12/15/2011
12:09 PM

Carrier IQ Faces FTC Probe

FBI Director Robert Mueller says bureau doesn't knowingly use data collected by Carrier IQ.

Carrier IQ is reportedly facing a federal probe over allegations that its monitoring software collected smartphone data and transmitted it to carriers without consumers' knowledge.

Government officials, speaking on condition of anonymity since any investigation would be private, confirmed that the Federal Trade Commission has begun an inquiry into Carrier IQ, reported The Washington Post. The FTC is responsible for policing companies' privacy policies, and also helps protect consumers against unfair or deceptive practices.

Regulators are reportedly reviewing how Carrier IQ collects data. The company's data-collection practices came to light after security researcher Trevor Eckhart highlighted the existence of the company's monitoring software, which is employed on about 140 million handsets. Prior to Eckhart's research, few people had been aware of the software's existence.

Studies by independent security researchers ultimately found that Carrier IQ's software was only collecting performance monitoring data, as allowed by telecommunications laws.

But Carrier IQ's initial failure to fully detail what its software did, and why, had led many to question whether its software might be breaking wiretap or privacy laws. Senator Al Franken (D-Minn.) wrote to the company, demanding detailed information about its data collection and sharing practices. Likewise, Rep. Edward Markey (D-Mass.) urged the FTC to investigate Carrier IQ to ensure it hadn't engaged in unfair or deceptive practices. "Consumers and families need to understand who is siphoning off and storing their personal information every time they use their smartphone," said Markey in a letter to the FTC.

This week, two Carrier IQ executives went to Washington to reassure legislators, as well as regulators at the FTC and Federal Communications Commission, about how its software works. "This week Carrier IQ sought meetings with the FTC and FCC to educate the two agencies about the functionality of its software and answer any and all questions," said Andrew Coward, VP of marketing for Carrier IQ, via email.

In addition, in spite of Markey's request that the FTC investigate Carrier IQ, "we are not aware of an official investigation into Carrier IQ at this time," said Coward.

Carrier IQ president and CEO Larry Lenhart, as well as Coward, also met Tuesday with the staffs of three senators--Franken, as well as Richard Blumenthal (D-Conn.) and Christopher A. Coons (D-Del.)--each of whom had written letters of concern to the company. Wednesday had been the deadline set by Franken for Carrier IQ to provide him with detailed responses to his questions.

Carrier IQ on Tuesday also released a detailed report on exactly which types of data its software collected, and noted that all data points were selected by carriers for tracking, and that collected data was shared only with the relevant carrier.

On a related note, at a Wednesday Senate Judiciary Committee hearing, FBI Director Robert Mueller said that his agency had never requested data from Carrier IQ. But he couldn't rule out the possibility that data provided by carriers to the bureau may have originated from Carrier IQ's collection software.

"We may obtain information that in some way Carrier IQ may have been involved with," said Mueller in response to a question posed by Sen. Franken, reported Computerworld.

He also said that the bureau's recent rejection of a Freedom of Information Act request for details about how it used Carrier IQ data had been misinterpreted. The FBI's rejection said that disclosing the information might impede an investigation, leading many to wonder whether the FBI was relying on Carrier IQ's data, or whether Carrier IQ itself was under investigation. But Mueller said that the rejection was only a simple "standard exemption" employed by the bureau.
