Documents filed in response to a U.S. lawmaker's request show that Sprint is by far the biggest user of Carrier IQ's software, with more than 26 million handsets featuring the controversial mobile tracking tool.
AT&T, another major wireless carrier, said it has integrated the software into about 900,000 handsets, although it is collecting data only from about 575,000 of them.
[ InfoWorld's Galen Gruman says Carrier IQ and Facebook pose the least of your privacy threats. | Also see Paul Venezia's post "The Carrier IQ scandal: Enough is enough" and check out "Is a privacy backlash brewing?" by InfoWorld's Eric Knorr. | Learn how to secure your systems with Roger Grimes' Security Adviser blog and Security Central newsletter, both from InfoWorld. ]
Details about the carriers' use of Carrier IQ software were included in letters filed with U.S. Sen. Al Franken's (D-Minn.) office Thursday. Franken earlier this month had sent letters to AT&T, Sprint and several other companies demanding details about their use of Carrier IQ's software.
The letter was prompted by security researcher Trevor Eckhart's disclosure last month that Carrier IQ software could be used to conduct surreptitious and highly intrusive tracking of mobile phone users.
Franken had asked the carriers for such details as how many devices had the software installed, how long they had been using the software, what they were using it for and what data was being collected with it.
On Thursday, Franken issued a statement saying that despite the clarifications, he was still "very troubled by what's going on."
"People have a fundamental right to control their private information. After reading the companies' responses, I'm still concerned that this right is not being respected," Franken said. He added that average users had no way of knowing if the software was running on their devices, what information was being captured and where it being sent. "That's a problem, he said.
In its response, Sprint noted that it has been using Carrier IQ software since 2006 but insisted that the only information it collects and uses is related to network and device performance.
"Sprint has not used Carrier IQ diagnostics to profile customer behavior, serve targeted advertising, or for any purpose not specifically related to certifying that a device is able to operate on Sprint's network or otherwise to improve network operations and customer experiences," Vonya McCann, the company's senior vice president of government affairs, said in the letter.
McCann noted that though the software was installed on 26 million devices, at any particular time only about 5% of those devices, or about 1.3 million phones, are actually tasked to collect information. Of that number, about 30,000 are queried to respond to specific requests from Sprint personnel.
McCann categorically denied that Sprint collects or ever had collected the contents of emails and text messages or has read the contents of users' search queries using Carrier IQ software.
Timothy McKone, AT&T's executive vice president of federal relations, expressed similar sentiments in that company's response to Franken's letter.
McKone noted that AT&T has been using Carrier IQ software since March and has so far installed the software on several AT&T handsets including the Pantech Pursuit II, Pantech Breeze III, Motorola Atrix 2 and the Motorola Bravo. The company has also embedded, but not activated Carrier IQ's software in the HTC Vivid, LG Nitro and Samsung Skyrocket devices.
But McKone insisted that the software has only been used to collect diagnostic information about its network. "We do not use CIQ to obtain the content of customers' communications, to track where our customers go on the Internet, or to track customer location."
All information that is gathered and used by AT&T via Carrier IQ is strictly in line with the company's privacy policies, he said.
McKone said Carrier IQ had recently informed AT&T about a software bug that resulted in the contents of some SMS messages being recorded and sent to AT&T's servers along with other traffic.
AT&T did not know the SMS messages were being captured and the data has not been accessed by anyone at AT&T, McKone said. The inadvertently captured data cannot be read without specific decoding software from Carrier IQ. AT&T has not and does not intend to obtain that software, he added.
Both executives said their companies stored the Carrier IQ data for 45 to 60 days and claimed to have implemented all the necessary precautions to protect the data while in transit and at rest.
Dale Sohn, president and CEO of STA, said his company had pre-installed Carrier IQ's software on 25 million of its devices. But the software was installed at the request of its wireless carrier customers and Samsung itself had nothing to do with any data that might have been collected with the software, Sohn said.
HTC CEO Peter Chou said his company began installing Carrier IQ's software into its handsets in 2009 at Sprint's request. So far, HTC has pre-installed the software in about 6.3 million devices, he said. Chou also said his company has no knowledge and nothing to do with the data collection practices of its customers.
Meanwhile, Carrier IQ which also responded to Franken's letter, reiterated many of the statements and clarifications it made earlier this week in a 19-page document explaining its technology.
Jaikumar Vijayan covers data security and privacy issues, financial services security and e-voting for Computerworld. Follow Jaikumar on Twitter at @jaivijayan or subscribe to Jaikumar's RSS feed. His email address is firstname.lastname@example.org.
Read more about privacy in Computerworld's Privacy Topic Center.
This story, "Sprint says 26 million handsets have Carrier IQ; AT&T claims 900K" was originally published by Computerworld.