Quite a kerfuffle blew up during the past week over privacy and what happens to information about your mobile phone usage that, unknown to you, is captured on your device by logging software made by US diagnostics and analytics firm Carrier IQ and then transmitted to their servers.
The story so far:
1. A security researcher published a report on November 30 alleging that Carrier IQ’s software is a rootkit and secretly transmits data – including personally-identifiable information – from your phone to Carrier IQ without your knowledge or permission. The researcher made a video illustrating his concerns which he published on YouTube on November 28.
In essence, what the video and the report mean is broadly this: because mobile phone users haven’t given explicit permission for such data sharing (and don’t even know this software is on their phones) and can’t opt out of it, surely it’s a violation of their right to privacy.
2. Uproar ensues, with mainstream and social media alike posting critical commentary and opinion on the Big Brother-like evils of such behaviour, which is possibly illegal depending on jurisdiction and raises matters that could keep lawyers busy for months. The Electronic Frontier Foundation, the non-profit digital rights advocacy organization, rallied to the researcher’s support to counter legal threats from Carrier IQ claiming that the researcher had breached their copyright.
3. On December 1, Carrier IQ issued a press release “to clarify misinformation on the functionality of Carrier IQ software”:
[…] While a few individuals have identified that there is a great deal of information available to the Carrier IQ software inside the handset, our software does not record, store or transmit the contents of SMS messages, email, photographs, audio or video. For example, we understand whether an SMS was sent accurately, but do not record or transmit the content of the SMS. We know which applications are draining your battery, but do not capture the screen.
Notwithstanding Carrier IQ’s attempt to logically explain what their product does – and perhaps of equal significance, what it doesn’t do – the kerfuffle continues, with “yes it does / no it doesn’t” arguments among pundits and opinion leaders alike muddying the waters and stirring up a huge amount of FUD.
Observing developments these past few days reminds me of other reputation-threatening crises of confidence that erupted quickly: before you knew it, an unplanned-for crisis had presented itself for you to deal with right now.
- Healthcare company McNeil’s baptism of digital fire over the Motrin Moms debacle – the communicators weren’t paying attention to a groundswell of critical online commentary about a marketing video promoting their market-leading over-the-counter ibuprofen pain reliever. The commentary erupted over a weekend, and they weren’t paying attention until it reached the mainstream media and sucked in parent company Johnson & Johnson.
- Domino’s Pizza’s education regarding the social media effects from employees doing disgusting things with food products and posting the videos they made to YouTube – company executives were paying attention to increasing criticism in social media and calls for a response from the company but a senior executive had dismissed social channels like blogs as “unimportant.”
To be fair to these two companies, those events happened in late 2008 and early 2009 respectively – a time when many people in companies large and small were still trying to figure out social media. If mistakes were made, they tended to be hugely visible and high profile, as these two cases certainly were (and, in the case of Domino’s Pizza, subsequently resulted in a direct negative impact on their financial results).
If those events had happened today, I believe the ways in which both companies addressed the issues and how they made use of social media – the whole spectrum, from listening to engaging – would have been far more effective, probably ensuring that what were issues to manage didn’t develop into actual crises.
Which brings me back to Carrier IQ and their present kerfuffle. It seems to me that they’re exhibiting some of the characteristics of head-in-the-sand behaviour, even perhaps thinking that the way to get your point of view out there and influence opinion is simply a reactive press release or other command-and-control type of communication. I don’t wish to second-guess what they might be planning from now on, but I would say to them: use your champions – you do have some – and seek out friends in your online communities.
And what of the mobile carriers, the operating companies who might make use of the processed and analysed data that Carrier IQ obtains from users’ handsets – over 140 million of them according to a counter on the company’s website? As Carrier IQ say, such data is of significant commercial value to a mobile operator as it provides them with very useful and specific information on their customers’ habits as well as the technical stuff about their network and how it’s working.
While the kerfuffle has focused on the United States and mobile operators there, I wondered whether operators here in the UK use Carrier IQ’s software and services. As I have contract and PAYG relationships with Vodafone, O2 and Three, I asked them whether they use Carrier IQ in the UK.
Vodafone was unequivocal in its reply.
The user-forum post by Community Manager Tom that Vodafone referred me to says:
We can confirm that Vodafone UK doesn’t add or use Carrier IQ software on our customers’ handsets.
O2 was equally clear in its reply.
“O2 doesn’t collect data via Carrier IQ,” the mobile operator said.
In contrast to its two peers, though, Three was not so forthcoming. At first, the company said “Currently not.”
“Currently”? That seems a bit equivocal, I said.
Three wouldn’t clarify that, saying only “I can’t speculate at the moment I’m afraid.”
There was little to add to that in a Twitter conversation other than to note my disappointment.
So where does this exchange on Twitter leave things? While two UK mobile operators clearly say they don’t use Carrier IQ, one isn’t so clear, leaving doubt. Indeed it adds to the overall FUD: no one said they don’t track users’ usage behaviours at all – and I think it would be naive to imagine that tracking of some sort doesn’t happen, and for perfectly legitimate reasons.
The issue, though, is one of perception – what reasonable people might suspect is going on in this age of suspicion of big organizations and their motives when you have a kerfuffle like this. Indeed, fear, uncertainty and doubt – FUD – rule the roost in such instances.
Meanwhile, if you don’t trust what anyone is saying about Carrier IQ and whether or how they use it, and you have an Android phone, you could try an app such as Voodoo Carrier IQ detector, which checks your phone for the software.
Given Three’s less than stellar response, and that my newest mobile device – a Samsung Galaxy S II – runs on Three’s network, I installed and ran the app on that device to check.
“Carrier IQ was not found” said the result. Great!
Still, I imagine FUD will continue until someone paints a much clearer picture of what’s going on behind the scenes.