Two weeks ago, smack-dab in the middle of the CarrierIQ saga, Senator Al Franken pounded his fist on the table and demanded answers. He wanted to know what CarrierIQ is all about and why several US mobile providers and manufacturers felt the need to install potentially invasive software on the phones of unsuspecting consumers. Senator Franken sent Sprint, AT&T, T-Mobile, Samsung, HTC and Motorola a series of thirteen questions each, trying to get to the bottom of what each company is doing with the mysterious software. So far, all but T-Mobile and Motorola have complied with the Senator's wishes, as the two remaining companies were given until December 20th to have their responses submitted (we'll update this post as those are made public).

As we reported previously, the Senator wasn't all too pleased by what the companies had to say. But what exactly is found in these pages and pages of documents? A few answers, and some more questions. We have pored through each company's letter, so follow us below as we break down their responses to each of the Senator's queries.

Note: The level of involvement by the government seems to be making an impact, as Sprint is now disabling all Carrier IQ software on its devices so that data cannot be collected anymore. Its response to Senator Franken, however, should not be discounted as it provides insight into why the carrier's been a "valued customer" of CIQ's since 2006, and how it's been using the data it has collected over the past five years. Read on!

Opening statements

Below are excerpts from each company's opening statement, in which they attempt to explain to the Senator the innocence of their intentions.

Sprint:

It is important to understand that when Sprint makes a "profile" request to CIQ for certain data, it's not seeking nor does it receive a picture of any particular user's online or mobile behavior over time. To the contrary, a "profile" is a list of analytical data collected from many tasked devices to analyze a certain problem, including conditions or criteria for research of a particular performance issue. For example, a "dropped call profile" could include the signal strength of the cell towers in a particular area for a random volume of calls.

Data collected by the CIQ tool is transmitted in encrypted form to CIQ and uploaded to the CIQ servers. The data received by CIQ in a raw format is anonymized or otherwise made unreadable by humans before CIQ personnel access or use the data... Sprint has not used CIQ diagnostics to profile customer behavior, serve targeted advertising, or for any purpose not specifically related to certifying that a device is able to operate on Sprint's network or otherwise to improve network operations and customer experiences.


AT&T:

AT&T uses CIQ software only to collect diagnostic information about its network to improve the customer experience. We do not use CIQ to obtain the contents of customers' communications, to track where our customers go on the internet, or to track customer location.

AT&T must collect operational data that can point to possible network upgrades, including improved call completion rates. We continually evaluate information about network performance.


Samsung:

Pursuant to the carriers' agreements with STA, some of those cellular carriers required Samsung to pre-install CIQ software on some of the devices prior to the sale of those devices to the carrier. Samsung installs CIQ software only at the instruction of cellular carriers, and does so in the exact manner and in the configuration required by the carrier and CIQ. The carrier is exclusively responsible for selecting the types of information transmitted by the CIQ software to the carrier on the carrier's network without intervention by Samsung. Samsung does not receive data generated by the CIQ software.

Samsung installs the CIQ software only as specified by the carrier and does not select or determine the configuration of the CIQ software, and it is Samsung's understanding that there is no information collected by the software that is inconsistent with what is disclosed by the carriers to their customers in their respective TOS and / or Privacy Policies. Samsung devices undergo extensive testing by the carriers to ensure that the devices meet all of the carriers' specifications and requirements, including CIQ specifications.


HTC:

HTC does not own the Carrier IQ software. The Carrier IQ software and service are developed and managed by Carrier IQ and used by providers of wireless services such as Sprint, T-Mobile, and AT&T.

HTC does not use the Carrier IQ software for its own purposes; our involvement with the Carrier IQ software and service is limited to integrating the Carrier IQ software into certain HTC devices. This integration is required by the wireless service providers and performed under contract and per their specifications. The Carrier IQ software collects data specified by the wireless service providers, processes it, and transmits it off the HTC Devices.

