"That logfile is not our logfile"

So back to the earlier question, you wanted to say that part of what seeing we're exposed in Trevor Eckhart's video is what Carrier IQ is doing, and some of it isn't.

When a piece of information is sent to us from the operating system, we do not need it to go through that log file. There is no value to us in reading a debug file, that's just not how our software works.

That is not your log file?

That log file is not our log file. It's just a standard, Android system logfile. What goes in that logfile is up to the manufacturer... So, you would hope in a shipping device, you wouldn't get very much information to go in there.

Do you make any recommendations about logging to manufacturers? Do you say "you shouldn't log this after you give it to us," or something like that?

We have a standard list of things that we will log when our software doesn't work properly, or things happen... It's like "the application stopped," or "it restarted." It's up to the manufacturer to decide whether to place that in the log file of a shipping device.

I'm trying to understand why a manufacturer, in order to give you certain information, is actually logging keystrokes. I want to separate those two things. It's logging it, putting it into this file, and then giving it to you?

What should be happening, is it should just be giving it to us through the API. What appears to be happening is that it's giving it to us and making a copy of what it gave to us in the log file.

Well, I guess you're not the ones we should be asking about that particular log file, then...

But there are two very good questions that sit behind it, because it does demonstrate that keystrokes are coming into our software, and that information is coming in through our API, it just happens to recorded out to this log file.

So you do receive keystrokes.

We do receive keystrokes, yes.

Do you log those keystrokes?

No. What we do with them...

Then why do you bother receiving them?

There are short codes that can get dialed by the user... we have half-a-dozen codes that will cause an upload, or cause things... I don't particularly want the entire world going out to try and figure out what those codes are or what they do.

And that's why you're logging keystrokes, to keep an eye out for those...

Logging is the wrong word. We are filtering keys that get pressed to pattern match.

That's why you're listening for keystrokes, then. And that all happens on the phone, or after they get uploaded through the encrypted channel?

All on the phone. The keystrokes are never sent off the device.

Do you listen to all keystrokes?

It depends on implementation. All we care about are the dial codes. Whatever stream gets sent to us, we just read that. The SMSs is also a control channel discussion. "It's said you guys listen to the content of SMSs." The backend system can send SMS messages to a phone to cause it check in, or cause it to upload, again it's a very standard way of doing things. So we have pattern matching for the SMS string that's ours.

So these aren't short codes for particular carrier functions, but for Carrier IQ specifically?

Yes, but the operators know what they are. Our software has its own set of short codes that cause our software to take certain actions.

Most of it is diagnostic — say a phone hasn't reported in for a while, for whatever reason, you don't have any recent information — you could say to the consumer, please dial "*8080##" (not a real code) to cause the phone to do an upload.

So we understand that there are these certain messages you're looking for, but why did you implement your software in such a way that it is listening to all text messages? It seems nefarious to say "Oh, well of course we listen to every text message that comes in." Well really, that's how you had to do it? (laughs)

It's an implementation discussion. In some devices, we only get the text messages passed through this channel that are destined for us. In other devices we get everything, we're just doing a pattern match. So we're not fussy.

It's amazing the difference between the OEMs. Some OEMs are really strict and say "Right, you're only getting the SMSs that have got your name on it" and others are "Yeah, whatever."