- when they turn their phones on;
- when they turn their phones off;
- the phone numbers they dial;
- the contents of text messages they receive;
- the URLs of the websites they visit;
- the contents of their online search queries—even when those searches are encrypted; and
- the location of the customer using the smartphone—even when the customer has expressly denied permission for an app that is currently running to access his or her location.
In November, Carrier IQ acknowledged tracking user data and sending it to phone manufacturers, which use the software as “a mission critical tool to improve the quality of the network, understand device issues and ultimately improve the user experience.” The company denied using the data for any nefarious purpose.
“While we look at many aspects of a device’s performance, we are counting and summarizing performance, not recording keystrokes or providing tracking tools,” the company said in a press release. “The metrics and tools we derive are not designed to deliver such information, nor do we have any intention of developing such tools.
“The information gathered by Carrier IQ is done so for the exclusive use of that customer [the cell phone manufactures and service providers], and Carrier IQ does not sell personal subscriber information to third parties. The information derived from devices is encrypted and secured within our customer’s network or in our audited and customer-approved facilities.”
Franken, the chairman of the Senate Subcommittee on Privacy, Technology and Law, wrote a letter to Carrier IQ president and CEO Larry Lenhart on Thursday demanding further answers, specifically details on what exactly the software tracks and where that information goes.
“I understand the need to provide usage and diagnostic information to carriers. I also understand that carriers can modify Carrier IQ’s software. But it appears that Carrier IQ’s software captures a broad swath of extremely sensitive information from users that would appear to have nothing to do with diagnostics — including who they are calling, the contents of the texts they are receiving, the contents of their searches, and the websites they visit,” Franken wrote.
“These actions may violate federal privacy laws, including the Electronic Communications Privacy Act and the Computer Fraud and Abuse Act. This is potentially a very serious matter.”
Franken asked the company to respond by Dec. 14.