As part of the integration of Carrier IQ into HTC devices performed on behalf of Sprint and AT&T, HTC had developed a software component based on their respective specifications. This software component enables the Carrier IQ software to collect additional data specified by Sprint and AT&T from HTC devices and then delivers the specified data to the Carrier IQ software on the device.

Senator Franken's questions

1. On what devices does your company use or install Carrier IQ software?

Sprint: CIQ software is installed on a variety of devices, such as phones and tablets. It can be found on Audiovox, Franklin, HTC, Huawei, Kyocera, LG, Motorola, Novatel, Palmone, Samsung, Sanyo and Sierra Wireless.

AT&T: CIQ is integrated and active on eleven devices: Pantech Pursuit 2, Pantech Breeze 3, Pantech Link 2, Pantech Pocket, Sierra Wireless Shockwave, LG Thrill, ZTE Avail, ZTE Z331, Sony Ericsson Xperia Play, Motorola Atrix 2 and Motorola Bravo. It's also embedded on the HTC Vivid, LG Nitro HD and Samsung Skyrocket, though it hasn't been activated due to the potential for the software agent to interfere with the performance of these devices. It's also packaged with AT&T's Mark the Spot application (it mentions later in the letter that Android and BlackBerry versions of the app have CIQ, but iOS doesn't).

Samsung: CIQ is installed on the AT&T Skyrocket, the Galaxy S II and Exhibit II 4G on T-Mobile, four handsets on Cricket and a whopping 28 Sprint devices.

HTC: CIQ can be found on the Amaze 4G (T-Mobile), Vivid (AT&T) and seven devices on Sprint, including the Snap, Touch Pro2, Hero, EVO 4G, EVO Shift 4G, EVO 3D and EVO Design 4G. Components of CIQ have also been found on the Merge, Acquire, Desire, Wildfire, Flyer and a variant of Hero, but aren't requested by the carriers who sell them. HTC is working on an update to remove these components.

2. As of what date has your company used or installed this software on these devices?

Sprint: 2006.

AT&T: The first AT&T device to be integrated with CIQ was the Bravo in March of 2011 (this was likely included as part of the upgrade to Froyo). RIM's version of Mark the Spot was packaged with CIQ in February 2011, followed by the Android version a month later. (As a side note, AT&T takes the opportunity to state here that it began adding it to devices as a result of the positive experience they had with CIQ in Mark the Spot.)

Samsung: November 2007.

HTC: HTC's response is a little interesting. It first absolves itself of any blame, citing that it was contractually required by the carriers to integrate CIQ into its devices. The company goes on to say that "the CIQ software was first integrated on the Hero, which became available to customers through Sprint on October 2009." Immediately after, it explains that the Snap and Touch Pro2, both using CIQ, became available in the US market prior to this date, suggesting that the new software was introduced to these phones in future updates.

3. To the best of your knowledge, how many American consumers use these devices?

Sprint: 26 million Sprint devices have CIQ installed. However, Sprint specifies here that only a fraction of these devices are "tasked" -- pinged with requests for data -- at one time, and that number never exceeds 1.3 million. Of those, only a subset (it throws out a figure of 30,000) are tasked to research specific problems, such as in-network roaming. Our concern is that if only 30,000 -- out of 1.3 million -- are looking into specific problems, why are the remaining 1.27 million still being tasked?

AT&T: CIQ is used on one percent of the network's devices, which equals approximately 900,000. This includes CIQ integrated into the handset as well as downloaded using Mark the Spot. Of those 900,000, only 575,000 are "collecting and reporting wireless and service performance information to AT&T." Same question, AT&T: what about the remaining 325,000?

Samsung: Approximately 25 million phones have been pre-installed with CIQ, but it doesn't have the ability to say exactly how many consumers are using these phones.

HTC: Approximately 6.3 million devices using CIQ are active.

4. Does your company receive customer location data collected by CIQ?

Sprint: Yes, but only to identify and troubleshoot issues occurring in a particular area. Besides, it already knows the location of devices registering on the network irrespective of CIQ -- and Sprint must know this information in order to route calls and data services such as E911.

