Quite a kerfuffle blew up during the past week over privacy and what happens to information about your mobile phone usage that, unknown to you, is captured on your device by logging software made by US diagnostics and analytics firm Carrier IQ and then transmitted to their servers.
The story so far:
1. A security researcher published a report on November 30 alleging that Carrier IQ’s software is a rootkit and secretly transmits data – including personally-identifiable information – from your phone to Carrier IQ without your knowledge or permission. The researcher made a video illustrating his concerns which he published on YouTube on November 28.
In essence, what the video and the report mean is broadly this: because mobile phone users haven’t given explicit permission for such data sharing (and don’t even know this software is on their phones) and can’t opt out of it, surely it’s a violation of their right to privacy.
2. Uproar ensues, with mainstream and social media alike posting critical commentary and opinion on the Big Brother-like evils of such behaviour, which is possibly illegal depending on jurisdiction and raises matters that could keep lawyers busy for months. The Electronic Frontier Foundation, the non-profit digital rights advocacy organization, rallied to the researcher’s support to counter legal threats from Carrier IQ alleging that the researcher had breached their copyright.
Vilification of Carrier IQ was well underway within hours of publication of the researcher’s report.
3. On December 1, Carrier IQ issued a press release “to clarify misinformation on the functionality of Carrier IQ software”:
[…] While a few individuals have identified that there is a great deal of information available to the Carrier IQ software inside the handset, our software does not record, store or transmit the contents of SMS messages, email, photographs, audio or video. For example, we understand whether an SMS was sent accurately, but do not record or transmit the content of the SMS. We know which applications are draining your battery, but do not capture the screen.
Notwithstanding Carrier IQ’s attempt to logically explain what their product does – and perhaps of equal significance, what it doesn’t do – the kerfuffle continues, with “yes it does / no it doesn’t” arguments among pundits and opinion leaders alike that muddy the waters and stir up a huge amount of FUD.
Interestingly, Carrier IQ isn’t anywhere to be seen in those online conversations: no comments to blog posts, tweets of engagement, or Facebook and Google+ comments.
Observing developments these past few days reminds me of other reputation-threatening crises of confidence that erupted so quickly that, before you knew it, an unplanned-for crisis had presented itself to be dealt with right now.
- Healthcare company McNeil’s baptism of digital fire over the Motrin Moms debacle – the communicators weren’t paying attention to a groundswell of critical online commentary about a marketing video promoting their market-leading over-the-counter ibuprofen pain reliever that erupted over a weekend until it reached the mainstream media and sucked in parent company Johnson & Johnson.
- Domino’s Pizza’s education regarding the social media effects from employees doing disgusting things with food products and posting the videos they made to YouTube – company executives were paying attention to increasing criticism in social media and calls for a response from the company but a senior executive had dismissed social channels like blogs as “unimportant.”
To be fair to these two companies, those events happened in late 2008 and early 2009 respectively – a time when many people in companies large and small were still trying to figure out social media. If mistakes were made, they tended to be hugely visible and high profile, as these two cases certainly were (and, in the case of Domino’s Pizza, subsequently resulted in a direct negative impact on their financial results).
If those events had happened today, I believe the ways in which both companies addressed the issues and how they made use of social media – the whole spectrum, from listening to engaging – would have been far more effective, probably ensuring that what were issues to manage didn’t develop into actual crises.
Which brings me back to Carrier IQ and their present kerfuffle. It seems to me that they’re exhibiting some of the characteristics of head-in-the-sand behaviour, even perhaps thinking that the way to get your point of view out there and influence opinion is simply a reactive press release or other command-and-control type of communication. I don’t wish to second-guess what they might be planning from now on, but I would say to them: use your champions – you do have some – and seek out friends in your online communities.
And what of the mobile carriers, the operating companies who might make use of the processed and analysed data that Carrier IQ obtains from users’ handsets – over 140 million of them according to a counter on the company’s website? As Carrier IQ say, such data is of significant commercial value to a mobile operator as it provides them with very useful and specific information on their customers’ habits as well as the technical stuff about their network and how they’re working.
While the kerfuffle has focused on the United States and mobile operators there, I wondered whether operators here in the UK use Carrier IQ’s software and services. As I have contract and PAYG relationships with Vodafone, O2 and Three, I asked them whether they use Carrier IQ in the UK.
Vodafone was unequivocal in its reply.
