Carrier IQ app raises new questions about mobile security


The data collection practices of Carrier IQ--a once obscure maker of diagnostic software for smartphones--ignited a firestorm last week, with lawmakers questioning the legality of its product and users filing lawsuits. Carrier IQ insisted that its software is installed solely for the purpose of helping carriers ensure service quality, but critics claim it is tantamount to spyware. For enterprises, the incident raises new questions about what it takes to protect company data on mobile devices.

A quick recap: A short while back a systems administrator in Connecticut named Trevor Eckhart wrote in a blog post that a Carrier IQ application "is receiving not only HTTP strings directly from browser, but also HTTPs strings. HTTPs data is the only thing protecting much of the 'secure' Internet." Other researchers had detected the problematic application previously, but Eckhart's disclosure sent Carrier IQ into a rather nasty defense mode. The company sent Eckhart a cease-and-desist warning, threatening huge damages until the Electronic Frontier Foundation stepped into the melee on Eckhart's behalf.

AT&T (NYSE: T), T-Mobile and Sprint (NYSE: S) have all acknowledged using Carrier IQ's services, and the software is said to be installed on 150 million phones. On Thursday, Sen. Al Franken (D-Minn.) sent a letter to Carrier IQ demanding to know what data the application records and where it is transmitted, warning that the software may violate privacy laws. Carrier IQ, in a statement published Thursday, denied having violated any wiretap laws.

"While a few individuals have identified that there is a great deal of information available to the Carrier IQ software inside the handset, our software does not record, store, or transmit the contents of SMS messages, email, photographs, audio, or video," the company said. "For example, we understand whether an SMS was sent accurately, but do not record or transmit the content of the SMS. We know which applications are draining your battery, but do not capture the screen."

For enterprises, Carrier IQ's application represents "an insane breach of trust," in the view of InformationWeek's Jonathan Feldman.

"From an enterprise perspective, this is massive," he wrote. "We all knew that spyware existed on PCs, but the big difference is that spyware and rootkits got installed by malicious third parties, not our trusted partners who get paid for services that they provide."

Since Carrier IQ doesn't work directly with enterprise customers and apparently has no incentive not to take what data it can, carriers--who are trusted partners of enterprises--should get rid of such middlemen, Feldman wrote. If carriers continue to rely on third parties for phone management software, enterprises will have to come up with new resources to "re-image spyware-vulnerable smartphones," Feldman warned.

For more:
- see Sen. Franken's letter
- see Carrier IQ's statement
- see Jonathan Feldman's post at InformationWeek
