Mashable has an excellent summary of CarrierIQ, including what it is and why there is an uproar about it. The even more summarized version is that CarrierIQ, software made by a company of the same name, runs in the background of many smartphones and tablets, tracking performance and relaying that information to the wireless carrier. The initial controversy flared up when a researcher, Trevor Eckhart, noticed CarrierIQ and what it was doing and wrote a paper questioning whether it was acceptable, whereupon the company threatened him with a lawsuit to keep him quiet. Thanks to the intervention of the EFF, that situation was resolved. But we are still left with the basic question of whether what CarrierIQ is doing is in any way OK, legally or otherwise.
On the legal question, as the Mashable summary notes, some think what it’s doing may amount to an unlawful interception under the already-existing US Wiretap Act. Dating back to 1968, with a few major updates since, the Wiretap Act basically made it civilly and criminally impermissible for either state or private actors to intercept communications. If CarrierIQ is doing what has been alleged, including tracking keystrokes and relaying the information it discovers to another party, it may well be doing exactly the sort of interception of communications the Wiretap Act prohibits.
As will inevitably be discussed on this blog further, the Wiretap Act has substantial weaknesses in how it applies to electronic, rather than traditional telephonic, communications. Updated in 1986 to specifically incorporate electronic communications, the statute is now bloated with language that doesn’t clearly and obviously apply to the electronic communications of the 21st century. Properly amending it so it does extend the basic privacy protections incorporated in the original Wiretap Act to these communications is a topic most certainly relevant to the discussion here.
But the CarrierIQ situation raises an interesting issue that could easily be lost in the discussion: when, if ever, is it reasonable for communications to be intercepted? Even the original Wiretap Act has a maintenance exception, allowing for a telephonic provider to essentially eavesdrop on communications to the extent necessary to maintain the function of the network. What would such an exception reasonably mean in the digital age?
In answering that question it may be worth thinking about the CarrierIQ example and what feels so wrong about it. Much of the criticism seems to boil down to people being upset that more of what they were communicating was being captured and shared than they were aware of. It’s not just a privacy issue, it’s also a transparency issue. People are also unhappy to find that they had so little control over their own devices, as this software was installed not only without their knowledge but in a way that made it difficult to discover and remove.
These would all seem to be valid objections and ones that future regulation should take into account. But perhaps not at the complete expense of legitimate network maintenance concerns. The right law will understand the realities of the technology well enough to allow for minimal and carefully defined exceptions to make sure the technology can continue functioning while protecting the historically-recognized import of communications privacy.
UPDATE 12/14/11: BoingBoing reports that the FBI has admitted to using CarrierIQ for law enforcement purposes, but is refusing to say exactly how. Meanwhile the EFF has posted an analysis of how CarrierIQ seems to work, while the company itself is denying that it purposefully captured any data.