Carrier IQ, the company behind a recently revealed secret mobile phone tracking program installed on upwards of 140 million phones — including what appears to be many Android, iOS and BlackBerry devices — has come out with a carefully-worded denial to video evidence showing that the software captures nearly all of a user’s activity on one’s phone.
Carrier IQ released a statement late Thursday defending its software, saying it is benign and transmits only non-identifying phone “performance” data to carriers to allow them to improve their networks. As Carrier IQ’s statement reads:
“While a few individuals have identified that there is a great deal of information available to the Carrier IQ software inside the handset, our software does not record, store or transmit the contents of SMS messages, email, photographs, audio or video. For example, we understand whether an SMS was sent accurately, but do not record or transmit the content of the SMS. We know which applications are draining your battery, but do not capture the screen.”
It’s important to recognize that the company isn’t denying that the Carrier IQ software captures much of a user’s activity, just that most of that information isn’t recorded or transmitted to wireless carriers such as Sprint, AT&T and T-Mobile, who have admitted to using Carrier IQ.
In fact, Carrier IQ concedes right off the bat that “a great deal of information” is “available to the Carrier IQ software.”
As Andrew Coward, Carrier IQ’s VP of marketing, told All Things D: “The software receives a huge amount of information from the operating system…But just because it receives it doesn’t mean that it’s being used to gather intelligence about the user or passed along to the carrier.”
Coward said that the video posted by an Android researcher showing the software covertly tracking user data doesn’t show that information being “processed, stored, or forwarded out of the device.”
The company’s CEO, Larry Lenhart, also told All Things D that: “We capture only the data they [the carriers] specify, and provide it to them,” he reiterates. “We don’t capture more than that.”
According to the two executives, that arrangement varies by carrier, but data is typically not stored for more than 30 days.
Furthermore, the company trotted out a “respected security expert,” Rebecca “Becky” Bace, founder of network security consulting firm Infidel, Inc. formerly a computer expert with the National Security Agency, to contribute to their official statement.
“Having examined the Carrier IQ implementation it is my opinion that allegations of keystroke collection or other surveillance of mobile device user’s content are erroneous,” Bace said.
Nowhere else in the statement, or the interview with All Things D does the company specifically address keylogging.
Carrier IQ’s statement goes on to explain that the company’s software delivers “intelligence on the performance of mobile devices and networks” to carriers to help them “provide optimal service efficiency.”
The company says that “while in-network tools deliver information such as the location of calls and call quality, they do not provide information on the most important aspect of the service – the mobile device itself.”
Carrier IQ attempts to reassure users that the information that it captures from their phones and transmits to carriers is secure, unidentifiable, and protected: “The data we gather is transmitted over an encrypted channel and secured within our customers’ networks or in our audited and customer-approved facilities.”
The company also attempts to rebut the allegations — made by Sen. Al Franken (D-MN) and a former Justice Department prosecutor, among others — that the software could be in violation of U.S. privacy law, specifically wiretapping law: “As a condition of its contracts with Operators [carriers], CIQ operates exclusively within that framework and under the laws of the applicable jurisdiction….Carrier IQ is aware of various commentators alleging Carrier IQ has violated wiretap laws and we vigorously disagree with these assertions.”
That may be cold comfort to the hundreds of millions of users just finding out about the secret software, especially as Carrier IQ gives no information on how to control, disable or opt-out of the software. Another conspicuous omission: The company doesn’t explain why the software was secret in the first place.
We’ve reached out to Carrier IQ and Bace for answers to these and other questions and will update when we receive a response.
