U.S. Senator Al Franken wants answers from companies who install Carrier IQ software on smartphones

Today, U.S. Sen. Al Franken (D-Minn.) reached out to AT&T, HTC, Samsung, and Sprint Nextel after they acknowledged their use of Carrier IQ’s diagnostic software to request that they explain what they do with the information they receive from the software. Sen. Franken took action after learning from representatives of Carrier IQ—the software company recently accused of secretly logging location and private information from smartphones—that while Carrier IQ develops the software, it is subsequently modified and actually installed by carriers and handset manufacturers.

The letter to the carriers and handset manufacturers comes on the heels of a letter Sen. Franken sent to Carrier IQ earlier in the day requesting that they explain what their software records, where it is transmitted, and who has access to it.

“Consumers need to know that their privacy rights aren’t being violated by the companies they trust with their sensitive information,” said Sen. Franken in the press release. “While I understand and acknowledge the legitimate need for diagnostics software on smartphones, the data that Carrier IQ’s software appears to be logging is alarming. I want to hear from these companies exactly why they feel the need to install this software on their devices and what they’re doing with the information they’re gathering.”

Earlier this year, Sen. Franken introduced the Location Privacy Protection Act, which would require companies to obtain the explicit permission of customers before tracking their location information or sharing that information with third parties. The legislation has already garnered significant support in the Senate and from prominent privacy and consumer protection advocates.

Sen. Franken has been a leader on privacy issues since joining the Senate and earlier this year was named chairman of the Senate Judiciary Subcommittee on Privacy, Technology & the Law. In May, he held the first hearing of that subcommittee, called Protecting Mobile Privacy: Your Smartphones, Tablets, Cell Phones and Your Privacy, during which he heard from representatives from Apple and Google, officials from the Department of Justice and the Federal Trade Commission, and technology experts. In September, Sen. Franken successfully called on OnStar to reverse its decision to track the locations of its customers and potentially sell that information to third parties.

The full text of Sen. Franken’s letter to AT&T, Sprint Nextel, Samsung, and HTC is below. Sen. Franken’s letter to Carrier IQ can be read here.

December 1, 2011

Dear Mr. Stephenson, Mr. Chou, Mr. Choi and Mr. Hesse:

Attached please find my letter to Mr. Larry Lenhart, President and CEO of Carrier IQ, Inc. It describes my concerns regarding that company’s software, pre-installed on countless Americans’ smartphones, that appears to log and potentially transmit highly sensitive information regarding consumers’ use of smartphones, including:

• when they turn their phones on;
• when they turn their phones off;
• the phone numbers they dial;
• the contents of text messages they receive;
• the URLs of the websites they visit;
• the contents of their online search queries—even when those searches are encrypted; and
• the location of the customer using the phone—even when the customer has expressly denied permission for an app that is currently running to access his or her location.

This information appears to be logged in a manner undetectable by the average consumer. It also appears that, when a consumer does become aware of this activity, he or she has no reasonable means to stop it.

Carrier IQ’s representatives have informed my office that while it develops the diagnostics software that has come into question, that software is subsequently modified and actually installed by other companies. Each of your companies has publicly acknowledged integrating Carrier IQ software into the handsets you either manufacture or service through a wireless service contract. See ComputerWorld, “AT&T, Sprint confirm use of Carrier IQ software on handsets,” December 1, 2011. While I understand and acknowledge the legitimate need for diagnostics software, the data that it appears can be logged through this software appears to go beyond technical diagnostic information.

Given this information, I request that you answer the following questions regarding what information your companies receive as a result of the operation of Carrier IQ software on your devices, how you protect and share that information, and what you believe the legal implications of these activities to be:

(1) On what devices does your company use or install Carrier IQ software?

(2) As of what date has your company used or installed this software on these devices?

(3) To the best of your knowledge, how many American consumers use these devices?

(4) Does your company receive customer location data collected by Carrier IQ software or by Carrier IQ?

(5) What other data does your company receive that has been collected by Carrier IQ software or by Carrier IQ?

a. The telephone numbers users dial?
b. The telephone numbers of individuals calling a user?
c. The contents of the text messages users receive?
d. The contents of the text messages users send?
e. The contents of the emails they receive?
f. The contents of the emails users send?
g. The URLs of the websites that users visit?
h. The contents of users’ online search queries?
i. The names or contact information from users’ address books?
j. Any other keystroke data?

