Communications Daily is a service of Warren Communications News.
Franken ‘Troubled’

Carriers Accidentally Collect Text Messages, Intentionally Gather Visited URLs

A bug in Carrier IQ software captured cellphone users’ SMS text messages, Carrier IQ said last week. By design, the software collects numbers dialed, URLs visited, and locations of dropped calls, among other things, it said in a letter released late Thursday to Senate Privacy Subcommittee Chairman Al Franken, D-Minn. Carrier IQ and the carriers and handset makers that have admitted being Carrier IQ customers said the data collection software is a diagnostic tool that does not violate the Electronic Communications Privacy Act or the Computer Fraud and Abuse Act.

The responses left Franken “very troubled by what’s going on,” he said. “People have a fundamental right to control their private information,” and it seems that right is not being respected, he said. “The average user of any device equipped with Carrier IQ software has no way of knowing that this software is running, what information it is getting, and who it is giving it to -- and that’s a problem. It appears that Carrier IQ has been receiving the contents of a number of text messages -- even though they had told the public that they did not. I’m also bothered by the software’s ability to capture the contents of our online searches -- even when users wish to encrypt them.”

AT&T uses the software “only to collect diagnostic information about its network to improve the customer experience,” the carrier said in a separate letter to Franken. Sprint Nextel said the same in another letter. The software is on about 900,000 devices on the AT&T network, with 575,000 collecting and reporting data to AT&T, AT&T said. The software is installed on 26 million Sprint devices, but at “any one time, only 1.3 million devices may be tasked to collect and report data,” Sprint said. About 6.3 million active HTC devices have the software, HTC said in another letter. Samsung has sold 25 million cellphones with Carrier IQ to U.S. carriers, Samsung said. The company doesn’t know how many U.S. consumers use the devices.

AT&T doesn’t use the software “to obtain the contents of customers’ communications [or] to track where our customers go on the Internet,” it said. “The information collected is protected in secure storage with restricted access.” Sprint said it doesn’t use the software to “profile consumer behavior” or “serve targeted advertising.” AT&T and Sprint said they haven’t shared data with third parties, or federal or state law enforcement. And the carriers said they notify customers about the practice in their privacy policies.

Samsung “installs Carrier IQ software only at the instruction of cellular carriers,” it said. “The carrier is exclusively responsible for selecting the types of information transmitted by the Carrier IQ software to the carrier on the carrier’s network without intervention by Samsung.” Samsung receives none of the data, it said. Similarly, HTC said that installation of the software “is required by the wireless service providers and performed under contract and per their specifications.” HTC has no access to data collected, it said.

Carrier IQ software doesn’t “intentionally gather or transmit the content of text messages,” Carrier IQ said. “However, over the course of the past week, as Carrier IQ conducted extensive reviews with the Network Operators, Carrier IQ has discovered an unintended bug in a diagnostic profile to measure radio-network-to-mobile device signaling.” Because of the bug, “in some unique circumstances, such as when a user receives an SMS during a call, or during a simultaneous data session, SMS messages may have unintentionally been included in the layer 3 signaling traffic that is collected by the IQ Agent,” Carrier IQ said. “These messages were encoded and embedded in layer 3 signaling protocol messages and are not human readable.”

Carrier IQ doesn’t decode the SMS messages, it said. “For Network Operators to view the specific content of SMS messages, Carrier IQ would need to write additional software, which has never been done.” The bug doesn’t capture multimedia messages, email, Web, applications, photos, voice or video, it said. “Carrier IQ customers have been informed of this bug, and Carrier IQ has worked with customers to fix it quickly and ensure that this information is no longer captured.”

The software collects “phone numbers dialed and received for the purpose of diagnosing and maintaining” the network, Carrier IQ said. The software doesn’t collect the phone number of the device on which it’s installed, it said. The software collects URLs of websites visited by users to determine how devices perform on specific websites. If a search string is in the URL, that would also be collected, it said. “Only one of Carrier IQ’s customers has requested a profile to collect URLs of websites visited on devices on its network,” Carrier IQ said. The software can’t read or copy the content of a website, it said. The software does not record keystrokes, it said.

Carrier IQ software doesn’t relay a consumer’s location in real time, “and our software is not used to track the location of consumers,” Carrier IQ said. The software can be used to get the location of where a dropped call or other problem took place, Carrier IQ said. The data “is held in a proprietary, binary non-human readable form for a period of time,” usually 24 hours, and then “securely transmitted to a network server located either in the Network Operator’s data center or in our secure data center facilities,” it said.

The software provides data on “when and where calls fail; where customers have problems accessing the network; the reliability and battery performance of their make and model of device and the interaction of the mobile network with a mobile device,” Carrier IQ said. The software “filters only the absolute essential information on the performance of a device and the network,” it said. The filtering happens on the device and “is limited to the collection of diagnostic data, rather than content.”

Carrier IQ hasn’t provided data to any federal or state agency, it said. The FBI denied in a hearing last week (CD Dec 16 p14) that it’s asked Carrier IQ for any data. If a request was made, it would be the responsibility of the carrier or handset maker using the software to provide the data. Carriers and device makers using Carrier IQ software set data collection policies, including whether consumers may opt out, it said. “Carrier IQ does not, itself, access or collect any data from phones for its own use.”