Carrier IQ: We Remotely Turn on Your Wifi With It, It was Capturing Text Messages, and You Agreed to It, says ATT, Sprint


Sprint and ATT have provided their official responses to Senator Al Franken’s inquiry about Carrier IQ (also known as CIQ), the commercial customer tracking software included on the sly on their customers’ cell phones, and their response is, essentially, “our customers agreed to it.” ATT admits that they have CIQ installed on “900,000 devices, with 575,000 of those collecting and reporting wireless and service performance information to ATT.” They also admit that they were capturing the content of SMS text messages sent and received while a voice call was in progress. This they blame on a “programming error”, and that may be, but it illustrates the capabilities and danger of Carrier IQ.

But one of the biggest bombshells may be that through Carrier IQ, they can – and do – remotely turn on your wifi!

Think about that for a minute.

Even if AT&T were the most benign of carriers, and they were only remotely turning on the wifi on your phone for the most benign of reasons, the point still remains that they are turning on the wifi on your phone! There you are thinking that your wifi is turned off, and that your phone is completely secure, not on any unknown or untrusted networks – and they are turning your phone’s wifi on. If you are sitting in a Starbucks or other location with AT&T wifi, that means that your phone may automatically be joining that wifi network. Same for any unsecured wifi network that happens to be in the area when AT&T decides to turn your wifi on for you.

They also admit that one of their “three downstream systems receiving personally identifiable CIQ data from the AT&T server for analysis purposes” has data dating back to May of 2011. If you have an AT&T phone with Carrier IQ, that’s the better part of a year – at least 200 days’ worth – of YOUR personally identifiable customer data.

 

In some ways, Sprint is even worse. They have been surreptitiously installing Carrier IQ on their phones, and monitoring their users, since 2006! And, as a result, CIQ is installed on 26 million Sprint devices! However, Sprint is quick to add, “the Carrier IQ software tool does not collect any information unless it is ‘tasked’ to do so by Sprint. At any one time, only 1.3 million devices may be tasked to collect and report data.”

Ahem, “only” 1.3 million devices.

That said, it is very interesting to see the different tones, and information offered, between the letter from AT&T and the letter from Sprint. If you had to choose between using AT&T or using Sprint, based on the below letters, which one would you choose?

Here are the full texts of each letter – first the one from AT&T, and below that the one from Sprint (and below that, the comment section of this article, for you to tell us what you think):


FULL TEXT LETTER FROM AT&T TO SENATOR AL FRANKEN REGARDING CARRIER IQ DATA MONITORED BY AT&T

Dear Senator Franken:

I am responding to your letter to AT&T Inc. regarding AT&T’s use of Carrier IQ (“CIQ”) software. Let me start by stating that AT&T uses CIQ software only to collect diagnostic information about its network to improve the customer experience. We do not use CIQ to obtain the contents of customers’ communications, to track where our customers go on the Internet, or to track customer location. The information collected is protected in secure storage with restricted access.

AT&T must collect operational data that can point to possible network upgrades, including improved call completion rates. We continually evaluate information about network performance. The information gathered by CIQ software on AT&T devices has been a valuable tool for this purpose because it provides us with a device-side view of the customer’s experience – a view that cannot be obtained from the network alone. This unique view enables us to better anticipate, identify and improve network and service performance.

We know well that personal data and privacy are of paramount concern to our customers. As a network service provider, we have access to a great deal of information necessarily incident to the provision of service. Our Privacy Policy commitments are fundamental to the way we do business and our privacy commitments come first when we consider the use and collection of performance data. We strive to provide transparent and easy-to-understand notice to our customers concerning the information we collect and how we use it.

Attached, please find our responses to your specific questions concerning AT&T’s deployment and use of the CIQ software. If you have additional questions or concerns, please let us know.
Sincerely,

1. On what devices does your company use or install CIQ software?
2. As of what date has your company used or installed this software on these devices?

