Carrier IQ: A cop's best friend?

Is the FBI using Carrier IQ's data to track down bad guys? The Feds aren't allowed to say -- and that's pretty telling in itself. UPDATE: Carrier IQ responds.

Maybe that smart phone in your pocket is a little too smart.

Earlier this month during the big Carrier IQ kerfuffle I asked whether its diagnostic software, which can secretly record many things you do on your phone and transmit that data back to your telecom carrier, made your phone more vulnerable to hackers.

Today’s burning question: Does CIQ’s software make you more vulnerable to law enforcement? The answer appears to be yes.

Two weeks ago blogger Michael Morisy of MuckRock News submitted a Freedom of Information Act request to the FBI, asking if the Feds had accessed or analyzed any data collected by CIQ’s software.

The FBI’s response – or nonresponse, as it turns out – speaks volumes. The service declined to answer, citing the following exemption under US Code:

The material you requested is located in an investigative file which is exempt from disclosure pursuant to 5 U.S.C. Section 552(b)(7)(A)…[which exempts] “records or information compiled for law enforcement purposes, but only to the extent that the production of such law enforcement records or information… could reasonably be expected to interfere with enforcement proceedings…”

Well then. I take that answer as a “yes.” Not only is the CIQ data used by the FBI, it appears to be relevant to at least one case that’s underway right now. (Brad McCarty at The Next Web posits another possibility – that the Feds can’t turn over information because of the pending FTC and Senate investigations of Carrier IQ. But that would still imply the FBI has received data from the CIQ software.)

In any case, this does not exactly jibe with the arguments CIQ has been pushing – most recently and explicitly in conversations with John Paczkowski at AllThingsD – that its software captures only diagnostic information, not keystrokes or other content. In fact, Carrier IQ CEO Larry Lenhart says his company has been approached by law enforcement for use in tracking alleged criminals, and CIQ has rejected them:

Lenhart: We have been approached by law enforcement about using our technology, and every time it’s happened, we’ve determined that that’s not an appropriate use of it. A lot of data that we capture is historical, so if you really want to find out where somebody is and what they’re doing, our technology isn’t going to give you that. Remember, this is diagnostic data. And we don’t share it with anyone.

He adds, when pressed, that if CIQ were approached with a legal order, it would punt to the carriers, since it’s their data, not CIQ’s.

After bungling its initial response to the controversy – to the point of trying to silence Android security researcher Trevor Eckhart by threatening to sue him – CIQ has been much more forthcoming about what its software can and can’t do. Independent security researchers like Dan Rosenberg have confirmed CIQ’s statements, at least in terms of the phone he tested.

CIQ has published yet another explanation of what data its software could collect if asked, and how it got on those 140 million+ handsets. The 19-page document goes into painful detail about the metrics CIQ gathers; the bits the Feds would most likely be interested in would be the identities of others contacted by the target of its investigation, the target’s physical location, and the URLs of the Web sites he or she visited – all data that the wireless company would presumably already have access to without CIQ's help.

So… if CIQ software only captures diagnostic data, why would the Feds be using it? Have the G-men suddenly gone into the smartphone troubleshooting business? I think not. We’re still left with too many questions and not enough answers.

UPDATE: Got an email response from Carrier IQ spokesperson Mira Wood, who must be wanting her life back right about now. She writes:

Carrier IQ has never provided any data to the FBI. If approached by a law enforcement agency, we would refer them to the network operators because the diagnostic data collected belongs to them and not Carrier IQ. Carrier IQ's data is not designed to address the special needs of law enforcement. The diagnostic data that we capture is mostly historical and won't reveal where somebody is and what they are doing on a real-time basis.

She confirms that the wireless carriers have plenty of other tools at their disposal for tracking location of users and other data, and don't need CIQ's software for that.

Got a question about social media? TY4NS blogger Dan Tynan may have the answer (and if not, he’ll make something up). Visit his snarky, occasionally NSFW blog eSarcasm or follow him on Twitter: @tynan_on_tech.
