Senator Al Franken asks about Carrier IQ, the firms answer: the total breakdown

Two weeks ago, smack-dab in the midst of the Carrier IQ saga, Senator Al Franken pounded his fist on the table and demanded answers. He wanted to know what Carrier IQ is all about and why several US mobile providers and manufacturers felt the need to install potentially invasive software on the phones of unsuspecting consumers. Senator Franken sent Sprint, AT&T, T-Mobile, Samsung, HTC and Motorola a series of thirteen questions each, seeking to establish what each company is doing with the mysterious software. So far, all but T-Mobile and Motorola have complied with the Senator’s wishes, as the two remaining companies have until December 20th to submit their responses (we’ll update this post as those are made public).

As we reported previously, the Senator wasn’t all too pleased by what the firms had to say. But what exactly is in these pages and pages of documents? A couple of answers, and a few more questions. We have pored through each company’s letter, so follow us below as we break down their responses to each of the Senator’s queries.

Note: The involvement of the federal government appears to be making an impact, as Sprint is now disabling all Carrier IQ software on its devices so that data can’t be collected anymore. Its response to Senator Franken, however, shouldn’t be discounted, because it provides insight into why the carrier has been a “valued customer” of CIQ’s since 2006, and how it has been using the information it has collected over the last five years. Read on!

Opening statements

Below are excerpts from each company’s opening statement, in which they try to explain to the Senator the innocence of their intentions.

Sprint:

You will need to remember that when Sprint makes a “profile” request to CIQ for certain data, it is not seeking nor does it receive an image of any particular user’s online or mobile behavior through the years. On the contrary, a “profile” is a listing of analytical data collected from many tasked devices to investigate a definite problem, including conditions or criteria for research of a selected performance issue. To illustrate, a “dropped call profile” could include the signal strength of the cell towers in a specific area for a random volume of calls.

Data collected by the CIQ tool is transmitted in encrypted form to CIQ and uploaded to the CIQ servers. The info received by CIQ in a raw format is anonymized or otherwise made unreadable by humans before CIQ personnel access or use the info…Sprint has not used CIQ diagnostics to profile customer behavior, serve targeted advertising, or for any purpose not specifically involving certifying that a tool is ready to operate on Sprint’s network or otherwise to enhance network operations and customer experiences.

AT&T:

AT&T uses CIQ software only to gather diagnostic details about its network to enhance the client experience. We don’t use CIQ to acquire the contents of customers’ communications, to trace where our customers go on the web, or to trace customer location.

AT&T must collect operational data that could point to possible network upgrades, including improved call completion rates. We continually evaluate details about network performance.

Samsung:

Pursuant to the carriers’ agreements with STA, a number of those cellular carriers required Samsung to pre-install CIQ software on a few of the devices ahead of the sale of these devices to the carrier. Samsung installs CIQ software only on the instruction of cellular carriers, and does so within the exact manner and within the configuration required by the carrier and CIQ. The carrier is exclusively answerable for selecting the categories of info transmitted by the CIQ software to the carrier at the carrier’s network without intervention by Samsung. Samsung doesn’t receive data generated by the CIQ software.

Samsung installs the CIQ software only as laid out by the carrier and would not select or determine the configuration of the CIQ software, and it’s Samsung’s understanding that there’s no information collected by the software that’s inconsistent with what is disclosed by the carriers to their customers in their respective TOS and / or Privacy Policies. Samsung devices undergo extensive testing by the carriers making sure that the devices meet the entire carriers’ specifications and requirements, including CIQ specifications.

HTC:

HTC doesn’t own the Carrier IQ software. The Carrier IQ software and repair are developed and managed by Carrier IQ and utilized by providers of wireless services together with Sprint, T-Mobile, and AT&T.

HTC doesn’t use the Carrier IQ software for its own purposes; our involvement with the Carrier IQ software and repair is restricted to integrating the Carrier IQ software into certain HTC devices. This integration is needed by the wireless service providers and performed under contract and per their specifications. The Carrier IQ software collects data laid out by the wireless service providers, processes it, and transmits it off the HTC Devices.

