Rich Fiscus
19 Dec 2011 3:20
Shortly after the furor over Carrier IQ began, Senator Al Franken sent letters to several national mobile carriers and handset manufacturers asking for details of the program's operation.
Carrier IQ is a rootkit which comes preinstalled on various smartphones sold in the US. A rootkit is a program which runs secretly with privileged access. Carrier IQ sends diagnostic information, at the carrier's request, to servers operated by the software's developers, who then forward that information to the carrier.
Since the software was discovered in November, there has been a great deal of debate over what information it is capable of collecting, what information is actually being collected, and whether that collection is legal.
The researcher who first announced its existence, Trevor Eckhart, claimed it could record and report every keystroke made on a smartphone. Later, another researcher reported that this was not true.
Senator Franken has received and published responses to his letter from Sprint, AT&T, Samsung, and HTC. He is still waiting for responses from T-Mobile and Motorola, which he has requested no later than December 20.
According to Sprint's response, their agreement for using Carrier IQ services does not provide them with information from individual users directly. Instead, their letter says, they receive aggregate data which has already been processed by the vendor.
The data received by Carrier IQ in a raw format is anonymized or otherwise made unreadable by humans before Carrier IQ personnel access or use of the data. Carrier IQ analyzes the anonymized data and generally provides Sprint with analytical reports of aggregated metrics based on the anonymized data, thus ensuring that user privacy is not affected in the process. Sprint has not used Carrier IQ diagnostics to profile customer behavior, serve targeted advertising, or for any purpose not specifically related to certifying that a device is able to operate on Sprint's network or otherwise to improve network operations and customer experiences.
Information we collect when we provide you with Services includes when your wireless device is turned on, how your device is functioning, device signal strength, where it is located, what device you are using, what you have purchased with your device, how you are using it, and what sites you visit. And, Sprint's privacy policy explains that it may use tools and analytics to collect such information.
Customers purchasing wireless devices from AT&T for use on the AT&T network agree to the AT&T Wireless Customer Agreement. Section 3.6 of that agreement provides:
AT&T collects information about the approximate location of your Device in relation to our cell towers and the Global Positioning System (GPS). We use that information, as well as other usage and performance information also obtained from our network and your Device, to provide you with wireless voice and data services, and to maintain and improve our network and the quality of your wireless experience.....
While it may be true that their subscriber agreement could include this data, it could also be argued that a reasonable person would not understand it to mean that. Those descriptions are also notably vague, leaving some question as to exactly what messaging and app data is being collected.
This is particularly troubling in light of the fact that AT&T admits to having collected data which could identify individual phone users, and to keeping that data for several months:
Of the three downstream systems receiving personally identifiable CIQ data from the AT&T server for analysis purposes, one deletes the data after 45 days, one has CIQ data from September of 2011, and one has data from May 2011.
As CIQ has stated publicly and also advised AT&T, during the course of its investigation into this matter, CIQ found that, as a result of a programming error related to the capture of signalling data associated with voice calls, the CIQ software also captured the content of SMS text messages when -- and only when -- such messages were sent or received while a voice call was in progress. Because it did not request that this data be collected, AT&T did not know the SMS text data was being transmitted to its secure servers until it was informed by CIQ. The data has not been accessed by any AT&T employees and, in fact, it is encoded in such a manner that AT&T is unable to view it without decoding software for CIQ -- which AT&T has not and does not intend to obtain.