The FBI has denied a request for information on how the nation's topmost law
enforcement agency is using Carrier IQ's mobile diagnostic and monitoring
software.

Michael Morisy of MuckRock News filed on Dec. 1 a Freedom of Information Act (FOIA)
request for "manuals, documents or other written guidance used to access
or analyze data gathered by programs developed or deployed by Carrier IQ."
The FBI denied the request on Dec. 7, claiming that complying with the request
may "interfere" with "pending or prospective enforcement
proceedings."

David Hardy, the section manager of the FBI's Records Management Group, said the FBI
has in its possession "responsive documents" pertaining to Carrier IQ
but will not release the documents as requested, according to a copy of the
letter posted along with the FOIA request on MuckRock.com.

"I have determined that the records responsive to your request are law enforcement
records; that there is a pending or prospective law enforcement proceeding
relevant to these responsive records," Hardy wrote.

Morisy said it is not clear whether the FBI is using Carrier IQ in its own
investigations, whether it is currently investigating the company or a
combination of both. However, Jeff Cormier, an attorney with
The Next Web, said there is no indication of an ongoing investigation,
since the letter mentioned only "pending or prospective" proceedings.

The denial was most likely because Sen. Al Franken, D-Minn., and other
congressional lawmakers are asking for the
Federal Trade Commission to investigate, according to Cormier. "That
is the likely reason why information is being withheld. It's completely
inaccurate to state there is an 'ongoing investigation,'" Cormier said.

Franken has also asked wireless companies and hardware makers to hand over information
related to how they're using Carrier IQ data in their products or services by
Dec. 14.

Carrier IQ also released a new document on Dec. 12 that details how carriers deploy the
tool, called IQ Agent, how it works on installed devices and what kind of data
it is capable of collecting. The company separately denied ever handing over
any data to the FBI.

"Carrier IQ has never provided any data to the FBI. If approached by a law enforcement
agency, we would refer them to the network operators because the diagnostic
data collected belongs to them and not Carrier IQ," the company said.

The company also admitted that IQ Agent has a bug that could cause the application
to collect the contents of SMS messages. Under some limited circumstances, such
as when the user receives an SMS during a call or during a data session, the
software will be able to log the contents of SMS messages sent to the user, but
the contents would be encrypted and not be human readable, according to Carrier
IQ. The only way to access the information is by using special software, and
carriers don't have access to the software or the messages, the document said.
Carrier IQ has since fixed the bug.

"Over the course of the past week, as Carrier IQ conducted extensive reviews with the
Network Operators, Carrier IQ has discovered an unintended bug in a diagnostic
profile to measure radio-network-to-mobile device signaling," the company
wrote in the document.

Security researchers who have reverse-engineered IQ Agent on various Android devices
have found that the software does not, in fact, have the ability to record text
messages, emails or the contents of Web pages visited by users. The application
can log which URLs a user visits, but not the contents of those pages. It also
can't see or record the contents of emails or other messages, researchers said.

The data that system administrator Trevor Eckhart flagged as being collected by
Carrier IQ was actually debugging data that was being written to Android log
files, Carrier IQ said. The software does not use those logs to collect data or
transmit it to carriers. The debug messages were from a preproduction handset manufacturer,
and the manufacturer had forgotten to turn off the software's debug
capabilities, the company said.

Carrier IQ said it is working with handset manufacturers to get them to turn off debug
messages with personal data "to prevent them from being written into log
files."