Carrier IQ Denies Wiretap Claims

Smartphone network diagnostic software maker says it only collects data that carriers request. Is your phone affected?

Mathew J. Schwartz, Contributor

December 2, 2011

Carrier IQ, a "mobile service intelligence" provider, has responded to ongoing questions about exactly what types of information its handset monitoring software records, and denied allegations that its software runs afoul of wiretapping regulations.

"Carrier IQ is aware of various commentators alleging Carrier IQ has violated wiretap laws and we vigorously disagree with these assertions," according to a statement released by the company Thursday.

According to Carrier IQ, while its smartphone monitoring applications see smartphone data--to assess what is or isn't pertinent to monitoring the performance of the smartphone or the network that it uses--that isn't the same as recording or transmitting that data. "While a few individuals have identified that there is a great deal of information available to the Carrier IQ software inside the handset, our software does not record, store, or transmit the contents of SMS messages, email, photographs, audio, or video," according to Carrier IQ. "For example, we understand whether an SMS was sent accurately, but do not record or transmit the content of the SMS. We know which applications are draining your battery, but do not capture the screen."

Notably, federal wiretapping statutes provide exemptions for carriers and their business partners to monitor the performance of their infrastructure. Carrier IQ said that it "acts as an agent for the operators," to help make their customers' phones work better. "Our software allows operators to figure out why problems are occurring, why calls are dropped, and how to extend the life of the battery," it said.

Carrier IQ's Thursday statement includes a testimonial from security expert Rebecca Bace of Infidel, a former member of NSA's Information Security Research and Technology Group, as well as deputy security officer for Los Alamos National Laboratory. "Having examined the Carrier IQ implementation it is my opinion that allegations of keystroke collection or other surveillance of [a] mobile device user's content are erroneous," said Bace.

Carrier IQ's statement was released in response to growing questions about what data its software collects from handsets, and why. Suspicion had been mounting over the company's software after the Electronic Frontier Foundation disclosed a cease-and-desist letter that Carrier IQ had sent to 25-year-old Connecticut security researcher Trevor Eckhart last month--threatening at least $180,000 in copyright damages--after he published insights into how the company's software operates, and branded it as a rootkit. (Similarly, security researchers before him had labeled it as spyware.) Notably, Eckhart also manages corporate networks, and had begun looking into Carrier IQ's software after finding unauthorized communications between devices inside his network and Carrier IQ's servers. Eckhart's research ultimately highlighted that while Carrier IQ software was running on more than 141 million handsets, it was typically installed so that it was hidden, impossible to deactivate, and transmitting unknown data points off of the device. Accordingly, Eckhart demanded detailed answers from Carrier IQ about what its software was doing, and why.

Since then, Carrier IQ has said that it only transmits data that the carriers tell it to capture. "It's the operator that determines what data is collected," Carrier IQ CEO Larry Lenhart told All Things Digital on Thursday. "They make that decision based on their privacy standards and their agreement with their users, and we implement it."

In other words: "We capture only the data they specify, and provide it to them," he said. "We don't capture more than that."

While Carrier IQ hasn't detailed exactly which data points that includes--say, on a carrier-by-carrier basis--it now has a December 14 deadline to do so. That's thanks to a letter to Carrier IQ, sent by Senator Al Franken (D-Minn.) Thursday. Franken has demanded detailed answers to numerous questions, including whether Carrier IQ logs users' location, exact details of the data it logs (such as telephone numbers, URLs visited, or online search queries), exactly which data points get transmitted to Carrier IQ's servers, and whether Carrier IQ will allow users to opt out of this data collection. He also asked for a detailed response as to why the company believes that it complies with the federal wiretap statute, the Stored Communications Act, and the Computer Fraud and Abuse Act.

Which carriers use Carrier IQ software, and which smartphone manufacturers include the software as part of their Android operating system distributions? Carrier IQ hasn't published a customer list, but many carriers and manufacturers--including Apple--have recently clarified their relationship with the company. "We stopped supporting Carrier IQ with iOS 5 in most of our products and will remove it completely in a future software update," according to a statement from Apple. In addition, it said that Apple collects all other diagnostic data only if users explicitly opt in, at which point the data is sent in anonymized and encrypted form.

Nokia has denied that its current handsets ship with Carrier IQ, and Verizon has also said that none of its handsets currently ship with Carrier IQ software installed. RIM, meanwhile, released this statement: "RIM does not pre-install the CarrierIQ app on BlackBerry smartphones or authorize its carrier partners to install the CarrierIQ app before sales or distribution."

In terms of current Carrier IQ customers, AT&T and Sprint both use its software on some of their handsets, though both say they use it only for diagnostic purposes. In addition, HTC and Samsung have confirmed that Carrier IQ runs on some of their handsets, and said that they added the software in response to carriers' requests.

About the Author(s)

Mathew J. Schwartz

Contributor

Mathew Schwartz served as the InformationWeek information security reporter from 2010 until mid-2014.
