Unless you’ve been living under a rock for the past few weeks, you’ve probably heard about Carrier IQ, the service installed deep in the guts of multiple devices that logs various aspects of your cellular experience. Companies such as Sprint, T-Mobile, AT&T, Samsung, HTC and others use this information to provide software updates that fix bugs with your device or improve upon their cellular network in your area.
A frenzy ensued because nobody knew exactly what Carrier IQ had access to or what it was actually tracking on their end. Al Franken and the US Senate called on Carrier IQ and its customers to release details about how the service operates and what it has access to on user devices.
The potentially bigger story on Carrier IQ came out in the last 24 hours. The FBI uses Carrier IQ, though they’re very much unwilling to tell us just how they use it or what they use. In fact, reporter Michael Morisy of MuckRock News sent a Freedom of Information Act (FOIA) request for manuals, documents or other written guidance used to access or analyze data gathered by programs developed or deployed by Carrier IQ. The FBI refused to cooperate, citing a FOIA provision that exempts materials that could potentially interfere with an ongoing investigation.
Carrier IQ is fulfilling its end of the bargain, however. In a 19-page document released yesterday, Carrier IQ has come clean on their service. You can read the full document for yourself by clicking the link in the previous sentence or the source link at the end of this post. Otherwise, what follows is the summary section of the Carrier IQ document (bold sentences are their emphasis):
- The source of personal information in Android log files shown by Trevor Eckhart in his video is a result of debug settings remaining in production devices and should be classified as vulnerability. The IQ Agent software on the mobile device was not responsible for writing log messages containing personal information seen in the video.
- Carrier IQ does not acquire or forward the content of multi-media messages (MMS), emails, photos, web pages, audio or video. A detailed list of what is actually gathered can be found in Exhibit A and Exhibit B in the document.
- In some unique circumstances described in this document, an unintended bug in a diagnostic profile allowed collection of layer 3 radio messages in which SMS messages may have been embedded. While the layer 3 signaling data was provided to the Network Operators over whose networks the data was originally sent, they were not decoded or made available in human readable form to Carrier IQ, its customers or any third party. Upon discovering the bug, Carrier IQ and its customers took immediate steps to remedy the bug and Carrier IQ customers are no longer uploading such data.
- A specific numeric key code can be entered by the user to cause the IQ Agent software to commence an upload and the IQ Agent software on the device receives numeric key presses so that it can identify when this key code is entered. Carrier IQ has never intentionally captured or transmitted keystrokes and is not aware of any circumstances where this has occurred. Carrier IQ is not a keylogger and no customer has asked Carrier IQ to capture key strokes.
- Network Operators define through profiles which specific diagnostics are actually gathered from a device. Carrier IQ writes profiles for each Network Operator to gather the diagnostic information they require.
There you have it: a full response from Carrier IQ that hopes to clear the air and inspire consumer trust that they’re actually trying to do the right thing. What do you guys think? Does the report suffice? Or do you still have questions you’d like to ask Carrier IQ? (We’ll send your questions their way.)