
Feds scrutinizing Carrier IQ

Report says the FTC is investigating Carrier IQ, but company executive says he doesn't know of a formal probe.

Elinor Mills Former Staff Writer
Elinor Mills covers Internet security and privacy. She joined CNET News in 2005 after working as a foreign correspondent for Reuters in Portugal and writing for The Industry Standard, the IDG News Service and the Associated Press.

The U.S. Federal Trade Commission is investigating allegations that Carrier IQ software is being used by operators to track cell phone activity without user permission, The Washington Post reported today citing anonymous officials.

Andrew Coward, vice president of marketing at Carrier IQ, told CNET he could not say whether there was an official investigation or not but said he spent Monday and Tuesday in Washington, D.C., talking to officials from the FTC and the Federal Communications Commission and answering their questions.

"Investigation is probably too strong a word," he said. "We sought the meetings with the FCC and FTC in the interest of transparency and full disclosure, and to answer their questions."

FTC spokeswoman Claudia Bourne Farrell said: "FTC investigations are non-public with a narrow exception that would not be met in this case. I can neither confirm nor deny that the FTC is investigating Carrier IQ."

The company has come under fire for its Carrier IQ software that some carriers -- including AT&T, Sprint and T-Mobile -- use to gather data from phones that can be used to diagnose problems with the network. Android developer Trevor Eckhart first complained in mid-November, calling Carrier IQ a "rootkit" that tracked the location of the phone, what keys were pressed, which Web pages were visited, when calls were placed, and other information. But a video he posted to the Web after that really stoked the fire. Carrier IQ says the video is confusing, showing information from the phone via an Android log file and that not all that information is logged by Carrier IQ and transmitted off the phone.

Carrier IQ says the software is designed to help carriers troubleshoot network failures and other problems, such as when calls drop or batteries get quickly depleted, and not designed to capture keystrokes or the content of messages. Outside experts say it's not a "keylogger." The company released more details in a report on Monday.

But the information hasn't silenced critics who complain that the data is gathered without the knowledge or permission of phone users. Sen. Al Franken has asked the company to answer questions about the privacy implications of its technology and Rep. Edward Markey has called for an FTC investigation into Carrier IQ. There also have been at least four lawsuits filed over the matter naming Carrier IQ and various carriers.

Meanwhile, Carrier IQ has not received any requests from law enforcement for the data, Coward said when asked about a report from government watchdog site MuckRock that the FBI had denied a request it submitted under the Freedom of Information Act (FOIA) for manuals, documents, and other information used to access or analyze data gathered or deployed by Carrier IQ. The FBI denied the request, saying that the documents are relevant to a "pending or prospective law enforcement proceeding," but it's unclear if the agency is investigating the company or using the data from Carrier IQ itself in investigations.

"We have not received requests from the FBI or any other agency to examine any data that has been gathered," Coward said. "It's possible it is being used, but we have no knowledge of that." Such requests would likely go directly to the carriers who receive the data and are at liberty to use it at will, he added.

FBI Director Robert Mueller said in a Senate Judiciary Committee hearing that his agency had never asked Carrier IQ for any information as part of its investigations, but conceded that the FBI may have received customer data from wireless carriers that may have been gathered via Carrier IQ.

The Electronic Frontier Foundation released a technical report on Carrier IQ this week that concluded that "keystrokes, text message content and other very sensitive information is in fact being transmitted from some phones on which Carrier IQ is installed to third parties." This is most likely inadvertent and "happens when crash reporting tools collect copies of the system logs for debugging purposes," Peter Eckersley, technology projects director for the EFF, wrote in the report.

Another security researcher, Ashkan Soltani, analyzed Carrier IQ and said he found problems with the HTC/Sprint implementation of the software.

"By pre-loading misconfigured 'carrier analytics' software on their devices, Sprint/HTC has inadvertently exposed nearly 1.5M customers to privacy risks, however minor. Standard audit procedures should typically capture misconfigured debugger settings or data leakage, an issue that has been pretty well documented in the app developer community," he wrote on his blog. "Finally, the collection and storage of full HTTPS URLs and SMS content on the device may be problematic for device owners wishing to protect sensitive information on their device. Seizure or unauthorized access to the device may lead to inadvertent disclosure of past messages or secure browsing activity since it is recorded in multiple locations without users' knowledge or ability to delete."

Additionally, the use of dynamically configurable analytics software such as CarrierIQ itself poses some questions into what information should legitimately be collected by carriers. For example, while your carrier has access to location (via cell towers) and non-HTTPS browsing history on account of providing you wireless service, they typically do not receive this information when you're using your home WiFi. Furthermore, in no case would they normally get access to secure HTTPS browsing activity and precise GPS location.

"Our software does not communicate with Android and does not transmit any files up to Google or anybody else," Coward said today. "Our implementation, the only thing we are sending out is metrics ... if other information is going out of the device to Google or anyone else it has nothing to do with Carrier IQ."

"There should not be personal information written into the Android log files. Applications can get ahold of them, on the one hand, which is not good," he continued. "We've implemented a new procedure as we qualify our software on devices (and) we check that... We saw the Android log file may be receiving messages from our software but ... also from other applications too. So it's a generic issue here with regard to Android log files that the industry needs to address and we point that out in the report."

Separately, researchers at Dell SecureWorks analyzed the Samsung implementation of Carrier IQ on the Galaxy Tablet 7 and cleared up some confusion over initial reports about Verizon using Carrier IQ despite Verizon emphatically denying that. SecureWorks found that Samsung pre-installed the software on the devices and it does not appear to be operational.

"We were able to confirm with Verizon Wireless's product team that the software was included as a standard software package from the manufacturer who supports similar devices for other wireless providers," SecureWorks wrote in a blog post today. "Furthermore, while working with Verizon, they stated that the software was never intended for use on the Verizon network and, as we discovered, is not functional."

"Carrier IQ is greatly misunderstood regarding both software capabilities and device deployment," the post said. "We encourage decision makers to verify reports, and be aware that privacy or security sensitive situations may warrant additional, independent platform review."

Updated 5:10 p.m. PT with Dell SecureWorks comment on Verizon and 4:32 p.m. PT with comment from Ashkan Soltani and 1:08 p.m. PT with no comment from FTC and more details and background.

Updated December 15 at 11:20 a.m. PT with FBI director saying the agency never asked Carrier IQ for customer data but may have gotten it from carriers.