(6) If your company receives this data, does it subsequently share it with third parties? With whom does it share this data? What data is shared?

(7) Has your company disclosed this data to federal or state law enforcement?

(8) How long does your company store this data?

(9) How does your company protect this data against hackers and other security threats?

(10) Does your company believe that its actions comply with the Electronic Communications Privacy Act, including the pen register statute (18 U.S.C. § 3121 et seq.), the federal wiretap statute (18 U.S.C. § 2511 et seq.), and the Stored Communications Act (18 U.S.C. § 2701 et seq.)?

(11) Does your company believe that its actions comply with the Computer Fraud and Abuse Act (18 U.S.C. § 1030)?

(12) Does your company believe that its actions comply with your privacy policy?

(13) Does it believe that consumers are aware that this activity is actually occurring on their devices?

I believe that if these reports are verified—and if these activities do not meet specific statutory safe harbors—it is possible that some of these activities may violate federal privacy laws. I am eager to obtain a complete factual record from each of your companies to better evaluate this situation.

I appreciate your prompt attention to this matter, and would appreciate a response by December 14, 2011.

Sincerely,
Al Franken
Chairman, Subcommittee on Privacy

Source: Official Web Site of Sen. Al Franken

MacDailyNews Take: At 12:20 PM EST today, an hour and one minute after we posted an article headlined, “Senator Al Franken! Paging Senator Al Franken!”, with excerpts from an article by “Apple Fanboy,” we noticed that @FrankenCommTeam (“Press releases, news, and advisories from Senator Franken’s press office”) began following @MacDailyNews on Twitter. And, then… see above. Okay, now we’re starting to scare ourselves.

Related articles:
Senator Al Franken! Paging Senator Al Franken! – December 1, 2011

AT&T, Sprint, T-Mobile, HTC, Samsung confirm use of Carrier IQ tracking software on mobile phones – December 1, 2011
Apple: We stopped supporting Carrier IQ with iOS 5; never recorded keystrokes, messages or any other info – December 1, 2011
Video shows secret software on millions of Android, BlackBerry, and Nokia phones logging everything you do – November 30, 2011

55 Comments

          1. I hate it when they keep recounting the votes with liberal judges involved until they get the result they want. Throwing out Military votes and whatever else they can get away with. It seems to always be liberals making recalls and filing lawsuits when they lose. They are the scum of the earth!

            1. … “Liberal Judges” who awarded W the election (though I believe the “voting machine” folk stole it first) then gave companies the right to buy votes? THOSE “Liberal Judges”? Yeah … I hate them, too.

            2. Michael – It’s morons like you that are destroying freedom and the US. Go crawl back under your rock you pathetic excuse for whatever you are.

      1. … his attention. He (his people?) is listening to you. When you have a valid point, you can expect a response. When you are full of it … well, we know where THAT leads. Use your limited influence well, OK?
        😉

    1. The answer to your question is no. Carrier IQ does not run on iOS 5. AT&T or any other carrier has no way of installing it either since Apple controls the software.

    1. MacSteve – the steps you call out are accurate only for the iPhone. Android has no such procedure for the user to opt out. In fact, the CarrierIQ software is part of the Android pre-compiled source code.

      One question Senator Franken should have Carrier IQ is “Who owns your company, and is that company’s motto, “Do no evil”?

      1. The Carrier IQ software is an installed APK on Android, just like any other app you’d download or install.

        The issue (at least on the 2 Sprint phones I rooted to remove it) is that Sprint has set the permissions on the ‘factory apps’ directory so that you cannot remove it. You can see the app, you can stop it (for a moment) but you can’t remove it.

        After rooting you can mount any directory in Android as Read/Write and blow it away, but not all phones are easy to root and I do not consider that to be a procedure a customer should be expected to deal with.

        While technically the software is an installed app, if you can’t root the phone and remove Carrier IQ then it might as well be a compiled piece of the Android kernel because you are screwed short of Sprint doing an OTA update and removing it. I agree with you in part, as far as some people being totally hosed.

      2. Since you’ve asked:

        “We do not have an affiliation with CarrierIQ. Android is an open source effort and we do not control how carriers or OEMs customize their devices.” ~ Google’s official response.

