You’ve probably seen some of the media frenzy surrounding Carrier iQ and its potential privacy implications. We recently spoke with Andrew Coward, Vice President of Marketing at Carrier iQ, about security researcher Trevor Eckhart’s recent findings and security concerns regarding CIQ. It has come to light that Carrier iQ has now issued Trevor a cease-and-desist order to remove his findings from his website, along with copyrighted material that Trevor is publicly distributing on his site. Skip past the break if you’re curious about what Carrier iQ has to say about the situation.
Andrew Coward is a network industry veteran with global executive leadership and innovation experience in technical development, sales, and marketing. He has held various global Vice President positions at Juniper Networks, including VP Market Intelligence, VP Service Provider Marketing, and VP Technical Operations. Prior to Juniper Networks, Andrew co-started the Asia Pacific offices of Unisphere Networks, a Siemens-funded start-up company that Juniper acquired. In these and other positions, Andrew consulted with a wide variety of service providers, enterprises, and governments for whom he designed and planned some of the largest networks in APAC and the first government backbone IP networks in the United Kingdom.
Andrew and I were both well aware of what the interview’s subject would be. The first question I asked was what Carrier iQ is all about and what its purpose is. Carrier iQ is software that allows companies and carriers to see data on their devices in the wild. What areas have weak coverage? Which devices are not getting the expected battery life? Carrier iQ provides answers to these questions and more by collecting data to help their clients see their products in action.
So what is the big deal? CIQ typically provides an opt-out program in their standard application, and the feature is prominently shown in their videos. Recently, cell phone manufacturers such as Samsung and HTC have built CIQ into their software at their own or the carriers’ discretion. This isn’t the problem. Rather, the issue is that Carrier iQ’s clients have been removing the ability to “opt-out” of the service.
When I questioned Andrew about this concern, he stated that the changes were their clients’ prerogative. The clients of CIQ have the ability to use their software and collected data in whatever way they see fit, without CIQ involvement. CIQ does offer to analyze the data if their clients allow, but all data collected by the CIQ software is sorted, then forwarded to their clients for their usage. Essentially, CIQ’s clients can make any changes to their software as they please. (We will go into detail about this later.)
So I pressed on, asking why Carrier iQ isn’t more involved in the installation of their software on devices. Andrew said that it hasn’t been necessary in the past. Carrier iQ has been around for years within our devices, dating back to simple feature phones, and it has never been a problem before. Recently there has been a shift in the public’s awareness of their data being used to help improve their devices and software without their “acknowledged consent.”
This led to the software itself, and what exactly it collects from our devices. Many have been considering it a “rootkit”-type application, and with Trevor’s findings about CIQ’s keylogging, I questioned the need to even collect such information. Andrew clarified that CIQ tracks the keys pressed so it can detect when not to record private, unnecessary information. (This is contradictory to CEO Larry Lenhart’s video response.) It also needs to track when you are dialing on your phone so it knows when you are trying to make a call. CIQ doesn’t run constantly. Rather, it kicks in when certain criteria are met so it can begin to record data in bursts.
Andrew was unable to speak about CIQ’s clients due to NDAs, but he did mention that manufacturers, in addition to carriers, were clients. In other words, this is not just limited to the carriers.
Andrew did want to clear the air and fix some misconceptions about Carrier iQ as a malicious “rootkit.” Carrier iQ is simply a tool used by carriers, manufacturers, and their operators to help facilitate the ability to collect data that is unattainable by their clients without CIQ. CIQ collects data as specified by their clients. Andrew was clear to say that the data is anonymized to a certain extent. The alleged lack of anonymity was a major concern for the developer community. The data is in fact wiped of any personal identification information, but it does keep track of the location of the device, what type of device it is, and when phone calls and SMS messages are made and received. This information is crucial to the improvement of networks—without this information, the data would be useless.
But then the tables turned, in a good way. Andrew decided to ask me what the problem with the situation is. So here is my explanation of the problem currently:
Many people, including me, don’t have a problem with the fact that Carrier iQ is collecting data, and essentially the companies and carriers are using said data to improve the devices and network. What we all have a problem with is the part about “opt-in.” We have had a growing concern for violation of privacy, and distribution of our data, for the past year, starting with the Facebook scandal of them sharing all of our information with whoever was willing to pay enough for it, to “Location Gate” with Apple and Google. So forcing us into this opt-in without our acknowledged consent is truly a violation of our right to privacy.
Not only is privacy being violated, but we aren’t even getting a say in whether we allow Carrier iQ to take our data. The clients of Carrier iQ are removing the one thing that is essential in the collection software, the choice to “opt-in” or “opt-out.” It may not be Carrier iQ’s fault, but their clients are abusing their software and dragging their name through the mud by doing so. And since they are Carrier iQ’s clients, they are directly responsible for their actions.
Occupy Wall Street is about how only 1% of the country has a say in what we do, while the other 99% does not. This is an uprising that is spreading across the nation, and spreading at an exponential rate. People want a say; it’s natural, and it’s why the United States was founded. When the manufacturers and carriers, the 1%, make a decision for us, the 99%, it may not be something we want. Developers have joined together to fight numerous battles: Locked Bootloaders, Location Gate, and GPL Violations. All of these were things no one had a choice in deciding, but the “99%” fought against them anyways.
Carrier iQ needs to fix a wrong. Allowing their clients to take away the rights of their customers is just as wrong as what they are doing now. Carrier iQ’s name will continue to get bad PR if something does not change, and change soon.
Andrew took to this well. He was thankful for my input, and I think it was a great summary of how this has proceeded. Hopefully this argument does produce results. We are already planning a follow-up in a few weeks to get an update on the situation. As for Trevor, due to the current legal proceedings, Andrew could not comment on the specifics. However, he did mention that Carrier iQ does like having control of how their training material is distributed, and how it is being used.
Thank you, Andrew Coward, for your cooperation on this interview.