Carrier IQ Scandal Results in 'Mobile Device Privacy Act'

US Representative Edward Markey has released a draft of the new "Mobile Device Privacy Act." The proposed legislation emerged in the wake of the Carrier IQ scandal in which data from mobile handsets were being transmitted to mobile operators without users' knowledge or consent.

The MDPA would require disclosure of any device monitoring by carriers, OEMs or app developers. It would also require the information collected to be identified and consumer consent to be obtained. According to a missive put out by Markey's office:

[The Mobile Device Privacy Act] would require companies to disclose to consumers the capability to monitor telephone usage, as well as require express consent of the consumer prior to monitoring. News broke last month that Carrier IQ software installed on millions of smart phones and mobile devices can track every keystroke of users and send the information back to the software company without user knowledge or permission.

Here are the rules, requirements and enforcement provisions contained in the act in broad strokes:

  • Disclosure of mobile telephone monitoring software, including when a consumer buys a mobile phone; after sale, if the carrier, manufacturer, or operating system later installs monitoring software; and if a consumer downloads an app and that app contains monitoring software.
  • Disclosure to include the fact that the monitoring software has been installed on the phone, the types of information that are collected, the identity of the third party to which the information is transmitted, and how such information will be used.
  • Consumer consent be obtained before monitoring software begins collecting and transmitting information.
  • Third party receiving the personal information must have policies in place to secure the information.
  • Agreements on transmission to third parties must be filed at the Federal Trade Commission (FTC) and Federal Communications Commission (FCC).
  • Outline an enforcement regime for the FTC and FCC, along with State Attorney General enforcement and a private right of action. 

Carriers and others in the industry are likely to cry foul over "new government regulation." However, almost without exception -- Verizon claimed it never used the monitoring software -- US carriers and OEMs used Carrier IQ on their handsets without making any disclosures to consumers.

As with GPS-based tracking and monitoring the law is struggling to keep up with the pace of technology and cultural change in its wake.