As part of the mixing of Carrier IQ into HTC devices performed on behalf of Sprint and AT&T, HTC had developed a software component according to their respective specifications. This software component enables the Carrier IQ software to gather additional data laid out by Sprint and AT&T from HTC devices after which delivers the required data to the Carrier IQ software on the device.

Senator Franken’s questions

1. On what devices does your organization use or install Carrier IQ software?

Sprint: CIQ software is installed on numerous devices, such as phones and tablets. It can be found on devices from Audiovox, Franklin, HTC, Huawei, Kyocera, LG, Motorola, Novatel, Palmone, Samsung, Sanyo and Sierra Wireless.

AT&T: CIQ is integrated and active on eleven devices: Pantech Pursuit 2, Pantech Breeze 3, Pantech Link 2, Pantech Pocket, Sierra Wireless Shockwave, LG Thrill, ZTE Avail, ZTE Z331, Sony Ericsson Xperia Play, Motorola Atrix 2 and Motorola Bravo. It is also embedded on the HTC Vivid, LG Nitro HD and Samsung Skyrocket, though it hasn’t been activated because of the potential for the software agent to interfere with the performance of those devices. It is also packaged with AT&T’s Mark the Spot application (it mentions later in the letter that the Android and BlackBerry versions of the app have CIQ, but the iOS version doesn’t).

Samsung: CIQ is installed on the AT&T Skyrocket, the Galaxy S II and Exhibit II 4G on T-Mobile, four handsets on Cricket and a whopping 28 Sprint devices.

HTC: CIQ can be found on the Amaze 4G (T-Mobile), Vivid (AT&T) and 7 devices on Sprint, including the Snap, Touch Pro2, Hero, EVO 4G, EVO Shift 4G, EVO 3D and EVO Design 4G. Components of CIQ have also been found on the Merge, Acquire, Desire, Wildfire, Flyer and a variant of the Hero, but weren’t requested by the carriers who sell them. HTC is working on an update to remove these components.

2. As of what date has your organization used or installed this software on these devices?

Sprint: 2006.

AT&T: The first AT&T device to be integrated with CIQ was the Bravo in March of 2011 (this was likely included as part of the upgrade to Froyo). RIM’s version of Mark the Spot was packaged with CIQ in February 2011, followed by the Android version a month later. (As a side note, AT&T takes the chance to state here that it began adding CIQ to devices as a result of the positive experience it had with CIQ in Mark the Spot.)

Samsung: November 2007.

HTC: HTC’s response is a little bit interesting. It first absolves itself of any blame, citing that it was contractually required by the carriers to integrate CIQ into its devices. The company goes on to say that “the CIQ software was first integrated at the Hero, which became available to customers through Sprint on October 2009.” Immediately after, it explains that the Snap and Touch Pro2, both using CIQ, became available in the US market before this date, suggesting that the new software was introduced to those phones in later updates.

3. To the best of your knowledge, how many American consumers use these devices?

Sprint: 26 million Sprint devices have CIQ installed. However, Sprint specifies here that just a fraction of those devices are “tasked” (pinged with requests for data) at one time, and that the number never exceeds 1.3 million. Of these, just a subset (it throws out a figure of 30,000) are tasked to analyze specific problems, such as in-network roaming. Our concern is: if only 30,000 out of 1.3 million are looking into specific problems, why are the remaining 1.27 million still being tasked?

AT&T: CIQ is used on one percent of the network’s devices, which equals approximately 900,000. This includes CIQ integrated into the handset as well as downloaded using Mark the Spot. Of these 900,000, only 575,000 are “collecting and reporting wireless and repair performance information to AT&T.” Same question, AT&T: what about the remaining 325,000?

Samsung: Approximately 25 million phones were pre-installed with CIQ, but it isn’t able to say exactly how many consumers are using these phones.

HTC: Approximately 6.3 million devices using CIQ are active.

4. Does your organization receive customer location data collected by CIQ?

Sprint: Yes, but only to spot and troubleshoot issues occurring in a specific area. Besides, it already knows the position of devices registering on the network regardless of CIQ, and Sprint must know this information in order to route calls and information services such as E911.

