Carrier IQ 'may have' collected text messages

This is why software like Carrier IQ is a bad idea.

The Carrier IQ story just won't go away.

Earlier this month the tech world became aware of Carrier IQ - software installed onto millions of handsets designed to send usage and diagnostic data back to the carriers. Initially the company denied that there was anything sinister about the logging software, but it has now admitted that a bug in the software meant that SMS messages 'may have' been captured.

Here is the company's explanation:

Carrier IQ has discovered that, due to this bug, in some unique circumstances, such as a when a user receives an SMS during a call, or during a simultaneous data session, SMS messages may have unintentionally been included in the layer 3 signaling traffic that is collected by the IQ Agent. These messages were encoded and embedded in layer 3 signaling traffic and are not human readable.

A couple of points worth making.

  • Saying that the captured SMS messages were 'not human readable' is invoking weasel words to try to downplay the severity of the matter. Binary is not human readable, but it's not hard to make it human readable. No mention is made of whether the diagnostic data was encrypted, so we can assume not.
  • Software bugs are a fact of life. They're not going to go away. However, what's worrying here is that this bug (and from a privacy standpoint, it's a pretty serious bug) went unnoticed until public attention was focused on Carrier IQ. No mention is made of how long this bug was in place.

And there are more weasel words from Carrier IQ:

Carrier IQ customers who have deployed the embedded version of the IQ Agent have been informed of this bug, and Carrier IQ has worked with customers to fix it and ensure that this information is no longer captured.  Only embedded versions of our software are affected by this bug.

'Customers' here are not people like you and me. They're the handset makers and network operators. Also, no mention is made of how many actual 'users' were affected by this bug, for how long they were affected, and how many handsets have been patched so far.

And this is why software like Carrier IQ is a bad idea. In principle, I'm not opposed to software installed onto devices for diagnostic and telemetry reasons because this serves a valuable purpose. But I do have a problem when users are not informed about the existence of this software and are not given the opportunity to opt-out.

Data leakage, whether that be deliberate or accidental, is a serious matter. It represents a breach of trust between consumer and service provider. While I can see the benefits that a tool like Carrier IQ bring to the networks and handset makers, we can't lightly abandon privacy for the sake of a better service.