12:09 PM

Carrier IQ Faces FTC Probe

FBI Director Robert Mueller says bureau doesn't knowingly use data collected by Carrier IQ.

10 Epic Android Apps
10 Epic Android Apps
(click image for larger view and for slideshow)
Carrier IQ is reportedly facing a federal probe over allegations that its monitoring software collected smartphone data and transmitted it to carriers without consumers' knowledge.

Government officials, speaking on condition of anonymity since any investigation would be private, confirmed that the Federal Trade Commission has begun an inquiry into Carrier IQ, reported The Washington Post. The FTC is responsible for policing companies' privacy policies, and also helps protect consumers against unfair or deceptive practices.

Regulators are reportedly reviewing how Carrier IQ collects data. The company's data-collection practices came to light after security researcher Trevor Eckhart highlighted the existence the company's monitoring software, which is employed on about 140 million handsets. Prior to Eckhart's research, few people had been aware of the software's existence.

[ States are becoming more active in fighting cyber crime. Read California Forms Cyber Crime Unit. ]

Studies by independent security researchers ultimately found that Carrier IQ's software was only collecting performance monitoring data, as allowed by telecommunications laws.

But Carrier IQ's initial failure to fully detail what its software did, and why, had led many to question whether its software might be breaking wiretap or privacy laws. Senator Al Franken (D-Minn.) wrote to the company, demanding detailed information about its data collection and sharing practices. Likewise, Rep. Edward Markey (D-Mass.) urged the FTC to investigate Carrier IQ to ensure it hadn't engaged in unfair or deceptive practices. "Consumers and families need to understand who is siphoning off and storing their personal information every time they use their smartphone," said Markey in a letter to the FTC.

This week, two Carrier IQ executives went to Washington to reassure legislators, as well as regulators at the FTC and Federal Communications Commission, about how its software works. "This week Carrier IQ sought meetings with the FTC and FCC to educate the two agencies about the functionality of its software and answer any and all questions," said Andrew Coward, VP of marketing for Carrier IQ, via email.

In addition, in spite of Markey's request that the FTC investigate Carrier IQ, "we are not aware of an official investigation into Carrier IQ at this time," said Coward.

Carrier IQ president and CEO Larry Lenhart, as well as Coward, also met Tuesday with the staffs of three senators--Franken, as well as Richard Blumenthal (D-Conn.) and Christopher A. Coons (D-Del.)--each of whom had written letters of concern to the company. Wednesday had been the deadline set by Franken for Carrier IQ to provide him with detailed responses to his questions.

Carrier IQ Tuesday also released a detailed report into exactly which types of data its software collected, and noted that all data points were selected by carriers for tracking, and that collected data was shared only with the relevant carrier.

On a related note, at a Wednesday Senate Judiciary Committee hearing, FBI Director Robert Mueller said that his agency had never requested data from Carrier IQ. But he couldn't rule out the possibility that data provided by carriers to the bureau may have originated from Carrier IQ's collection software.

"We may obtain information that in some way Carrier IQ may have been involved with," said Mueller in response to a question posed by Sen. Franken, reportedComputerworld.

He also said that the bureau's recent rejection of a Freedom of Information Act request for details about how it used Carrier IQ data had been misinterpreted. The FBI's rejection said that disclosing the information might impede an investigation, leading many to wonder whether the FBI was relying on Carrier IQ's data, or whether Carrier IQ itself was under investigation. But Mueller said that the rejection was only a simple "standard exemption" employed by the bureau.

IT's spending as much as ever on disaster recovery, despite advances in virtualization and cloud techniques. It's time to break free. Download our Disaster Recovery Disaster supplement now. (Free registration required.)

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
121 Pieces of Malware Flagged on NSA Employee's Home Computer
Kelly Jackson Higgins, Executive Editor at Dark Reading,  11/16/2017
Mobile Malware Incidents Hit 100% of Businesses
Dawn Kawamoto, Associate Editor, Dark Reading,  11/17/2017
Register for Dark Reading Newsletters
White Papers
Current Issue
Managing Cyber-Risk
An online breach could have a huge impact on your organization. Here are some strategies for measuring and managing that risk.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
Published: 2017-05-09
NScript in mpengine in Microsoft Malware Protection Engine with Engine Version before 1.1.13704.0, as used in Windows Defender and other products, allows remote attackers to execute arbitrary code or cause a denial of service (type confusion and application crash) via crafted JavaScript code within ...

Published: 2017-05-08
unixsocket.c in lxterminal through 0.3.0 insecurely uses /tmp for a socket file, allowing a local user to cause a denial of service (preventing terminal launch), or possibly have other impact (bypassing terminal access control).

Published: 2017-05-08
A privilege escalation vulnerability in Brocade Fibre Channel SAN products running Brocade Fabric OS (FOS) releases earlier than v7.4.1d and v8.0.1b could allow an authenticated attacker to elevate the privileges of user accounts accessing the system via command line interface. With affected version...

Published: 2017-05-08
Improper checks for unusual or exceptional conditions in Brocade NetIron 05.8.00 and later releases up to and including 06.1.00, when the Management Module is continuously scanned on port 22, may allow attackers to cause a denial of service (crash and reload) of the management module.

Published: 2017-05-08
Nextcloud Server before 11.0.3 is vulnerable to an inadequate escaping leading to a XSS vulnerability in the search module. To be exploitable a user has to write or paste malicious content into the search dialogue.