AT&T: Yes. CIQ provides it with the location, date and time at which the handset experiences a “network event” such as a dropped call or an attempted call when the phone has no signal. This enhances AT&T’s ability to spot the cause of, and solution for, the issue.

Samsung: No, Samsung does not collect that data (though it doesn’t specify that the carriers do, a fact that’s becoming quite evident).

HTC: HTC isn’t intended to be a recipient of CIQ data, thus it doesn’t receive any. However, it does mention that some data may have inadvertently been received through error reporting mechanisms, and that it is investigating the problem. In fact, this very same statement was repeated throughout its response.

5. What other data does your organization receive that was collected by CIQ software? (Senator Franken specifies telephone numbers, contents of SMS and emails, URLs of web sites users visit, contents of search queries, keystroke data and contact information from address books.)

Sprint: Sprint receives none of the above, with the exception of URLs. However, the carrier already knows that information anyway, since it’s routing the request on its network. CIQ software may collect the URLs as “a part of a profile established to troubleshoot website loading latencies or errors experienced.”

AT&T: AT&T’s response was incredibly long and detailed. It mentions that the software collects metrics related to device and network events, and that it specifies which metrics it wants CIQ to gather by defining a profile for that collection. The metrics include voice call performance (whether calls made from the device were successful, dropped or failed), data, device stability (seeking to determine if device shutdowns or poor battery life are due to network issues, for example), network coverage (identifying coverage gaps), messaging (which AT&T specifies gets collected on a trial basis, but not accessed or analyzed) and applications (also on a trial basis, meaning it doesn’t get collected or analyzed).

AT&T goes on to state that when the information is collected, it gets compressed, encoded and stored on the device, then transmitted securely over an encrypted channel to AT&T’s servers located behind a firewall. When the device is turned on, these uploads occur once every 24 hours and do not incur data charges to the customer.

Finally, it breaks down the Senator’s specific queries. In addition to using them for provisioning voice and text services, AT&T collects telephone numbers from the network for its voice call and messaging performance metrics; it claims the number may help determine why a particular call or text fails or gets dropped. Other than this, it has also been inadvertently collecting the content of texts sent or received during a call; the carrier didn’t request that this information be collected, and was only made aware of the issue when CIQ discovered it during recent investigations. However, the information was encoded in such a way that the carrier was unable to view it without specific software in CIQ’s possession that AT&T doesn’t currently have access to (“and doesn’t intend to procure”). Both companies are working together to remedy this concern.

Samsung: In a far shorter response, Samsung refers to the previous answer, where it insists it doesn’t collect any data.

HTC: HTC repeats its answer to question four, stating that the OEM doesn’t receive any data from CIQ.

6. If your company receives data, does it subsequently share it with third parties? With whom does it share this data? What data is shared?

Sprint: Sprint doesn’t share CIQ data with third parties. The information is used internally for Sprint’s own analysis by employees and contractors to help with device certification and functionality on its network, and for network maintenance, operation and improvement. It does, however, share “certain testing results” with OEMs.

AT&T: AT&T has shared limited data with CIQ to troubleshoot problems and test software and platform performance, but it hasn’t shared CIQ information with any other non-AT&T company.

Samsung: Not applicable, since Samsung doesn’t receive data.

HTC: Same answer as questions four and five.

7. Has your organization disclosed this data to federal or state law enforcement?

Sprint: No.

AT&T: No. AT&T, however, does comply with court orders, subpoenas and other legal requirements (we imagine it has rather extensive representation, after all).

Samsung: Again, not applicable.

HTC: HTC hasn’t received any requests for disclosure of CIQ data from federal or state law enforcement.

8. How long does your organization store this data?

Sprint: Data is stored on CIQ’s servers on Sprint’s behalf for about 30-45 days. Sprint stores raw data from CIQ for around six months and stores reports it receives from CIQ based on this data for about one year.

AT&T: Data is erased from the AT&T CIQ servers 60 days after being uploaded. There are three downstream systems receiving personally identifiable CIQ data from the AT&T server for analysis purposes; one deletes the information after 45 days, one has data from September 2011 and the other has data from May 2011.

