Shortly after our article about Carrier IQ went live, HP sent over a statement claiming that the company does not install Carrier IQ or authorize its partners to embed it on its webOS devices. Other companies also came forth with their statements, some denying use of the supposed spying rootkit and others openly admitting to its use.
So who is using Carrier IQ and who isn't?
Out of the twenty that have come forth and responded with a statement, only six actually admit to using the software: AT&T, HTC, Samsung, Sprint, T-Mobile USA and Motorola (who reportedly only does so if requested by the carrier). Companies who claim no part in Carrier IQ's shenanigans include Google, Microsoft, Nokia, RIM, Sony Ericsson, Verizon and more.
"T-Mobile utilizes the Carrier IQ diagnostic tool to troubleshoot device and network performance with the goal of enhancing network reliability and our customers' experience," T-Mobile USA stated. "T-Mobile does not use this diagnostic tool to obtain the content of text, email or voice messages, or the specific destinations of a customers' internet activity, nor is the tool used for marketing purposes."
"Some Samsung mobile phones do include Carrier IQ, but it's very important to note that it's up to the carrier to request that Samsung include that software on devices," Samsung said. "One other important point is that Samsung does not receive any consumer user information from the phones that are equipped with Carrier IQ."
Apple even pleaded guilty to some degree, stating that it stopped supporting Carrier IQ with iOS 5, and will remove it completely in future updates. "With any diagnostic data sent to Apple, customers must actively opt-in to share this information, and if they do, the data is sent in an anonymous and encrypted form and does not include any personal information," the company claims. "We never recorded keystrokes, messages or any other personal information for diagnostic data and have no plans to ever do so."
All major carriers in Canada said that they do not use Carrier IQ.
Carrier IQ's statement
On Thursday, Carrier IQ released a public statement explaining that carriers only use its software to diagnose operational problems on networks and mobile devices.
"While a few individuals have identified that there is a great deal of information available to the Carrier IQ software inside the handset, our software does not record, store or transmit the contents of SMS messages, email, photographs, audio or video," the company stated. "Carrier IQ acts as an agent for the Operators. Each implementation is different and the diagnostic information actually gathered is determined by our customers – the mobile Operators. Carrier IQ does not gather any other data from devices."
The company's public statement also quoted security expert Rebecca Bace of Infidel Inc., who said that allegations of keystroke collection or other surveillance of mobile device user’s content are erroneous. Her conclusion is based on her own hands-on work with the software, and joins a similar conclusion offered by security consultant Dan Rosenberg. He agrees with her assessment that there's no foul play involved with Carrier IQ.
In speaking with CNET, Rosenberg claims to have extracted Carrier IQ from his own Android smartphones and analyzed the assembly language code with a debugger. "The application does not record and transmit keystroke data back to carriers," Rosenberg told CNET. His investigation showed that "there is no code in Carrier IQ that actually records keystrokes for data collection purposes."
Despite Carrier IQ's claim of innocence, the company -- along with HTC and Samsung -- is now facing two class action lawsuits, just one day after the Senate began investigating the privacy scandal. All three are accused of violating the Federal Wiretap Act for allegedly gathering private information from consumer devices without obtaining prior consent. The class action lawsuits were filed in Chicago and St. Louis on behalf of all U.S. residents who had mobile phones containing the software. The penalty is $100 per day for each violation and for Carrier IQ, which claims to have its software on 140 million phones, the total sum could be devastating.
"Plaintiff, Erin Janek owns an HTC Android phone using the Sprint network," reads the lawsuit filed in St. Louis against HTC. "At all relevant times Plaintiff used her phone to electronically send over her cell phone network various types of private data. This data was not readily accessible to the general public. She did not know that Defendants were surreptitiously monitoring and collecting this data, nor did she give them permission to do so."
Meanwhile, Andrew Coward, Carrier IQ's VP of marketing, admitted to Business Insider in an interview that the software can take URLs the user visits on their phone and report that information to their carrier, but it's up to the carrier to decide whether or not it wants that information. The software can also see the apps on the device and determine how they perform, it can provide the user's location, and it can be added after market as an update from carriers or manufacturers.
Coward denies claims that the software retrieves personal information like keyboard strokes, text message content and so on. He also denies claims that the software controls data gathered on the device -- all that information supposedly goes straight to carriers or the device manufacturers, whichever party has a contract with Carrier IQ. He does admit, unsurprisingly, that wireless carriers are the company's biggest customers.
Meanwhile, over in Europe
The Carrier IQ situation has also caught the attention of wireless carriers and device manufacturers abroad. Bloomberg reports that regulators in France, Ireland, Italy and the UK are currently reviewing whether Carrier IQ is in use in their jurisdictions. Germany’s Bavarian State Authority for Data Protection has also reached out to Apple in a letter to determine the company's stance on the situation.
"We read in the press about the privacy concerns the software may pose and decided to ask Apple about the details," said Thomas Kranig, head of the Bavarian agency. "If Apple decided to cease the use, all the better."
Georg Albrecht, a spokesman for Apple in Germany, declined to comment on the Bavarian agency’s letter. But as previously reported, Apple halted use of Carrier IQ as of iOS 5, and intends to completely remove it from the code in future updates.
In an e-mail statement, the U.K. Information Commissioner’s Office said it "will be contacting mobile phone operators to establish if the Carrier IQ or similar software is on U.K. customers’ handsets and, if so, what steps are being taken to ensure there are no privacy implications." Francesco Pizzetti, the president of Italy’s Protection of Personal Data Guarantor, said an actual investigation is open to determine how the Carrier IQ software works, and if it's in use on Italian mobile phones.
As for Ireland, the local data-protection agency plans to contact handset operators to see if and how Carrier IQ is used in their territory. Elsa Trochet-Mace, a spokeswoman for French privacy regulator CNIL, claims that initial findings indicate that the software is not in use in France.
Letters to the U.S. Government
Back here in the States, local organization Consumer Watchdog is also up in arms, calling on the U.S. government to investigate the allegations surrounding Carrier IQ's software. On Friday, the consumer group sent letters to U.S. Attorney General Eric Holder and U.S. Federal Communications Commission Chairman Julius Genachowski. The group wants these two agencies to investigate Google, Apple and their partner mobile carriers.
"The device many of us carry in our pockets has, simply put, been turned into a virtual spy phone," John Simpson, Consumer Watchdog's Privacy Project director, told Computerworld in an email.
How to check if you have Carrier IQ
As previously reported, Android device owners can check to see if Carrier IQ resides on their rooted phone or tablet by downloading a non-Market application. But now another app has surfaced on Google's Android Market that doesn't require the device to be rooted. Called Voodoo Carrier IQ Detector, it alerts the user if the rootkit is present, but doesn't offer any means of removal. It's developed by Supercurio and requires Android 2.1 "Eclair" or greater to use.
According to the app, my Verizon-laced Sony Ericsson Xperia Play does not show signs of Carrier IQ software.