Facebook and other online services have come under increasing pressure to provide users with greater visibility and control over how their information is shared. A glance at their FTC Settlement describes the policy changes they are required to make to respect consumer privacy rights. That’s a pretty big deal for a service built entirely around the notion of sharing information!

But while we’ve been fixated on the motivations of Facebook, Google+ and others, it turns out that a violation of our privacy rights has happened with cell phone information.

A recent discovery by security researcher Trevor Eckhart reveals that perhaps 150 million cell phones carry software from a company called CarrierIQ which he alleges behaves like spyware. The stated purpose of the software is to allow carriers and handset makers to collect diagnostic data that helps them improve the user experience. Sounds reasonable in theory. But as demonstrated in Eckhart’s video, the type of data collected goes way beyond what you might reasonably consider legitimate for diagnostic purposes. Phone numbers, text messages and -- perhaps most shocking of all -- web browsing information including passwords even if submitted to websites over encrypted https connections.

Here is a summary of how the software behaves from Eckhart’s perspective:

  • You don’t even know it exists: It is effectively invisible to all but the most knowledgeable users. It doesn’t show up anywhere in the start up sequence or in the app launchpad. There are no terms & conditions or privacy policy for the user to consider and opt-out. It effectively behaves like a rootkit.
  • You can’t get rid of it: It is configured to start automatically when the phone is switched on and remains a running application without the ability for the user to quit.
  • Everything is captured: It logs each and every keystroke made on the phone regardless of which application is being used; call dialer, text messenger, web browser or other. In some instances it logs the contents of a text message before the user even receives it.
  • Connection security is undermined: Since it captures keystrokes, it can capture data entered into web forms regardless of whether the website forces an encrypted https connection. This means sensitive information like user names & passwords can be logged in the clear.
  • You don’t even need to be on the carrier’s network: It captures keystrokes and data even when connecting over a wifi connection.

Vendors collecting information in order to improve customer experience is common practice, but they typically only collect diagnostic data, and they typically require user consent and have visible opt-out and privacy policies.

We should note that the exact behavior of the CarrierIQ software still remains a little murky. For example even though data is logged within the device, it is unclear what is sent back to the company or its customers. But as demonstrated by Eckhart, the data he collects is clearly more than diagnostic, and there is no opportunity for a user to opt-out or review a privacy policy.

However you cut this story people are quite rightly responding to what appears to be a major compromise of their trust, and this is true regardless of what we ultimately learn about the type of data that is being relayed and the intentions of those collecting it.

It's an unfortunate reality that users trust vendors too easily, and vendors invariably let users down. It has become reflexive to click “yes” to software fine print and ignore poorly written privacy policies. It’s not that people don’t care -- as evidenced by the outrage over this incident (search for #CIQ on Twitter). But perhaps lacking any better alternative, we gain confidence via social proof (everyone else trusts service x) and ethics at scale (they're a big company, they'll do the right thing).

At the end of the day, we need to be better custodians of our information, and vendors need to be transparent and speak simply about their policies. To date, it’s not clear that either side is taking its obligations seriously.