Carrier IQ Speaks! And of Course It Denies All Wrongdoing

It hasn't been a good week for Carrier IQ. First a damning video surfaces that apparently illustrates the extent of the information the program collects, then everything goes to shit. Now the company is facing a Senate investigation for potentially millions of violations of privacy laws. And this is the response?


The company released its official statement on the matter late Thursday afternoon. You can find the full text of it here.

There isn't anything particularly surprising in the statement itself. The company flatly denies any unethical or illegal action without actually explaining what the software does:

While a few individuals have identified that there is a great deal of information available to the Carrier IQ software inside the handset, our software does not record, store or transmit the contents of SMS messages, email, photographs, audio or video. For example, we understand whether an SMS was sent accurately, but do not record or transmit the content of the SMS. We know which applications are draining your battery, but do not capture the screen.

Essentially CIQ argues that while keystrokes, messages, phone numbers, and websites did pass through the software, they were not recorded. Quite the contrary, in fact: CIQ paints itself as an advocate of the consumer, "explaining what works and what does not work...Our software allows Operators to figure out why problems are occurring, why calls are dropped, and how to extend the life of the battery." I'm not exactly sure how peering into my SMS messages helps extend my battery life, but let's just keep moving.

CIQ also brought in Rebecca Bace, a respected security expert from Infidel Inc., for its PR defense. She too asserts that, "having examined the Carrier IQ implementation it is my opinion that allegations of keystroke collection or other surveillance of mobile device user's content are erroneous." Overall, the company's statement doesn't really shed any light on the controversy; we may just have to wait until Senator Franken gets hold of them for answers. [Business Wire]


So... they actually could be right, here. Sorry to play Devil's Advocate, but bear with me, here...

The video from the other day just showed what Android was passing to CIQ. It doesn't show what CIQ did with it. As a developer, I can write a method/function that takes in data, and not do anything with it.

The video does not show what CIQ does with the data after it gets it. It doesn't show where CIQ is writing it to memory, and it doesn't show CIQ transmitting it anywhere. All we know from the video is that CIQ got Android to call some of its methods/functions when certain system events happened (I'm more of a Windows/web developer, but it seems similar to the concept of an "event", registering a handler. I'm guessing Java/Android has something similar). This is a *very* important fact to get right, here: the video *only* shows Android passing potentially sensitive data *into* CIQ.

Granted, it's fishy that they would hook into what seems like pretty much everything. But I've seen nothing to convince me that CIQ's claims that they don't store or transmit full text messages, for example, are false. For all I know, the only way that CIQ could get notified about a text message being received successfully at all (which, if I recall, is one of the performance stats they claimed to track) was to have Android pass it all of the details of the message due to the nature of the Android API.

Show me a Wireshark or other packet capture from a wifi router showing me CIQ *retransmitting* this information from the phone, and *then* I'll be pissed. Until then, I'm going to believe that it's just storing aggregate data from the events raised, since nobody else has shown me otherwise.
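The commenter's distinction, that a handler being passed sensitive data is not the same as it storing or transmitting that data, is the crux of the dispute, so here is an added illustration of it. This is example code written for this page, not Carrier IQ's software and not anything the commenter posted; it is in Python rather than the Android Java the comment mentions, and the event fields, handler names and sample messages are constructed assumptions. It shows two handlers that receive the identical full SMS event, one that persists the content and one that keeps only delivery counters, together with the audit a reviewer would actually run: inspect what reaches the persistence or transmission layer, not what enters the function.

```python
"""Added example: receiving an event versus retaining its content, plus an
audit of what the telemetry layer would persist or send. Not Carrier IQ's
code; all names and data below are constructed for illustration."""
from dataclasses import dataclass, field
import json


@dataclass(frozen=True)
class SmsEvent:
    """Stand-in for what a platform hands to a registered event handler.
    Field names are assumptions, not the Android or CIQ API."""
    sender: str
    body: str
    delivered: bool


@dataclass
class TelemetrySink:
    """Everything a handler decides to keep lands here. For the
    'does it store or transmit?' question this is the only thing that matters."""
    records: list = field(default_factory=list)

    def serialize(self) -> str:
        # What would be written to storage or put on the wire.
        return json.dumps(self.records)


def content_logging_handler(event: SmsEvent, sink: TelemetrySink) -> None:
    """The behaviour critics feared: the full message is persisted."""
    sink.records.append(
        {"from": event.sender, "body": event.body, "ok": event.delivered}
    )


def aggregate_only_handler(event: SmsEvent, sink: TelemetrySink) -> None:
    """Data-minimised handler: the same complete event arrives, but only a
    delivery counter survives. Nothing from body or sender is retained."""
    if not sink.records:
        sink.records.append({"sms_delivered": 0, "sms_failed": 0})
    counters = sink.records[0]
    counters["sms_delivered" if event.delivered else "sms_failed"] += 1


def leaked_content(events, sink: TelemetrySink) -> list:
    """Audit: does any message body or sender number appear in what the sink
    would persist or transmit? Returns the offending values (empty = clean)."""
    blob = sink.serialize()
    return [v for e in events for v in (e.body, e.sender) if v and v in blob]


def run(handler, events) -> TelemetrySink:
    """Feed every event through the handler and return the resulting sink."""
    sink = TelemetrySink()
    for event in events:
        handler(event, sink)
    return sink


# Constructed sample input; numbers and texts are made up.
SAMPLE_EVENTS = [
    SmsEvent("+15550100", "meet at 6", True),
    SmsEvent("+15550199", "call me back", False),
    SmsEvent("+15550100", "ok", True),
]

if __name__ == "__main__":
    for handler in (content_logging_handler, aggregate_only_handler):
        sink = run(handler, SAMPLE_EVENTS)
        print(handler.__name__, sink.serialize(),
              "leaks:", leaked_content(SAMPLE_EVENTS, sink))
```

Both handlers are called with the same arguments, which is all a trace of platform-to-library calls can show; only the sink's output distinguishes them. Note the limit of this kind of audit: it covers one serialization path, so a real review also has to watch the file system and the network egress the commenter asks for, since content could leave by a path the sink never sees.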