        1. And we believe that don’t we… because Google has proven themselves to be so forthright and trustworthy data-logging from the camera trucks and then lying about what they collected and stored

          1. We don’t have to believe it. That’s their official response, and now we can either take it at face value or find out if they have been lying. Some, I’m sure, will actually try to verify it. If Google gets caught lying, they would be in more trouble or liable now than they would have been for keeping mum.

    2. There is no point to diagnostics off on iPhone since even when versions of this Carrier IQ service works, it does not collect privacy-related data — comparing to blatantly criminal versions for HTC, Samsung, LG, et cetera

      1. That’s what people don’t understand. This software in the iPhone never collected the same info as on Android, the information Apple collected didn’t go through CarrierIQ, and it was opt in even on pre-iOS 5 devices. Ever plug your pre-iOS 5 device into iTunes to sync and have iTunes ask if you would like to send diagnostic and usage data to Apple? I have.

  1. I wouldn’t mind one bit if senator Franken includes Apple into the chastisement and fines the industry as a whole heavily. This was a reckless failure of privacy, and Apple doesn’t have the face to stand out feeling pretty like MS on this. Sadly.

    1. @ krquet

      My gawd man, you don’t know what you’re babbling about! The main difference between Apple and Android is that Apple won’t allow the carriers to insert crap into the iOS that does things Apple doesn’t know about and approve.
      Apple isn’t doing anything the user doesn’t know about and even allows the user to opt out of sending diagnostic data.

      1. My concern is not the “main difference” between Apple’s and Google’s w.r.t. CIQ implementation and usage. Matter of fact, as I now just responded to your earlier comment, Google doesn’t have any direct affiliation with CIQ unlike Apple. According to them, it’s the OEMs and Carriers that have added CIQ, not Google.

        I remain outraged that Apple even considered it, let alone shipped it with previous and current versions. You seem to be frustrated with anyone not “getting it” what is apparent to you that CIQ is an opt-in by default; it seems you’re under the impression that I can’t read or haven’t already read dozens of commentaries on this from both sides. I care strongly about personal privacy and I expect more, a lot more than average, from Apple. Currently, the implementation of CIQ is disabled (with some exception) on the iOS devices, but there’s no guarantee it was disabled by default at all times in the past, or how good was their encryption then, and have they changed the type of data they wanted to collect over time. Like I said, Apple is tiptoeing around this with lots of qualified statements “most of the devices”, “in the future” etc. already. So far, I’m not impressed.

        Shameful.

        1. @krquet, Let me guess, you are an android user? Pleeeeez!!! Stop dragging Apple as the bad guy because Carrier IQ on the iPhone doesn’t log as much private data as an Android phone does. It only logs diagnostic data. That’s it!!!! Android phones log every single thing you do on the phone. So pleeeeez stop trying to be an a$$ and stop trying to make Apple out as the bad guy here which is what you are really trying to do because you don’t even mention “Google” or “Android” in your comment at all.

          1. First off, krquet does mention Google:

            “According to them [Google], it’s the OEMs and Carriers that have added CIQ, not Google.”

            Second, krquet’s comment is not Apple bashing. His point is that Apple had no business “even considering” allowing the CIQ app onto their devices. Why put a hand grenade in their devices and then claim it’s OK because the consumer has to pull the pin in order for it to be harmful?

            Third, your own reply states:

            “Carrier IQ on the iPhone doesn’t log as much private data as an Android phone does. It only logs diagnostic data.”

            You seem to be ignoring a central point that krquet made, which is that there is no way to know if the “state” of the CIQ app on Apple’s devices has changed over time or not.

            I believe that the people running Apple are far more ethical than the people running Google, ATT, Samsung, etc. But I have to admit that Apple’s language in their statement–“most devices”–smells like a rat.

            1. Apple has always been very clear about what user/device data they collect. Apple has always been very pro-consumer when it comes to privacy issues. It’s usually ignorant people that DON’T READ that find themselves stuck in situations they never saw coming.

              The CarrierIQ app is nothing more than an application that collects data. It is not evil in and of itself. It’s the actions taken by the companies that use the software in nefarious ways that are evil. There are legitimate uses for the software, Apple uses it in this regard; to collect diagnostic information to better support their users when they have problems with their devices. All versions of the iPhone have had a way to turn this off and on. Even Mac OS X has always had a similar feature. This is nothing new.

