Washington, DC— Today Rep. Henry A. Waxman, Ranking Member of the Energy and Commerce Committee, Rep. Diana DeGette, Ranking Member of the Oversight and Investigations Subcommittee, and Rep. G. K. Butterfield Ranking Member of the Commerce, Manufacturing, and Trade Subcommittee called for a Committee hearing on the concerns about consumer privacy raised by the recent Carrier IQ software controversy.  In December 2011, a researcher reported that that Carrier IQ diagnostic cell phone software records all keystrokes entered into a mobile device using Google’s Android operating system, including the content of text messages and other sensitive data. 

 In their letter to Chairman Fred Upton and Subcommittee Chairmen Stearns and Bono Mack, the Democratic members wrote that “[d]ata collection and transmission by Carrier IQ and similar software is widespread, and consumers appear to have little knowledge and even less control over the practice,” and that “there continue to be many unanswered questions about the handling of this data and the extent to which its collection, analysis, and transmission pose legitimate privacy concerns for the American public.”

 The full text of the letter is below and also available online here.

January 12, 2012

The Honorable Fred Upton

Chairman

Committee on Energy and Commerce
U.S. House of Representatives
2125 Rayburn House Office Building
Washington, DC 20515

The Honorable Cliff Stearns

Chairman

Subcommittee on Oversight and Investigations

U.S. House of Representatives
2125 Rayburn House Office Building
Washington, DC 20515

The Honorable Mary Bono Mack

Chairman

Subcommittee on Commerce, Manufacturing, and Trade

Committee on Energy and Commerce

2125 Rayburn House Office Building

Washington, DC 20515

Dear Chairman Upton, Chairman Stearns, and Chairman Bono Mack:

We are writing to request a hearing on concerns about consumer privacy raised by the recent Carrier IQ controversy.  Last month, an analysis of log files on an Android mobile device generated alarm about diagnostic software created by Carrier IQ and the scope of data collected, analyzed, and transmitted by that company and by mobile device manufacturers and wireless carriers.[1]  There continue to be many unanswered questions about the handling of this data and the extent to which its collection, analysis, and transmission pose legitimate privacy concerns for the American public.  The Committee should examine the facts and potential concerns raised by the Carrier IQ controversy.

            Carrier IQ software is designed to help mobile device manufacturers and wireless carriers track the performance of their phones and networks.  It is present on millions of phones on Sprint, T-Mobile, AT&T, and other networks.  Although consumers know little if anything about this software, it could represent a significant threat to privacy.  Last month, a researcher published analysis suggesting that Carrier IQ software records all keystrokes entered into a mobile device using Google’s Android operating system, including the content of text messages and other sensitive data.[2]

Carrier IQ has confirmed some important information about its software:  that it can collect information such as calls made and received, a phone’s physical location, the URLs of websites searched by a device user, and in some cases, internet search queries, and that it can transmit this information back to network providers.  Carrier IQ has also admitted that its software collected and transmitted the content of SMS text messages sent by some mobile device users, though the company states that this collection was unintentional and resulted from a bug that it has corrected.[3]

Carrier IQ has denied the allegations that its software makes logging of keystrokes possible.  Instead, the company argues that the third-party expert analysis revealed a vulnerability in Android devices that resulted in the logging of keystrokes in some phones.[4]  If true, these conclusions are also troubling.  The Android vulnerability could have left this keystroke information available to any third-party whose software had been installed on a user’s phone. 

Data collection and transmission by Carrier IQ and similar software is widespread, and consumers appear to have little knowledge and even less control over the practice.  By one estimate, Carrier IQ software is present in over 30 million mobile phones in the United States.[5]  Wireless carriers and device manufacturers that have not purchased Carrier IQ’s services may be collecting similar data internally, adding to the number of affected consumers.  Before last month, even the most technically savvy customers may not have been aware of the presence of this software and of its capacity for transmitting sensitive information.  And even if consumers know about the threat to their privacy, they have little practical recourse because most device users have no ability to delete the data collection and transmission software from their phones.[6][7]

This controversy raises important questions that the Committee should address:  What are the data collection, analysis, and transmission capabilities of Carrier IQ and similar software, and what privacy protections are built into the software?  Were Android phones sold with security flaws that could have exacerbated privacy concerns related to Carrier IQ and other software and, if so, have these flaws been addressed?  Are carriers and device manufacturers providing sufficient disclosure to consumers about this data collection, analysis, and transmission?  Do these practices create privacy and security risks for consumers and, if so, how are carriers and manufacturers addressing them?  How much control do mobile device users have over this data collection, analysis, and transmission and should that control be expanded?

There is great bipartisan interest in consumer data privacy.  This Committee has held four hearings on the issue in this Congress, members on both sides on the aisle have introduced privacy legislation, and the Subcommittee on Commerce, Manufacturing, and Trade marked up a Republican data privacy proposal, the SAFE Act, last July.[8]  We urge you to hold a hearing as expeditiously as possible to explore the answers to questions raised by recent reports about Carrier IQ and data collection, analysis, and transmission in the mobile device market.

Sincerely,