Carrier IQ says it found bugs, never intentionally captures keystrokes

Carrier IQ has released a report reiterating what its software does and doesn't do and acknowledging a few bugs have been found — and corrected.

The report comes as a response to a recent wave of critical attention following a video report from security researcher Trevor Eckhart. Eckhart found the company's software, which wireless network customers install on handsets to help them track their services' performance, was monitoring keystrokes, capturing text messages and obtaining device location data (CP: Analysis: Is Carrier IQ controversy the perfect storm to destroy operator trust?).

The report also thanks Eckhart, who has apparently since worked with the company, clueing them into his findings and enabling them to address some issues.

Most specifically, "The source of personal information in Android log files shown by Trevor Eckhart in his video is a result of debug settings remaining in production devices and should be classified as [a] vulnerability," states the report. "The IQ Agent software on the mobile device was not responsible for writing log messages containing personal information seen in the video."

The report also notes, in summary, that:

-- "An unintended bug in a diagnostic profile allowed collection of layer 3 radio messages in which SMS messages may have been embedded." The data, however, were not decoded or made "human readable" to the network, Carrier IQ or any customers. Upon discovering it, Carrier IQ and its carrier customers took steps to remedy it and customers' devices are no longer uploading such data.

-- Carrier IQ doesn't acquire or forward the content of multimedia messages, emails, photos, Web pages, audio or video.

-- "Carrier IQ has never intentionally captured or transmitted keystrokes and is not aware of any circumstances where this has occurred."

-- No carrier customers have ever asked Carrier IQ to capture keystrokes, and users can enter a "specific numeric key code" to stop an IQ Agent software upload.

-- Carrier IQ's wireless carrier customers determine the metrics they'd like to gather and Carrier IQ writes each one a specific profile for its devices.

Regarding the profiles, the report shares: "What is actually gathered by a network operator is based on their business requirements and the agreements they form with their consumers on data collection," suggesting details about such data collection exist in customer contracts.

Uses for the collected metrics also include improving customer service calls, says the report. The software can not only automatically pass the device's serial number and subscriber serial number to the network operator, but make it possible for service reps to diagnose a recently downloaded application as the source of battery drain, for example, or to clarify that a customer loses service between two particular highway exits because reception is low there, and the carrier is working to upgrade its towers.

The photo above, for example, shows how a technician can "drill down from a map view" to understand the where and when of a service issue and offer a fix.

The report is likely also offered in response to calls from politicians for more information about the software. Most recently, U.S. Representative Edward Markey asked that the Federal Trade Commission investigate the company and its practices. Americans, he added should be protected from "unfair or deceptive acts or practices." (CP: FTC asked to investigate Carrier IQ practices)

Carrier IQ and several carrier customers have insisted that the software is used solely for the purpose of improving wireless networks and customers' experiences on them.