The fallout from the controversy surrounding the presence of Carrier IQ’s software on millions of mobile devices on several different platforms has now reached Washington. Sen. Al Franken on Thursday sent a letter to the company, demanding answers to a series of questions about the software and its capabilities, and saying that the data that Carrier IQ collects “may violate federal privacy laws”.

Franken (D-Minn.) has been a vocal presence in the Senate on technology and privacy issues, and in his letter to Carrier IQ he says that while he understands that carriers are interested in getting usage and diagnostic information on their subscribers, that doesn’t mean that they or software makers have carte blanche to do whatever they want on users’ devices.

“I understand the need to provide usage and diagnostic information to carriers. I also understand that carriers can modify Carrier IQ’s software. But it appears that Carrier IQ’s software captures a broad swath of extremely sensitive information from users that would appear to have nothing to do with diagnostics—including who they are calling, the contents of the texts they are receiving, the contents of their searches, and the websites they visit,” Franken says in his letter.

“These actions may violate federal privacy laws, including the Electronic Communications Privacy Act and the Computer Fraud and Abuse Act. This is potentially a very serious matter.”

The controversy over carriers’ usage of Carrier IQ’s software on mobile devices has grown in the last couple of weeks after demonstrations by Trevor Eckhart that showed the software on Android devices seemingly recording each keystroke he made and logging SMS messages. In the demo, Eckhart shows that it is difficult, if not impossible, to disable the Carrier IQ agent on the device. Others have since asserted that the Carrier IQ software is also on other devices and that the software itself doesn’t log any keystrokes or messages and just provides analytical information for the carriers.

In his letter, Franken asks for answers to a long list of questions, especially around exactly what data Carrier IQ software is capable of collecting, logging and sending to carriers. Here are some of the questions he asked:

(1) Does Carrier IQ software log users’ location?

(2) What other data does Carrier IQ software log? Does it log:

a. The telephone numbers users dial?
b. The telephone numbers of individuals calling a user?
c. The contents of the text messages users receive?
d. The contents of the text messages users send?
e. The contents of the emails they receive?
f. The contents of the emails users send?
g. The URLs of the websites that users visit?
h. The contents of users’ online search queries?
i. The names or contact information from users’ address books?
j. Any other keystroke data?

Carrier IQ has said in public statements that its software doesn’t track users or log their actions on their devices or report on those actions to carriers. It also sent a cease and desist letter to Eckhart last week in response to his revelations, before retracting the letter a day later after communication from the EFF.

“Our action was misguided and we are deeply sorry for any concern or trouble that our letter may have caused Mr. Eckhart. We sincerely appreciate and respect EFF’s work on his behalf, and share their commitment to protecting free speech in a rapidly changing technological world,” the Carrier IQ statement says.

This article was updated on Dec. 2 to provide more information about the software.


Comments (2)

  1. Anonymous

    Once they say yes to the above

    Make them answer:

    Who does Carrier IQ share this information with and are they paying customers of Carrier IQ in some way?
