It’s a whole new year, but the Carrier IQ controversy hasn’t blown over in Washington. In fact, it appears to be just getting started, and now Google and the wireless carriers may be forced to defend themselves in front of Congress over their roles in the scandal.
On Thursday, Rep. Henry Waxman (D-CA), Rep. Diana DeGette (D-CO) and Rep. G.J. Butterfield (D-NC) sent an open letter to Rep. Fred Upton (R-MI), Chairman of the House Energy and Commerce Committee, as well as several subcommittee chairs, requesting that the full committee hold a hearing “on concerns about consumer privacy raised by the recent Carrier IQ controversy… as expeditiously as possible…”
The letter continues:
“There continue to be many unanswered questions about the handling of this data and the extent to which its collection, analysis, and transmission pose legitimate privacy concerns for the American public. The Committee should examine the facts and potential concerns raised by the Carrier IQ controversy.”
That controversy began in late November, after Android developer and security researcher Trevor Eckhart posted a YouTube video revealing that Carrier IQ’s “mobile intelligence software” was covertly installed on his phone, an Android HTC Evo model, and presumably running in the background of over 140 million phones worldwide, as that was the number posted on Carrier IQ’s own website. As Eckhart demonstrated in his video, the Carrier IQ software couldn’t be disabled or stopped and appeared to have the capability to log, and potentially transmit, every keystroke entered by a user.
Carrier IQ only fanned the flames when it sent a cease-and-desist letter attempting to get Eckhart to retract his findings. The Electronic Frontier Foundation quickly leapt to Eckhart’s defense, and within several weeks, Carrier IQ’s name had been dragged through the mud by tech bloggers and the public. Even Sen. Al Franken (D-MN) waded into the fray, demanding Carrier IQ answer his questions about its software in writing.
Throughout the controversy, Carrier IQ has attempted (mostly in vain) to defend its software — relying on third-party security experts to bolster its claims that it provides only a humble diagnostic tool used by the nation’s largest wireless companies to improve their service by pinpointing network problems by location. The company even released documentation attempting to walk customers through its software.
But Carrier IQ also admitted that a previously undiscovered “bug” had actually been capturing and sending the contents of users’ SMS (text) messages to wireless companies, albeit in a “non-human readable format.” Carrier IQ previously told TPM it has since fixed this bug.
The letter sent Thursday by the three representatives acknowledges all of this brief but tumultuous history, and yet still seeks more answers from Carrier IQ and potentially even its wireless company customers, pointing out that: “wireless carriers and device manufacturers that have not purchased Carrier IQ’s services may be collecting similar data internally, adding to the number of affected consumers.”
AT&T, T-Mobile and Sprint have all admitted to using the Carrier IQ software. Sprint, the largest offender by volume, at 26 million phones, said in late December that it was disabling the software on its phones due to “customer concerns.”
Even more intriguing, the letter seeks answers to questions about the security of Google’s Android mobile operating system, which Carrier IQ has long maintained is the real culprit behind the appearance of keystroke logging. As the lawmakers’ letter explains:
“Carrier IQ has denied the allegations that its software makes logging of keystrokes possible. Instead, the company argues that the third-party expert analysis revealed a vulnerability in Android devices that resulted in the logging of keystrokes in some phones. If true, these conclusions are also troubling. The Android vulnerability could have left this keystroke information available to third-party whose software had been installed on a user’s phone.”
Google, for its part, has steadfastly denied having any part in the Carrier IQ software’s installation or operation. Google Chair Eric Schmidt even publicly blasted the software as a “keylogger” at a tech conference in the Netherlands in early December, saying that “We certainly don’t work with them,” as the UK Telegraph reported.
It’s unclear at this time just who would be called to testify in any hypothetical hearing. But based on the contents of the letter, it does appear that Google and the wireless carriers might be on the hook. We’ve reached out to Google, Carrier IQ and the lawmakers’ staffs for more information and will update when we receive a response.