Carriers and handset vendors provide senator information about Carrier IQ deployment

Rich Fiscus
19 Dec 2011 3:20

Shortly after the furor over Carrier IQ began, Senator Al Franken sent letters to several national mobile carriers and handset manufacturers asking for details of the program's operation.
Carrier IQ is a rootkit which comes preinstalled on various smartphones sold in the US. A rootkit is a program which runs secretly with privileged access. Carrier IQ sends diagnostic information, at the carrier's request, to servers operated by the software's developers, who then forward that information to the carrier.
Since the software was discovered in November, there has been a great deal of debate over what information it is capable of collecting, what information is actually being collected, and the legality of it.
The researcher who first announced its existence, Trevor Eckhart, claimed it could record and report every keystroke made on a smartphone. Later, another researcher reported that was not true.
Senator Franken has received and published responses to his letter from Sprint, AT&T, Samsung, and HTC. He is still waiting for responses from T-Mobile and Motorola, which he has requested no later than December 20.
According to Sprint's response, their agreement for using Carrier IQ services does not provide them with information from individual users directly. Instead, their letter says, they receive aggregate data which has already been processed by the vendor.

The data received by Carrier IQ in a raw format is anonymized or otherwise made unreadable by humans before Carrier IQ personnel access or use of the data. Carrier IQ analyzes the anonymized data and generally provides Sprint with analytical reports of aggregated metrics based on the anonymized data, thus ensuring that user privacy is not affected in the process. Sprint has not used Carrier IQ diagnostics to profile customer behavior, serve targeted advertising, or for any purpose not specifically related to certifying that a device is able to operate on Sprint's network or otherwise to improve network operations and customer experiences.

Sprint goes on to say this is completely legal because of the wording of their subscriber agreement:

Information we collect when we provide you with Services includes when your wireless device is turned on, how your device is functioning, device signal strength, where it is located, what device you are using, what you have purchased with your device, how you are using it, and what sites you visit. And, Sprint's privacy policy explains that it may use tools and analytics to collect such information.

The letter he received from AT&T suggests they do, in fact, receive the raw data. They go into some detail about what information is being collected, which includes voice call performance, data performance, and network coverage/roaming.
They also say this is allowed by their subscriber agreement:

Customers purchasing wireless devices from AT&T for use on the AT&T network agree to the AT&T Wireless Customer Agreement. Section 3.6 of that agreement provides:
AT&T collects information about the approximate location of your Device in relation to our cell towers and the Global Positioning System (GPS). We use that information, as well as other usage and performance information also obtained from our network and your Device, to provide you with wireless voice and data services, and to maintain and improve our network and the quality of your wireless experience.....

However, that may not provide them as much protection as they are suggesting since their letter says they are also collecting other information including:

• Device Stability
  Certain AT&T CIQ profiles collect information to assist AT&T in determining the reason for any device stability issues on the AT&T wireless network, such as device shutdowns or battery performance.

• Messaging Performance
  On a trial basis, AT&T is collecting information on certain CIQ profiles for the purpose of evaluating whether that information will be helpful in assessing network performance problems associated with text messaging. Although collected, this information has not yet been accessed or analyzed by AT&T

• Application Performance
  Also on a trial basis, AT&T is collecting collected information on certain CIQ profiles for the purpose of evaluating whether that information will be helpful in assessing network performance problems associated with application performance. Again, this information has not yet been collected or analyzed by AT&T.

While it may be true their subscriber agreement could include this data, it could also be argued a reasonable person would not understand it to mean that. Those descriptions are also notably vague, leaving some question as to exactly what messaging and app data is being collected.
This is particularly troubling in light of the fact AT&T admits to having collected data which could identify individual phone users and also to keeping that data for several months:

Of the three downstream systems receiving personally identifiable CIQ data from the AT&T server for analysis purposes, one deletes the data after 45 days, one has CIQ data from September of 2011, and one has data from May 2011.

AT&T also confirmed that Carrier IQ was, at one point, collecting the contents of SMS messages. They say this was the result of a "programming error" and insist they neither have nor plan to acquire software for reading these messages.

As CIQ has stated publicly and also advised AT&T, during the course of its investigation into this matter, CIQ found that, as a result of a programming error related to the capture of signalling data associated with voice calls, the CIQ software also captured the content of SMS text messages when -- and only when -- such messages were sent or received while a voice call was in progress. Because it did not request that this data be collected, AT&T did not know the SMS text data was being transmitted to its secure servers until it was informed by CIQ. The data has not been accessed by any AT&T employees and, in fact, it is encoded in such a manner that AT&T is unable to view it without decoding software for CIQ -- which AT&T has not and does not intend to obtain.

The two handset vendors responding to Senator Franken's letter both explained that the installation of Carrier IQ was purely at the direction and under the authority of the carriers. Both say they do not receive any information gathered by the software.
Interestingly, HTC also mentioned that some components of Carrier IQ had been identified on handsets which weren't supposed to have it installed.
You can find the entire list of devices provided by the carriers and handset vendors in the letters, which are included below. In total, it appears more than 25 million subscribers are affected. This, of course, does not include any information from T-Mobile or Motorola, whose responses the senator has not received.