
Ben Schwalb | Das Coding

As we do more and more on our smartphones, issues of privacy become more and more important. Yet the laws surrounding these issues have not kept up with the times. We have clearly defined decades-old laws establishing what phone companies are and are not allowed to keep track of when we call someone. But similar rules do not exist to protect our location, where we go on the Internet, etc.

Recent controversy erupted over the use of the Carrier IQ software, preinstalled on many smartphones to record much of what customers are doing with their phones. The debate over this one program is essentially resolved. Verizon confirmed that it never used Carrier IQ, Sprint is disabling it on the phones that do have it, and although AT&T didn't back down, it is doubtful that the company will expand the use of this software beyond the one percent of its devices that currently contain it.

Although there are allegations that the software is an illegal form of wiretapping, it seems likely that the current lawsuits against Carrier IQ will fail. Cell phone carriers did allow for this in contracts, as stipulated under current law. However, a draft of a new Mobile Device Privacy Act in Congress seeks to require carriers to get explicit consent from each customer to install such software. But what is Carrier IQ recording? What's so bad about it?

Most of the data actually collected and stored by the cell phone carriers until now were relatively harmless. Logs of whom you called and texted sound creepy, but are also available from (and legally required to be stored by) cell phone towers. The most personal aspect of the data was what apps you had installed, so that customer service could, for instance, recommend that you uninstall a specific app to increase your battery life.

However, what's more important is that carriers could have asked for what the program had accessed. Recording what comes through a cell tower allows a certain degree of privacy, notably via encryption. When you access an encrypted site like Gmail.com, the first thing your computer or phone does is establish a secret number with Gmail that you will both use to encrypt and decrypt messages. Anyone trying to look at what Gmail is sending you without this secret number sees gibberish.

An aside: Not all websites are encrypted! An encrypted website begins with https:// instead of http://. Encryption hides what you type into forms and which specific pages on a site you visit. For example, if you view https://nytimes.com, a snooper knows that you are visiting that site, but not which articles you are reading. Likewise, until Facebook quite recently changed its policy, people surfed using http://facebook.com, meaning anyone looking at your Internet traffic could read all of your messages, wall posts, etc.

But an app on your phone can circumvent this encryption. Essentially, the Carrier IQ app can see whatever you see. So although someone listening in to your encrypted conversation with Gmail sees gibberish, an app sees the plain text that you see on your phone. For this reason, most phones have a permissions system where apps must be granted explicit permission to do something like read your emails or track your location.

The problem with Carrier IQ is that it was preinstalled on phones with permission to do everything. This new law seeks, appropriately, to require that you give explicit permission to allow an app access to your personal data.

What's much more important than deciding whether or not cell phone carriers were explicit enough in asking consumers' permission to be tracked, though, is that consumers understand privacy issues like encryption and are cognizant of them.
