Thursday, December 01, 2011

Carrier IQ: More privacy alarms, more confusion

Controversy over a mobile data-logger called Carrier IQ escalated today, with a U.S. senator raising an alarm and Apple and Verizon distancing themselves, even though it's still unclear how the software works.
An Android developer, Trevor Eckhart, reported last month that Carrier IQ software phoned home with details about how the phone was being used and where it was. Earlier this week, Eckhart posted a video elaborating on his claims, which was followed by another report that the software has been found on iPhones.
Apple responded today by saying it hasn't used Carrier IQ since it released iOS 5 last month and will remove it entirely from its products "in a future software update," the company said in a statement reported by GigaOm:

We stopped supporting Carrier IQ with iOS 5 in most of our products and will remove it completely in a future software update. With any diagnostic data sent to Apple, customers must actively opt-in to share this information, and if they do, the data is sent in an anonymous and encrypted form and does not include any personal information. We never recorded keystrokes, messages or any other personal information for diagnostic data and have no plans to ever do so.
BlackBerry maker Research in Motion also said it has neither pre-installed Carrier IQ on its devices nor authorized carriers to do so, according to a statement it provided to All Things D.
Smartphone manufacturer HTC went further, saying that Carrier IQ is "required on devices by a number of U.S. carriers," and directed users to the carriers themselves. Verizon spokesman Jeffrey Nelson said on Twitter today that "Carrier IQ is *not* on" the company's phones.
For its part, Sprint circulated a statement denying that it uses Carrier IQ to look at the "contents" of communications, an important legal point, but didn't provide specifics of how the software is configured:

Carrier IQ provides information that allows Sprint, and other carriers that use it, to analyze our network performance and identify where we should be improving service. We also use the data to understand device performance so we can figure out when issues are occurring. We collect enough information to understand the customer experience with devices on our network and how to address any connection problems, but we do not and cannot look at the contents of messages, photos, videos, etc., using this tool. The information collected is not sold and we don't provide a direct feed of this data to anyone outside of Sprint.
Al Franken, who heads a U.S. Senate panel on privacy, sent a letter (PDF) today to Carrier IQ asking pointed questions, including what data are logged, what data are transmitted, and whether the company believes its software complies with federal privacy laws that prohibit wiretapping. Franken, a Minnesota Democrat, asked for a response by December 14.
Carrier IQ, based in Mountain View, Calif., has not responded to a series of questions that CNET posed this week. A spokeswoman said today that she is "only one person and have been unable to respond to the thousands of incoming requests."
What remains unclear is exactly what is transmitted, a key point that will determine whether Carrier IQ is a privacy and security threat (and, secondarily, if anyone has been lying).
Security researcher Dan Rosenberg posted a note saying that he's reverse-engineered Carrier IQ and found "no evidence that they are collecting anything more than what they've publicly claimed: anonymized metrics data." There's "no code in CarrierIQ that actually records keystrokes for data collection purposes," he said.
If Rosenberg is correct, it wouldn't be the first time that there was a widespread Internet panic over false or unverified accusations. It happened earlier this year when Samsung was cleared of false allegations lodged by a security specialist in a now-deleted NetworkWorld article that claimed keylogging software was installed on two of the company's laptops.
