Carrier IQ, the controversial software company suspected of spying on over 150 million smartphone users, is opening its kimono and admitting to some mistakes. However, it's also pushing back hard against the most aggressive allegations of privacy violations, including but not limited to a recent speculation that the company has been supplying the Federal Bureau of Investigation with confidential user data. In a 19-page-document riddled with bullet-points and book-ended by charts, the company provides it's most comprehensive apparently honest explanation of exactly what Carrier IQ software collects, stores and sends to mobile carriers. In a corresponding Q&A with AllThingsD's John Paczkowski, two of the company's top executives trudged through the alleged privacy violations -- they blamed the carriers for the worst ones -- and sounded hurt by the scrutiny. "Our world has been turned upside down," Carrier IQ's chief executive Larry Lenhart said. "We love what we do, and we have a lot of passion for it. And to see it misunderstood like this has been painful."
Let's start with the good news.
Carrier IQ is not an F.B.I. operative. Carrier IQ is denying haven given data to the F.B.I. after a report from the government transparency site MuckRock about the agency's potential involvement drummed up a decent amount of anxiety this week. Long story short, the Feds denied a Freedom of Information Act (FOIA) request for information about Carrier IQ. The F.B.I. denied the request with a letter explaining that the "material … requested is located in an investigative file which is exempt from disclosure." The letter points to a section of the United States Code that exempts the Bureau from disclosing information that might be "used for law enforcement purposes." This led the somewhat misleading headline: "FBI: Carrier IQ files used for 'law enforcement purposes'" Not so, the company says. "We have never provided any data to the FBI. If approached by a law enforcement agency, we would refer them to the network operators because the diagnostic data collected belongs to them and not Carrier IQ," a company spokesperson told The Atlantic Wire in an email.
Carrier IQ collects data but mobile carriers use it. A number of the specific denials Carrier IQ makes in its explainer were already mounted about a week ago, when the controversy was really infuriating privacy advocates. Coward explained to The Atlantic Wire that his company does gather a lot of data but doesn't actually log keystrokes, as was alleged in the YouTube video by Trevor Eckart that blew the lid off the scandal at the end of November. Carrier IQ apparently consulted with Eckhart for the new document and explains in depth what the code that showed up in Eckhart's video does:
We cannot comment on all handset manufacturer implementations of Android. Our investigation of Trevor Eckhart's video indicates that location, key presses, SMS and other information appears in log files as a result of debug messages from pre-production handset manufacturer software. Specifically it appears that the handset manufacturer software's debug capabilities remained "switched on" in devices sold to consumers.
In other words, if you're being spied on, it's Carrier IQ's customers, the mobile carriers, who doing the spying. If anybody is storing your data and potentially sharing it with law enforcement agencies, it's them, Carrier IQ says. The report does add, "Carrier IQ is not a keylogger and no customer has asked Carrier IQ to capture key strokes."
Now for the bad news.
Carrier IQ did accidentally collect a bunch of text messages. Thanks to the scrutiny, Carrier IQ realized that it was collecting some data that included "collection of layer 3 radio messages in which SMS messages may have been embedded." This contradicts what Coward told us recently. The exact quote: "We would not record or transmit the contents of that SMS." The report details how a bug caused the collection of text message data and a spokesperson told us that "a fix is in place." Carrier IQ also claims that the text messages "were not decoded or made available in human readable form to Carrier IQ, its customers or any third party." While we appreciate the transparency, privacy champions will find it a little unsettling to hear Carrier IQ admit to collecting private data -- even if it was happening accidentally.
This certainly isn't the last we'll hear from Carrier IQ. The company's executives are set to meet with Senator Al Franken this week, to review the document (embedded in full below) and answer more questions. Meanwhile, Congressman Edward Markey has called for a Federal Trade Commission (FTC) probe into the matter, and an investigation is already getting started in Europe over the company's data collection practice. Again, it does sound like Carrier IQ's executives are pretty sorry for all of the confusion and controversy. Still no word from the mobile carriers, but it looks like they'll have their day in court, too.