Sprint disabling Carrier IQ on phones

Sprint, which for weeks has defended its use of Carrier IQ software on mobile phones, is now disabling the software, a Sprint spokeswoman confirmed today.

"We have weighed customer concerns and we have disabled use of the tool so that diagnostic information and data is no longer being collected," spokeswoman Stephanie Vinge-Walsh said in a statement.

"We are further evaluating options regarding this diagnostic software as well as Sprint's diagnostic needs," the statement said. "At Sprint, we work hard to earn the trust of our customers and believe this course of action is in the best interest of our business and customers."

Asked exactly what "disabling" means, Vinge-Walsh said "we are not collecting the diagnostic information."

The news initially came from Geek.com, which reported earlier today that lawsuits had prompted Sprint to ask its manufacturer partners to "get rid" of Carrier IQ. Geek.com cited sources at HTC.

"Starting with the high-volume and high-profile devices on the network, each of the OEMs has been asked to quickly release binaries that do not contain Carrier IQ so that over-the-air updates can be pushed to those devices as quickly as possible," Geek.com reported. "The eventual plan is to remove Carrier IQ from all of the devices on Sprint's network."

Asked to comment on that report, Vinge-Walsh said: "Regarding your questions about manufacturers and removing the software, those are rumors and speculation and we don't comment on rumors."

Vinge-Walsh's statement reiterated that Sprint uses Carrier IQ for troubleshooting and diagnostic purposes, and does not look at the content of messages, e-mails, photos, videos, or keystrokes:

Sprint has not used Carrier IQ diagnostics to profile customers, to serve targeted advertising, or for any purpose not specifically related to certifying that a device is able to operate on our network or to otherwise improve the customer experience or our network operations. We have used Carrier IQ to certify devices prior to launching them on our network and after launch to review device functionality on our network (i.e., to better understand where dropped calls occur, identifying gaps in cell tower coverage, etc.).
Customers can trust that we look at only enough information through the Carrier IQ tool reporting aggregated, anonymized metrics, to understand the customer experience with devices and how we can improve our performance and enhance the customer experience.

Vinge-Walsh said she could not say whether Sprint plans to remove the software entirely from phones.

Controversy continues

Carrier IQ, Sprint, AT&T, and T-Mobile have said they use the software to diagnose problems and troubleshoot network failures. But critics--including Android developer Trevor Eckhart, who first exposed the workings of Carrier IQ on the phones last month--complain that consumers aren't aware that data is being collected from their phones and can't opt out. The critics also have raised alarms that content of messages and keystrokes are being logged, which Carrier IQ and the operators deny. Outside security experts also say they find no evidence of keylogging by the software.

Carrier IQ's delayed response in releasing details added fuel to a firestorm already stoked by Carrier IQ's filing a cease-and-desist notice against Eckhart shortly after he went public with his concerns. The company eventually backed down and apologized, but to many people it seemed like the company had something to hide.

The privacy concerns have prompted lawsuits against Carrier IQ and carriers, as well as calls for an investigation by the Federal Trade Commission, which could already be under way. (For complete coverage see CNET's Carrier IQ Roundup.

Sprint began including Carrier IQ on devices in 2006, and it is installed on devices manufactured by Audiovox, Franklin, HTC, Huawei, Kyocera, LG, Motorola, Novatel, Palmone, Samsung, Sanyo, and Sierra Wireless, the company divulged in a letter responding to questions from U.S. Senator Al Franken earlier this week.

"There are approximately 26 million active Sprint devices that have the Carrier IQ software installed," Sprint said in its letter. "Sprint only 'tasks' (queries information about) a fraction of these devices at any one time (a maximum of 1.3 million) for its diagnostic needs; and then only a subset of devices--approximately 30,000--are tasked to research specific problems, (e.g., in-network roaming in a given area) with any query."

Sprint said it does not receive from Carrier IQ keystrokes, contents of text messages, e-mails, Web search queries, telephone numbers, or contact information, but does receive URLs of Web sites visited. "Sprint already knows the URL of a Web site that a user is trying to reach from routing the request on its network," the company said in its letter to Franken. "This information may be collected through the Carrier IQ software as part of a profile established to troubleshoot Web site loading latencies or errors experienced by a population of subscribers."

