12 December 2011 E-011723/2011 Question for written answer to the Commission Rule 117 Sophia in 't Veld (ALDE) and Marietje Schaake (ALDE) Subject: US tools for mobile phone operators infringe EU rights Several mobile phone producers and mobile operating system providers have installed software from a US-based company called Carrier IQ on devices they have sold to European consumers. This software monitors every keystroke, data flow, geographical location of the phone and use of applications, even when the user has opted for an encrypted SSL connection. This information is then sent to the servers of Carrier IQ. The tools produced by Carrier IQ are sold to mobile phone companies as a ‘mission-critical tool to improve the quality of the network’ and to ‘understand device issues’. However, the information gathered on the Carrier IQ servers represents a massive breach of the fundamental right to privacy and data protection, since users are not aware of the existence of the software and have not given their unambiguous consent. Further, the operation of the software can be compared to deep packet inspection, though in this case the inspection is not on the level of telecom operators but of the mobile devices of users. 1. Is the Commission aware of companies such as Carrier IQ providing soft- and hardware to mobile phone producers or other firms in the mobile phone value chain? 2. Does the Commission consider information-gathering and storing by a company such as Carrier IQ to be a violation of applicable European data protection and privacy rules, notably Directive 95/46/EC, and most particularly the requirement for unambiguous consent by the data subject? If not, why not? 3. Does the Commission agree that the European data collected by Carrier IQ could be considered by US authorities as falling within US jurisdiction? 4. What immediate action will the Commission take to protect and represent the interests of EU citizens? What sanctions are available against companies which enable privacy breaches on a massive scale? 5. What immediate action will the Commission take to ensure that EU data protection rules are effectively enforced? 6. Is the Commission aware whether Carrier IQ has ever been obliged, by subpoena or otherwise, to make available to US authorities data collected and/or stored in the EU? Please find the answer here.