The CIQ software is integrated and active on eleven AT&T wireless consumer devices:

Pantech Pursuit II, Pantech Breeze 3, Pantech P5000 (Link2), Pantech Pocket, Sierra Wireless Shockwave, LG Thrill, ZTE Avail, ZTE Z331, SEMC Xperia Play, Motorola Atrix 2, and Motorola Bravo. It also is embedded on the HTC Vivid, LG Nitro and Samsung Skyrocket devices, but has not been activated due to the potential for the software agent to interfere with the performance of those devices. The first AT&T device to be integrated with CIQ software was the Motorola Bravo in March of 2011.

CIQ software is also packaged with AT&T’s Mark the Spot (MTS) application, which is offered without charge from the Android Market and RIM Apps World storefronts. The RIM version of MTS was packaged with CIQ in February 2011, with the Android version following in March 2011.

AT&T first released the MTS application – without CIQ software – for iPhone in December 2009. We later made the application available in both the Android and RIM marketplaces.

The rapid adoption of MTS by iPhone customers, and by RIM and Android customers when made available for those devices, provided AT&T with new insights into the network problems experienced by customers while using their devices and new abilities to address those problems in a direct and effective manner. It also informed us that, not only did customers want us to improve their network experience, they also recognized the value of using information gathered from their devices for that purpose.

It was AT&T’s positive experience with MTS that ultimately led to AT&T’s decision to enhance its network reporting capabilities by packaging CIQ software with MTS and integrating it into the devices we offer to customers.

To the best of your knowledge, how many American consumers use these devices?

We can only answer this question for AT&T customers. CIQ software (including versions integrated on the device and downloaded with AT&T’s MTS application) is resident on about 1% of the devices on AT&T’s wireless network, or approximately 900,000 devices, with 575,000 of those collecting and reporting wireless and service performance information to AT&T.

Does your company receive customer location data collected by Carrier IQ software or by Carrier IQ?

Yes. To improve customer service, the CIQ software provides AT&T with the location, date and time the handset experiences a network event, such as a dialed or received telephone call, a dropped call or an attempted call when the handset has no signal. This information tells AT&T where the device was at the time of the occurrence – a device-side view of the customer experience that enhances AT&T’s ability to identify the cause and solution for the problem.

AT&T MTS without CIQ is still available for iPhone downloads. MTS packaged with CIQ has never been available for iPhone customers.

5. What other data does your company receive that has been collected by Carrier IQ software or by Carrier IQ?

a. The telephone numbers users dial?
b. The telephone numbers of individuals calling a user?
c. The contents of the text messages users receive?
d. The contents of the text messages users send?
e. The contents of the emails they receive?
f. The contents of the emails users send?
g. The URLs of the websites that users visit?
h. The contents of users’ online search queries?
i. The names or contact information from users’ address books?
j. Any other keystroke data?

AT&T collects technical data via its version of CIQ software for network and service improvement purposes. The CIQ software agent is a diagnostics package that is either integrated into each of the device types listed above as part of the manufacturing process (“integrated CIQ”), or has been downloaded to a device via AT&T’s Mark the Spot application (“downloaded CIQ”). As described in more detail below, both the integrated and downloaded CIQ agents allow for the collection of metrics associated with device and network events. AT&T specifies the metrics it wants the CIQ software to collect by defining a CIQ profile for that collection; CIQ then writes code designed to collect the information necessary to satisfy AT&T’s profile requirements.

These metrics include:

– Voice Call Performance. Certain AT&T CIQ profiles collect information to assist AT&T in determining whether calls made from the device were successful or unsuccessful, including whether calls were dropped or call attempts failed.

– Data Performance. Certain AT&T CIQ profiles collect information to assist AT&T in determining whether data sessions attempted by the device were established successfully or unsuccessfully, including whether the data session attempt failed, or was dropped after being established.

– Device Stability. Certain AT&T CIQ profiles collect information to assist AT&T in determining the reason for any device stability issues on the AT&T wireless network, such as device shutdowns or battery performance.

