Dec. 13, 2011 at 2:02 PM ET
Carrier IQ can't seem to stay out of the spotlight: A recent post from a government watchdog site implicated the FBI as a user of the software, which can monitor network performance — and, to the alarm of many, log sensitive information. Meanwhile, the company head gave an interview in order to explain the allegations of carrier phone snooping.
There's no smoking gun that shows the Feds are using Carrier IQ. Instead, the site MuckRock, which facilitates and reports on Freedom of Information Act requests, posted a "telling denial" of such a request. The idea is that the denial shows that the FBI was using the controversial diagnostic tool.
Shown by security researcher Trevor Eckhart to be capable of covert keylogging, Carrier IQ has since come under heavy scrutiny by lawmakers, other security firms, individuals concerned for their privacy and now, perhaps, federal law enforcement.
MuckRock's Michael Morisy filed the FOI request for "manuals, documents or other written guidance used to access or analyze data gathered by programs developed or deployed by Carrier IQ," which the Department of Justice responded to by citing an exemption to disclosure. Using the rationale that the records requested by Morisy fall under "law enforcement records" that are currently being used in legal proceedings and that release of such documents could interfere with such proceedings, the DOJ's records management division would not allow the request to go through.
Morisy, who plans to appeal the denial, inferred this from the DOJ letter:
What is still unclear is whether the FBI used Carrier IQ's software in its own investigations, whether it is currently investigating Carrier IQ, or whether it is some combination of both — not unlikely given the recent uproar over the practice coupled with the U.S. intelligence community's reliance on third-party vendors. The response would seem to indicate at least the former, since the request was specifically for documents related directly to accessing and analyzing Carrier IQ data.
The Next Web takes a much more cautionary perspective on this interaction, from its own legal expert, Jeff Cormier:
What can be inferred, and should have been pointed out, is that Al Franken and others are asking for the FTC to look into the matter. That is the likely reason why information is being withheld. It's completely inaccurate to state there is an "ongoing investigation."
Cormier is referring to U.S. Representative Edward Markey, who on Dec. 2 asked the Federal Trade Commission to investigate Carrier IQ for violating the privacy rights of millions of mobile phone users. The company's hot water also includes two lawsuits that name HTC and Samsung as well, for violating the federal Wiretap Act.
To try to get itself out of the immense hole it's dug, Carrier IQ CEO Larry Lenhart and Andrew Coward, the company's VP of marketing, attempted some damage control in an interview with AllThingsD.
Coward came up with this explanation for Eckhart's findings:
What he was looking at there was an Android log file. And to be blunt, there was information there that shouldn’t have been. In order for Carrier IQ to get information off a device, we work with the manufacturers to deliver that information through an API. That information shouldn’t show up in an Android log file. We don’t read from Android log files; we don’t see Android log files. That info just shouldn’t be there. And, ultimately, what goes in that log file is up to the manufacturer.
And then, Carrier IQ released this document yesterday, which reaffirms the company's position that its software is used for the purposes of better network management and customer care (in analyzing a problem and giving the user an explanation for it).
The document also emphasizes how little data it's gathering: "In typical deployments, the IQ Agent uploads diagnostic data once per day, at a time when the device is not being used. This upload, which averages about 200 kilobytes, contains a summary of network and device performance since the last upload, typically 24 hours."
Carrier IQ seems to shift any responsibility for what information is gathered to individual carriers and whatever agreements they have with their customers.
And because they can't let go of Eckhart's damning video:
Our investigation of Trevor Eckhart's video indicates that location, key presses, SMS and other information appears in log files as a result of debug messages from pre-production handset manufacturer software. Specifically, it appears that the handset manufacturer software's debug capabilities remained "switched on" in devices sold to consumers.
It also attributes inadvertent keylogging to a bug:
Carrier IQ has discovered that, due to this bug, in some unique circumstances, such as when a user receives an SMS during a call, or during a simultaneous data session, SMS messages may have unintentionally been included in the layer 3 signaling traffic that is collected by the IQ Agent. These messages were encoded and embedded in layer 3 signaling traffic and are not human readable.
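As an added illustration of the failure mode Carrier IQ's document describes (debug logging left switched on in shipped handsets), and not code from the article or from Carrier IQ, the following Python script audits Android logcat output for the kinds of sensitive content that ended up in log files; the sample log lines and the "VendorDebug" tag are constructed placeholders.

```python
import re
from collections import Counter

# Standard logcat "brief" format: <priority>/<tag>(<pid>): <message>
LOGCAT_RE = re.compile(r"^([VDIWEF])/([^(]+?)\s*\(\s*(\d+)\):\s*(.*)$")
DEBUG_PRIORITIES = {"V", "D"}  # verbose/debug: should not be emitted by release builds

# Categories of sensitive content the Carrier IQ episode showed leaking into log files.
SENSITIVE_PATTERNS = {
    "keypress": re.compile(r"\bkey ?press", re.I),
    "location": re.compile(r"\b(?:lat|lon|location|gps)\b", re.I),
    "sms": re.compile(r"\bsms\b", re.I),
}

# Constructed sample; "VendorDebug" is a placeholder tag, not a real vendor's.
SAMPLE_LOGCAT = """\
D/VendorDebug( 1214): keypress received: 4
D/VendorDebug( 1214): location update lat=37.4219 lon=-122.0841
I/ActivityManager(  123): Start proc com.android.mms
D/VendorDebug( 1214): sms body: meet at 6
W/dalvikvm(  456): GC freed 1234 objects
V/VendorDebug( 1214): keypress received: 7
"""

def parse_logcat_line(line):
    """Return (priority, tag, pid, message), or None if the line is not logcat brief format."""
    m = LOGCAT_RE.match(line)
    if not m:
        return None
    priority, tag, pid, message = m.groups()
    return priority, tag, int(pid), message

def audit_logcat(text):
    """Flag every entry whose message carries sensitive content.

    Returns (findings, summary): findings is a list of dicts, one per (line, category)
    hit; summary counts hits per category. 'debug_level' marks V/D entries, i.e. debug
    output that a production build should not be writing at all.
    """
    findings = []
    for line in text.splitlines():
        parsed = parse_logcat_line(line)
        if parsed is None:
            continue
        priority, tag, pid, message = parsed
        for category, pattern in SENSITIVE_PATTERNS.items():
            if pattern.search(message):
                findings.append({"priority": priority, "tag": tag, "pid": pid,
                                 "category": category, "message": message,
                                 "debug_level": priority in DEBUG_PRIORITIES})
    return findings, Counter(f["category"] for f in findings)

if __name__ == "__main__":
    for f in audit_logcat(SAMPLE_LOGCAT)[0]:
        print(f"{f['priority']}/{f['tag']} [{f['category']}] {f['message']}")
```

On a real device the same check runs over `adb logcat -d` output; a non-empty result with `debug_level` set is the signature of vendor debug output shipping to consumers.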
In summary, Carrier IQ wants you, the mobile phone user, to be assured that forward content, that it may have accidentally logged some text messages and that it does admit a vulnerability in debug settings.
Read the rest of the 19-page document (linked above) if you want to dive into it more.