It's been a tumultuous few weeks for Carrier IQ, the Mountain View, Calif.-based startup at the center of an Internet-wide privacy flap over what its software, which carriers place on mobile phones, actually does.
By now it seems abundantly clear that, contrary to earlier reports, Carrier IQ is not actually a "rootkit keylogger."
But the company has not yet published technical details on how its software works--it says more will be forthcoming soon--so CNET readers and others have continued to raise questions. In addition, carriers can configure Carrier IQ to record and transmit the URLs of Web pages visited, a separate privacy concern from keylogging.
Below are some verbatim statements from Carrier IQ, security researchers, and other parties that might provide some answers. Also see CNET's FAQ and related articles, including an analysis of the privacy concerns.
Andrew Coward, vice president of marketing, Carrier IQ
[On a CNN.com article quoting him saying he was "surprised" by
data logging] "I think my comments were misconstrued. I said that
there is an Android system debug log in the phone (not related to
CIQ) which generates log messages of what is happening in the device
and it was this information that the security consultants were able
to view. FYI this debug log viewer is called logcat."
[On being quoted in a Wired.com article as saying "probably yes"
when asked whether Carrier IQ's software could read text messages:
That was a misquote. It was in reference to the phone number
associated with the SMS message, not the contents of the message.]
[On what carriers see] "They're not going to see the contents. They're
not going to see what you type. They're not going to see the contents
of your SMS messages. They're not going to see what's on your screen."
[On being able to record running apps, visited URLs] "That relates really
to understanding what applications are on the device and application usage.
If you're having problems with the applications, we'll see all of that. Next to
that in terms of sensitivity would be understanding what URLs your device
is going to. We see that information too. Whether a service provider
actually uses that information (is up to them)."
[On remotely changing phone settings] "That profile obviously gets
changed dynamically. What they do and can do is step up
activity. Let's say they see a lot of dropped calls in one area. They
might say, 'I need to turn on another 10,000 phones... to step up the
amount of information that's coming in.'"
[On deciding not to reveal technical specifications] "We have
competitors, potentially, and there's a great hacking community out
there as we've discovered. Source code published for everybody to see
probably isn't the best outcome for us."
[On encrypting customer data] "When the information is transmitted,
it's encrypted. I don't want to talk about what we do with the data on
the device."
[On real-time data collection] "If the consumer dials a special short
code (during a support call), the device will upload the latest
diagnostic information."
[On being theoretically able to record all keystrokes because the
software is running with root access] "We know our (software) doesn't
do that. We strongly stand by that and hope to have proof as soon as
possible."
Becky Bace, security specialist given access to Carrier IQ's systems
[On what Carrier IQ does] "Though I've not had time to do a deep dive
into code, I've reviewed the system design (with focus on the
monitoring pieces in particular) and asked some pretty damned hard
questions of the tech principals about the particulars regarding the
monitoring/data capture and forward mechanisms - I'm comfortable that
the designers and implementers expended a great deal of discipline in
focusing on the espoused goals of the software (i.e. to serve as a
diagnostic aid for assuring quality of service/experience for mobile
carriers.)..."
[On financial ties] "I've no financial relationship with the firm -- it
falls outside the information security and risk management functions
that have defined my investment activities of the past. I have known
the CEO of the firm for awhile (our paths originally crossed when he
was a CEO of one of the firms in which Trident invested a decade ago)
but again, there has been no financial relationship between us and
when he called me for advice, the situation honked me off badly enough
that I volunteered to help."
Dan Rosenberg, security researcher, Linux kernel hacker
"Based on my own research on CarrierIQ, the application does not record
and transmit keystroke data back to carriers. The video depicts
keystroke events being recorded to a temporary buffer that is not
written to disk or sent back to carriers. These keystrokes are
inspected in order to check for special sequences used for technical
support, and have nothing to do with the information that's being
gathered by the application."
"In terms of how I conducted my research, I copied the application off
of several Android devices that use it, and analyzed the assembly code
using a disassembler to determine how it works under the hood..."
[On releasing the results of his work] "Redistributing the
reverse-engineered internals of commercial software for purposes other
than interoperability would most likely be a DMCA violation. Plus,
it's not especially interesting for the purposes of this discussion,
since the most important thing isn't the code that's there but the
code that isn't there (namely, there's no code that records
keystrokes)."
Jon Oberheide, co-founder of Duo Security, exploit creator, code auditor
"I definitely wouldn't use the term keylogger to refer to Carrier IQ. It
processes some input events (hardware buttons, etc), but it doesn't
meet the functionality and intent of a keylogger...
"I agree with Carrier IQ's statement that it's really the carrier's
policy on collecting URLs and other data. There's certainly privacy
concerns and sensitive data that could be leaked through the
URLs. Carrier IQ seems to be receiving the blame in this scenario,
while it's really the carriers that should be answering the questions
and claims here (which they've started to)...
"Most malware will just root your phone and have full access to all
your activity regardless. Funny how people freak out about
Carrier IQ, when malware can do the same thing but easier, more
stealthily, and with obviously malicious intent."
Sprint's statement
"Carrier IQ provides information that allows Sprint, and other carriers
that use it, to analyze our network performance and identify where we
should be improving service. We also use the data to understand device
performance so we can figure out when issues are occurring. We collect
enough information to understand the customer experience with devices
on our network and how to address any connection problems, but we do
not and cannot look at the contents of messages, photos, videos, etc.,
using this tool. The information collected is not sold and we don't
provide a direct feed of this data to anyone outside of Sprint."
Apple's statement
"We stopped supporting CarrierIQ with iOS 5 in most of our products and
will remove it completely in a future software update. With any
diagnostic data sent to Apple, customers must actively opt-in to share
this information, and if they do, the data is sent in an anonymous and
encrypted form and does not include any personal information. We never
recorded keystrokes, messages or any other personal information for
diagnostic data and have no plans to ever do so."
CNET's Elinor Mills contributed to this report