– Network Coverage/Roaming. Certain AT&T CIQ profiles collect information to assist AT&T in identifying coverage gaps in our network, such as the location of any shift to roaming.

– Messaging Performance: On a trial basis, AT&T is collecting information on certain CIQ profiles for the purpose of evaluating whether that information will be helpful in assessing network performance problems associated with text messaging. Although collected, this information has not yet been accessed or analyzed by AT&T.

– Application Performance: Also on a trial basis, AT&T is collecting information on certain CIQ profiles for the purpose of evaluating whether that information will be helpful in assessing network performance problems associated with application performance. Again, this information has not yet been collected or analyzed by AT&T.

After the data is collected by the software, it is stored in the customer’s device in a compressed and encoded format, and then transmitted to AT&T’s secure servers over an encrypted communications channel to secure AT&T servers located behind AT&T’s firewall. AT&T’s CIQ profiles are designed so that data uploads from customer handsets do not incur charges. Except in limited circumstances (as, for example, when the device is turned off), those uploads occur once every 24 hours.

In response to your inquiry as to specific data types listed in Question No. 5:

AT&T does collect telephone numbers from the network in the ordinary course of its business as necessarily incident to the provision of wireless voice and text messaging services. AT&T also does collect the telephone numbers sent and received by the device user for Voice Call Performance and Messaging Performance metrics as described above.

The telephone number assists us in determining why a particular call or text message is dropped or otherwise could not be placed or received by the customer. For example, if we see numerous dropped calls to the same number, we are able to investigate whether the underlying cause is a dialing error or a routing problem, and take necessary steps to address the issue.

– AT&T does not collect the contents of e-mails sent and received by device users;
– AT&T does not collect the URLs of websites visited by individual users;
– AT&T does not collect the contents of user’s online search queries;
– AT&T does not collect the names or contact information from users’ address books;
– AT&T did not define any of its CIQ profiles to collect the content of text messages sent or received by users.

As CIQ has stated publicly and also advised AT&T, during the course of its investigation into this matter, CIQ found that, as a result of a programming error related to the capture of signaling data associated with voice calls, the CIQ software also captured the content of SMS text messages when and only when such messages were sent or received while a voice call was in progress.

Because it did not request that this data be collected, AT&T did not know the SMS text data was being transmitted to its secure servers until it was informed by CIQ. The data has not been accessed by any AT&T employees and, in fact, it is encoded in such a manner that AT&T is unable to view it without decoding software from CIQ which AT&T has not and does not intend to obtain.

AT&T currently is retaining this data in response to a legal hold imposed due to pending litigation.
To remedy this inadvertent collection of unreadable SMS text messages, we have taken the following steps: 1) we have implemented a script that prevents the storage of any new data transmitted to AT&T’s servers from devices that are still running the profile collecting SMS Text messages; 2) working with CIQ, we have modified our profiles to avoid this programming error and we are instructing all devices with the affected profiles to discontinue the collection of SMS text messages; and 3) we have implemented a process to verify that any new AT&T CIQ profiles will not inadvertently collect SMS text message content.

– AT&T does not collect keystroke data.

AT&T’s version of the CIQ software is programmed to be aware when keystrokes are entered on the device, but the data entered on the keypad is not collected by the CIQ agent or downloaded to the secure AT&T server.

If your company receives this data, does it subsequently share it with third parties?
With whom does it share this data? What data is shared?

In line with our Privacy Policy, we have shared limited data with CIQ as necessary to troubleshoot problems and test the software and platform performance subject to the conditions noted above.

We have not shared CIQ information with any other non-AT&T company.

Has your company disclosed this data to federal or state law enforcement?

