FBI Director Robert Mueller on Wednesday denied the bureau had ever sought information from the mobile-software company Carrier IQ, but said he could not rule out the possibility it obtained data collected by the controversial software through requests from wireless carriers.
At a hearing before the Senate Judiciary Committee, Mueller said the FBI had "neither sought nor obtained any information from Carrier IQ in any one of our investigations."
But when pressed by Sen. Al Franken (D-Minn.) about whether the FBI acquired information from wireless carriers that use Carrier IQ to collect customer data, Mueller said it was possible.
"I do not know in the information we seek from wireless carriers or what have you - and I'm not talking about Carrier IQ, I'm talking about wireless carriers - we may obtain information that in some way Carrier IQ may have been involved with," Mueller said.
Last month, security researcher Trevor Eckhart sparked controversy over the potential privacy risks of Carrier IQ by posting a video claiming the software logs every text message, Google search and phone number typed on a wide variety of smartphones and reports them to the mobile phone carrier. Carrier IQ is installed on about 150 million smartphones.
Mueller's comments came two days after Michael Morisy, a blogger for MuckRock News, posted an FBI response to his Freedom of Information Act request for "manuals, documents or other written guidance used to access or analyze data gathered by programs developed or deployed by Carrier IQ." The FBI's response suggested it had documents on the software, but that they were exempt from disclosure.
"What is still unclear is whether the FBI used Carrier IQ's software in its own investigations, whether it is currently investigating Carrier IQ, or whether it is some combination of both - not unlikely given the recent uproar over the practice coupled with the U.S. intelligence communities reliance on third-party vendors," Morisy wrote. "The response would seem to indicate at least the former, since the request was specifically for documents related directly to accessing and analyzing Carrier IQ data."
On Wednesday, Mueller told lawmakers there was "some confusion" over the meaning behind the FBI's FOIA response. In a statement to reporters on Tuesday, Carrier IQ denied having given data to the FBI.
"Carrier IQ has never provided any data to the FBI," the statement said. "If approached by a law enforcement agency, we would refer them to the network operators because the diagnostic data collected belongs to them and not Carrier IQ."
Mueller told lawmakers Wednesday that the FBI seeks customer data from wireless carriers through Title III of the Foreign Intelligence Surveillance Act.
This week, Carrier IQ CEO Larry Lenhart and VP of Marketing Andrew Coward met with members of Franken's staff. Franken sent a letter to the company asking for an explanation of what the software records, whether it transmits data to a third party, and whether the data presents any security or privacy risks. Franken has said the software's capabilities may violate federal laws.
In a 19-page statement released Monday, Carrier IQ acknowledged its software contained "an unintended bug" that "unintentionally" captured and transmitted encoded SMS messages to its carrier customers, including wireless companies -- Sprint, T-Mobile and AT&T. The company said the bug occurred only in "unique circumstances," like when a user receives a text message during a call, though the messages are "not human readable."
The company denied that its software captures or forwards to wireless carriers the content of multi-media messages (MMS), emails, photos, web pages, audio or video.
UPDATE: 3:56pm Carrier IQ officials met this week with federal regulators to discuss the company's software, according to a company spokeswoman. CEO Larry Lenhart and VP of Marketing Andrew Coward met with members of the Federal Trade Commission and Federal Communications Commission.
"We sought the meetings with FCC and FTC in the interest of transparency and full disclosure, and to answer their questions," Carrier IQ spokeswoman Mira Woods said.
To see which mobile carriers and manufacturers have claimed or denied affiliation with Carrier IQ, take a look at our slideshow (below), which includes statements from Apple, Google, Microsoft, Verizon, AT&T, HTC, Nokia, RIM and others.
According to GigaOM, Verizon Wireless spokesperson Jeffrey Nelson said in an email that the carrier is not a CIQ customer. "Any report that Verizon Wireless uses Carrier IQ is patently false," wrote Nelson. ComputerWorld received a similar statement, which reads thus: "Verizon Wireless does not add Carrier IQ to our phones, and the reports we have seen about Verizon using Carrier IQ are false."
