Senator Al Franken was right in the middle of the Carrier IQ smartphone tracking controversy: a pair of scathing letters from the Minnesota senator are what ultimately shed the most light on how Carrier IQ was being used. Every major carrier save Verizon has now responded to his questions and admitted some use of the software or similar tracking software on their networks. (Verizon simply denied any use of Carrier IQ at all.) It now appears that such software is pervasive throughout the industry; whether it's Carrier IQ or something else, it's clear that network operators can track and analyze customer behavior with alarming detail. That's on top of whatever tracking ability device makers, OS vendors, and app developers add in — all features users may not want, or even know about.
But Carrier IQ is just one more piece of the puzzle for Franken: he's been chairman of the Senate Subcommittee on Privacy, Technology, and the Law since it was formed in February, and the first-ever hearing he called was a bruising session with Google and Apple about the tracking abilities of Android and iOS. That hearing ultimately led Franken to introduce the Location Privacy Protection Act, which would require that companies get express consent from users before recording or sharing location data. Add in the recent FTC privacy settlements with Google, Facebook, and Twitter, and it's clear that Washington is waking up to a tectonic shift in how privacy works in an always-connected world.
We asked Senator Franken what the real problems are, and most importantly, how he'd solve them.
If Carrier IQ is indeed recording and sharing user data in an inappropriate manner, what remedy do you propose?
I think that what we're seeing is that all of the companies involved here — wireless carriers, device manufacturers and Carrier IQ itself — need to be doing a better job of informing their customers about the information that is being collected. I also think that those companies need to give consumers a choice about whether or not they want that information collected about them in the first place. There will be technical issues that need to be resolved, but that is the overarching theme I've drawn from this so far: we need more consumer awareness and better consumer control.
Every carrier does some type of tracking to improve their network. How do you strike the balance between the carrier collecting data to improve the consumer experience on their network and collecting personal data?
Obviously, it’s important that carriers be able to get the information that they need to have to improve the quality of the networks and other services that they offer. At the same time, I think that consumers have a fundamental right to know — and control — what data about them is being collected and who it’s being shared with. So it is a real problem that Carrier IQ’s software isn’t easily visible to the user and that it is so difficult to remove or disable it. We need to give users information and a choice — and it looks like neither of those things happened with Carrier IQ.
Are there any kinds of data that should be beyond a carrier's ability to collect?
I think that the default for collecting any kind of personal data should be opt-in consent. I think we need to be especially careful about certain categories of data — like location, for example. After holding hearings where I looked at how Apple and Google were treating this data, I introduced a bill called the Location Privacy Protection Act that would make sure that any company that wants to get the location of your phone has to ask your explicit permission first. But it isn’t just location that’s sensitive — there’s also medical data, biometrics, and the content of communications, to name a few.
With this current issue involving Carrier IQ, I think we need to be especially protective of content — things like the contents of text messages and the contents of our searches online. Without very clear notice and affirmative consent, a company shouldn’t be able to flip a switch and be able to read our search queries over an encrypted connection.
What role should the government play in regulating privacy?
I think the government has a role in protecting the fundamental rights of its citizens. And I think we have a fundamental right to know what information is being collected about us and who it is shared with — and a right to control that collection and sharing. We’ve seen time and time again that companies aren’t doing enough to protect consumers’ sensitive data. I think there is a role here for government to come in and protect some really basic consumer rights.
What's the mood about this in Washington? Would you say there's any momentum for a change in the law as it relates to privacy?
I think that the formation of my subcommittee shows that members of Congress are concerned about privacy and think we need to address it. If you look at the hearings I’ve held in my subcommittee, as well as my Location Privacy Protection Act, you can see that people around here understand that the law has yet to catch up with technology in important areas like location and medical records.
If you look at my Location Privacy Protection Act, you’ll see that it requires not just notice, but clear notice. I think that too frequently, companies are writing their privacy policies in legalese that covers liabilities but does not clearly notify users as to what is going on. Again, I think that consumers have a fundamental right to know what data is being collected about them. Without clear notice so they can understand what’s happening, that right might not be realized.