No, we have not disclosed CIQ data to federal or state law enforcement. The AT&T Privacy Policy and FAQ on Information Sharing address circumstances under which we disclose personal information to law enforcement. We provide personal information as necessary to comply with court orders, subpoenas, lawful discovery requests, legal or regulatory requirements, to enforce our legal rights or defend against legal claims, or when otherwise permitted by law (e.g., to prevent death or serious injury). We do not disclose personal information to law enforcement except under those circumstances.

How long does your company store this data?

CIQ data is erased so that it is no longer retrievable from the AT&T CIQ servers 60 days after being uploaded from the device. Of the three downstream systems receiving personally identifiable CIQ data from the AT&T server for analysis purposes, one deletes the data after 45 days, one has CIQ data from September of 2011, and one has data from May 2011.

AT&T’s retention of data is subject to any legal holds that may apply to the data in connection with actual or anticipated litigation.

How does your company protect this data against hackers and other security threats?

AT&T uses technical, administrative and physical safeguards to protect this information.
Data collected by the CIQ software on AT&T devices is uploaded daily from the device and transmitted in encrypted format directly to AT&T servers located inside AT&T’s secure firewalls. These servers are uniquely provisioned for CIQ data and adhere to AT&T’s security policy and requirements that include authentication, access controls, security settings, and administrative procedures, among other items. The servers are monitored 24×7 for performance, reliability and unauthorized intrusion. Only properly authorized, authenticated, and approved AT&T employees, CIQ personnel and Contractors acting on behalf of AT&T have access to the data on this server. Additionally, our AT&T Labs Operations meets daily to review security, compliance, performance and availability of the CIQ data and the AT&T Network organization meets weekly to address program status and conducts weekly device testing and certification procedures.


Does your company believe that its actions comply with the Electronic Communications Privacy Act, including the pen register statute (18 USC § 3121 et. seq.), the federal wiretap statute (18 USC § 2511 et seq.) and the Stored Communications Act (18 USC §2701 et seq.)?

Yes.

Does your company believe that its actions comply with the Computer Fraud and Abuse Act (18 USC § 1030)?

Yes.

Does your company believe that its actions comply with your privacy policy?

Yes. Please see our response to Question 13 for more detail.

Does it believe that consumers are aware that this activity is actually occurring on their devices?

Yes. Clear notice is included in the AT&T Privacy Policy, our Wireless Customer Agreement and the MTS End User Licensing Agreement (EULA) that we collect network, performance, and usage information from our network and customer devices, and we use that information to maintain and improve our network and their wireless experience.

The AT&T Wireless Customer Agreement and the AT&T MTS End User License Agreement (EULA), explain that AT&T uses information from their devices for network service improvement.

Mark the Spot Sign-up: A customer downloading the AT&T MTS application receives and agrees to the EULA for that service. A copy of the first screen of that EULA is Exhibit A to this letter. It states:

IF YOU DO NOT AGREE TO THE TERMS OF THIS LICENSE, INCLUDING THE COLLECTION AND USE OF YOUR LOCATION AND PERFORMANCE INFORMATION (SEE SECTION 1.1), DO NOT CLICK THE “ACCEPT” BUTTON OR DOWNLOAD, INSTALL OR USE THE APPLICATION.

Section 1.1 of the MTS EULA then advises the user:

CONSENT TO USE LOCATION AND PERFORMANCE INFORMATION: This Application accesses and uses Your personally identifiable location information (“Your Location Information”), as well as performance and usage information from your Device (“Your Performance Information”), in order to maintain and improve our network and the quality of Your wireless experience. The Information may be accessed by AT&T through any available wireless connection, including but not limited to Wi-Fi (AT&T may, through this Application, turn on Your Device’s Wi-Fi radio to access the Information). By using this Application, You agree that AT&T may collect and use Your Location and Performance Information for such purpose. AT&T does not retain Your Location or Performance information longer than is reasonably necessary for such use.

