Sen Al Franken (D-MN) on Thursday demanded the developer of hidden software included on virtually all new Android smartphones explain why the application logs and may transmit personal information.
Called “Carrier IQ,” the software is supposedly meant to help mobile carriers monitor and diagnose problems with their devices. The company that makes the software insists it does not log keystrokes, but 25-year-old Trevor Eckhart seems to have proved that claim quite wrong.
Not only did he demonstrate the software capturing his keystrokes from a text message, it was being recorded even before the message he typed was displayed. Eckhart also demonstrated how the software can read Internet searches over secure connections, meaning that not even encrypted communications are completely private on Android phones. The software also tracks the location of the customer using the smartphone.
“I am very concerned by recent reports that your company’s software—pre-installed on smartphones used by millions of Americans—is logging and may be transmitting extraordinarily sensitive information from consumers’ phones,” Franken said in a letter to Carrier IQ President and CEO Larry Lenhart.
“I understand the need to provide usage and diagnostic information to carriers,” he continued. “I also understand that carriers can modify Carrier IQ’s software. But it appears that Carrier IQ’s software captures a broad swath of extremely sensitive information from users that would appear to have nothing to do with diagnostics—including who they are calling, the contents of the texts they are receiving, the contents of their searches, and the websites they visit.”
“These actions may violate federal privacy laws, including the Electronic Communications Privacy Act and the Computer Fraud and Abuse Act,” Franken warned. “This is potentially a very serious matter.”
He asked Lenhart to explain what data the Carrier IQ software logs, whether the data is transmitted to any other third parties, whether the data is subsequently shared with other third parties, and if the data is disclosed to law enforcement agencies, among other things.
Photo credit: Joe Kekeris