Carrier IQ Demonstrates Why We Need Better Industry Regulation

Admittedly, Facebook isn't the bastion of Internet privacy that Mark Zuckerberg would like us to believe it is.  The CEO of Facebook has publicly decried his company's policies of old and has pledged a new allegiance to ensuring that its 600 million users will not have their sensitive information handled so thoughtlessly.  Earlier this week, the Federal Trade Commission stepped in, requiring stringent guidelines such as periodic audits of how user data is handled and secured by Facebook, and for the time being, it seems that the company has had its hand bitten enough that it may just start to fall in line with what users really want, and not just what the company is willing to provide.

All of this has me thinking about user privacy in the digital age.  A blog post by Dwight Silverman on The Houston Chronicle's TechBlog says that Android app developer Trevor Eckhart found that Carrier IQ was "transmitting all kinds of data back to the company [Carrier IQ] - even information which is entered into secure websites."  On his website, Eckhart states that Carrier IQ deals in rootkit software "included on many US handsets sold on Sprint, Verizon and more."  Devices include a range of Blackberries, Nokias and a variety of Android phones.

What's more appalling is that when Carrier IQ found out about Eckhart's discovery, they threatened him with legal action, saying Eckhart breached U.S. copyright laws by posting its training manuals for public view.  Furthermore, Carrier IQ pulled those manuals from its own website after the discovery.  On November 22, the Electronic Frontier Foundation came to Eckhart's assistance, claiming the fair use doctrine applies since the documents were publicly posted for the purpose of criticism and to allow for verification of research conducted by Eckhart.

All this leads me to believe that some kind of privacy audit needs to be done, similar to what the FTC will now do with Facebook.  The American consumer has been either too trusting or too oblivious to what kind of information their cell phone gives about them and how that information is being used.  Certainly customers have the right to expect that no one is eavesdropping on their calls, but I doubt that those same customers have ever given a thought to the privacy of their text messages or other data that is transmitted between their handset and the carrier.

I liken this behavior to a man-in-the-middle attack.  Mobile service providers are between you and the receiving party, whether it be a phone call, text message or download being transmitted.  They have the power to shape, store, and read the data that you transmit across their network - all without your permission.  Regardless of the privacy policies available on their websites, mobile service providers are not obligated by law to tell you how they use the data they obtain from your network activity.  The Electronic Communications Privacy Act of 1986 (ECPA) only applies to restrict the Federal government from wiretapping and other electronic surveillance of telephone communications and includes electronic transmissions of data made by computer.  This includes the provisions under the Stored Communications Act (in the ECPA).  By definition, only the Federal government must exercise restraint in obtaining your mobile data transmissions, but not the carriers themselves. They are essentially free to do whatever they see fit with their customers' information because there is no legal restraint in place to force them to take action. Their privacy policies exist for the sole purpose of preventing lawsuits, in effect, having them say "we told you so" when you sign on with them. The fact is that no one reads EULAs, Privacy Policies or any other such indemnification.  As always, it's a classic case of caveat emptor.

Or is it?

Should mobile service providers be obliged to have your best interest in mind?  I believe so.  A good comparison is when you use location-based services that require you to check in to a location and give up some privacy in order to benefit from using the service.  That's a trade-off that is inherent in using that service.  However, is a privacy trade-off inherent when using your smart phone?  It's one thing to trade privacy for a free service - Foursquare, Pandora, etc. - but when you're paying for something, I would think consumers have the inherent right to privacy in exchange for the tidy sum they pay to providers.

It's important to note that while laws do exist to prevent data brokers from bartering for your personal information from cell phone companies, there is no provision in any existing law to prevent carriers from using this information themselves for purposes other than what it was originally intended for - to comply with legal requirements regarding law enforcement.  Carriers are legally permitted limited use of customer information for marketing purposes, but that activity is regulated by the Federal Communications Commission, not the FTC.

Your telephone company or VoIP provider may use your customer information, without your approval, to market enhancements to services you already use.

This means that your carrier can market services to you without your permission.  No marketing they do to their existing customer base is opt-in. They have the inherent right to bombard you with ads for additional services because you already pay them a fair chunk of change each month. That's a little like saying that the company that you just purchased your car from has the inherent right to splash ads all over your on-screen navigation because you paid them for the privilege.

I would be remiss in my ethics if I didn't mention that cell phone manufacturers, most notably Apple, have been caught with their pants down regarding the privacy of their customers' information.  Remember the big fluff back in April when it was discovered that Apple was inherently tracking cell phone tower data (and by association, your geolocation) through having Location Services turned on?  While this was a minor example (the data was only stored locally and not actually transmitted back to Apple), it still raised questions about the privacy of data being stored without the user's knowledge and without any kind of encryption.  At that time, the only way to secure the information was to manually turn on encrypted backup.  Most people overlook any kind of encryption setting because it's either too complicated to understand or it takes too long to back the information up.  It is unclear what, if any, of this data is being backed up to Apple's iCloud service when you choose to have backups directed to the service instead of on your computer.

In our society, it seems that the focus is put on the prying eyes that might access our data from a stolen phone, iPad, or laptop.  Too little do we give pause to think about the potential liability we have concerning our "private data" when it comes to the companies that power our mobile devices.  After all, passwords and PIN codes do little to stop those who already have access to the inner workings of our devices.  Until the FTC steps in to place tighter restrictions on what information can be inherently tracked and stored, cellular customers have little to rest easy about.