Apparently the new way for institutions to weasel out of responsibility is to investigate yourself. For example, Syracuse University is getting heat for its decision to have its lawyers rather than police investigate in 2005 when one of its coaches was accused of child rape. The release of a taped phone call that the alleged victim made in 2003, where the coach’s wife corroborates his story, makes that investigation look like a feeble whitewash.
Even Carrier IQ, the cellphone spyware maker, is getting in on this con. Yesterday, a reporter from the Verge committed some journalism by visiting their offices and refusing to go away. He got their PR guy to say that Carrier IQ will come clean about a video showing their software logging every keystroke on a smartphone “soon — after it has external security companies conduct independent validation of the privacy implications in that same video.”
Carrier IQ is saying that it can’t tell us what the software it sells does until the investigators it pays tells them how their own software works. This makes me wonder how Carrier IQ’s software came to be.
Apparently, CEO Larry Lenhart’s mom sent him to the store one day to buy dinner for the family. On the way, he met a man who offered to sell him three magic beans and some software. Instead of buying dinner, Larry gave the man his money and took home the beans and the code. His mother, enraged, threw the beans out the window. Larry went to bed without any dinner. The next morning, ran the software on his computer and found that it could magically track cellphones. Larry founded Carrier IQ and lived happily every after. The End.
There’s a whole crew of PR people who spend their time trying to polish turds. “Independent Investigation” is just a new brand of turd polish, and the sooner reporters stop passing on that kind of PR-bullshit without comment, the better.
Having been an employee of a major university for 25 years, I can tell you this is par for the course. Nobody circles the wagons like them.
We do have had a potential mishap in the making in my department for a number of years now. The upper echelon does not want to deal with it. So every day is one of trepidation of what will happen next. To be truthful, it’s not a case of abuse. It’s a case of someone losing complete control and causing harm to others.
Syracuse University investigated on its’ own because the police failed to investigate claiming the statute of limitations had past on the crime. Perhaps, they would’ve done differently if they knew about the tape.
ESPN and The Syracuse Post Standard never turned over a copy of the tape to any authority, law enforcement or otherwise, as evidence back in 2003 claiming that it was not their responsibility to do so. What ESPN and The Post Standard did was no different from what Joe Paterno did at Penn St and is probably worse. At least Joe Paterno contacted his “so called” boss. ESPN and The Post Standard did nothing when presented with evidence of possible child molestation. Both news organizations should be deeply ashamed of themselves.
Good post mostly, but the remark about the name Coward is a low blow.
@kd bart: I’ve already posted on the news organizations, and they do deserve some shame, but here’s the thing. SU investigated the allegation for three months. Did they call the cops to confirm that nothing could be done? Did they ask Davis if he had a tape? What, exactly, did they investigate?
@gbbalto: You’re right. I took it out.
Thank you, mistermix.
Thank you, mistermix.
An Independent Investigation is just precisely a Dependent Investigation. Dependent on the entity being investigated.
The only investigations that are truly independent are carried out by law enforcement.
No, no and no.
Carrier IQ knows full well what their software does. What they don’t know is what exploits it enables — they obviously never even thought about that. The security company is going to tell them what they were too stupid to figure out on their own.
Villago Delenda Est
No, they don’t. They know what they intended for it to do, but they don’t know everything it does.
Which is why the security company needs to tell them the other fun things it does.
@Villago Delenda Est: Thank you for rephrasing what I said. That was helpful.
Anyway, I think they’re hoping that the outside consultant gives them some good news like, “This really wasn’t a problem.”
I don’t think they’ll get it, and we’ll not hear about their findings.
I’m an attorney. I once handle a series of sex discrimination cases alleging misconduct by a senior official at a large university. When the women initially complained, the President hired an outside investigator (an experienced employment lawyer) to look into the allegations. The investigator talked to all the employees in the office, as well as the accusers and the accused. The investigator then wrote a very lengthy report finding rampant sex discrimination within that particular office. Some individual contentions were found not to be supported, but by and large the investor found that this senior manager had created an atmosphere that was intolerable for female employees.
This was not what the President wanted to hear. So instead of acting on the independent outsider’s report, he appointed a committee of three of his direct reports, all of whom were peers of the harasser. They were charged with determining whether the outside investigator had done an adequate job.
This committee proceeded to read the investigator’s report interviewed one of the three accusers and interviewed the accused (i.e., their peer and work colleague). They did not request the investigator’s file or notes or talk to any of the other witnesses. Nor did they speak to the investigator whose work they were supposedly investigating. Not surprisingly they then concluded that the investigator’s report was flawed every time there was a finding of discrimination. Also not surprisingly, they found the investigator had done a bang-up job every time there was a finding that some specific allegation could not be substantiated at that time.
The bottom line is that these outside investigations are done for no reason other than to give the organization cover. If the investigator doesn’t realize that’s his or her role, the organization will make other arrangements.
@Villago Delenda Est: I agree that there may be other unintended side effects of their software, but from other information that’s been published, it’s clear that Carrier IQ collects and stores a huge amount of personal information. They could admit that, but instead they’re asking to forestall any discussion at all of what their software does until this investigation happens. That’s what’s disingenuous about their position.
except when they investigate themselves
Exactly what they do in any kind of case being brought to their attention.
If CIQ stored the personal information, we might never have known. CIQ logs a lot of sensitive data. How much of that data is actually stored and what, if anything, can be done with it has not been determined.
@Winston Smith: There are screenshots of product demos from their site that show statistics of the number of of applications launched by application, as an example. Clearly to create aggregate statistics some data must be stored. And CIQ has said that they encrypt all data. Why encrypt data if it isn’t sensitive and kept?
Right, but the data that must be stored is aggregate data. For example, the software I’m working on saves information like, “It took 10ms to save 124 items.” Those 124 items contain sensitive data, but we don’t store that in the profile data. I image — well, hope really — that all CIQ is storing is the statistics it cares about. This is likely the case because phones are limited devices — they don’t have 500GB hard drives that you can store everything you’ve ever done on.
First, encrypting stuff is easy these days and business people think its sexy even if it doesn’t actually accomplish anything. Second, the statistics may not be sensitive data to the user, but they are sensitive data to the carrier. If AT&T figured out a way to get detailed stats on Sprint’s network, it would jump at the opportunity. If that data is encrypted, however, it can’t pretend that it “accidentally” intercepted it.
We should call it the GW Bush software.
They call ‘independent investigations’ by another name in Washington. There, they are referred to as ‘special bipartisan committees’*.
*(see: Iraq-Contra investigation and cover-up).
This has been going on in many ways for a long time. Ever look at that contract you sign when you buy a car? Arbitration, baby. With the arbitration company picked by the dealer or mfg, who pays them. The game is rigged. How different is having your own, not-so-independent investigation into how you/your organization screwed the pooch?