updated 12/15/2011 4:48:00 PM ET

(UPDATED 4:30 pm Thursday, Dec. 15 with denial from FBI director. See below.)

There are a couple of new twists in the ongoing Carrier IQ saga. A muckraking blog has linked the cellphone-diagnostics software to an FBI investigation, and the Carrier IQ company itself admitted that under certain conditions, user text messages might be forwarded to its servers.

The company also said that the now-famous video showing its software allegedly capturing keystrokes actually showed an unrelated Android logging program.

According to the Boston investigative-journalism blog MuckRock, the FBI might be using Carrier IQ. Or it might not be. But to MuckRock's Michael Morisy, whose Freedom of Information Act (FOIA) request to the FBI regarding the bureau's use of Carrier IQ was denied, such a lack of comment amounts to an admission.

Morisy asked the FBI for "manuals, documents or other written guidance used to access or analyze data gathered by programs developed or deployed by Carrier IQ" and was met with a polite but firm refusal.

"I have determined that the records responsive to your request are law enforcement records; that there is a pending or prospective law enforcement proceeding relevant to these responsive records; and that the release of these responsive records could reasonably be expected to interfere with the law enforcement proceedings," wrote David M. Hardy of the FBI's Records Management Division in a letter responding to Hardy.

Hardy invited Morisy to appeal the refusal, and gave him detailed instructions on how to do so.

To Morisy, Hardy's letter is a "telling denial" that indicates that the FBI has "used Carrier IQ's software in its own investigations."

To TheNextWeb's Brad McCarthy, Hardy's letter offered "no indication of an ongoing investigation, or any investigation at all."

McCarthy's colleague Jeff Cormier, an attorney, offered a more thorough dismissal of Morisy's suspicions.

"What can be inferred, and should have been pointed out, is that [Sen.] Al Franken and others are asking for the FTC [Federal Trade Commission] to look into the matter," Cormier said, as quoted by McCarthy. "That is the likely reason why information is being withheld. It's completely inaccurate to state there is an 'ongoing investigation.'"

Mistaken identity?

If Morisy is indeed leaping to conclusions, he may not be the first to have done so. Trevor Eckhart, the Connecticut IT professional who first publicized the Carrier IQ issue, posted a now-famous YouTube video in late November that Eckhart claimed as evidence that Carrier IQ logs keystrokes.

But in a long document entitled "Understanding Carrier IQ Technology" posted on its website yesterday (Dec. 12), Carrier IQ now says that Eckhart's video doesn't show its software in action at all. Instead, the company says, the video shows an unrelated logging program installed by the handset maker.

"In Trevor Eckhart's video, an Android-based HTC device is shown writing location, keylog and SMS information to an Android log file in clear (human readable) text," the company said. "Our investigation of Trevor Eckhart's video indicates that location, key presses, SMS and other information appears in log files as a result of debug messages from pre-production handset manufacturer software. Specifically it appears that the handset manufacturer software’s debug capabilities remained 'switched on' in devices sold to consumers."

But Carrier IQ also said it had found a "bug" in its own software that could forward text (SMS) messages received by users to the company's servers, provided that the text message came in as the phone was in the middle of a call or data transmission.

"Due to this bug, in some unique circumstances, such as a when a user receives an SMS during a call, or during a simultaneous data session, SMS messages may have unintentionally been included in the layer 3 signaling traffic that is collected by the IQ Agent," the document read. "These messages were encoded and embedded in layer 3 signaling traffic and are not human readable."

Layer 3 is the "networking" layer of the "seven-layer model" that governs most computer networking.

"Carrier IQ customers who have deployed the embedded version of the IQ Agent have been informed of this bug," the document said, "and Carrier IQ has worked with customers to fix it and ensure that this information is no longer captured."

In any case, the privacy concerns may be misplaced. The biggest fears raised over Carrier IQ are that it forwards users' text messages, Web browsing data and phone numbers dialed to parties unknown. But cellular carriers already have all that information, and will gladly turn it over to any government authority that asks for it.

Carrier IQ, for its part, states that "Under our customer contracts we are not permitted to analyze, resell or reuse any of the information gathered for our own purposes, or to pass to any third party unless required by law."

UPDATE: During unrelated Senate testimony Wednesday, FBI Director Robert Mueller said that the bureau had "neither sought nor obtained any information from Carrier IQ in any one of our investigations."

Mueller was responding to a question from Sen. Al Franken, D-Minn. He acknowledged that it was possible that the FBI had obtained "information that in some way Carrier IQ may have been involved with."

© 2012 SecurityNewsDaily. All rights reserved
