Carrier IQ Admits Holding ‘Treasure Trove’ of Consumer Data, But No Keystrokes

MOUNTAIN VIEW, California — An embattled phone-monitoring software maker said Friday that its wares, secretly installed on some 150 million phones, have the capacity to log web usage, and to chronicle where and when and to what numbers calls and text messages were sent and received.

The Carrier IQ executives, speaking at their nondescript headquarters in a residential neighborhood in the heart of Silicon Valley, told Wired that the data they vacuum to their servers from handsets is vast — as the software also monitors app deployment, battery life, phone CPU output and data and cell-site connectivity, among other things. But, they said, they are not logging every keystroke as a prominent critic suggested.

The data, which gets downloaded from consumers’ phones roughly once a day, is encrypted during transit and also provided  to carriers to enhance the “user experience,” these executives said.

“We do recognize the power and value of this data,” Andrew Coward, the chief marketing officer, said. “We’re very aware that this information is sensitive. It’s a treasure trove.”

Carrier IQ came under intense scrutiny the last few days after a Connecticut-based Android developer posted a YouTube video showing the software has enormous access to usage information, and claiming that it logs a user’s every keystroke.  The company was hit with privacy lawsuit on Friday. What’s more, Democratic Senator Al Franken demanded answers, asking Carrier IQ’s chief executive Larry Lenhart whether Carrier IQ was vacuuming to Carrier IQ’s servers every stroke and communication.

Company executives invited Wired to Carrier IQ offices Friday to debunk the keystroke logging claim. Coward also emphasized that the software does not know the content of websites or apps or text messages or phone calls, but acknowledged that it does transmit website addresses to some carriers as a diagnostic tool.

“We’re seeing URLS and we can capture that information,” Coward said during the two-hour interview.

He said that the information is useful for users who call the phone company complaining, for example, that Facebook won’t load.The carrier’s operator, he said, might tell the complaining customer that the reason it won’t load is because the customer is misspelling “Facebook.”

“They could say, ‘Facebook is spelled F-A-C-E-B-O-O-K,’” he said. “We certainly recognize that as a future thing for advertising, clearly having that information from a marketing perspective is very interesting.”

Since the company is getting the URLs from the phone, they are able to record encrypted search terms such as https://www.google.com/#hl=en&sugexp=ppwe&cp=3&gs_id=p&xhr=t&q=abortion+clinics. By contrast, your carrier, which sits between you and the internet, would normally only see https://www.google.com/ — for encrypted searches.

Not all Carrier IQ’s customer carriers choose to turn on the “record the urls” function, but some do. How much data is sent to each carrier depends on how much they want. Some carriers might want the text-message data, for example, only when certain conditions are met, such as when a text doesn’t go through to the intended recipient.

The company holds onto the data for 10 to 30 days, depending on the carrier.

Coward said he was not aware of any carriers selling the data it collects on their behalf to third-party marketers. He said Carrier IQ “has no rights to the data collected.”

The software runs hidden from users, who generally can’t find it or uninstall it without very sophisticated knowledge or by switching out the operating system by “rooting” their phone and flashing an alternative operating system. While legal, rooting almost always voids a phone’s warranty.