Carrier IQ and the US' Escalating Privacy Risk Level
It seems that every day a new crisis hits the news about our privacy, but not many news stories are as astonishing as the recent revelation by a 25-year-old researcher about the Carrier IQ software that is installed on most modern Android, BlackBerry and Nokia phones. Carrier IQ software collects massive data from these devices, then "correlates and aggregates the data for near real-time system monitoring and business intelligence" for phone operators and manufacturers, ostensibly to improve their services.
Rep. Edward Markey, D-Mass., co-chair of the Congressional Bi-Partisan Privacy Caucus, sent a letter to the Federal Trade Commission asking what was being done to investigate.
The Carrier IQ technology "secretly installed on millions of mobile phones tracks nearly every keystroke users make and then sends the data back to the software company," Markey told FTC Chairman Jon Leibowitz. He requested that the FTC respond to his inquiry by Dec. 20.
Markey's letter isn't the only missive from a concerned member of Congress. Sen. Al Franken, D-Minn., chairman of the Subcommittee on Privacy, Technology, and the Law, sent his own letter to Carrier IQ, which included the following:
"I am very concerned by recent reports that your company's software -- pre-installed on smartphones used by millions of Americans -- is logging and may be transmitting extraordinarily sensitive information from consumers' phones ... It also appears that an average user would have no way to know that this software is running -- and that when the user finds out, he or she will have no reasonable means to remove or stop it. ... These actions may violate federal privacy laws, including the Electronic Communications Privacy Act and the Computer Fraud and Abuse Act. This is potentially a very serious matter."
Franken requested that Carrier IQ respond by Dec. 14 to a number of questions, including the following:
Does Carrier IQ software log users' location?Franken also questioned whether Carrier IQ's software was in compliance with specific federal statutes.
What other data does Carrier IQ software log? Does it log
- The telephone number users dial?
- The contents of text message users receive? Send? ...
- The contents of emails users send?
What if any of this data is transmitted off of a user's phone? When? In what form?
Is that data transmitted to Carrier IQ?
Is it transmitted to smartphone manufacturers, operating systems providers, or carriers?
Is it transmitted to any other third parties?
What Is Carrier IQ Software?
Markey learned of the Carrier IQ issue from a recent news story in Wired that included Android developer Trevor Eckert's 17-minute video demonstrating that Carrier IQ is loaded on his phone, cannot be disabled, and tracks every keystroke. Eckert demonstrated how Carrier IQ was logging and potentially transmitting the sensitive information of consumers.
Franken included the following list of sensitive information allegedly collected by the software in his letter to Carrier IQ:
- when they turn their phones on;
- when they turn their phones off;
- the phone numbers they dial;
- the contents of text messages they receive;
- the URLs of the websites they visit;
- the contents of their online search queries -- even when those searches are encrypted; and
- the location of the customer using the smartphone -- even when the customer has expressly denied permission for an app that is currently running to access his or her location.
Interestingly, Carrier IQ initially issued a cease and desist notice to Eckert asserting that he was violating the Copyright Act and could face infringement claims, but after the Electronic Frontier Foundation (EFF) sent a response letter on behalf of Eckert last month, Carrier IQ issued an apology.
Class Action Lawsuit Filed
Meanwhile, within days of the revelation that Carrier IQ software was installed on millions of phones without disclosure to the users, at least two class action lawsuits were filed. One, filed in the U.S. District Court for the Northern District of California, accuses HTC and Samsung of violating the Federal Wiretap Act and California's Unfair Business Practices Act. The Federal Wiretap Act is described in more detail below, and the California Unfair Business Practices Act applies to "any unlawful, unfair or fraudulent business act or practice and unfair, deceptive, untrue or misleading advertising."
The second suit, filed in the U.S. District Court for the Eastern District of Missouri, accuses Carrier IQ, HTC Inc. and HTC America Inc. of unlawfully intercepting communications from private mobile phones, smartphones and handsets.
Additional suits have since been filed in several states. Since the class action suits were filed recently, it's impossible to know if their claims will actually be accepted by the federal judges. To be certified by a federal judge as a class action lawsuit, the plaintiffs must have common claims against defendants in addition to meeting other criteria about the underlying legal claims.
What about these legal theories?
The Federal Wiretap Act defines electronic communication to mean "any transfer of signs, signals, writing, images, sounds, data, or intelligence of any nature transmitted in whole or in part by a wire, radio, electromagnetic, photoelectronic or photooptical system."
Generally, Internet communications are electronic communications and covered by the Wiretap Act. The Wiretap Act specifically prohibits any act that "intentionally intercepts, endeavors to intercept, or procures any other person to intercept or endeavor to intercept, any wire, oral, or electronic communication."
The Electronic Communications Privacy Act amended the Wiretap Act to prevent unauthorized government access to private communications, and coupled with the 1986 Stored Communications Act, it helps protect consumers so that no phone or Internet use records can be obtained without the user's permission, except where a valid subpoena is issued.
Since the Internet was not in widespread use in 1986, the 1986 Stored Communications Act dealt with records at the telephone companies -- yet it is now used to protect data on websites.
The Computer Fraud and Abuse Act was also passed in 1986 for security of federal government computers and the banking system, and later was updated to apply to the Internet as well. There are seven types of criminal activity enumerated in the Computer Fraud and Abuse Act:
- obtaining national security information;
- compromising confidentiality;
- trespassing in a government computer;
- accessing to defraud and obtain value;
- damaging a computer or information;
- trafficking in passwords; and
- threatening to damage a computer.
Most states also passed computer crime laws in the mid 1980s, but there have been few prosecutions.
What's Carrier IQ's Story?
After Markey sent his letter about millions of U.S. smartphones using Carrier IQ's software, Carrier IQ issued a statement vigorously disagreeing with allegations that it was in violation of any wiretap laws:
"While a few individuals have identified that there is a great deal of information available to the Carrier IQ software inside the handset, our software does not record, store or transmit the contents of SMS messages, email, photographs, audio or video. For example, we understand whether an SMS was sent accurately, but do not record or transmit the content of the SMS. We know which applications are draining your battery, but do not capture the screen.
"Privacy is protected. Consumers have a trusted relationship with operators and expect their personal information and privacy to be respected. As a condition of its contracts with operators, Carrier IQ operates exclusively within that framework and under the laws of the applicable jurisdiction. The data we gather is transmitted over an encrypted channel and secured within our customers' networks or in our audited and customer-approved facilities."
Further, "our software makes your phone better by delivering intelligence on the performance of mobile devices and networks to help the operators provide optimal service efficiency," Carrier IQ claimed.
Each day, more is coming out about what Carrier IQ actually collects, and the actual threat level. Just use your search engine of choice for "Carrier IQ" to see the latest developments.
Even with Carrier IQ's statement, and even if the actual threat level is determined to be not as high as initially thought, this news may be alarming to the millions of smartphone consumers who unwittingly provide data about their personal phone usage and Internet activities without their consent or knowledge.
As more information is collected about us from a variety of sources, it will become more and more difficult to maintain our privacy in the digital world.