Wireless Customer Agreement: Customers purchasing wireless devices from AT&T for use on the AT&T network agree to the AT&T Wireless Customer Agreement. Section 3.6 of that agreement provides:

AT&T collects information about the approximate location of your Device in relation to our cell towers and the Global Positioning System (GPS). We use that information, as well as other usage and performance information also obtained from our network and your Device, to provide you with wireless voice and data services, and to maintain and improve our network and the quality of your wireless experience.

Separate and apart from these notices, the AT&T Privacy Policy provides explicit notice to customers about the information we collect and how we use it. Our upfront policy statement provides:

Location Information: We monitor, collect and use your wireless location information, as well as other information obtained from our network and your device, to provide you with wireless voice and data services, and to maintain and improve our network.

We elaborate further on this provision in the Location FAQ section of the policy, where we respond to the following question:

Do you collect and use my wireless location information?
Yes. AT&T monitors, collects and uses wireless location information to provide you with wireless voice and data services. We also use that information, together with other usage and performance information obtained from our network and your wireless device, to maintain and improve our network and the quality of your wireless experience.

(This letter signed by Timothy P. McKone, Executive Vice President, Federal Relations, AT&T)

 

FULL TEXT LETTER FROM SPRINT TO SENATOR AL FRANKEN REGARDING CARRIER IQ DATA MONITORED BY SPRINT


Dear Chairman Franken:

Thank you for your letter to Dan Hesse, CEO of Sprint Nextel Corporation (Sprint), dated December 1, 2011, inquiring about Sprint’s use of Carrier IQ diagnostic software. Sprint appreciates that your letter reflected both an understanding and acknowledgement of a wireless network operator’s legitimate need to deploy and use diagnostic software in the maintenance and operation of its services. Sprint recognizes that it is fair to ask whether the data collected using Carrier IQ software goes beyond “technical diagnostics information”, and Sprint’s answer is unequivocally no. Sprint takes the privacy of its users and the security of the data it collects seriously so this opportunity to inform the Committee about Sprint’s data collection and privacy practices is timely and welcome, especially in light of recent media stories that did not accurately reflect the facts.

As you know, Sprint is a communications company. Sprint is in the business of connecting its customers with their family and friends, getting them online on the mobile web so that they can connect to sites of their choice, and delivering important and life-saving services, such as E911 services and roadside assistance. Sprint is able to deliver these services because it can correctly connect and route customer calls, direct customers’ data queries to websites of their choosing, and know how and where to find their devices when they need assistance.

Operationally, Sprint knows how to deliver these services on its network. Sprint’s customers trust it with the information that it collects and uses in order to deliver communications services to them.

There are some things Sprint does not know. Sprint does not always know why a call drops or a website will not load, for example. Sprint may not always know why a text message is not delivered timely, or why service is unavailable in a particular area. To help it better understand these issues, Sprint uses troubleshooting software installed on customers’ devices to report diagnostic and analytics data so it can solve particular problems. Sprint does not need to learn the URL of a website that a user is trying to reach – it is something Sprint already knows from routing the request on its network.

Similarly, we know the cell site on which a phone is registering its location, which is necessary for the delivery of voice and data services. We also know the telephone numbers to which our customers have initiated a call or sent a text. Such data is necessary to deliver telecommunications services. In many cases the data collection is required by law and regulations. Under federal law, Customer Proprietary Network Information (CPNI) is also privacy protected. 47 U.S.C. § 222; 47 C.F.R. §§ 64.1200 et. seq.

Discovering, however, why a page did not load requires Sprint to understand what users may be experiencing with their handsets. That is how Sprint has used Carrier IQ — as a diagnostic tool on devices. The Carrier IQ diagnostic tool can help Sprint engineers understand the functionality (or not) of handset applications when connecting with the network and steps that Sprint might take to improve services and the customer experience, including network enhancements.

Carrier IQ diagnostic software is installed on approximately 26 million Sprint devices. However, the Carrier IQ software tool does not collect any information unless it is “tasked” to do so by Sprint. At any one time, only 1.3 million devices may be tasked to collect and report data. In fact, for any particular research request, a subset of a much smaller number of devices, approximately 30,000, are queried to respond to a research request from Sprint personnel.

