to track what you're typing into your phone, a process known as "keylogging."
Recent reports claim the keylogging accusations against Carrier IQ are false. Security consultant Dan Rosenberg analyzed the company's assembly code language and told CNET News (Dec. 2) that "the application does not record and transmit keystroke data back to carriers."
CNET's Declan McCullagh today wrote a follow-up article on Carrier IQ, providing further evidence that it is not keylogging. Rosenberg says, "Carrier IQ cannot record SMS text bodies, web page contents, or email content even if carriers and handset manufacturers wished to abuse it to do so. There is simply no metric that contains this information."
But even if Carrier IQ is incapable of capturing keystrokes, McCullagh writes, "other privacy concerns remain."
To address those concerns, Rosenberg suggests:
- Carriers should allow consumers to opt out of any form of data collection.
- Carriers should provide added transparency on what data they are collecting.
- A third-party agency should oversee what data is collected to prevent abuse.
I'm with Rosenberg on those three suggestions.