Sen. Franken Wants Answers from Companies Who Install Carrier IQ Software on Smartphones
Software Company Accused of Secretly Logging Location and Private Information of Millions of Smartphone Users
Today, U.S. Sen. Al Franken (D-Minn.) reached out to AT&T, HTC, Samsung, and Sprint Nextel, after they acknowledged their use of Carrier IQ’s diagnostic software, to request that they explain what they do with the information they receive from the software. Sen. Franken took action after learning from representatives of Carrier IQ, the software company recently accused of secretly logging location and private information from smartphones, that while Carrier IQ develops the software, it is subsequently modified and actually installed by carriers and handset manufacturers.
The letter to the carriers and handset manufacturers comes on the heels of a letter Sen. Franken sent to Carrier IQ earlier in the day requesting that they explain what their software records, where it is transmitted, and who has access to it.
“Consumers need to know that their privacy rights aren’t being violated by the companies they trust with their sensitive information,” said Sen. Franken. “While I understand and acknowledge the legitimate need for diagnostics software on smartphones, the data that Carrier IQ’s software appears to be logging is alarming. I want to hear from these companies exactly why they feel the need to install this software on their devices and what they’re doing with the information they’re gathering.”
Earlier this year, Sen. Franken introduced the Location Privacy Protection Act, which would require companies to obtain the explicit permission of customers before tracking their location information or sharing that information with third parties. The legislation has already garnered significant support in the Senate and from prominent privacy and consumer protection advocates.
Sen. Franken has been a leader on privacy issues since joining the Senate and earlier this year was named chairman of the Senate Judiciary Subcommittee on Privacy, Technology & the Law. In May, he held the first hearing of that subcommittee, called Protecting Mobile Privacy: Your Smartphones, Tablets, Cell Phones and Your Privacy, during which he heard from representatives from Apple and Google, officials from the Department of Justice and the Federal Trade Commission, and technology experts. In September, Sen. Franken successfully called on OnStar to reverse its decision to track the locations of its customers and potentially sell that information to third parties.
The full text of Sen. Franken’s letter to AT&T, Sprint Nextel, Samsung, and HTC can be read below.
Sen. Franken’s letter to Carrier IQ can be read here.
December 1, 2011
Dear Mr. Stephenson, Mr. Chou, Mr. Choi and Mr. Hesse:
Attached please find my letter to Mr. Larry Lenhart, President and CEO of Carrier IQ, Inc. It describes my concerns regarding that company’s software, pre-installed on countless Americans’ smartphones, that appears to log and potentially transmit highly sensitive information regarding consumers’ use of smartphones, including:
• when they turn their phones on;
• when they turn their phones off;
• the phone numbers they dial;
• the contents of text messages they receive;
• the URLs of the websites they visit;
• the contents of their online search queries—even when those searches are encrypted; and
• the location of the customer using the phone—even when the customer has expressly denied permission for an app that is currently running to access his or her location.
This information appears to be logged in a manner undetectable by the average consumer. It also appears that, when a consumer does become aware of this activity, he or she has no reasonable means to stop it.
Carrier IQ’s representatives have informed my office that while it develops the diagnostics software that has come into question, that software is subsequently modified and actually installed by other companies. Each of your companies has publicly acknowledged integrating Carrier IQ software into the handsets you either manufacture or service through a wireless service contract. See ComputerWorld, “AT&T, Sprint confirm use of Carrier IQ software on handsets,” December 1, 2011. While I understand and acknowledge the legitimate need for diagnostics software, the data that it appears can be logged through this software appears to go beyond technical diagnostic information.
Given this information, I request that you answer the following questions regarding what information your companies receive as a result of the operation of Carrier IQ software on your devices, how you protect and share that information, and what you believe the legal implications of these activities to be:
(1) On what devices does your company use or install Carrier IQ software?
(2) As of what date has your company used or installed this software on these devices?
(3) To the best of your knowledge, how many American consumers use these devices?
(4) Does your company receive customer location data collected by Carrier IQ software or by Carrier IQ?
(5) What other data does your company receive that has been collected by Carrier IQ software or by Carrier IQ?
a. The telephone numbers users dial?
b. The telephone numbers of individuals calling a user?
c. The contents of the text messages users receive?
d. The contents of the text messages users send?
e. The contents of the emails they receive?
f. The contents of the emails users send?
g. The URLs of the websites that users visit?
h. The contents of users’ online search queries?
i. The names or contact information from users’ address books?
j. Any other keystroke data?
(6) If your company receives this data, does it subsequently share it with third parties? With whom does it share this data? What data is shared?
(7) Has your company disclosed this data to federal or state law enforcement?
(8) How long does your company store this data?
(9) How does your company protect this data against hackers and other security threats?
(10) Does your company believe that its actions comply with the Electronic Communications Privacy Act, including the pen register statute (18 U.S.C. § 3121 et seq.), the federal wiretap statute (18 U.S.C. § 2511 et seq.), and the Stored Communications Act (18 U.S.C. § 2701 et seq.)?
(11) Does your company believe that its actions comply with the Computer Fraud and Abuse Act (18 U.S.C. § 1030)?
(13) Does it believe that consumers are aware that this activity is actually occurring on their devices?
I believe that if these reports are verified—and if these activities do not meet specific statutory safe harbors—it is possible that some of these activities may violate federal privacy laws. I am eager to obtain a complete factual record from each of your companies to better evaluate this situation.
I appreciate your prompt attention to this matter, and would appreciate a response by December 14, 2011.
Chairman, Subcommittee on Privacy