In a case of a paranoiac actually being right about someone following them comes word that certain cell phone carriers are monitoring every action you take on certain smart phone models.
As if sending sensitive personal and financial information coursing over the Internets don't make you queasy and paranoid enough – all on top of Android's other security issues ("Android Virus Epidemic: Is Your Phone Infected?").
This latest privacy violation comes from something called Carrier ID. It's a piece of software running in the background on certain Samsung and HTC smart phone models from Sprint and AT&T; according to a CNN Money article, the Carrier ID software is installed on more than 150 million phones.
CIQ apparently records everything you do on your phone – keystrokes hit, Web pages visited, text messages, et al.
That can't be good, right?
Big Brother or babysitter?
Carrier ID (the company) insists CIQ (the software) is simply a diagnostic tool, that no information is actually stored or used for/against you. The company released a statement yesterday, noting:
While a few individuals have identified that there is a great deal of information available to the Carrier IQ software inside the handset, our software does not record, store or transmit the contents of SMS messages, email, photographs, audio or video. For example, we understand whether an SMS was sent accurately, but do not record or transmit the content of the SMS…
…Our software makes your phone better by delivering intelligence on the performance of mobile devices and networks to help the operators provide optimal service efficiency.
And Sprint told CNET that "We do not and cannot look at the contents of messages, photos, videos, etc., using this tool."
So is CIQ benign, just a way for carriers, according to Carrier ID, "to diagnose operational problems on networks and mobile devices"?
Well, the security researcher, Trevor Eckhart, who discovered and first investigated CIQ, was hit with a Cease & Desist letter from Carrier ID, which doesn't bode well for Carrier ID's claims of inncuousness.
Stop looking at me!
I'm an iPhone user, so apparently I have no CIQ worries. Apple issued this statement to the Wall Street Journal:
We stopped supporting Carrier IQ with iOS 5 in most of our products and will remove it completely in a future software update. With any diagnostic data sent to Apple, customers must actively opt-in to share this information, and if they do, the data is sent in an anonymous and encrypted form and does not include any personal information. We never recorded keystrokes, messages or any other personal information for diagnostic data and have no plans to ever do so.
So, if you're an iPhone user, just update your phone's software to the latest version (which you should have already), and you can rest your sphincter.
As for other devices, Eckhart told CNET "HTC Android devices have no on-off switch for Carrier IQ, while Samsung devices do, but it is not easily accessible or pointed out to users." Perhaps the carriers, worried about user backlash, will enable consumers to more easily opt out of this digital voyeurism.
Personally, I subscribe to the theory of technical trade-offs proffered by Henry Drummond, the Clarence Darrow stand-in in the play/movie Inherit the Wind:
Progress has never been a bargain. You have to pay for it. Sometimes I think there's a man who sits behind a counter and says, "All right you can have a telephone but you lose privacy and the charm of distance…Mister, you may conquer the air, but the birds will lose their wonder and the clouds will smell of gasoline."
To extend this metaphorical musing, we can instantly communicate with anyone on the planet at any time and can access the accumulated knowledge of humankind, all from a pocket device – but as everyone and everything is accessible to us, we must accept our accessibility to others.
When is privacy invasion okay?
That doesn't mean I'm in favor of blindly accepting all these privacy intrusions – as in all things, each individual situation requires its own examination.
For instance, we all know, whether we admit it or not, that companies have always wanted to know as much as possible about their customers and that they'll skirt the unguarded border of propriety and legality to get it. Intellectually we understand this rationale, but as Americans we're naturally suspicious and crotchety about it.
And not all personal data capture is necessarily an invasion of our privacy. After all, how often have you given your credit card to a scruffy gas station attendant? Given a restaurant your address and phone number when you order food? Supplied a cash register attendant with your phone number and Zip Code? Poured your heart out to someone on a second date? In many ways, you've armed nearly complete strangers with as much information as CIQ collects.
What's disheartening isn't necessarily Carrier ID's data capture, it's the surreptitious nature of its behind-the-scenes collection method. We should have been told – more openly than the stacks of permissions and legalese we blindly accept when we download an app.
You want us to trust you? Then trust us with all the information we need – expressed in plain English – and the means to make a decision about just what personal data we are willing to let you capture.
