Amid the turmoil surrounding Carrier IQ, the company's VP of Marketing, Andrew Coward, has come forward in a series of interviews with a few clarifications.
For those not in the loop, the controversy around Carrier IQ is based on developer Trevor Eckhart's findings which indicated that Carrier IQ's software was indeed collecting a vast array of information, and his demonstration showing that said data could be read using a simple command – one that could be executed by any malicious app with access to logcat. This data includes location information, SMS messages, and key taps.
Before we dive into Coward's remarks on the issue of security (and why he says CIQ is not to be blamed for insecure logs), it's important to look at how CIQ actually functions on a device. The software can either be built directly into the OS of a device, or installed by the OEM or carrier after the fact. If it is installed separately from the OS, CIQ's software doesn't have direct access to sensitive information. It's up to manufacturers to utilize an API created by CIQ to get information from the device to CIQ's software. In some cases, this data also appears to be getting dumped into logs readable by apps that can access a device's logcat log.
Coward explained to The Verge just how Carrier IQ operates, implying that the blame for data leakage rests entirely with manufacturers (HTC is implied here), because they leak sensitive data to the system log for no reason whatsoever.
Andrew Coward, Carrier IQ: When a piece of information is sent to us from the operation system, we do not need it to go through that log file. There is no value to us in reading a keylog file, that's not how our software works.
The Verge: That is not your log file?
Coward: That logfile is not our logfile. It's a standard, Android system logfile. What goes in that logfile is up to the manufacturer. ...So, you would hope in a shipping device, you wouldn't get very much information to go in there.
The Verge: [...] I'm trying to understand why a manufacturer, in order to give you certain information, is actually logging keystrokes. I want to separate those two things. It's logging it, putting it into this file, and then giving it to you?
Coward: What should be happening, is it should just be giving it to us through the API. What appears to be happening is that it's giving it to us and making a copy of what it gave to us in the log file.
It's worth noting, however, that CIQ's software is not without its own temporary log file. No details were given about the security or encryption of this log, but CIQ stated that it is not stored in plain text, and that it is continually overwritten with new data (no more than a week old). While CIQ does technically monitor key taps, the company emphasizes that the software monitors for "short codes," filtering out data that doesn't represent an important system command or specialized carrier command, ostensibly before the information is ever transmitted anywhere.
Coward compared the selective monitoring of data to a large fishing net in an interview with The Register, explaining the filtering process in terms of a sea-bound fishing operation:
"To answer your point, we're on a fishing boat out at sea and we're catching fish that are too small and they go back in, and they go back in for two reasons: One, the holes in the net don't catch small fish, i.e. the filtering, and/or the fish is the wrong type and it gets thrown out of the boat, hopefully while it's still alive."
While Coward's statements are both informative and interesting, there has yet to be any mention of why CIQ is not opt-in, or why it lacks opt-out functionality. This is still an important question for many users, as the idea of having any information logged (temporarily or otherwise) sounds suspicious and threatening. HTC, according to The Verge, has already stated that it is "investigating the option to allow customers to opt-out."
Coward, in his interview with the Register, was sure to specify that CIQ has no rights to any collected data, as it is under the control of carriers and manufacturers, although it is often processed in CIQ's data centers.
For more information, and to read more of what Andrew Coward had to say in response to the hubbub, visit the links below.