              What is new, is that some hacker found that the CARRIERS are collecting more data than they probably really need. The carriers do not have access to Apple’s iOS. You download software directly from Apple, unlike all other mobile operating systems which come through the carriers.

            2. @pdr400: you wrote, “…krquet’s comment is not Apple bashing. His point is that Apple had no business “even considering” allowing the CIQ app onto their devices. Why put a hand grenade in their devices and then claim it’s OK because the consumer has to pull the pin in order for it to be harmful?”

              Apple needs to collect diagnostic information, the CIQ program is not a hand grenade, it’s an industry-wide tool that Apple has control of, not the iPhone carriers. It seems the program has the ability to collect far more information than is legal or necessary, and Apple is wisely using it correctly and Sprint is not.

              pdr400 continued, “You seem to be ignoring a central point that krquet made, which is that there is no way to know if the “state” of the CIQ app on Apple’s devices has changed over time or not.”

              I don’t see that as krquet’s point at all. He was making a knee-jerk reaction to the CIQ software. Just because it could be set up to do unnecessary reporting doesn’t mean it did in most cases. So far, it seems isolated within the industry. That doesn’t excuse any misuse, nor does it damn any proper use.

        2. Your outrage is disingenuous. Based on nothing more than your hate for Apple. You can EASILY turn it off and initially you were given the choice not to turn it on in the first place!

        3. The software itself is not evil. It’s what some carriers decided to do with the software that’s evil. They used a simple diagnostic tool to collect way more data than they should. Apple’s response was very clear on how much data they have in the past collected. They said they have NEVER collected private data. That data goes to them, not a third party and it is anonymous and encrypted. Don’t read selectively. Apple’s statement doesn’t give any room for this mythical past you dreamed up where Apple collected more data at one time.

    1. This is the tip of the iceberg. Constitutional rights are being eroded on so many levels by Corporations and Government. Beyond “predictable”, there ought to be a Full Hearing on the issue of Privacy, including what is legal, according to current law, and what is blatantly illegal but tacitly allowed. Better this discussion is out in the open rather than hidden in some arcane committee.

      The recent defeat by the US Senate of the Udall amendment (without a public airing) banning the arrest of US citizens on the mere suspicion of “terrorism” ought to send chills throughout American society.
      http://thatsmycongress.com/index.php/2011/11/29/attack-on-american-liberty-remains-us-senate-rejects-udall-amendment/

    2. I don’t usually agree with Al’s politics but at least he’s consistent. If he ignored this solely because Apple was not at fault, then I’d know he was totally without scruples.

  2. You inadvertently did them a favor and boosted people’s opinion of him. It makes sense that following that, his office would be concerned with what you said as your site, and the views expressed on it, probably have a major impact relative to the size of your organization and website traffic. Have you ever checked your http://www.klout.com score? It’s very cool and free as well. I get no compensation for promoting it, it’s just very cool and useful.

  3. Does anyone here see the bigger picture? This has nothing to do with phone spying and everything to do with the power that each branch of the legislature believes it has. Has anyone besides me seen Senator Al’s letter as a “Judicial Inquiry”? These are the types of questions that the legal branch might be asking in a court of law when a legal claim has been made. Last time I checked, the Legislative Branch of our government was intended to MAKE the laws and not ENFORCE the laws or EVALUATE the laws. Enforcement comes from the Executive Branch and Evaluation comes from the Judicial Branch.

    Geesh… next thing you know, Senators and Congressmen will have their staffers knocking on our doors with handcuffs and taking us off to jail… then they will take us through a trial in their office and find us guilty. WAKE UP PEOPLE!!!

    1. This is an investigation, not a legal trial. It is not uncommon for a senate subcommittee to do investigations of this nature. No one is going to be sentenced or punished during this investigation.

      You typically can’t have a legal trial without evidence. That’s what an investigation is for, to find evidence. It is possible there will be a legal trial following this investigation if enough evidence is found. That legal trial would be held by a judge.

  4. Why all the raised eyebrows? It’s almost impossible for tyrants and despots to have their police state without collecting personal data. Geez. I thought everyone knew that.
