Carrier IQ will not name companies using its softwareImage: Fotolia/Aaron Amat
December 6, 2011
US vendor Carrier IQ says it is only providing software to mobile carriers to improve service. But German, Irish, and UK officials say they are looking into possible breaches of data protection law.
As a result of the ongoing worldwide scandal stemming from possible privacy breaches on little-known monitoring software installed on over 140 million mobile phones worldwide by an American company, Carrier IQ, European data protection authorities and consumer advocacy groups have now taken early steps toward investigating a possible breach of local and European Union data protection laws.
On Tuesday, Thomas Kranig, head of the Bavarian State Office for Data Protection in southern Germany, told Deutsche Welle he had sent a letter of inquiry to Apple's Munich office.
"I've only asked if they use it, and if so, how they use it, and nothing else," Kranig said.
Meanwhile, Irish authorities said they had contacted local mobile providers with similar questions. And a representative from the British data protection authority said on Tuesday it would soon be contacting UK-based carriers.
In November, an American computer security researcher, Trevor Eckhart, showed on his website a hidden application that runs on millions of smartphones monitors,tracks various actions on the phone and is difficult to remove.
Eckhart demonstrated his finding on an HTC Android phone, but various other mobile phone makers and carriers have admitted to currently or previously using the software.
Nokia, of Finland, HTC of Taiwan, and RIM, the Canadian company behind BlackBerry, have said they are not customers of Carrier IQ, but added that some carriers, at least in the United States, have required the software to be used.
Verizon, the largest American mobile carrier, said it does not use the software, but T-Mobile USA and AT&T say that they use it "[solely] to improve wireless network and service performance."
In a statement published on its website on December 1, Carrier IQ wrote that says its software is designed only to "measure and summarize performance of the device."
"Our software does not record, store or transmit the contents of SMS messages, email, photographs, audio or video," the statement continued. "For example, we understand whether an SMS was sent accurately, but do not record or transmit the content of the SMS. We know which applications are draining your battery, but do not capture the screen."
Data protection authorities preparing inquiries
Last Friday, the Bavarian State Office for Data Protection sent a letter to Apple questioning the company about its use of Carrier IQ's software. Apple's German headquarters is based in Munich, in the state of Bavaria.
Kranig, the office's head, stressed that similar letters of inquiry were sent out by his office "every day" and that this did not mean that Apple was under a formal investigation.
Kranig noted that he expects a response via Apple's headquarters in California to take around two weeks, and then his office will re-evaluate what its next steps would be.
Apple recently said in a statement that it did previously use Carrier IQ in older iPhones but stopped supporting it the latest version of iOS 5, and "will remove it completely in a future software update."
"If that is right, then I think it's no problem, but I will wait and we'll see," Kranig said.
The data protection chief added that he would soon be corresponding with his counterparts in Germany and Europe to ask them if they have begun inquiries and if so, what information they have uncovered.
"As a general principle, however, if any data amounting to personal data was transmitted, it would require an explicit consent from the phone user," wrote Lisa McGann, a compliance officer at the Irish Data Protection Commissioner's office, in an e-mail to Deutsche Welle.
In a 2009 press released published on its website, Carrier IQ also announced a deal with Vodafone Portugal, but the company now says that press release is inaccurate.
As of press time, the Portuguese Data Protection Authority did not reply to inquiries as to whether or not it had begun any inquiries or investigations against Carrier IQ or Vodafone Portugal.
In an e-mail sent to Deutsche Welle, Deutsche Telekom said does not use Carrier IQ software in Germany or elsewhere in Europe.
Meanwhile, on Twitter, representatives from O2 Ireland and Three UK both said they don't either. In a posting on its community forum, a representative from Vodafone UK said it does not "add or use Carrier IQ software on our customers' handsets."
Carrier IQ says information access and level of service is a 'tradeoff'
In an extensive interview published on Monday with The Verge, an American technology blog, Andrew Coward, a Carrier IQ vice president, said that the company does most of its business in North America today, but added that "we are spending quite a lot of time in Europe and hope to grow our business there."
In the interview, Coward also responded to a question about whether or not the company's monitoring practices "crossed the line into collecting content," by saying that this was a "philosophical question."
"There's a high level of trust between the operator and the consumer, and that extends into 'Why the hell is my phone not working properly' and not being able to ask those questions, he said. "The tradeoff for sharing information enables those answers to be provided quickly and efficiently."
Coward also declined to name which carriers and manufacturers were using his company's software, citing "contractual obligations."
In a written introduction to the interview transcript, the authors of The Verge interview, Sean Hollister and Dieter Bohn, wrote that "it's seriously troubling to hear a company flat-out refuse to tell you on which phones its tracking software is installed and with which carriers and OEMs it has partnered. All too often, on issues of disclosure, data privacy, and technical implementation, Carrier IQ shifted responsibility onto its un-named partners."
Likewise, this lack of transparency and obvious disclosure to actual mobile phone users is something that seems to be of the most concern to privacy watchdogs.
"I think [Carrier IQ] has to inform the customers what kind of software they use, and they have to give the customers the possibilities to use it or not to use it," Kranig added. "That's the most important. Maybe for some reasons it's necessary to have the software, but the customer must know happens with his or her smartphone."