Franken to cellphone companies: Explain data

Franken to cellphone companies: Explain data

WASHINGTON - Worried that smartphone software could transmit a phone user's whereabouts and personal data to manufacturers or wireless providers without the person's knowledge, Minnesota Sen. Al Franken has peppered four big players in the mobile communications industry with a long list of questions.

Franken wants AT&T, HTC, Samsung and Sprint Nextel to tell him what information software on their smartphones gathers and if they retrieve and share the data.

The information gathered by the software is believed to include the location of persons using the phone, even if they have not granted permission for that to be tracked; the time owners turn their phones on and off; the numbers dialed; the contents of text and e-mail messages; website visits and online search queries, even if encrypted.

"This information appears to be logged in a manner undetectable by the average consumer," Franken wrote to the four companies. "It also appears that when a consumer does become aware of this activity, he or she has no reasonable means to stop it."

A company called Carrier IQ developed the software in question. Franken said Carrier IQ told him the software was modified and installed by phone manufacturers and mobile phone service providers.

Chris Soghoian, a computer expert and a graduate fellow at Indiana University's Center for Applied Cybersecurity, said consumers need to understand that their privacy could be at stake. The Carrier IQ software "is recording everything you're doing," Soghoian said. "It's one application that sees everything. It would be a gold mine for hackers."

Still, Soghoian noted, "There is nothing to suggest that this data being captured is being transmitted back to the wireless companies." But such transmissions are technically possible, he added.

Two lawsuits were filed this week against Carrier IQ in the wake of revelations of the secret installation of its technology. HTC was named as a defendant in both suits, and Samsung was named as a defendant in one. HTC issued a statement encouraging customers to check with their mobile phone service providers to find out what information was being gathered.

"HTC is not a customer or partner of Carrier IQ and does not receive data from the application, the company, or carriers that partner with Carrier IQ," the company said. "HTC is investigating the option to allow consumers to opt-out of data collection by the Carrier IQ application."

Sprint, AT&T and T-Mobile acknowledged using Carrier IQ's "key-logging" software that measures key strokes on smartphones, according to media reports. But the three companies said they do not use the information to monitor customers' activities.

In a statement, Franken acknowledged "the legitimate need for diagnosis software on smartphones." But the scope of what is being captured -- every keystroke, e-mail, or text message -- is "alarming," the senator added.

Some companies already bundle information gathered from cellphones and sell it to marketing companies, said Adam Levin, a former director of consumer affairs for the state of New Jersey. Levin now runs a company that helps businesses protect customers from identity theft.

"Informed consent is paramount in protecting privacy," Levin said. A smartphone stores data like a laptop computer. Levin compared the gathering of smartphone data to "someone was crawling around inside your laptop looking at everything."

"Would you want them to do that?" Levin asked. "I think the main concern Sen. Franken has is how much access someone should have to our personal information without notice."

Franken, who chairs the Senate Judiciary Subcommittee on Privacy, Technology & the Law, has introduced a Senate bill that requires mobile communications companies to get customers' permission before they track customer locations and share or sell information to third parties.

The Minnesota Democrat posed 13 questions to AT&T, HTC, Samsung and Sprint Nextel aimed at precisely measuring the size and scope of data that smartphones track and who gets access. Franken asked the companies to provide answers by Dec. 14. He also affixed a warning to his letter.

"If these activities do not meet specific statutory safe harbors," Franken wrote, "it is possible that some of these activities may violate federal privacy laws."