In the wake of the Carrier IQ blowup of the last few weeks, a Freedom of Information Act (FOIA) request was filed asking for “manuals, documents or other written guidance used to access or analyze data gathered by programs developed or deployed by Carrier IQ.”

The FBI has since responded to Muckrock’s missive, stating that such records exist but are not currently available because their release could affect ongoing investigations. Here is an excerpt:

“The material you requested is located in an investigative file which is exempt from disclosure… the records responsive to your request are law enforcement records; that there is a pending or prospective law enforcement proceeding relevant to these responsive records; and that release of the information contained in these responsive records could reasonably be expected to interfere with the enforcement proceedings.”

This is being read in many circles as tacit confirmation that the FBI indeed uses Carrier IQ. As for whether the FBI has used the software, it almost certainly has. This shouldn’t be surprising to anyone given the high degree of cooperation between various carriers and the US government. People looking for evidence that CIQ is being used for nefarious purposes will find that such uses are actually tricky to prove.

There’s also a considerable difference between using CIQ data to determine the location or operating status of a device and using it to spy on one. As security researcher Dan Rosenberg detailed last week, Carrier IQ cannot be used to collect data on the specific information contained within a text message or the actual page contents of a URL (though the URL itself can be transmitted). The original video by Trevor Eckhart appears to demonstrate that a text message is logged by CIQ’s software, but we emailed Rosenberg and he explained to us what’s actually happening:

“The other thing you’re seeing (text message bodies in the video) is an unrelated screwup by HTC. HTC put debugging statements in their code, a common practice to help developers figure out what’s going on while they’re working on the phone. These debugging statements included code that outputs the bodies of incoming SMS messages. These printouts should have been disabled before shipping the phone, but for some reason that didn’t happen. So you seeing SMS bodies in the video actually has nothing to do with CIQ, and is an artifact of HTC failing to disable printouts that were intended for developers only.”

So why would the FBI want to use Carrier IQ? Partly because some of the information it does collect, including attempted dial-out numbers, location changes, network requests, and SMS data, could be useful in a missing person investigation. It’s precisely the sort of data that could help establish a last known location or determine if a person attempted to make phone calls that didn’t connect but were still logged and eventually transmitted.

We’re not claiming that the FBI strictly uses Carrier IQ to retrieve kittens from trees, and it’s possible that the application has an undiscovered snoop mode that could somehow be enabled to give the government more access. The latter, however, only really makes sense in the minds of the tinfoil hat crowd. If the carriers were willing to go to such lengths to enable spying, they’d almost certainly handle the work in-house as opposed to farming it out to a different company.

CIQ raises significant concerns about user privacy and the need for full disclosure. It’s a potential attack vector that, until recently, virtually no one knew existed. Ultimately, responsibility for how the software is used rests with the carriers; there’s no evidence that CIQ is designed to be more than an aggregator of anonymous device usage. The FBI already has avenues to get the information it wants from carriers without bothering with due process; it doesn’t need Carrier IQ for that. It’s ironic to see pundits upset at the idea that the government might use an anonymous data-gatherer as an information source when warrantless wiretapping and the Patriot Act have given the US DOJ far greater powers with far more potential to do harm.