Sprint understands that Carrier IQ has shared a technical report with the Committee that describes how the Carrier IQ software works and what data may be available from devices for analysis. The report describes “profiles” that network operators can create for purposes of troubleshooting and understanding network performance. It is important to understand that when Sprint makes a “profile” request to Carrier IQ for certain data, it is not seeking nor does it receive a picture of any particular user’s online or mobile behavior over time. To the contrary, a “profile” in Carrier IQ software parlance is a list of analytical data collected from many tasked devices to analyze a certain problem, including conditions or criteria for research of a particular performance issue. For example, a “dropped call profile” could include the signal strength of the cell towers in a particular area for a random volume of calls.

Sprint wants to assure the Committee that data collected by the Carrier IQ tool is transmitted in encrypted form to Carrier IQ and uploaded to the Carrier IQ servers. The data received by Carrier IQ in a raw format is anonymized or otherwise made unreadable by humans before Carrier IQ personnel access or use the data. Carrier IQ analyzes the anonymized data and generally provides Sprint with analytical reports of aggregated metrics based on the anonymized data, thus ensuring that user privacy is not affected in the process. Sprint has not used Carrier IQ diagnostics to profile customer behavior, serve targeted advertising, or for any purpose not specifically related to certifying that a device is able to operate on Sprint’s network or otherwise to improve network operations and customer experiences.

Privacy protection is part of Sprint’s commitment to customer satisfaction and trust. Sprint implements and follows policies and practices that are transparent and demonstrate its accountability for customer privacy, as well as its compliance with the law. The following responses provide answers to your specific questions.

1. On what devices does your company use or install Carrier IQ software?

Response: Carrier IQ software is installed on a variety of Sprint devices, including mobile handsets and tablets. Various Sprint-offered devices manufactured by the following equipment manufacturers have Carrier IQ software installed: Audiovox, Franklin, HTC, Huawei, Kyocera, LG, Motorola, Novatel, Palmone, Samsung, Sanyo, and Sierra Wireless.

2. As of what date has your company used or installed this software on these devices?

Response: Sprint began including Carrier IQ software on devices in 2006.

To the best of your knowledge, how many American consumers use these devices?

Response: To the best of Sprint’s knowledge, there are approximately 26 million active Sprint devices that have the Carrier IQ software installed. As noted above, Sprint only “tasks” (queries information about) a fraction of these devices at any one time (a maximum of 1.3 million) for its diagnostic needs; and then only a subset of devices — approximately 30,000 — are tasked to research specific problems (e.g., in-network roaming in a given area) with any query.

4. Does your company receive customer location data collected by Carrier IQ software or by Carrier IQ?

Response: Sprint receives information that helps determine the location of “tasked” devices. Sprint uses this information in aggregate to identify and troubleshoot issues occurring in a particular area. However, as a wireless service provider, Sprint knows the location of devices registering on its network irrespective of Carrier IQ diagnostics, and Sprint must know that information in order to route calls and data services, including life-saving E911 services.

5. What other data does your company receive that has been collected by Carrier IQ software or by Carrier IQ?

a. The telephone numbers users dial?
b. The telephone numbers of individuals calling a user?
c. The contents of the text messages users receive?
d. The contents of the text messages users send?
e. The contents of the emails they receive?
f. The contents of the emails users send?
g. The URLs of the websites that users visit?
h. The contents of users’ online search queries?
i. The names or contact information from users’ address books?
j. Any other keystroke data?

Response: With the exception of “g” above, Sprint does not receive any of these data elements through the profiles it has established with Carrier IQ. Again, as noted earlier, Sprint already knows the URL of a website that a user is trying to reach from routing the request on its network. This information may be collected through the Carrier IQ software as part of a profile established to troubleshoot website loading latencies or errors experienced by a population of subscribers.

