Carrier IQ: 'We're as surprised as you'

@CNNMoneyTech December 2, 2011: 3:39 PM ET
Developer Travis Eckhart's YouTube video exposed Carrier IQ's detailed smartphone data logging capabilities.

Developer Travis Eckhart's YouTube video exposed Carrier IQ's detailed smartphone data logging capabilities.

NEW YORK (CNNMoney) -- The company behind the now-notorious Carrier IQ software that has been found to log every keystroke pressed, website visited and text message sent by 150 million mobile phone users said Friday it was shocked to learn that its software was doing that.

"We're as surprised as anybody to see all that information flowing," Andrew Coward, Carrier IQ's director of marketing, told CNNMoney in an interview. "It raises a lot of questions for the industry -- and not [only] for Carrier IQ."

The "flowing" information Coward was referring to was spotlighted Monday in a 17-minute YouTube video posted by Android developer Travis Eckhart. The video showed Carrier IQ recording everything Eckhart entered into his phone, storing the data in what's known as a debug log.

The purpose of a debug log is for software developers to see if anything is going wrong with an application. It stashes that information in the phone's memory, which it remains stored until the device is powered down.

It's unusual, however -- and bad, security experts say -- for an application to store so much data to the debug logger.

"It's not considered a good security practice to insert any sensitive information in a log like that," said Dan Rosenberg, a consultant at Virtual Security Research.

But what's not clear is whether it's entirely Carrier IQ's fault. Coward insisted that the Carrier IQ software was not responsible for the logging of keystrokes and other user data. He said the program does not need to log that kind of information to serve its purpose of transmitting network diagnostic data to the phone's carrier.

Instead, Coward said the logging was happening at the operating system level, likely as a result of add-on software installed by the handset manufacturers. But he couldn't say for sure.

"We don't know enough at this point -- it's a very good question," Coward said.

Security experts say Carrier IQ's preliminary explanation makes sense, and it's at least conceivable that the company was "surprised" to learn that its app was logging data. But Carrier IQ isn't blameless.

"If the company says it's surprised, that indicates the handset manufacturers inserted some debugging code that the manufacturers are turning on when they shouldn't be," Rosenberg said. "But that still means Carrier IQ has some debugging mode built into it that is capable of logging everything. I'm not sure who wrote code, but that was a poor decision."

The fact that Carrier IQ itself doesn't know what's going on with its own application shows just how murky, complicated and entangled the debacle has become. The result is a lot of finger pointing: Spokesmen from HTC and Samsung both told CNNMoney that carriers forced them to install the program.

The wireless providers that have acknowledged using Carrier IQ -- AT&T (T, Fortune 500), Sprint (S, Fortune 500) and T-Mobile -- are all deflecting questions about the software's detailed logging to Carrier IQ. Which, in turn, is pointing back to the manufacturers' implementations of its software and saying that's where the problem lies.

The manufacturers, most of whom are sticking to painstakingly worded statements, are still trying to sort out their role in this mess. A Samsung spokesman said the company was digging into the issue and would have a comment later.

HTC tossed the hot potato onward: "Carrier IQ is required on devices by a number of U.S carriers so if consumers or media have any questions about the practices relating to, or data collected by, Carrier IQ we'd advise them to contact their carrier," a company spokesman said in a prepared statement.

OK, but does the debug log problem stem from HTC's own implementation of the Carrier IQ software? Company representatives did not respond to specific questions on the issue.

How many manufacturers are affected? Researchers are still trying to sort it out. With an estimated 150 million devices running Carrier IQ, the working assumption is "most of them."

For example, Research in Motion (RIMM) issued a carefully phrased statement saying it "does not pre-install the Carrier IQ app on BlackBerry smartphones or authorize its carrier partners to install the Carrier IQ app before sales or distribution." It didn't categorically say the app isn't on its handsets, added on by someone further along in the distribution chain.

Even Apple (AAPL, Fortune 500), which fanatically controls all aspects of its devices' hardware and software, acknowledged installing the tool on its iPhones. Apple said it "stopped supporting Carrier IQ with iOS 5 in most of our products" and will remove it completely in a future software update.

Regardless of whoever is ultimately responsible, the app continues to raise privacy concerns. A stolen phone that hasn't been turned off -- a common occurrence among cell phone users -- could be a gold mine for hackers, who would have access to literally everything a user has done or said on the device since it was last powered down.

Because of that risk, Carrier IQ is trying to figure out what to do next.

"We need to look at the implementation of our app and what is stored in the log," said Carrier IQ's Coward. "We're sifting through a lot of information now." To top of page

Market indexes are shown in real time, except for the DJIA, which is delayed by two minutes. All times are ET. Disclaimer Morningstar: © 2014 Morningstar, Inc. All Rights Reserved. Disclaimer The Dow Jones IndexesSM are proprietary to and distributed by Dow Jones & Company, Inc. and have been licensed for use. All content of the Dow Jones IndexesSM © 2014 is proprietary to Dow Jones & Company, Inc. Chicago Mercantile Association. The market data is the property of Chicago Mercantile Exchange Inc. and its licensors. All rights reserved. FactSet Research Systems Inc. 2014. All rights reserved. Most stock quote data provided by BATS.