Internal documents from Sprint and T-Mobile defending the companies’ usage of the controversial Carrier IQ mobile intelligence-gathering software have leaked on the web.
The two documents, one from each mobile wireless company, provide additional information about the companies’ reliance on Carrier IQ, beyond the companies’ initial official public statements. T-Mobile, Sprint and AT&T have all admitted to using Carrier IQ in some form on their customers’ phones.
Sprint’s “Talking Points” on Carrier IQ
The new Sprint document, which first surfaced on the unofficial blog SprintFeed Monday afternoon, presents a list of “Sprint & Carrier IQ Talking Points,” apparently issued by Sprint’s internal communications department to employees, informing them how to handle Carrier IQ questions from customers.
Most important for consumers, Sprint’s document states that “Sprint uses the Carrier IQ data to only understand device performance on our network so we can understand when issues are occurring…Even with Carrier IQ, Sprint does not and cannot look at or record contents of messages, photos, videos, etc. nor do we sell or provide a direct feed of Carrier IQ data to anyone outside of Sprint.” (Emphasis original).
There’s a lot to unpack there, but let’s start with the basics: Sprint is essentially saying that the data it receives from Carrier IQ is not personal data, and that Carrier IQ couldn’t provide such data to Sprint even if Sprint wanted it to, which it does not.
That said, it is intriguing that Sprint doesn’t come right out and deny the most damning accusation about Carrier IQ: That the software is recording keystrokes.
That charge was first articulated by Android researcher Trevor Eckhart in his now-infamous November 28 video demonstration of the software’s seeming ability to receive information from every keystroke entered into a phone by a user.
Eckhart’s video drew the attention of the media, lawmakers, lawyers and the wider public, most of whom reacted with alarm at the apparent extent of Carrier IQ’s tracking abilities, and the fact that it was running in the background on smartphones, without the expressed knowledge and consent of users. Carrier IQ has since been sued in several U.S. class action lawsuits for violating U.S. wiretapping law, and is facing pressure from European regulators.
Since then, other security researchers have pushed back, running their own tests that show while Carrier IQ does have access to key presses, it can only record which numeric dialer buttons are pushed, not every keystroke.
Moreoever, Sprint’s document notes that the company doesn’t “sell or provide a direct feed of Carrier IQ data” to third parties. The important phrase here is “direct feed.” That seems like a bit of an over-qualifier. It also doesn’t satisfactorily answer the question of whether Sprint provides any user data gathered by Carrier IQ on any “feed,” direct or otherwise, to anyone outside of the company.
Sprint’s document further states that “Carrier IQ’s software can be found on most Android, BlackBerry and Nokia phones,” conducive with Eckhart’s original observation.
RIM, which makes the BlackBerry line, and Nokia both earlier denied to TPM installing Carrier IQ on any of their devices.
The Sprint document concludes by telling the reader to “Assure customers that Sprint is committed to respecting the privacy and security of each customer’s personally identifiable information and other customer data.” It also encourages referring customers to Sprint’s privacy policy.
T-Mobile’s Carrier IQ Q-and-A
T-Mobile earlier stated to PC Magazine that “T-Mobile utilizes the Carrier IQ diagnostic tool to troubleshoot device and network performance with the goal of enhancing network reliability and our customers’ experience. T-Mobile does not use this diagnostic tool to obtain the content of text, email or voice messages, or the specific destinations of a customers’ Internet activity, nor is the tool used for marketing purposes.”
A screengrab of a new internal document that takes the form of a Q-and-A was published Sunday on TmoNews, an unofficial T-Mobile blog. In it, T-Mobile first answers the question “What data does the Carrier IQ diagnostic tool collect?”
T-Mobile states that it has “implemented” Carrier IQ to “collect specific metrics” about “device specific issues.” It provides the following examples, via TmoNews:
Battery performance: If a customer’s device battery appears not to be holding a charge, T-Mobile can determine if the issue is the battery, charger or device
Dropped calls: If a customer attempts to make a call and the call fails, T-Mobile can determine whether the cause was the handset or the network
Application failures: If a customer uses an application, preinstalled or downloaded from a third-party marketplace, and the app fails, T-Mobile will be able to troubleshoot that app failure, which may be perceived by the customer to be the device freezing/crashing
T-Mobile goes on to say that it does not use Carrier IQ to “obtain the content of text, email or voice messages, or the specific destinations of customers’ Internet activity. It is not used for marketing purposes…”
The document also does not rebut, or even mention, any specific allegation of keylogging.
Finally, T-Mobile notes that its cancellation fees still apply to customers who want to cancel over their concerns about Carrier IQ, per its Terms & Conditions, and provides a list of T-Mobile devices upon which the software is installed. Those T-Mobile devices with Carrier IQ installed include:
-HTC Amaze 4G
-Samsung Galaxy S II
-Samsung Exhibit II 4G
-T-Mobile myTouch
-T-Mobile myTouch Q
-LG DoublePlay
-BlackBerry Bold 9900
-BlackBerry Curve 9360
-BlackBerry Torch 9810
We’ve reached out to both T-Mobile and Sprint for more information on these documents and will update when we receive a response.
