Exclusive Interview: Carrier IQ Gets Transparent About Its Mobile Monitoring

It’s been a tumultuous few weeks for Carrier IQ, the mobile analytics outfit at the center of a continuing privacy brouhaha over what its diagnostic software does and does not do. Since late November, when CIQ was first accused of keylogging all sorts of potentially sensitive information on the 150 million devices it is deployed on worldwide, the company has been scrambling to explain that its software doesn’t log or even understand keystrokes. It is simply monitoring handset behavior and network performance so that the carriers who use it can improve their service.

Now, as the company prepares to answer the questions put to it by the U.S. Senate Judiciary Committee, it’s hoping to set the record straight, once and for all, by publishing a definitive report (embedded below) on the functionality of its software, including an in-depth analysis of the video that inspired the allegations against it.

In an exclusive interview with AllThingsD, Carrier IQ CEO Larry Lenhart, and Andrew Coward, the company’s VP of marketing, discuss that report, why its software isn’t opt-in, and how it handles law enforcement requests.

John Paczkowski: Tell me about the new document you’re publishing. This is your third official statement on this debacle. Why is it necessary?

Larry Lenhart: I think over the last few weeks we’ve learned a lot about transparency. And we’ve spent a lot of time thinking about it, how we can reach out to everyone — consumers and carriers — and help them understand in more depth what we do and how our software works. This is an ongoing document. It took a lot of time and effort, based on meetings with industry experts, security experts, and Trevor Eckhart, who published the video that brought this issue to everyone’s attention. Of course, we also knew that we were going to have some conversations on Capitol Hill, and drafting the answers to the questions that were asked of us helped inform the document, as well.

Andrew Coward: Well, from our perspective, some of what was shown in the video was erroneous and wrongly attributed to Carrier IQ, so we obviously wanted to correct those misperceptions, and that took some effort. And, of course, there’s been a continuing clamor for understanding more about what Carrier IQ does. So we thought we’d put together a definitive document that says “Look, this is what we do, and we do want you to understand it and how we do it.”

You folks have been relatively transparent about this whole thing, once it blew up in the press. Your carrier partners have not. Do you feel the carriers have done you a disservice by not clearly disclosing their relationship with you to their customers?

Coward: Many of our customers have gone out on the record and described how they use our technology, and we have worked on this document with our carrier customers.

You say your software doesn’t keep a log of location, keylog and SMS information, yet Trevor Eckhart’s video appeared to show that. What was going on there?

Coward: What he was looking at there was an Android log file. And to be blunt, there was information there that shouldn’t have been. In order for Carrier IQ to get information off a device, we work with the manufacturers to deliver that information through an API. That information shouldn’t show up in an Android log file. We don’t read from Android log files; we don’t see Android log files. That info just shouldn’t be there. And, ultimately, what goes in that log file is up to the manufacturer.

So that’s not your log file in the video?

Coward: No. It’s just an Android system log file. And one of the problems with that video, and something we’ve been working to clear up, is that, while you could see that information had been passed to Carrier IQ, there was no video of what happened to that information afterwards. Was it actually captured by Carrier IQ; was it stored or taken off the device? No. And that’s really what we’re trying to clarify with the document we’re publishing.

The document you’re releasing today says that a bug in your software may have caused some SMS messages to be unintentionally collected. Can you talk about this a bit? Should we worry?

Coward: As we went and did a deep dive into our technology to prove to consumers that there is nothing untoward in it, we found a bug. We found that if an SMS was sent simultaneously while a user is on the phone, the SMS would be captured by our software. Obviously, this is something that doesn’t happen very often, but we discovered that it could happen, and we caught it. Now, that information was never used. It wasn’t decoded. It sat on a server in encoded format, and no one could really get to it.

Lenhart: We didn’t even know the data was being captured. The actual information is in nonreadable format. And our customers didn’t know it was there. So it was never looked at. Over the past few weeks, we worked with our customers to resolve the issue.

