U.S. Senator Chris Coons (D-Del.), a member of the Senate Judiciary Committee, wrote to the president of Carrier IQ on Monday seeking answers about software found embedded on a variety of smartphone devices that appears capable of recording users' keystroke and location information and transmitting it back to the California-based company.
In his letter, Senator Coons supplemented questions posed earlier by Senators Al Franken (D-Minn.) and Richard Blumenthal (D-Conn.) with additional questions aimed at determining why Carrier IQ's software was capable of collecting personal and usage information that was not being transmitted.
"A latent capacity to log keystrokes or track location may provide a backdoor that an individual or organization could exploit. If your company never intended to collect or make use of this information, I wonder why your company would have included the capacity to log it."
Earlier this year, Senator Coons and Senator Franken teamed up to convince OnStar to reverse its decision to track the locations of its customers and potentially sell that information to third parties even after those customers have terminated their service plans with the company. Senator Coons also cosponsored the Location Privacy Protection Act -- introduced by Senator Franken -- which would require companies like OnStar to obtain their customers' explicit permission before tracking their location information or sharing that information with third parties.
Senator Coons is a member of the Senate Judiciary Committee, which has jurisdiction over laws relating to the use and distribution of consumer information by businesses. He firmly believes that strong consumer data privacy is not only an issue of civil liberty, but also commercial necessity. American companies must be able to earn the trust of the consumers whose information they collect and store or risk consumer revolt and, ultimately, non-competitiveness in the market.
The text of the letter to Carrier IQ follows:
December 5, 2011
Mr. Larry Lenhart
President and CEO
1200 Villa Street, Suite 200
Mountain View, CA 94041
Dear Mr. Lenhart,
As a member of the Senate Judiciary Committee, part of my job as a Senator is to be mindful of how increasingly powerful and integral technology affects our commonly held notions of privacy and susceptibility to risks posed by others.
I was, therefore, deeply concerned to read recent reports surrounding your company's IRQD software, which apparently has the capability to log keystroke and location information from users' smartphones. You have already received letters from at least two of my Judiciary Committee colleagues, Privacy Subcommittee Chairman Al Franken and Subcommittee member Richard Blumenthal. I would like to effectively cosign these letters, which constitute part of our Committee's continuing oversight work into the effects of technological innovations on the privacy rights of our citizens, and add several of my own questions.
I am aware of your company's public statements, which seem to indicate that the keystroke logging and location tracking capabilities of your IRQD software have not been used to transmit data to your company. I sincerely hope that these assertions prove to be accurate, as collection of this data without consent would most likely constitute a violation of the Electronic Communications Privacy Act and/or the Computer Fraud and Abuse Act.
Even if accurate, however, I remain concerned about the potential for abuse of the capabilities of your company's software. A latent capacity to log keystrokes or track location may provide a backdoor that an individual or organization could exploit. As users are beginning to become more aware of the ability of carriers to track the location of handsets and non-content information regarding usage, the ability of a third party to log keystroke activity would represent a novel threat to privacy. If your company never intended to collect or make use of this information, I wonder why your company would have included the capacity to log it.
I want to better understand this situation and, in the interest of offering your company an opportunity to better inform the public debate of this technology, I request that you respond to the following additional questions:
Is Carrier IQ capable of obtaining, either through existing software or through software your engineers are reasonably capable of developing:
The content of emails sent or received?
The content of SMS texts sent or received?
Information entered into online forms?
Does your answer to any of the above questions depend on:
Whether the user is operating through a secure server or application?
The platform (Android, Palm, BlackBerry, iOS, etc.) of the end user's device? If so, why do the capabilities of the software vary by platform?
What steps has your company taken to assure that third parties cannot access the information that your software is capable of logging? Can you provide assurances that these steps have been completely successful?
I appreciate your prompt attention to these questions.
Christopher A. Coons
United States Senate