This article first appeared in TechCrunch.
Imagine how differently Carrier IQ’s fortunes would be if instead of engaging lawyers and flaks to address alleged privacy breaches they engaged the actual discoverer of those breaches, security researcher Trevor Eckhart. For those of you not familiar with thestory it is the latest example of a company that let hubris trump transparency and in the process has potentially committed suicide.
When Mr. Eckhart found potential key logging and personal message logging by a supposedly harmless performance data-tracking application built by Carrier IQ and installed on over 100 million phones, the maker had a choice: attack the messenger or attack the problem. They did they the exact wrong thing. They sent a cease-and-desist letter to Eckhart, as if watching data traffic on ones personal mobile phone and fair use of public documents was a violation of some corporate right. They then issued a defensive press release that seemed in direct contradiction to data Eckhart had already publically posted.
They did everything but address the problem. The results? A class action lawsuit, a US Senator asking for information from them and their carrier and handset customers, undoubtedly countless headaches with their customers and tangibly dimmer prospects for the company and their investors,some of Silicon Valley’s most respected. Carrier IQ, in short, made a problem into a story.
Now consider an alternative scenario. Instead of choosing hubris and stonewalling, Carrier IQ could have chosen transparency. They could have attacked the problem by enlisting Eckhart as a partner rather than casting him as an enemy. Instead of sending lawyers and PR flaks, Carrier IQ could have simply invited Eckhart, even paid Eckhart, to come to their offices and help them understand what he saw and how, if necessary, they should fix it. They could have called the EFF and asked for advice on an independent privacy audit. If they truly believed that their software does no evil as their press releases say, they could have very easily opened up the doors to prove it. If there are actual privacy violations due to poor implementations or non-malicious mistakes, they should be looking for all the help they can get, including Eckharts, in discovering and fixing those errors.
Instead, because they badly flubbed the perception war, the public and lawmakers can only assume they have something to hide. If we take them at their word, they do care about privacy, but their actions indicate the contrary. It’s a mistake that will cost them for years to come and radically change the direction and momentum of their business. We will all eventually know if they were doing malicious things, or they just screwed up, or if Eckhart’s analysis is flawed. But even if we discover they are pristine, the fortunes of the company are probably irreparably damaged.
The lesson in this mess is: openness wins. When someone points out your flaws, or your company’s flaws, that someone is your best friend, not your enemy. CarrierIQ made this a story by attacking the messenger not the problem, and in doing so created countless more problems for themselves. Learn from their hubris.