AT&T: Yes. CIQ provides them with location, date and time the handset experiences a "network event" such as a dropped call or an attempted call when the phone has no signal. This enhances AT&T's ability to identify the cause and solution for the problem.

Samsung: No, Samsung does not collect that data (but it doesn't specify that the carriers do, a fact that's becoming quite evident).

HTC: HTC isn't intended to be a recipient of CIQ data, thus it does not receive any. However, it does mention that some data may have inadvertently been received through error reporting mechanisms, and is investigating the matter. In fact, this exact same statement was repeated throughout its response.

5. What other data does your company receive that was collected by CIQ software? (Senator Franken specifies telephone numbers, contents of SMS and emails, URLs of websites users visit, contents of search queries, keystroke data and contact information from address books.)

Sprint: Sprint receives none of the above, with the exception of URLs. However, the carrier already knows the information anyways, since it's routing the request on its network. CIQ software may collect the URLs as "part of a profile established to troubleshoot website loading latencies or errors experienced."

AT&T: AT&T's response was incredibly long and detailed. It mentions that the software collects metrics associated with device and network events, and that it specifies which metrics it wants CIQ to collect by defining a profile for that collection. The metrics include performance in voice calls (whether calls made from the device were successful, dropped or failed), data, device stability (trying to determine if device shutdowns or poor battery life are a result of network issues, for instance), network coverage (identifying coverage gaps), messaging (which AT&T specifies gets collected on a trial basis, but not accessed or analyzed) and applications (also on a trial basis, meaning it doesn't get collected or analyzed).

AT&T goes on to state that once the data is collected, it gets compressed, encoded and stored in the device, then transmitted securely over an encrypted channel to AT&T's servers located behind a firewall. When the device is turned on, these uploads take place once every 24 hours and don't incur data charges to the customer.

Finally, it breaks down the Senator's specific queries. In addition to purposes of provisioning voice and text services, AT&T collects telephone numbers from the network for its voice call and messaging performance metrics; it claims the number can help determine why a particular call or text fails or gets dropped. Aside from this, it's also been inadvertently collecting the content of texts sent or received during a call, but the carrier did not request this data be collected, and was only made aware of the issue when CIQ discovered it during recent investigations. However, the data was encoded in a manner that the carrier was unable to view it without specific software in CIQ's possession that AT&T doesn't currently have access to ("and does not intend to obtain"). The two companies are working together to remedy this concern.

Samsung: In a much shorter response, Samsung refers back to the previous answer, in which it insists it does not collect any data.

HTC: HTC repeats its answer to question four, stating that the OEM doesn't receive any data from CIQ.

6. If your company receives data, does it subsequently share it with third parties? With whom does it share this data? What data is shared?

Sprint: Sprint does not share CIQ data with third parties. The information is used internally for Sprint's own use for analysis by employees and contractors to assist with device certification and functionality on its network, and for network maintenance, operation and improvement. It does, however, share "certain testing results" with OEMs.

AT&T: AT&T has shared limited data with CIQ to troubleshoot problems and test software and platform performance, but it hasn't shared CIQ information with any other non-AT&T company.

Samsung: Not applicable, since Samsung doesn't receive data.

HTC: Same answer as questions four and five.

7. Has your company disclosed this data to federal or state law enforcement?

Sprint: No.

AT&T: No. AT&T does, however, comply with court orders, subpoenas and any other legal requirements (we imagine it has rather extensive representation, after all).

Samsung: Again, not applicable.

HTC: HTC hasn't received any requests for disclosure of CIQ data from federal or state law enforcement.

8. How long does your company store this data?

Sprint: Data is stored on CIQ's servers on Sprint's behalf for approximately 30-45 days. Sprint stores raw data from CIQ for around six months and stores reports it receives from CIQ based on this data for roughly twelve months.

AT&T: Data is erased from the AT&T CIQ servers 60 days after being uploaded. There are three downstream systems receiving personally identifiable CIQ data from the AT&T server for analysis purposes; one deletes the data after 45 days, one has data from September 2011 and the other has data from May 2011.

