In an interview with AllThingsD today, Carrier IQ, the company accused of creating spyware for mobile carriers, cleared the air and explained in detail what its software does and does not do.
Carrier IQ explained why its software appears to log keystrokes. The software is configured to monitor, not log, keystrokes, looking for particular sequences that the carrier can instruct a user to enter to send diagnostic information back to the carrier.
The data the application is gathering is primarily related to battery usage, signal quality, software crashes, failed transmission of SMS messages and failed calls.
One thing that is still concerning about the application is that it does collect URLs visited by the users, which presumably includes HTTPS URLs.
According to AllThingsD:
The same is true of Web site URLs. CIQ has the ability to capture them, but not the associated content. So it might note a device having trouble accessing Facebook, but not the content on Facebook itself.
While it might seem harmless, we just raised concerns about this same situation regarding the Amazon Kindle Fire tablet and its use of the Amazon cloud logging all URLs being visited.
While websites should not assume HTTPS URLs are always encrypted, some do. This can lead to usernames, passwords and other unique identifiers being embedded in a URL and accidentally disclosed to cell phone carriers through applications like Carrier IQ.
It would be preferable from a privacy perspective if software used to assist with troubleshooting network problems and software bugs were configured not to report back URLs that are intended to be transmitted over HTTPS.
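One way a diagnostic agent could apply that rule before anything leaves the handset, as an added example that is not Carrier IQ's code or code from the original article. The function name and the sample URLs are constructed for illustration, and stripping credentials, query strings and fragments from plain HTTP URLs is an extra assumption beyond the HTTPS rule stated above.

```python
from urllib.parse import urlsplit, urlunsplit

# Constructed sample URLs (not from any real capture).
SAMPLES = [
    "https://shop.example/account?user=alice&password=hunter2",
    "http://alice:s3cret@forum.example:8080/login?sid=abc123#top",
    "HTTP://News.Example/story/42",
    "ftp://files.example/pub",
    "not a url",
]


def url_for_report(raw):
    """Return the form of `raw` a diagnostic agent may report, or None.

    Policy (hypothetical): anything that is not plain HTTP is never
    reported, so HTTPS URLs are dropped whole. Plain HTTP URLs lose
    userinfo, query string and fragment, the places where usernames,
    passwords and session identifiers usually sit.
    """
    try:
        parts = urlsplit(raw.strip())
        host = parts.hostname  # lower-cased, userinfo and port removed
        port = parts.port      # raises ValueError on a malformed port
    except ValueError:
        return None            # unparseable input is never reported
    if parts.scheme.lower() != "http" or not host:
        return None
    if ":" in host:            # IPv6 literal: restore the brackets
        host = f"[{host}]"
    netloc = host if port in (None, 80) else f"{host}:{port}"
    # Path is kept for troubleshooting; note that path segments can
    # still carry identifiers, so a stricter policy would keep host only.
    return urlunsplit(("http", netloc, parts.path or "/", "", ""))


if __name__ == "__main__":
    for url in SAMPLES:
        print(f"{url!r:65} -> {url_for_report(url)!r}")
```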
Carrier IQ also stated that the information collected is sent directly to the carriers who are their customers.
RIM released a statement today clarifying their position:
RIM does not pre-install the CarrierIQ app on BlackBerry smartphones or authorize its carrier partners to install the CarrierIQ app before sales or distribution.
Verizon also made a statement denying the use of Carrier IQ, despite the fact that they do collect much of the same information for marketing purposes.
So why all of the fuss? I think the community is becoming fed up with being spied upon, with our personal lives and habits being invaded through secret programs and increasingly complicated and confusing privacy statements.
It is unfortunate that Carrier IQ didn’t simply disclose this information when Travis published his research. It is also sad that the mobile phone carriers involved didn’t make it possible to opt out of sending this information.
When I purchased my current Android phone, it prompted me, asking if I wanted to enable location services. It then proceeded to ask if I wanted to share my location information with Google. What’s so hard about that?