The digital rights watchdog Electronic Frontier Foundation has released an in-depth study of the corporate architecture of Carrier IQ in hopes of clarifying some of the difficulties and contradictions that have circulated in reports on the scandal involving Carrier IQ’s software in the two weeks. The report notes that, given some of the difficulties that have shown up in reports about Carrier IQ, it is possible for contradictory statements about Carrier IQ to be “simultaneously correct.”
The difficulty is apparently one of terminology. The term “Carrier IQ” has been used to mean different things in different stories about the scandal. The EFF report points out that the term seems to have four distinct layers. In the first layer, “Carrier IQ” refers simply to the company itself. The second layer is the core software written by the company and present on all 150 million handsets referenced in the counter on the company’s website. The third refers to the core software running on an individual phone, which includes not only the core software but also additional code written by handset or chipset manufacturers, as well as carrier networks. The fourth includes the core software, additional code from the manufacturers or carriers, and additional code within handset operating systems that sends data to the software in the third layer.
This lends credence to some of what Carrier IQ has been insisting all along: that they are not solely responsible for the level of data collection engaged in by the versions of their software that appear on smartphones from various manufacturers and carriers. In their original statement to the media in mid-November, the company claimed that “[t]he metrics and tools we derive are not designed to deliver such information [keystrokes or tracking data], nor do we have any intention of developing such tools.” They also point out that “our software is embedded by device manufacturers along with other diagnostic tools and software prior to shipment.”
In a fuller statement issued yesterday, the company explains at some length exactly what their software is and how it works. They say that their focus has been on “building a solution capable of scaling to millions of subscribers,” and have tried to make sure that “the software gather only the critical diagnostic information and do so in a manner that protects consumers’ information.” The primary purpose of their software, they say, is as a tool for carriers to perform diagnostic services on their networks, and as a tool for assisting in customer care by diagnosing problems with handsets. The company also asserts that their core software, IQ Agent, is designed to gather as little data as necessary, and that it collects and uploads about 200 kilobytes of network and device perfomance summary data per day.
The second statement also responds more directly to the YouTube video by Trevor Eckhart that is primarily responsible for the scandal. They say that the data Eckhart shows the handset collecting, “location, key presses, SMS and other information appears in log files as a result of debug messages from pre-production handset manufactuerer software.” In other words, the “manufacturer software’s debug capabilities remained ‘switched on’ in devices sold to consumers.”
Taken in tandem, all of this suggests that the Carrier IQ “spyphone” scandal may be far less serious than originally thought, and that the company itself may be less responsible for the collection of user data. Moreover, it seems likely that the manufacturers and carriers themselves may bear responsibility for more than simply installing the software on their phones, since it seems they are able to modify and add to the base code of Carrier IQ’s IQ Agent software.
Finally, Carrier IQ responded late this morning to controversy caused by reports that the FBI had denied a Freedom of Information Act request for files related to Carrier IQ, on the grounds that such data was part of ongoing legal proceedings and therefore exempt from FOIA requests. It was widely assumed across the internet that the reason for the denial was that the company had been providing consumer data to the FBI as part of its investigations. The company strongly denied this, and asserted that if they had ever received any requests from the agency, they would have directed investigators to the carriers. Moreover, they insisted again that the data they received from their software was diagnostic and primarily historical in nature and that as such it would not “address the special needs of law enforcement.”
What do you think? Does this new information change your opinion of the Carrier IQ scandal at all? Let us know in the comments.