Although CIQ can be found on Apple's iDevices running software as old as iOS 3.1.1 and as recent as iOS 5, the Cupertino giant said that it no longer collects CIQ data and that a future iOS update will wipe CIQ software from active devices. "We stopped supporting CarrierIQ with iOS 5 in most of our products and will remove it completely in a future software update," Apple said in a statement to AllThingsD. "With any diagnostic data sent to Apple, customers must actively opt-in to share this information, and if they do, the data is sent in an anonymous and encrypted form and does not include any personal information. We never recorded keystrokes, messages or any other personal information for diagnostic data and have no plans to ever do so."
Google has stated that it is not a CIQ customer and does not manage the installation of CIQ software onto Android devices. That, said Google according to The Verge, is the responsibility of the mobile operators. "Android is an open source effort and we do not control how carriers or OEMs customize their devices," said the Google rep, per The Verge
Sprint, a CIQ customer, provided the following statement to GigaOM: Carrier IQ provides information that allows Sprint, and other carriers that use it, to analyze our network performance and identify where we should be improving service. We also use the data to understand device performance so we can figure out when issues are occurring. We collect enough information to understand the customer experience with devices on our network and how to address any connection problems, but we do not and cannot look at the contents of messages, photos, videos, etc., using this tool. The information collected is not sold and we don't provide a direct feed of this data to anyone outside of Sprint. [...] Carrier IQ is an integral part of the Sprint service.
T-Mobile, another CIQ customer, sent the following statement to The Huffington Post via email: T-Mobile utilizes the Carrier IQ diagnostic tool to troubleshoot device and network performance with the goal of enhancing network reliability and our customers' experience . T-Mobile does not use this diagnostic tool to obtain the content of text, email or voice messages, or the specific destinations of a customers' internet activity, nor is the tool used for marketing purposes.
BlackBerry-maker RIM told AllThingsD that is does not approve CIQ software on its devices, despite the fact that CIQ software has allegedly been found on BlackBerry handsets. "RIM is aware of a recent claim by a security researcher that an application called 'CarrierIQ' is installed on mobile devices from multiple vendors without the knowledge or consent of the device users," the company said in a statement to AllThingsD. "RIM does not pre-install the CarrierIQ app on BlackBerry smartphones or authorize its carrier partners to install the CarrierIQ app before sales or distribution. RIM also did not develop or commission the development of the CarrierIQ application, and has no involvement in the testing, promotion, or distribution of the app. RIM will continue to investigate reports and speculation related to CarrierIQ."
While some HTC devices have been found to run CIQ software, the hardware manufacturer said it does not manage the data transmitted to carriers by CIQ from HTC-made devices. Via The Verge: Carrier IQ is required on devices by a number of U.S carriers so if consumers or media have any questions about the practices relating to, or data collected by, Carrier IQ we'd advise them to contact their carrier. It is important to note that HTC is not a customer or partner of Carrier IQ and does not receive data from the application, the company, or carriers that partner with Carrier IQ. HTC is investigating the option to allow consumers to opt-out of data collection by the Carrier IQ application.
In an email to HuffPost, HP said that it "does not install nor authorize its partners to embed Carrier IQ on its webOS devices."
"Since people are asking -- Windows Phones don't have CarrierIQ on them either," a Microsoft rep for Windows Phone told Engadget.
Samsung also stated that carriers are responsible for the installation of CIQ software on Samsung hardware. "Some Samsung mobile phones do include Carrier IQ, but it's very important to note that it's up to the carrier to request that Samsung include that software on devices," Samsung told Engadget. "One other important point is that Samsung does not receive any consumer user information from the phones that are equipped with Carrier IQ."
Nokia flat-out denied that Carrier IQ software is present on any of its devices. Via a statement published on the Nokia forums by a community manager: Nokia is aware of inaccurate reports which state that software from CarrierIQ has been found on Nokia devices. CarrierIQ does not ship products for any Nokia devices, so these reports are wrong.