Americans consented to secretly installed software on 150 million mobile phones that logs what apps they use and what websites they visit and who they communicate with, according to mobile-phone makers and carriers.
Sprint, AT&T, HTC and Samsung told Sen. Al Franken (D-Minnesota) Thursday that their end-user licensing agreements — those pages of fine print you sign when you get a new cell phone — authorize them to use Carrier IQ software to monitor app deployment, battery life, phone CPU output and data and cell-site connectivity. The companies’ statements, released by Franken, are a good roadmap to how the companies will fight federal privacy lawsuits already brought by consumers over the secret software.
The companies have deployed the software on handsets for years now. But it had only received mainstream attention last month when a Connecticut researcher publicized its presence on YouTube. The ensuing furor over the video prompted Franken to demand answers.
Franken was none too happy with the ones he got.
“People have a fundamental right to control their private information. After reading the companies’ responses, I’m still concerned that this right is not being respected,” Franken said in a statement. “The average user of any device equipped with Carrier IQ software has no way of knowing that this software is running, what information it is getting, and who it is giving it to — and that’s a problem.”
T-Mobile, which has acknowledged using the software, and Motorola are expected to respond to Franken’s inquiry by Dec. 20. Carrier IQ, founded in Mountain View, California, six years ago, has also spoken to government officials, including the Federal Trade Commission, but maintains no official investigation has commenced.
AT&T, for example, cited its terms-of-service agreement with consumers to Franken. Among other things, the agreement says consumers consent to monitoring to “improve your network and the quality of your wireless experience.”
Samsung, which installs the software at the carriers’ request, told Franken that the carriers are responsible for notifying consumers about it. The phone maker said it does not sell phones installed with Carrier IQ “directly to consumers.”
The software runs hidden from users, who generally can’t find it or uninstall it without very sophisticated knowledge or by switching out the operating system by “rooting” their phone and flashing an alternative operating system. While legal, rooting almost always voids a phone’s warranty.
What data is sent to Carrier IQ and the carriers depends on how much data the telcos want. Some carriers might want the text-message data, for example, only when certain conditions are met, such as when a text doesn’t go through to the intended recipient.
“Sprint does not always know why a call drops or a website will not load, for example. Sprint may not always know why a get message is not delivered timely, or why service is unavailable in a particular area,” Sprint wrote. “To help it better understand these issues, Sprint uses troubleshooting software installed on customers’ devices to report diagnostic and analytics data so it can solve particular problems,” Sprint told Franken.
Sprint, which said Friday it was disabling Carrier IQ from 26 million active devices that carry it, added that its “privacy policy explains that it may use tools and analytics to collect such information.”
Verizon does not employ Carrier IQ.
Some carriers collect the the data on an anonymized basis. That provides them a roadmap to where and when calls are dropped without knowing whose phone was being used. When too many calls are dropped in a certain location, for example, that could mean extra cell towers are needed in that area. The same could be true for when the software detects similar areas of low data connectivity.
But other carriers collect data that lets them drill down to the individual phone, providing customer-service representatives with vast tools to assist complaining customers. For example, a carrier could tell a customer that battery life is poor because a certain app is hogging electricity in the background. The software can be programmed to know when a consumer changed the battery, or how many times a battery charger was used. AT&T’s and Sprint’s letters spell out what data Carrier IQ collects on their behalf.
Here’s a synopsis of what the respondents told Franken:
- “AT&T collects information about the proximate location of your Device in relations to our cell towers and the Global Positioning System (GPS). We use that information, as well as other usage and performance information also obtained from our network and your Device, to provide you with wireless voice and data services, and to maintain and improve your network and the quality of your wireless experience,” AT&T said, (.pdf) citing its terms of service.
- “Information we collect when we provide you with Services includes when your wireless device is turned on, how your device is functioning, device signal strength, where it is located, what device you are using, what you have purchased with your device, how you are using it, and what sites you visit. And, Sprint’s privacy policy explains that it may use tools and analytics to collect such information,” Sprint wrote (.pdf) Franken, also citing its user agreement.
- “To the best of HTC’s knowledge the wireless service providers have made their collection activities known via their privacy policies and terms of use. The Federal Trade Commission staff also recognize that consumers ‘reasonably anticipate, and are likely to accept, that an [electronic communication service provider] will monitor the transmission of data for reasons related to providing the [related service], such as to ensure that their service is not interrupted or to detect and block the transmission of computer viruses or malware.’ Accordingly, the FTC calls this type of activity a ‘commonly accepted practice,’” HTC responded. (.pdf)
- “Because Samsung does not sell any relevant devices directly to consumers, Samsung is not in a position to determine the extent of consumer awareness regarding the nature of the relationship between the carrier and the consumer, including the carriers’ inclusion of Carrier IQ on devices operating on their networks. Samsung understands that the carriers have Terms of Service and/or Privacy Policy agreements that discuss the collection and usage of consumer data, and that those agreements may govern the carriers’ relationships,” Samsung said.
Gizmodo has a quick rundown of which phones run Carrier IQ.