Samsung: Not applicable.

HTC: Same answer as questions four, five and seven.

9. How does your company protect this data against hackers and security threats?

Sprint: Sprint imposes privacy obligations on CIQ through contract with respect to data stored on its servers on the carrier's behalf. It ensures security through a series of controls surrounding its IT environment, and access is restricted to a need-to-know basis (and is terminated when the employee's relationship with Sprint is over). Firewalls are set up at all points of entry to the network, with intrusion detection systems at each point, and Sprint continually reassesses its technology and processes to make sure they remain state-of-the-art and robust.

AT&T: The carrier uses several safeguards. Collected data is uploaded and transmitted in encrypted format directly to servers inside AT&T's firewalls. The servers are monitored 24 / 7, and only properly authorized employees and contractors have access to its data. Daily meetings are conducted at the AT&T Labs to review security and performance, and weekly device testing and certification takes place.

Samsung: Not applicable.

HTC: It gives a similar answer to those prior, but mentions that it does not manage the protection of CIQ data since it isn't an intended recipient of said information. Also, it adds that "error reporting data collected by HTC is protected using appropriate processes and methods."

10. Does your company believe its actions comply with the Electronic Communications Privacy Act and Stored Communications Act?

All companies answered yes.

11. Does your company believe its actions comply with the Computer Fraud and Abuse Act?

Again, all companies answered yes, with Samsung continuing to insist that all CIQ data and access is dealt with on the carrier level.

12. Does your company believe that its actions comply with your privacy policy?

Once again, the answer was a resounding yes. HTC mentions that its privacy policy does not apply to CIQ data, since it doesn't cover data it does not intend to receive.

13. Does it believe that consumers are aware that this activity is actually occurring on their devices?

Sprint: The carrier "believes customers expect service providers and network operators to take reasonable technological steps to maintain the performance of their networks and device functionality in order to effectively deliver call and data services to users. Sprint's privacy policy contains notice of the information we collect."

AT&T: Yes. AT&T points to the Privacy Policy, Wireless Customer Agreement and Mark the Spot EULA, signifying that network, performance and usage information is collected, and it uses that information to maintain and improve network and wireless experience.

AT&T then goes on to include the sections of each agreement that point out that the customer -- if they read through the entire thing -- should be aware that such things are taking place on the network.

Samsung: Again, Sammy insists the blame resides solely with carriers. "Samsung is not in a position to determine the extent of consumer awareness regarding the relationship between carrier and consumer, including the carrier's inclusion of CIQ."

HTC: HTC mentions that carriers have made these activities known via their own specific privacy policies. It then argues that the FTC also recognizes that these activities are commonly accepted practices in which choice is not necessary, much like "improving services offered, fraud prevention, legal compliance, and first-party marketing."

So there you have it, folks. The carriers insist this is highly protected data that's only used for purposes of network enhancement, and OEMs are playing the blame game by stating that they only pre-installed CIQ software on their devices due to contractual restrictions with the carriers. This raises more questions, however, about the amount of control carriers are exerting over phone manufacturers; either HTC and Samsung had absolutely no qualms with allowing CIQ software on their devices -- since we'd like to think that HTC and Samsung had at least some say in contractual negotiations with the carriers -- or they simply don't have any power in the US whatsoever. Regardless, contracts are a two-way street, and the manufacturers were involved just as much as the carriers were.

Also, let's take into consideration what the carriers are saying about their use of CIQ software. In short, both AT&T and Sprint made it sound like they didn't have any other option for monitoring, testing and maintaining their networks properly and efficiently. If AT&T, however, didn't use CIQ until earlier this year, what did the carrier do to ensure smooth network performance prior to March 2011? Going one step further, how will Sprint retrieve diagnostic information now that CIQ is disabled on its devices? What does Verizon use, since it insists that CIQ isn't installed on any of its phones? How much does each carrier rely on CIQ?

What else was of particular interest to you in reading these responses? Are you satisfied with each company's explanation? Sound off in the comments below.