Samsung: Not applicable.

HTC: Same answer as questions four, five and seven.

9. How does your organization protect this information against hackers and security threats?

Sprint: Sprint imposes privacy obligations on CIQ through contract with respect to data stored on its servers on the carrier’s behalf. It ensures security through a series of controls surrounding its IT environment, and access is limited to a need-to-know basis (and is terminated when the employee’s relationship with Sprint is over). Firewalls are set up at all points of entry to the network, with intrusion detection systems at each point, and Sprint continually reassesses its technology and processes to make certain they remain state-of-the-art and powerful.

AT&T: The carrier uses several safeguards. Collected data is uploaded and transmitted in encrypted format to servers inside AT&T’s firewalls. The servers are monitored 24 / 7, and only properly authorized employees and contractors have access to the data. Daily meetings are conducted at AT&T Labs to check security and function, and weekly device testing and certification occurs.

Samsung: Not applicable.

HTC: It gives a similar answer to those prior, but mentions that it does not manage the protection of CIQ data because it isn’t an intended recipient of said information. Also, it adds that “error reporting data collected by HTC is protected using appropriate processes and strategies.”

10. Does your organization believe its actions comply with the Electronic Communications Privacy Act and Stored Communications Act?

All companies answered yes.

11. Does your organization believe its actions comply with the Computer Fraud and Abuse Act?

Again, all companies answered yes, with Samsung continuing to insist that all CIQ data and access is handled at the carrier level.

12. Does your organization believe that its actions comply with your privacy policy?

Once more, the answer was a resounding yes. HTC mentions that its privacy policy doesn’t apply to CIQ data, because it doesn’t cover data it doesn’t intend to receive.

13. Does it believe that customers are aware that this activity is actually occurring on their devices?

Sprint: The carrier “believes customers expect service providers and network operators to take reasonable technological steps to preserve the performance in their networks and device functionality on the way to effectively deliver call and information services to users. Sprint’s privacy policy contains notice of the info we collect.”

AT&T: Yes. AT&T points to the Privacy Policy, Wireless Customer Agreement and Mark the Spot EULA, which state that network, performance and usage information is collected, and that it uses that information to maintain and improve the network and wireless experience.

AT&T then goes on to include the sections of each agreement that point out that the customer (if they read through the entire thing) should be aware that such things are occurring on the network.

Samsung: Again, Sammy insists the blame resides solely with carriers. “Samsung seriously isn’t capable of determine the level of consumer awareness in regards to the relationship between carrier and consumer, including the carrier’s inclusion of CIQ.”

HTC: HTC mentions that carriers have made these activities known via their own specific privacy policies. It then argues that the FTC also recognizes that these activities are commonly accepted practices for which choice isn’t necessary, such as “improving services offered, fraud prevention, legal compliance, and primary-party marketing.”

So there you have it, folks. The carriers insist this is highly protected data that’s only used for purposes of network enhancement, and OEMs are playing the blame game by stating that they just pre-installed CIQ software on their devices due to contractual restrictions with the carriers. This raises more questions, however, about the amount of control carriers are exerting over phone manufacturers; either HTC and Samsung had absolutely no qualms with allowing CIQ software on their devices (since we have to think that HTC and Samsung had at least some say in contractual negotiations with the carriers) or they just don’t have any power in the US whatsoever. Regardless, contracts are a two-way street, and the manufacturers were involved just as much as the carriers were.

Also, let’s take note of what the carriers are saying about their use of CIQ software. In brief, both AT&T and Sprint made it sound like they did not have any other option for monitoring, testing and maintaining their networks properly and efficiently. If AT&T, however, didn’t use CIQ until earlier this year, what did the carrier do to ensure smooth network performance before March 2011? Going one step further, how will Sprint retrieve diagnostic information now that CIQ is disabled on its devices? What does Verizon use, since it insists that CIQ isn’t installed on any of its phones? How much does each carrier depend on CIQ?

What else was of particular interest to you in reading these responses? Are you satisfied with each company’s explanation? Sound off in the comments below.