Customers agree to the data collection when they sign up for the cellular service, Sprint said. Its privacy policy outlines specific types of data it may collect and that it may use tools and analytics to gather it. From its letter:

Information we collect when we provide you with Services includes when your wireless device is turned on, how your device is functioning, device signal strength, where it is located, what device you are using, what you have purchased with your device, how you are using it, and what sites you visit.

AT&T, HTC, Samsung

AT&T told Franken that the first device it offered to be integrated with Carrier IQ was the Motorola Bravo in March 2011, and that it is active on 11 devices: Pantech Pursuit II, Pantech Breeze 3, Pantech P5000 (Link2), Pantech Pocket, Sierra Wireless Shockwave, LG Thrill, ZTE Avail, ZTE Z331, SEMC Xperia Play, Motorola Atrix 2, and Motorola Bravo. It is also embedded on the HTC Vivid, LG Nitro, and Samsung Skyrocket devices, but has not been activated because it may interfere with the performance of those devices, AT&T said in its letter.

Carrier IQ is resident on about 1 percent of the devices on AT&T's wireless network, or about 900,000 devices, with 575,000 of them collecting and reporting data to AT&T, the company said. AT&T collects telephone numbers "in the ordinary course of its business" of provisioning voice and text messaging services, but does not collect keystroke data, URLs visited, contact information from address books, content of e-mails or text messages or search queries and has not asked to collect the content of text messages. AT&T customers give permission to collect the data in the end user license agreement, the company said.

Meanwhile, both HTC and Samsung told Franken in their letters that they do not use Carrier IQ for their own purposes and do not receive any of the data, but are asked to integrated it into certain devices by the wireless service providers in most cases.

The first HTC device to have Carrier IQ integrated was the Hero, offered through Sprint in October 2009, and about 6.3 million HTC devices using the software are active, the company said. The software is integrated for active use on the Snap, Touch Pro2, Hero, Evo 4G, Evo Shift 4G, Evo 3D, and Evo Design available through Sprint; the Vivid from AT&T; and the Amaze 4G from T-Mobile. Components of Carrier IQ have been found on the following HTC devices: Merge, Acquire, Desire, Wildfire, Flyer, and a variant of Hero, but the components are not believed to be collecting or reporting any data. The Carrier IQ components on those devices were not requested by the wireless service providers who sell the devices, and HTC is working on an update to remove the components from them, HTC's letter said.

The software was first used on Samsung devices in November 2007 and it is pre-installed on about 25 million Samsung cell phones offered through Sprint, T-Mobile, Cricket, and AT&T, Samsung said in its letter to Franken, which lists specific model numbers.

Senator troubled

Franken had asked Carrier IQ and the carriers and several handset makers two weeks ago to disclose what data they collect. After receiving some of their responses, he said yesterday that he is "very troubled" and remains worried that consumer privacy rights are being violated.

"People have a fundamental right to control their private information. After reading the companies' responses, I'm still concerned that this right is not being respected," Franken (D-Minn.) said in a statement. "The average user of any device equipped with Carrier IQ software has no way of knowing that this software is running, what information it is getting, and who it is giving it to--and that's a problem. It appears that Carrier IQ has been receiving the contents of a number of text messages--even though they had told the public that they did not."

Franken also said he is bothered by Carrier IQ's ability to capture the contents of Web searches, even when people are using encryption. "So there are still many questions to be answered here and things that need to be fixed," he said.

Asked for comment on Franken's latest statement, Andrew Coward, vice president of marketing for Carrier IQ, said in a statement: "We appreciate Subcommittee Chairman Franken's continued interest in protecting consumer privacy and look forward to our ongoing dialogue with the Senator to answer his additional questions." For more information about Carrier IQ's functionality, he directed CNET to an 18-page document (PDF) the company provided to Franken, which CNET previously reported on.

T-Mobile and Motorola have until December 20 to respond to Franken's questions.

(Via Mobile Burn)

Updated 4:50 p.m. PT with more background, information from AT&T, HTC, and Samsung letters to Franken and 3:40 p.m. PT with background, Sprint letter to Franken, Franken's comments and 3:10 p.m. PT with Vinge-Walsh clarifying that it is disabling the software but not commenting on rumors that manufacturers are removing it, and 3 p.m. PT with Sprint statement.