6. If your company receives this data, does it subsequently share it with third parties?
With whom does it share this data? What data is shared?

Response: Sprint does not share with third parties Carrier IQ data from customer devices. The Carrier IQ data is used internally for Sprint’s own use, for analysis by Sprint employees and contractors to assist with device certification and functionality on its network, and for network maintenance, operation and improvement. In the course of certifying device functionality, prior to selling phones to consumers, Sprint does share and receive certain testing results with handset manufacturers.

7. Has your company disclosed this data to federal or state law enforcement?

Response: Sprint has not disclosed Carrier IQ data to federal or state law enforcement.

8. How long does your company store this data?

Response: Carrier IQ stores data on its servers collected on Sprint’s behalf for approximately 30-45 days. Sprint stores raw data received from Carrier IQ for approximately 6 months and stores reports it receives from Carrier IQ based on aggregations of this data for approximately 12 months (data retention may vary depending on the analysis being conducted).

9. How does your company protect this data against trackers and other security threats?

Response: Sprint imposes privacy and security obligations on Carrier IQ through contract with respect to the data housed at Carrier IQ facilities on Sprint’s behalf. Such obligations include the use of technical, physical and administrative safeguards and meeting or exceeding industry best practices in safeguarding data. Sprint ensures the security of the reports it receives from Carrier IQ through a series of controls that surround Sprint’s IT environment.

Sprint uses logical access controls at the operating system, database, and network layers to restrict access to those individuals who have a need-to-know such data. Access at the network layer is terminated when an employee’s relationship with Sprint terminates. Database access is reviewed quarterly to ensure compliance with access control policy and procedures. On the periphery, Sprint employs a host of IT security measures including firewalls at all points of entry to Sprint’s network, and intrusion detection systems at all Internet points of entry. Sprint has a centralized security department responsible for oversight of security policy, awareness, and enforcement throughout the company. Sprint continuously reassesses its technology and processes to ensure that the security of customer data remains robust and state-of-the-art.

10. Does your company believe that its actions comply with the Electronic Communications Privacy Act, including the pen register statute (18 U.S.C. § 2511 et seq.), and the Stored Communications Act (18 U.S.C. § 2701 et seq.)?

Response: Yes.

11. Does your company believe that its actions comply with the Computer Fraud and Abuse Act (18 U.S.C. § 1030)?

Response: Yes.

12. Does your company believe that its actions comply with your privacy policy?

Response: Yes. Sprint’s current privacy policy (sprint.com/legal/privacy) describes the information it collects automatically when a customer uses Sprint services. The policy states in pertinent part:

Information we collect when we provide you with Services includes when your wireless device is turned on, how your device is functioning, device signal strength, where it is located, what device you are using, what you have purchased with your device, how you are using it, and what sites you visit.

And, Sprint’s privacy policy explains that it may use tools and analytics to collect such information.

13. Does it believe that consumers are aware that this activity is actually occurring on their devices?

Response: Sprint believes customers expect service providers and network operators to take reasonable technological steps to maintain the performance of their networks and device functionality in order to effectively deliver call and data services to users. Sprint’s privacy policy contains notice of the information we collect, including the notice described above.

*****************

Thank you, again, for the opportunity to address Sprint’s use of the Carrier IQ tool. As you noted, Sprint has a legitimate need for diagnostic information in providing communications services to its customers. Sprint appreciates and respects the Committee’s interest in ensuring that such data collection and use is in full compliance with the law. Sprint trusts that its response makes clear that its use of the Carrier IQ software for such limited purposes is appropriate and that Sprint has followed its privacy policy and all applicable laws.

Sincerely yours,

(This letter signed by Vonya B. McCann, Senior Vice President, Government Affairs, Sprint)

  

1 Reply to “Carrier IQ: We Remotely Turn on Your Wifi With It, It was Capturing Text Messages, and You Agreed to It, says ATT, Sprint”

  1. What’s the point of having us turn off our phones on the plane then? What about airplane mode?
