Carrier IQ, the new poster child for (alleged) smartphone privacy violations, has been hit with two class-action lawsuits from users worried about how the company's software tracks their smartphone activity. Carrier IQ, of course, professes its innocence. But the company has also received some public support from security researchers who say Carrier IQ's software is only tracking diagnostic information and likely is not violating user privacy.

It all began recently with a developer named Trevor Eckhart showing how Carrier IQ software seems to record button presses, search queries and the contents of text messages on an HTC Evo Android phone, with no way for the user to shut the tracking activity off. Carrier IQ initially tried to silence Eckhart with a cease-and-desist letter, but ultimately backed down on the threat in the face of opposition from the Electronic Frontier Foundation.

But Carrier IQ still has legal and publicity problems to handle. One new class-action lawsuit names both Carrier IQ and HTC, accusing the companies of violations under the Federal Wiretap Act. Another lawsuit was filed against Carrier IQ as well as HTC and Samsung, both of which have confirmed installing Carrier IQ software on their smartphones, saying they do so at the request of wireless carriers.

Carrier IQ, speaking to All Things D, said its software doesn't log or understand keystrokes. “The software receives a huge amount of information from the operating system,” Carrier IQ marketing vice president Andrew Coward said. “But just because it receives it doesn’t mean that it’s being used to gather intelligence about the user or passed along to the carrier.”

Coward further said his company's software is used to help carriers diagnose problems. “If there’s a dropped call, the carriers want to know about it,” he said. “So we record where you were when the call dropped, and the location of the tower being used. Similarly, if you send an SMS to me and it doesn’t go through, the carriers want to know that, too. And they want to know why—if it’s a problem with your handset or the network.”

The company also posted a statement on its website saying "Our software does not record, store or transmit the contents of SMS messages, email, photographs, audio or video. For example, we understand whether an SMS was sent accurately, but do not record or transmit the content of the SMS. We know which applications are draining your battery, but do not capture the screen."

Security researchers who spoke to the Los Angeles Times disagreed with the conclusions Eckhart made, saying there's no evidence the diagnostic information collected by Carrier IQ is stored or transmitted.

Virtual Security Research consultant Dan Rosenberg said "I've reverse engineered the software myself at a fairly good level of detail. They're not recording keystroke information, they're using keystroke events as part of the application." What that means, according to the article, is Carrier IQ software knows when a button is pressed, just as your e-mail application knows when you hit reply, but it doesn't record each keystroke or send a record of it to anyone.

Ultimately, how much information is collected on Android phones and what is done with it seems to be up to the carriers. We asked AT&T exactly what information is logged on its phones, where it is sent and how it is used. While we didn't receive a detailed response, AT&T did tell us "In line with our privacy policy, we solely use CIQ software data to improve wireless network and service performance."

We haven't heard back from Sprint, but the company told Computerworld that "We collect enough information to understand the customer experience with devices on our network and how to address any connection problems, but we do not and cannot look at the contents of messages, photos, videos, etc., using this tool."

Ars spoke with Apple yesterday, and we heard much the same thing. While Apple is in the process of phasing Carrier IQ out of iOS, it said "data was sent anonymously, and in encrypted fashion. We did not record keystrokes, messages or any personal information for the diagnostic data, and we have no plans to in the future."

Carrier IQ boasts that its software is deployed on more than 141 million handsets, and has operated for several years without any major level of controversy. Clearly, smartphones would be capable of tracking much of our activity even if Carrier IQ never existed. But the lawsuits filed against Carrier IQ and its customers, and forthcoming responses to Franken's letters, should shed more light on exactly what information is collected and how it is used.

UPDATE: We've just received a statement from Sprint, which says that while it "cannot look at the content of customer messages, e-mails, photos, videos, etc., using the diagnostic tools offered by Carrier IQ," it uses the tool to analyze device and network performance to identify problems and resolve them. Sprint says the data it collects is anonymized and "not sold or provided to anyone outside of Sprint."