Eckhart's clip illustrated how the company's "experience insight" program, shipped on Android and Apple iOS devices sold by several carriers, can surreptitiously track all mobile user activity - even keystrokes - without user knowledge or permission.
CIQ denies Eckhart's claims, and the full extent of its program's operation and use continues to unfold. But this incident should be a wake-up call to every mobile user and employer: does any of us really know or control what's running on our smartphones and tablets?
Every Breath You Take...
Every Move You Make...
When Eckhart first published his report CIQ filed a cease-and-desist order, which it retracted under pressure from the Electronic Frontier Foundation (EFF). The company disputes Eckhart's characterization of CIQ as a rootkit and claims not to record keystrokes or content. According to the firm's statement, CIQ "makes your phone work better by identifying dropped calls and poor service, identifies problems that impede a phone's battery life, makes customer service quicker, more accurate, and more efficient, and helps [to] quickly identify trending problems."
I'll Be Watching You?
Eckhart's video clearly shows numbers entered on the dial keypad, SMS content, location, and search strings conveyed to CIQ. But the video can't show us what CIQ does with that information. Since we can't see metric profiles sent to the mobile network operators, we can't know which data are ignored, recorded or relayed.
This brings us to the heart of the issue: lack of transparency and control, for both end users and their employers. Fuss over Eckhart's report sent handset manufacturers and wireless carriers scrambling, anxious to offer reassurances and clarify their use of "experience insight" data. As of this writing, AT&T, Sprint, T-Mobile, HTC, and Samsung reportedly have issued statements describing their use of CIQ. Verizon Wireless, RIM, and Nokia have reportedly denied using CIQ. Another researcher reported finding CIQ installed on iOS3, iOS4 and iOS5 devices.
Instructions are circulating for disabling CIQ. However, caution should always be exercised when installing apps or changes from unverified sources, especially if rooting/jail-breaking is involved.
The good news is that we know more today than we did two weeks ago about what our smartphones and tablets can monitor and what our carriers claim to be tracking. The bad news is that we still have little insight into what software arrives on mobile devices at the time of purchase or via updates.
Oh, Can't You See You Belong to Me?
Carriers might argue that end users don't have the expertise to understand what's running on their handsets. And manufacturers may maintain that they only provide tools for data collection; it's up to the carrier to decide whether and how to use them.
But these arguments don't absolve manufacturers and carriers of their obligation to disclose how they collect and use personal information and potentially sensitive interactions. If the CIQ incident shines a bright light on industry practices, prompting more prominent disclosure and effective "opt out" mechanisms, all the better.
However, there's a broader lesson here for employers wrestling with smartphone and tablet support and security. While mobile device and application management systems can help IT regain visibility over software and processes running on these devices, subscribers are still beholden to manufacturers and carriers for creating and pushing firmware and OS updates.
The mobile world needs the transparency and control already present in the server and laptop world. There should be an easy way for employers to determine whether software like CIQ is present in carrier-supplied builds. Where tracking occurs, IT should be able to verify exactly what is collected and transmitted, to whom, when and how. Accomplishing this disclosure shouldn't take running a debugger or triggering a legal firestorm.
(Ed. Note - By now you surely have that song by Sting and The Police in your head. Here's a link.)