Carrier IQ Gets Scrooged For The HolidaysCarrier IQ Gets Scrooged For The Holidays

Imagine this scene: You're the CEO of a hot company that makes diagnostic software for smartphones. Your software is used by some of the biggest carriers in the world--including Sprint and AT&T--to maintain the quality of their subscribers' calls, improve smartphone battery life, and troubleshoot any other problems with their handsets. But your diagnostic app is always installed on handsets by manufacturers and carriers in a manner that makes it difficult to remove, if it can even be detected.

But a respected security researcher does detect your software, and with good reason. He's watching the packet traffic inside an enterprise network that he manages, and he finds something unknown exfiltrating data. Chasing down the source of the communications, he finds that employees' phones are literally phoning home over Wi-Fi, via his networks, to your company: Carrier IQ.

The researcher, Trevor Eckhart, isn't the first one to spot the Carrier IQ software and wonder what it's doing. In February, a security researcher who goes by the name "k0nane" found it on the Samsung Epic 4G and released a SyndicateRom Frozen update for the Epic 4G to remove it. Likewise, a concerned Tim Schofield of the Android Creative Syndicate team detailed what Carrier IQ seemed to be doing. This would have been a great point for you to reassure Android fans about how your software could make their lives better.

Instead, Eckhart tries to determine what's going on. He reviews your company's privacy policy, which says that your products "work within the privacy policies of our end customers." For a company that's receiving phoned-home data from smartphones operating inside his business, that lack of clarity is both suspicious and alarming to Eckhart. So he begins digging and finds publicly accessible training manuals on your website.

In the spirit of full disclosure, Eckhart then openly publishes his research on Carrier IQ, backing it up with copies of the research manuals. He also invites anyone to comment on or refute his work.

Eckhart has two big concerns: First, your app appears to be seeing everything he does, from HTTPS strings in the browser to actual keystrokes. He wonders if the app logs this sensitive data, or transmits any of it to your servers? Second, he's concerned that the data being tracked by your servers could easily identify individual handset users. Accordingly, "I would like to know exactly who has seen this data, what data has been recorded, and who has recorded it. This data should also be subject to some clear privacy policy," Eckhart says. Without that clarification, he argues, the software is simply a rootkit: unwanted, hidden, hard to delete, but running with root-level access.

But instead of embracing the spirit of full disclosure, you send Eckhart a draconian cease and desist letter, threatening him with $150,000 per count of copyright violation (for the manuals) and warning that unless he bends over backwards to take back everything he's said about your company, you'll make him pay--big time. The effort has the effect of silencing other researchers, such as k0nane, who immediately deletes the research comments he has recently added to news stories about Carrier IQ. In short, everyone moves on.

Of course, the story doesn't actually end this way. Instead, Eckhart turns to the Electronic Frontier Foundation, which quickly steps in with a reminder that Eckhart's research enjoys free-speech protections. On the eve of Thanksgiving, you issue a statement in agreement, and with an apology. On Thursday, meantime, after new questions have emerged about whether your software might break wiretap laws and lead to class action lawsuits--not to mention queries about who exactly pays for the network bandwidth consumed by the Carrier IQ app--you issue another statement, answering many, but not all, of the data-collection questions that Eckhart and others had posed.

That's the present. Now, what might happen in the future? Here's one scenario: Based on a mounting level of concern about your software--largely installed by manufacturers on behalf of carriers, but written by your company and sending data to your backend data servers--you fly out to meet Eckhart in Connecticut with your top developers in tow. You walk Eckhart through a demo of your software, the kind of demo that you give to prospective customers.

Better still, show Eckhart exactly what data you've collected from his HTC phone. Invite him to amend his research, based on what he sees. Meantime, rewrite your privacy policy to clearly detail what you're doing. Borrow from the detailed analysis of your data collection practices that Sen. Al Franken (D-Minn.) has demanded by the middle of December.

Next, let all handset owners see a copy of everything you've collected about them, and also ensure they know when your app is running on their phones. Finally, give them the freedom to deactivate it. Maybe they--or their network administrators--would choose to do so only when connected to the corporate network, or if they change carriers. But at this point in the story, it's up to you to convince smartphone users why they should trust your software.

Sensitive customer and business data is scattered in hidden corners of your infrastructure. Find and protect it before it winds up in the wrong hands. Also in the new issue of Dark Reading: The practical side of data defense. Download the issue now. (Free registration required.)