The FBI is downplaying speculation that its denial of a request for records regarding its possible use of Carrier IQ’s software is proof-positive the agency is using the software’s data collection capabilities.
Carrier IQ has been at the center of controversy since it security researcher Trevor Eckhart published findings in November that accused the software of collecting location, keystroke and SMS data from mobile users.
Michael Morisy, co-founder of MuckRock.com, filed a Freedom of Information Act (FOIA) requesting “manuals, documents or other written guidance used to access or analyze data gathered by programs developed or deployed by Carrier IQ.” The FBI responded to Morisy’s request in a letter stating: “…the records responsive to your request are law enforcement records; that there is a pending or prospective law enforcement proceeding relevant to these responsive records; and that the release of the information contained in these responsive records could reasonably be expected to interfere with the enforcement proceedings.”
In a blog post, Morisy contended that the FBI’s response indicates that “responsive records” exist, and while it is unclear whether the FBI uses Carrier IQ’s software in its own investigations, is investigating the company itself or both, “the response would seem to indicate at least the former, since the request was specifically for documents related directly to accessing and analyzing Carrier IQ data.”
In response to an inquiry from SecurityWeek, FBI spokesperson Bill Carter responded that the FBI has a long-standing policy not to discuss sources, methods or techniques utilized in its investigations.
“The story I saw speculates about the possibility that the FBI is utilizing this data logging program and cites a FOIA request denying their request for information,” he wrote in an email. “Under the FOIA, the FBI is required by law to divulge information from its files. However, there are exemptions under the law for release of information about investigative techniques, and any request for information about techniques utilized in our investigations would be denied as a standard response. The denial for information requested under FOIA should not be construed that we do or do not utilize this data logging program.”
On Dec. 12, Carrier IQ released a document entitled ‘Understanding Carrier IQ Technology’ outlining the ways carriers use its software and how it works. The company also confessed the existence of a bug in its software could lead to SMS messages “unintentionally” being included in layer 3 signaling traffic collected by the IQ agent under certain circumstances. The messages would be encoded and embedded in the signaling traffic however and could not be read by humans, according to the company.
The company is facing a number of lawsuits accusing it of privacy violations. Carrier IQ contends that its software is intended to only gather data to help diagnose operational problems on networks and devices.