Blumenthal Questions Carrier IQ Over Mobile Tracking Software Practices Discovered by CT Resident

(Hartford, CT) – Senator Richard Blumenthal (D-CT) today wrote to Larry Lenhart, President and CEO of Carrier IQ, Inc., to express serious concern over research by a Connecticut resident and multiple news reports that the company’s software – installed on many mobile devices without knowledge or consent – is tracking and storing data on users’ whereabouts and mobile phone activity.

Blumenthal wrote, “These practices are troubling enough, but they are compounded by what the software actually does. Research posted online by a Connecticut resident indicates that the Carrier IQ software is able to monitor and log a user’s keystrokes, text messages, web history, and location without the user’s consent or knowledge. This practice is an enormous invasion of consumers’ privacy.”

The Connecticut resident who originally posted the research was threatened by Carrier IQ, Inc. with lawsuits and other methods to censor or remove the research from the internet. In his letter, Blumenthal stated he was “strongly concerned” by this reaction.

“Threatening an individual with a frivolous lawsuit unless he removes his valid criticisms of your company is an appalling abuse of your corporate power and the legal system… In the future, I sincerely hope that your response to criticisms of your business practices is to address the problems raised, rather than to suppress or stifle the critic,” Blumenthal wrote.

The full text of the letter is below.

December 2, 2011

Larry Lenhart
President and CEO
Carrier IQ, Inc.
1200 Villa Street
Suite 200
Mountain View, CA 94041

Dear Mr. Lenhart:

I am writing to express my serious concerns about Carrier IQ’s privacy practices as they pertain to the collection of data from smartphones. I am equally and deeply troubled by your company’s response to the Connecticut resident who discovered and questioned these practices.

Reports indicate that your company’s software has been installed on numerous mobile devices, without the knowledge or consent of the devices’ owners. Further, it appears that there is no way for the device owner to disable or uninstall the software. Indeed, many users likely do not even know that this software exists on their mobile devices, because it does not appear on the application menus of the devices.

These practices are troubling enough, but they are compounded by what the software actually does. Research posted online by a Connecticut resident indicates that the Carrier IQ software is able to monitor and log a user’s keystrokes, text messages, web history, and location without the user’s consent or knowledge. This practice is an enormous invasion of consumers’ privacy. It may also violate several laws, including the Electronic Communications Privacy Act and the Computer Fraud and Abuse Act.

I ask that you immediately cease the collection of users’ information without their affirmative consent. I also ask that you provide me with the following information:

1. A complete list of the devices and operating systems on which Carrier IQ is installed.

2. What types of information the Carrier IQ software is able to collect.

3. What types of information the Carrier IQ software has collected.

4. Whether your company has shared any information it has collected with mobile device manufacturers, wireless service providers, law enforcement, or any other entity.

5. If your company has shared such information, what information and with whom?

6. What safeguards your company has implemented to prevent interception or breach of the data being collected.

7. Whether any security breaches have occurred involving information collected by Carrier IQ software.

8. If any such breaches have occurred, what information was breached, how many users’ information was breached, and whether your company  users that their information was breached.

I am strongly concerned about your company’s response to complaints of these potential serious security and privacy violations. It was not to investigate and address the allegations but instead to seek to silence the systems administrator who discovered these issues. Threatening an individual with a frivolous lawsuit unless he removes his valid criticisms of your company is an appalling abuse of your corporate power and the legal system. I am pleased that your company appears to have recognized this egregious error and has publicly apologized to the person who discovered these problems, albeit only after he retained representation by the Electronic Frontier Foundation. In the future, I sincerely hope that your response to criticisms of your business practices is to address the problems raised, rather than to suppress or stifle the critic.

Sincerely,

Richard Blumenthal
United States Senate

###