Network diagnostic software maker Carrier IQ feels the heat after a
researcher's video demonstrates how software captured his every
keystroke. But is that illegal?
By Mathew J. Schwartz InformationWeek
December 01, 2011 12:51 PM
Diagnostic tools running on over 141 million handsets appear to record
every keystroke made on the device. The software, which is made by
Carrier IQ, is deployed by wireless carriers on their smartphones.
The ability of telecommunications carriers to assess the health of
their network is enshrined in federal law, which even gives carriers
the ability to listen in on phone calls to ensure that they go
through. But what's less clear is this: Does a third-party service
such as Carrier IQ, which provides diagnostic software hidden on
smartphones, enjoy the same protections as telecommunications
providers?
That's a relevant question since security researcher Trevor Eckhart
released a video Monday detailing what he sees Carrier IQ software
doing on his device--in this case, an HTC smartphone. In particular,
he found that the Carrier IQ application saw all of the HTTP and HTTPS
traffic from his browser, saw all phone numbers that he input before
they were dialed, and also received the contents of all inbound and
outbound SMS messages.
Based on that revelation, Carrier IQ may run afoul of federal wiretap
regulations. "If the Carrier IQ/cellphone rootkit story is accurate,
this is a clear, massive, felony wiretap. Not a close case," said Paul
Ohm, a former Justice Department prosecutor and law professor at the
University of Colorado Law School, via Twitter. "Carrier IQ, prepare
for a multi-million $ class action lawsuit. Maybe a criminal case too?
Federal wiretapping is a 5-year felony," he tweeted.
Ohm also told Forbes.com: "Even if they were collecting only anonymized
usage metrics, it doesn't mean they didn't break the law. Then it
becomes a hard, open question. And hard open questions take hundreds of
thousands of dollars to make go away."
[Carrier IQ is an insane breach of enterprise trust, says IT leader
Jonathan Feldman. See what he says must change, in Carrier IQ: Mobile
App Crap Must Stop. ]
Interestingly, Carrier IQ has issued multiple statements saying that
its software doesn't track keystrokes. "Carrier IQ would like to
clarify some recent press on how our product is used and the
information that is gathered from smartphones and mobile devices," it
said in a statement issued Nov. 16. "Our software is embedded by
device manufacturers along with other diagnostic tools and software
prior to shipment. While we look at many aspects of a device's
performance, we are counting and summarizing performance, not
recording keystrokes or providing tracking tools," it said.
Carrier IQ's statement came in response to Eckhart suggesting
otherwise in a written report that he released in November, which said
that Carrier IQ's software was recording his keystrokes. In response,
Carrier IQ sent him a cease-and-desist letter threatening him with
$150,000 in copyright damages for posting its publicly accessible
training materials online, and demanding that he retract all of his
research. After the Electronic Frontier Foundation came to Eckhart's
defense, however, the software vendor backed off.
Despite Carrier IQ's statements, questions remain: exactly what is its
software doing, and why? "Many people are clearly confused about this
application and what it does, and it's being explained to nobody,"
said Eckhart, in a follow-up report on Carrier IQ that he released
Wednesday, tied to his new video demonstrating how he sees the Carrier
IQ software capturing data.
"What we don't know--until Carrier IQ and the carriers tell us--is how
much of that information it transmits back to the carriers. Now, if
it's not transmitting it, why would it collect it?" said attorney Mark
Rasch, a former Department of Justice computer crime investigator and
prosecutor who's now director of cybersecurity and privacy consulting
at CSC. "The basic rule should be one of transparency, openness, and
user control, and that's the first place where Carrier IQ or the
providers fell down. People didn't know the stuff was there," he said.
In light of that, did Carrier IQ break federal wiretapping laws?
Interestingly, while Ohm sees this as a clear case of federal
wiretapping laws having been broken, Rasch offers a different
assessment: "The answer to this, of course--like everything else with
the law--is, it depends," he said.
Notably, the law recognizes that carriers must ensure that their
infrastructure is working properly. "The law gives carriers a lot of
leeway in capturing data traveling over their networks, for
specifically this reason--quality control--going back to the days of
copper wires. So the wiretap laws create exceptions," he said. "These
are the guys in the phone booth with alligator clips checking line
quality, call quality, making sure the call went through. Which even
allows the phone company to listen in on a phone call to make sure it
went through."
But on the other hand, while Carrier IQ is working for carriers, its
software tool operates on handsets, which might make it an agent of
the handset manufacturer. Furthermore, instead of capturing data as
it's traveling over their network, it sees the data before it even
gets transmitted.
That might put Carrier IQ's activities into a legal gray area, or it
may be protected under existing statutes. "There's no case law on
this," said Rasch, who calls the related legal questions "clearly
ambiguous," based on his reading of the relevant federal statutes. As
a result, "this is one that's more likely to be decided in the court
of public opinion than it is in a U.S. district court," he said.