Developer Trevor Eckhart's YouTube video exposed how detailed smartphone data was being logged by Carrier IQ's app.
NEW YORK (CNNMoney) -- As the privacy fiasco that erupted around Carrier IQ continues smoldering, the finger pointing has intensified over the controversial software that sends data from individuals' phones back to their carriers.
This week, Carrier IQ concluded an internal investigation and released a report on its findings. The company's analysis confirmed that its software does not, by itself, record users' keystrokes. Instead, the report affirmed the Carrier IQ's prior suspicions that the recording is being triggered on the handset manufacturers' end.
Carrier IQ's investigation was a response to developer Trevor Eckhart's 17-minute YouTube video, which showed how the software secretly runs on his HTC EVO 3D Android phone and logs every key press, every text, and the full URL of every website he visits. It recorded that data even from websites that use security encryption designed to prevent that kind of tracking.
Carrier IQ's report said that what the Eckhart video displays is actually the result of separate tools put in place by the handset manufacturer.
The data recording was being done in what's known as a debug log. The log is intended to help software developers understand what happened if something goes wrong with an application. It stashes information in the phone's memory, which it remains stored until the device is powered down.
"It appears that the handset manufacturer software's debug capabilities remained 'switched on' in devices sold to consumers," Carrier IQ said in its analysis.
That debugger is supposed to be turned off unless a developer turns it on. It's also highly unusual -- and potentially insecure -- for an application to store so much data to the debug logger. A stolen phone that hasn't been turned off could be a gold mine for hackers, who would have access to literally everything a user has done or said on the device since it was last powered down.
Though Carrier IQ is installed on more than 150 million phones worldwide, the debug logging problem appears to only exist on HTC and Samsung smartphones. Those two manufacturers add a layer of their own software on top of the stock Google Android operating system, according to Dan Rosenberg, a consultant at Virtual Security Research who has extensively studied Carrier IQ's software.
HTC did not respond to multiple requests for comment. A Samsung spokesman confirmed to CNNMoney that Samsung was storing data in its phones' logs, but declined to say why the manufacturer had turned on that functionality or whether it is working on a fix for the problem.
Still, Carrier IQ isn't completely off the hook.
As part of its internal investigation, the company discovered that it had been accidentally sending users' text messages to carriers.
The problem was the result of a bug, which Carrier IQ says it has told the carriers how to fix. The texts were also encoded, so they weren't "human readable," the company claims.
The potential privacy breach caught the attention of the government regulators, who have launched a probe into the issue, according to The Washington Post. Senator Al Franken, D-Minn., has been asking pointed questions, and Rep Edward Markey, D-Mass., has asked the Federal Trade Commission to investigate the practices of Carrier IQ.
Company spokeswoman Mira Woods said she was "not aware of an official investigation into Carrier IQ at this time."
In an attempt to get ahead of the probes, Carrier IQ this week sought meetings with the FTC and Federal Communications Commission to answer questions and present its side of the argument.
An under-the-radar company until recently, Carrier IQ is a small firm whose software is designed to help carriers run diagnostics on their phones and network. Its tools are intended to monitor boring, basic phone functions, like signal outages, battery life and website load times.
But there's a whole lot lurking under the hood of our smartphones. Carrier IQ's sudden thrust into the national spotlight illustrates that even those who build, sell and service our phones may not know everything that's hiding inside Pandora's box.