The user-forum post by Community Manager Tom that Vodafone referred me to says:
We can confirm that Vodafone UK doesn’t add or use Carrier IQ software on our customers’ handsets.
O2 was equally clear in its reply.
“O2 doesn’t collect data via Carrier IQ,” the mobile operator said.
In contrast to its two peers, though, Three was not so forthcoming. At first, the company said “Currently not.”
“Currently”? That seems a bit equivocal, I said.
Three wouldn’t clarify that, saying only “I can’t speculate at the moment I’m afraid.”
Little to add to that in a Twitter conversation other than note my disappointment.
So where does this exchange on Twitter leave things? While two UK mobile operators clearly say they don’t use Carrier IQ, one isn’t so clear, leaving doubt. Indeed it adds to the overall FUD: no one said they don’t track users’ usage behaviours at all – and I think it would be naive to imagine that tracking of some sort doesn’t happen, and for perfectly legitimate reasons.
The issue, though, is one of perception – what reasonable people might suspect is going on in this age of suspicion of big organizations and their motives when you have a kerfuffle like this. Indeed, fear, uncertainty and doubt – FUD – rule the roost in such instances.
Meanwhile, if you don’t trust what anyone is saying about Carrier IQ and whether or how they use it, and you have an Android phone, you could try an app such as Voodoo Carrier IQ detector, which checks your phone for it.
Given Three’s less than stellar response, and that my newest mobile device – a Samsung Galaxy S II – runs on Three’s network, I installed and ran the app on that device to check.
“Carrier IQ was not found” said the result. Great!
Still, I imagine FUD will continue until someone paints a much clearer picture of what’s going on behind the scenes.
Neville, Three’s answer was just as unequivocal as Voda and O2’s answer. All 3 carriers state that at this moment in time they do not use Carrier IQ. None of them state that they *will not* do so in future. Three’s statement that they “currently do not use Carrier IQ” amounts to exactly the same response as Voda & O2 in that they use the present tense in their response, “O2 doesn’t collect data via Carrier IQ” and “We can confirm that Vodafone UK doesn’t add or use Carrier IQ software on our customers’ handsets.”
Have you asked Voda & O2 if they plan to use the CIQ in future?
Not sure why you believe Three “leaves doubt” as to whether they use Carrier IQ – they clearly state “…Currently, no.” in their response via Twitter, and are actually more transparent than the other carriers, stating that they cannot speculate on what the future brings. Personally I think that is a fair statement.
I appreciate your point, Illico, and indeed, perhaps I am looking too harshly at Three’s choice of words.
Yet compare the statements from the three operators. Vodafone and O2 said in effect “We don’t use Carrier IQ.” Very clear. Three could have been equally clear.
Yes, I could have asked further questions and taken this into a deeper area such as you suggest. But that wasn’t my purpose for what I was writing about. (Check The Guardian on Dec 1 – they asked a similar question as mine and appear to have got plain answers back.) And as I noted in the post, who knows what other means mobile operators might be using to track usage on handsets, for legitimate purposes. I’m certainly not focusing on conspiracies, as is pretty clear from my post.
The issue to me is one of transparency. I’d say you’ll have lingering suspicions about motives as long as the FUD continues.
Having now read the Guardian piece you link to… “Vodafone, Orange and O2 told the Guardian on Thursday that they do not install the software in the UK and that to the best of their knowledge it is not shipped in any of the phones they sell.”
“… to the best of their knowledge…” now THAT leaves doubt in my mind! :)
In reality, none of the answers is wholly satisfactory. But “We don’t use Carrier IQ” and “[We] do not install the software in the UK” are pretty good ones in answer to the question posed.
Like I said, FUD reigns supreme at the moment.
Over in the US, the picture’s murky not only for Carrier IQ but also for mobile operators there now that the politicians have got involved.
Neville, perhaps Carrier IQ is keeping quiet because they have to, not because they want to or thought that this is the best way to handle the situation. The evidence is pretty bad and everybody (makers and carriers) is trying to distance themselves from CIQ as much as they can. Even CIQ is backpedaling and blaming the makers now: http://www.theverge.com/2011/12/3/2608995/carrier-iq-denies-responsiblity-insecure-log-files-blames-manufacturers
Maybe they are, Luis, but I can’t see such an approach to the matter being of any help to them. I read the post you linked to and think that Carrier IQ is getting a bad press.
But if they don’t engage effectively in the conversation – taking charge of it themselves, for instance, rather than doing reactive interviews to someone else’s agenda – that isn’t likely to change imo.