Congress Joins Carrier IQ Privacy Uproar

Sen. Al Franken, D-Minn. and chairman of the Subcommittee on Privacy Technology and the Law, listed nearly two dozen questions related to Carrier IQ's data-collection practices in a letter sent to Larry Lenhart, president and chief executive of the Mountain View, Calif.-based company. Franken has given the company until Dec. 14 to respond.

Carrier IQ's software is used in helping wireless carriers monitor quality of service to the user through information gathered from the mobile phone. The application is often hidden from the user and is nearly impossible to remove.

"I understand the need to provide usage and diagnostic information to carriers. I also understand that carriers can modify Carrier IQ's software," Franken said in the letter made public Thursday. "But it appears that Carrier IQ's software captures a broad swath of extremely sensitive information from users that would appear to have nothing to do with diagnostics -- including who they are calling, the contents of the texts they are receiving, the contents of their searches and the websites they visit."

Serious privacy questions related to Carrier IQ entered the spotlight last month when Trevor Eckhart, a Connecticut systems administrator, posted a YouTube video showing data he claimed was gathered by the company's application on his HTC EVO handset. The information included location, keystrokes and text from received messages.

Eckhart also posted a report of his findings on the web, which prompted Carrier IQ to send him a cease-and-desist letter that claimed unauthorized use of the company's training materials. Eckhart had used the public documents in his report. Carrier IQ later withdrew the letter and apologized to Eckhart and the San Francisco-based Electronic Frontier Foundation, a consumer advocacy group representing Eckhart.

Carrier IQ has denied its software records keystrokes, tracks users or reports on the content of messages. The company also said it does not provide immediate data reporting to customers. "Our software is designed to help mobile network providers diagnose critical issues that lead to problems such as dropped calls and battery drain," the company's statement said.

Eckhart claimed to have found the application in devices from Samsung, HTC, Nokia and Research In Motion. Carrier IQ says on its web site that its software is in more than 141 million mobile phones.

AT&T and Sprint Nextel acknowledged using Carrier IQ to monitor service quality. Both companies said the data gathered is in line with their privacy policies and is not shared with other companies.

"We collect enough information to understand the customer experience with devices on our network and how to address any connection problems, but we do not and cannot look at the contents of messages, photos, videos, etc., using this tool," Sprint spokeswoman Stephanie Vinge-Walsh said in an e-mail.

Verizon Wireless said it was not a Carrier IQ customer. "We do not use Carrier IQ and have no access to any Carrier IQ data," Verizon spokesman Jeffrey Nelson said in an interview. Nelson did not know whether the carrier had ever been a customer of Carrier IQ.

Whether Carrier IQ's data-gathering practices are in line with federal law remains to be seen. Franken has asked the company to explain why it believes it is in compliance with the federal wiretap statue in the Electronic Communications Privacy Act. Paul Ohm, a former Justice Department prosecutor and a law professor at the University of Colorado Law School, said in a post on Twitter that if Eckhart's allegations are true, than "this is a clear, massive, felony wiretap. Not a close case."

Ohm told Forbes magazine that a class-action lawsuit is also possible, if it is shown that the software is hidden from the mobile phone user and records keystrokes meant for messaging and Internet communications. Such actions would be considered wiretapping without court approval. "That gives the people wire-tapped the right to sue and provides for significant monetary damages," he said.