Greymeister.net

The Real Problem With Carrier IQ

One of the biggest tech stories this week involved the independent discovery of an application embedded in several major smartphones. The application, created by the company Carrier IQ Inc., functions by “counting and measuring operational information in mobile devices - feature phones, smartphones and tablets.” According to Trevor Eckhart, who reported the application’s existence and functionality, Carrier IQ’s software goes so far as to log individual keystrokes made by the user. The broad scope of such capability seems to render concerns associated with tracking location data insignificant by comparison. Eckhart demonstrates several examples of Carrier IQ’s interesting capabilities:

  • Recording individual keys pressed by the user
  • Recording the contents of SMS messages
  • Recording requests made to websites, even when using HTTPS

I recommend you watch Eckhart’s video. If you feel the way I do about privacy, you should start to have a sinking feeling about 9 minutes in.

All of this seems bad. More developments have been reported that seem to indicate that Eckhart’s findings portray Carrier IQ’s software inaccurately. I’m sure that this story is far from over, but I think the most shocking part to me is unrelated to the veracity of Eckhart’s findings. In response to Eckhart sharing his information, Carrier IQ sent him a cease-and-desist notice based on copyright infringement related to hosting the company’s manuals on his website. Eckhart argued that he wanted the manuals in order to verify his research. He obtained them from the Carrier IQ website, and hosted them only as a precaution should they become unavailable from Carrier IQ. According to Wired.com, Carrier IQ had in fact removed the manuals around the same time they sent the letter to Eckhart. Another Wired.com article goes on to show how the EFF stepped in, and not long after that, Carrier IQ apologized for the letter.

Carrier IQ’s response is more damning than anything Eckhart could have demonstrated. The “root” of the problem isn’t necessarily what mechanisms the application is capable of, but what data it actually records. It’s possible that Carrier IQ only records a small subset of what it is capable of logging. If they had been more transparent about it, this whole story would have gone from “brouhaha” to not even newsworthy. However, instead of disclosure, Carrier IQ’s initial reaction was to push the big red lawyer button. This means that the only notion I think anyone can take away is that Carrier IQ has something to hide. After threatening didn’t work, Carrier IQ defended themselves based on a premise that the carriers determine what information was collected and stored. Why should full disclosure be a last resort if someone inaccurately portrays your work? If Carrier IQ’s claims are true, why not come out with that first and not after you fail in silencing your critics?

I would hope that most companies choose not to react the way Carrier IQ did to criticism. They should be up front in defending their products or at least acknowledging privacy issues when they arise. By threatening legal action against Eckhart as a first response, Carrier IQ set themselves up as a bully who can’t own up to the facts, no matter how damaging they actually are.