Carrier IQ representatives have released another public statement this week defending the company's data collection processes, reiterating its stance that the software is only used for quality control purposes.
But is the fact that this information is available at all a privacy concern, and a potential compliance violation? Some experts say yes.
"The most important aspect of any privacy violation is not necessarily that the information is out there, but whether the individual consented to the use of that information," said Claudia Rast, a partner with Ann Arbor-based law firm Butzel Long. "It could be a compliance violation if people are not aware of the information that is being collected."
The flak surrounding Carrier IQ began after a video went viral claiming that Carrier IQ software logged phone user's activity, including phone numbers dialed, Web searches and text message content. Critics claimed the software violated wiretapping laws and Carrier IQ has been forced to publicly defend its data collection practices after drawing ire from the likes of Google, senators and mobile phone consumers.
Carrier IQ representatives defended the company's tactics in a press statement Dec. 1, saying its software "does not record, store or transmit the contents of SMS messages, email, photographs, audio or video." Instead, the software is only used as a quality and customer service tool that delivers intelligence on the performance of mobile devices and networks to help the operators provide service efficiency, according to Carrier IQ.
People now have a concrete example of what really is complete and total access to our mobile devices from a carrier's perspective.
Jeff Schmidt, CEO, JAS Global Advisors LLC
Despite Carrier IQ's best intentions, just the fact that this information exists could create privacy concerns. Rast says while there is little doubt that much of the information Carrier IQ collects is used for diagnostics and customer service, that information could prove invaluable to those looking to use if for more nefarious purposes.
"The dark side of that is when you can connect that information with any personally identifiable information of the owner of the device," Rast said. "Ad people and marketing people really love that kind of information. When that can get connected up, that can be a privacy violation."
Jeff Schmidt, founder and CEO of Chicago-based information security firm JAS Global Advisors LLC, said one question surrounding the Carrier IQ's data collection processes is how it relates compliance with the Payment Card Industry Data Security Standard. Schmidt used the example of technology that allows payments by using your phone as you would a credit card.
"Even if the device is encrypting the credit card numbers, at that moment something like Carrier IQ could always see it before (the encryption)," Schmidt said. "I think the credit card example is an interesting one, and is going to get some additional scrutiny."
Carrier IQ and BYOD
Bring your own device (BYOD) policies have been the rage since the explosion of personal device use in the workplace, and these policies are designed to protect exactly the type of information Carrier IQ is collecting. As a result, the information could end up posing problems down the road for those that use devices with the Carrier IQ software.
Companies could be caught off guard by this development, especially in regards to disclosing their own privacy policies to employees, Rast said.
"I would venture to say that many companies with mobile devices don't have privacy policies that explicitly let their employees know that those devices are gathering that type of information," Rast said. "If there is no policy that notifies them of that -- that can be a potential privacy violation."
And what if this information gets in the hands of hackers? It's one thing for Carrier IQ to use its software on the up and up, but as hackers get more sophisticated what is to stop them from attacking Carrier IQ's software to gain access to this litany of personally identifiable information?
"I guarantee you now that people are looking for that now that they know it is available," Schmidt said of the potential attention from hackers. "I think that's a secondary concern that is rising from this."
Hands are tied, for now at least
Security technologist and author Bruce Schneier says simply that if CarrierIQ collects confidential information, it is certainly a privacy violation. However, he quickly adds that there is little regulators and consumers can do about it, at least for now.
"CarrierIQ works in the background and cannot be turned off," said security technologist and author Bruce Schneier. "No language in any document -- I suppose language in a new law would be an exception -- makes any bit of difference."
Schmidt agrees, noting that mobile device carriers have always had a wealth of usage and location data so it is technically possible for them to do "pretty much whatever they want" with respect to monitoring and collecting information.
But up until Carrier IQ came on the scene, this fact has largely stayed under the radar.
"If someone really started asking what kind of data they (carriers) have access to, it might be uncomfortable," Schmidt said. "I think this is the opening of Pandora's box -- people now have a concrete example of what really is complete and total access to our mobile devices from a carrier's perspective."
Let us know what you think about the story; email Ben Cole, Associate Editor.