Reports of phones that do and don't have Carrier IQ software -- the program we've reported on that logs actions such as dropped calls and phone numbers dialed -- have been emerging since Trevor Eckhart first announced finding the program and demonstrated its logging capabilities.
Now, manufacturers are coming forward and fessing up to including the program on their phones, but are stating that it is for evaluating phone performance, not tracking personal messages or numbers dialed. This is the same sentiment Carrier IQ has issued about the program since Eckhart called it out.
Both wireless carriers AT&T and Sprint insisted that the software is being used solely to improve wireless network performance while phone makers HTC and Samsung said they were integrating the software into their handsets only because their carrier customers were asking for it.
T-Mobile said that it, too, uses Carrier IQ's software, which it described as a diagnostic tool to troubleshoot device and network performance. "T-Mobile does not use this diagnostic tool to obtain the content of text, email or voice messages, or the specific destinations of a customer's Internet activity, nor is the tool used for marketing purposes," the company said in an email statement.
Computerworld goes on to report that Mark Siegel, executive director of media relations at AT&T, neither confirmed nor denied whether the program was installed in all handsets. Here's what Sprint's spokesperson said about the company's use of the program:
"We collect enough information to understand the customer experience with devices on our network and how to address any connection problems, but we do not and cannot look at the contents of messages, photos, videos, etc., using this tool," she said via email [to Computerworld].
Verizon is among the Carrier IQ deniers, adding that it also doesn't use any similar program that would perform the same function as Carrier IQ, according to PC World. PC World goes on to state that RIM and Nokia have also claimed they don't use Carrier IQ, even though Eckhart said the program was found running on devices from both these manufacturers and Verizon. SlashGear reports Google, which makes Nexus phones, has joined the group of naysayers.
While it is becoming clearer which phones may or may not use the program, many are still wondering whether we should be worried. Sen. Al Franken (D-Minn.) sent a letter yesterday to Carrier IQ expressing his concerns and demanding answers. In the letter he said, "I understand the need to provide usage and diagnostic information to carriers. I also understand that carriers can modify Carrier IQ’s software. But it appears that Carrier IQ’s software captures a broad swath of extremely sensitive information from users that would appear to have nothing to do with diagnostics—including who they are calling, the contents of the texts they are receiving, the contents of their searches, and the websites they visit." He then goes on to list several questions and asks for a response by Dec. 14.
In the meantime, some security professionals, according to the LA Times' blog, have come out to say they disagree with Eckhart's findings:
"It's not true," said Dan Rosenberg, a senior consultant at Virtual Security Research, who said the video shows only diagnostic information and at no point provides evidence the data is stored or sent back to Carrier IQ.
"I've reverse engineered the software myself at a fairly good level of detail," Rosenberg said. "They're not recording keystroke information, they're using keystroke events as part of the application."
The difference is subtle but important. To perform commands, applications need to know which buttons a user has pushed: Your email app needs to know when you tap the reply button, and your phone app needs to know which numbers you press in order to dial. Applications therefore pay attention to which buttons a user is pressing.
But listening for a button press does not mean an application is therefore sending a record of those button presses back to the company, researchers said.
"It's just spitting debug messages to the internal Android log service," said Jon Oberheide, a co-founder of Duo Security. "It appears that Carrier IQ is indeed collecting some metrics, but I have not seen any evidence that keystrokes, SMS messages or Web browsing session content are being transferred off the device."
The Times reports the researchers as saying that the program appears to be working correctly and only recording performance metrics. The Times also points out that many manufacturers that have admitted to using the program have long been open with the fact that they collect information about user location and other data.