In the document you’re publishing today, you describe three scenarios for how your software gets on user’s phones: Preloading, where manufacturers install it on devices prior to shipment at the carrier’s request, and it has access to no more data than any other app on the device; aftermarket, where the consumer downloads and installs it at the carrier’s request; and embedded, which requires actual integration work by a device manufacturer, again at the carrier’s request. You say carriers more often than not choose the embedded option over the others you provide. Why do you think that is?

Coward: Really, it’s because embedded was the first option we offered. We’ve only added the others this year.

Why isn’t Carrier IQ opt-in? Shouldn’t it be?

Lenhart: Our technology is defined to do either opt-in or opt-out. But it’s the carrier’s call on whether or not they’re implemented.

Okay. But shouldn’t they be implemented?

Lenhart: Well, the carriers have the privacy relationships with the end user. But we’re certainly supportive on the dialogue going on around this issue.

Coward: We think there’s a quid pro quo between consumers and operators. Consumers expect their phones to work. They expect that if they have problems with their phones, the carriers will do something about them. They also expect that if they call in for help, the carrier will actually have a clue about why their phone is crashing or their calls are dropping. So there’s an implicit understanding that the carrier knows enough to be able fix the problem.

But wouldn’t it be better to just ask consumers to agree to that quid pro quo right up front?

Coward: Well, that’s a good question for the industry. Should there be opt-in/opt-out? And if there is, what does that mean for customer service; what does that mean for the end-user experience?

Why do the carriers need you? Couldn’t they capture a lot of this information themselves?

Coward: Certainly, the network provides a huge amount of information. But the network can’t tell you why your battery won’t hold a charge or an application is crashing. So there’s a missing piece here in the diagnostic puzzle, and that’s what we provide. And what you need to understand is that this is a technology that’s hard to implement. If you’re a handset manufacturer, it’s much easier to work with an industry player like Carrier IQ.

Who decides what your software does and does not track?

Coward: We work with the carrier to determine that. There is a line in the sand between what we would collect and what we would not collect. And we draw that line at content. We absolutely do not intend to capture content from subscribers. We collect information about their mobile phone experience, and about what happens.

Have you been asked to collect content?

Coward: We’ve not been asked, nor would we do it if we were.

How does Carrier IQ handle the usernames, passwords and other personal information that is embedded in an HTTP’s URLs?

Coward: We’re investigating that issue at the moment. And we recognize that it’s a sensitive one. It is not our intention to capture information that might be confidential.

So you have about two more days before you have to answer the questions put to you by Al Franken and the Senate privacy panel. Can you give me an idea of what you’re going to say?

Lenhart: Well, if you read the document we’re publishing, I think you’ll find answers to most of the questions that Senator Franken asked. … We’re actually in Washington right now, and we’ll be meeting with the folks that have asked for information about Carrier IQ over the next few days.

Are people right to be concerned about Carrier IQ? Could your software be misused?

Lenhart: No. We’re a diagnostic software company. We love diagnostic information. We are not interested in content. And that’s where we draw the line. We don’t want content, and we don’t have the ability to capture it. Remember, the information that’s captured off a user’s device is determined by the carrier, according to their privacy agreement.

You say you are not permitted to analyze, resell or reuse any of the information gathered for your own purposes, or to pass it to any third party, unless required by law. Do you know if law enforcement uses Carrier IQ data, and in what manner?

Lenhart: We have been approached by law enforcement about using our technology, and every time it’s happened, we’ve determined that that’s not an appropriate use of it. A lot of data that we capture is historical, so if you really want to find out where somebody is and what they’re doing, our technology isn’t going to give you that. Remember, this is diagnostic data. And we don’t share it with anyone.

But you do say that you would hand over data if required by law.

Lenhart: We would refer them to the carriers, because the diagnostic data collected belongs to the network operators, not Carrier IQ.

How damaging has this whole ordeal been to Carrier IQ? Or has it been damaging at all? Certainly, a lot more people know who you are today than did a few weeks ago.

Lenhart: Our world has been turned upside down. We love what we do, and we have a lot of passion for it. And to see it misunderstood like this has been painful. We want to make sure people really understand who we are and what we’re doing.

Read Carrier IQ’s report on the functionality of its software: