Last November, after a security researcher revealed that many Android phones contained software that tracked keystrokes while users were dialing phone numbers, news providers boiled the issue into a genuine spyware scare. That gave Carrier IQ, the maker of performance monitoring software, a black eye in the public mind.
As the testing software maker continues to recover from a huge perception problem, a leading House Democrat is proposing legislation mandating that carriers inform customers of the existence of any monitoring software on the phones they intend to purchase, and obtain their consent, prior to engaging that software.
“Not later than 1 year after the date of the enactment of this Act, the Federal Trade Commission shall promulgate regulations under section 553 of title 5, United States Code, that require any person who is subject to the disclosure requirements of the regulations promulgated under section 2(a) to obtain the express consent of the consumer prior to the time when the monitoring software first begins collecting and transmitting information.” This is the first paragraph of Section 3 of the proposed Mobile Device Privacy Act (PDF available here), put forth today by Rep. Edward Markey (D – Mass.), who serves on the House Energy & Commerce Committee.
“While consumers rely on their phones, their phones relay all sorts of information about them, often without their knowledge or consent,” reads a statement from Rep. Markey’s office today. “I am concerned about the threat to consumers’ privacy posed by electronic monitoring software on mobile phones, such as the software developed by Carrier IQ.”
Carriers (or parties to the sale of a phone) failing to make this disclosure to customers, under Rep. Markey’s proposed provisions, could find themselves prosecuted for deception and/or unfair trade practices.
But that might not be the stickiest part of this bill. Under Rep. Markey’s proposal, once the customer consented to the monitoring software doing its job, the carrier (or other point of sale) would become responsible for maintaining a secure database of the identities of those who consented. Such a database could conceivably be used to retrieve data about the phones being monitored.
It would be precisely the situation that Carrier IQ says its architecture tries to avoid: tracking people. Rather, the company says its interest is in the performance and engineering of phones, for the benefit of engineers who build phones.
“In building a solution capable of scaling to millions of subscribers,” reads last month’s Carrier IQ white paper (PDF available here), “we understand that having an effective solution requires that the software gather only the critical diagnostic information and do so in a manner that protects consumers’ information. From a business perspective, using the least amount of data possible reduces costs in providing the service (less storage facilities, less data to analyze).”
Carrier IQ’s software is capable of detecting signal degradation down to the level of a single phone, pinpointing the location of that phone. But the company says it does not use personally identifiable data in its analysis. In that sense, the best way to safeguard customer data from being pilfered from Carrier IQ is for Carrier IQ not to have it in the first place. “Carrier IQ have no rights to the data that is gathered into the MSIP system for any Carrier IQ customer,” the company says.
Rep. Markey’s statement reminds us that his office requested the Federal Trade Commission last year to investigate Carrier IQ for possible unfair or deceptive trade practices.