Carrier IQ Faces FTC Probe

FBI Director Robert Mueller says bureau doesn't knowingly use data collected by Carrier IQ.

Carrier IQ is reportedly facing a federal probe over allegations that its monitoring software collected smartphone data and transmitted it to carriers without consumers' knowledge.

Government officials, speaking on condition of anonymity since any investigation would be private, confirmed that the Federal Trade Commission has begun an inquiry into Carrier IQ, reported The Washington Post. The FTC is responsible for policing companies' privacy policies, and also helps protect consumers against unfair or deceptive practices.

Regulators are reportedly reviewing how Carrier IQ collects data. The company's data-collection practices came to light after security researcher Trevor Eckhart highlighted the existence of the company's monitoring software, which is employed on about 140 million handsets. Prior to Eckhart's research, few people had been aware of the software's existence.

Studies by independent security researchers ultimately found that Carrier IQ's software was only collecting performance monitoring data, as allowed by telecommunications laws.

But Carrier IQ's initial failure to fully detail what its software did, and why, had led many to question whether its software might be breaking wiretap or privacy laws. Senator Al Franken (D-Minn.) wrote to the company, demanding detailed information about its data collection and sharing practices. Likewise, Rep. Edward Markey (D-Mass.) urged the FTC to investigate Carrier IQ to ensure it hadn't engaged in unfair or deceptive practices. "Consumers and families need to understand who is siphoning off and storing their personal information every time they use their smartphone," said Markey in a letter to the FTC.

This week, two Carrier IQ executives went to Washington to reassure legislators, as well as regulators at the FTC and Federal Communications Commission, about how its software works. "This week Carrier IQ sought meetings with the FTC and FCC to educate the two agencies about the functionality of its software and answer any and all questions," said Andrew Coward, VP of marketing for Carrier IQ, via email.

In addition, in spite of Markey's request that the FTC investigate Carrier IQ, "we are not aware of an official investigation into Carrier IQ at this time," said Coward.

Carrier IQ president and CEO Larry Lenhart, as well as Coward, also met Tuesday with the staffs of three senators--Franken, as well as Richard Blumenthal (D-Conn.) and Christopher A. Coons (D-Del.)--each of whom had written letters of concern to the company. Wednesday had been the deadline set by Franken for Carrier IQ to provide him with detailed responses to his questions.

Carrier IQ Tuesday also released a detailed report into exactly which types of data its software collected, and noted that all data points were selected by carriers for tracking, and that collected data was shared only with the relevant carrier.

On a related note, at a Wednesday Senate Judiciary Committee hearing, FBI Director Robert Mueller said that his agency had never requested data from Carrier IQ. But he couldn't rule out the possibility that data provided by carriers to the bureau may have originated from Carrier IQ's collection software.

"We may obtain information that in some way Carrier IQ may have been involved with," said Mueller in response to a question posed by Sen. Franken, reported Computerworld.

He also said that the bureau's recent rejection of a Freedom of Information Act request for details about how it used Carrier IQ data had been misinterpreted. The FBI's rejection said that disclosing the information might impede an investigation, leading many to wonder whether the FBI was relying on Carrier IQ's data, or whether Carrier IQ itself was under investigation. But Mueller said that the rejection was only a simple "standard exemption" employed by the bureau.
