Risk
12/1/2011
12:21 PM
Carrier IQ Vs. Wiretap Laws

Network diagnostic software maker Carrier IQ feels the heat after a researcher's video demonstrates how software captured his every keystroke. But is that illegal?

Diagnostic software running on more than 141 million handsets appears to record every keystroke made on the device. The software, made by Carrier IQ, is deployed by wireless carriers on the smartphones they sell.

The ability of telecommunications carriers to assess the health of their network is enshrined in federal law, which even gives carriers the ability to listen in on phone calls to ensure that they go through. But what's less clear is this: Does a third-party service such as Carrier IQ, which provides diagnostic software hidden on smartphones, enjoy the same protections as telecommunications providers?

That's a relevant question because security researcher Trevor Eckhart released a video Monday detailing what he sees Carrier IQ software doing on his device, in this case an HTC smartphone. In particular, he found that the Carrier IQ application saw all of the HTTP and HTTPS traffic from his browser (HTTPS requests included, because the software runs on the handset and sees data before it leaves the device, not as ciphertext on the wire), saw every phone number he entered before it was dialed, and also received the contents of all inbound and outbound SMS messages.

Based on that revelation, Carrier IQ may run afoul of federal wiretap regulations. "If the Carrier IQ/cellphone rootkit story is accurate, this is a clear, massive, felony wiretap. Not a close case," said Paul Ohm, a former Justice Department prosecutor and law professor at the University of Colorado Law School, via Twitter. "Carrier IQ, prepare for a multi-million $ class action lawsuit. Maybe a criminal case too? Federal wiretapping is a 5-year felony," he tweeted.

"Even if they were collecting only anonymized usage metrics, it doesn't mean they didn't break the law," Ohm told Forbes.com. "Then it becomes a hard, open question. And hard open questions take hundreds of thousands of dollars to make go away."


Interestingly, Carrier IQ has issued multiple statements saying that its software doesn't track keystrokes. "Carrier IQ would like to clarify some recent press on how our product is used and the information that is gathered from smartphones and mobile devices," it said in a statement issued Nov. 16. "Our software is embedded by device manufacturers along with other diagnostic tools and software prior to shipment. While we look at many aspects of a device's performance, we are counting and summarizing performance, not recording keystrokes or providing tracking tools," it said.

Carrier IQ's statement came in response to a written report Eckhart released in November, which said that Carrier IQ's software was recording his keystrokes. In response, Carrier IQ sent him a cease-and-desist letter threatening him with $150,000 in damages for copyright infringement for posting its publicly accessible training materials online, and demanding that he retract all of his research. After the Electronic Frontier Foundation came to Eckhart's defense, however, the software vendor backed off.

Despite Carrier IQ's statements, questions remain: exactly what is its software doing, and why? "Many people are clearly confused about this application and what it does, and it's being explained to nobody," said Eckhart, in a follow-up report on Carrier IQ that he released Wednesday, tied to his new video demonstrating how he sees the Carrier IQ software capturing data.

"What we don't know--until Carrier IQ and the carriers tell us--is how much of that information it transmits back to the carriers. Now, if it's not transmitting it, why would it collect it?" said attorney Mark Rasch, a former Department of Justice computer crime investigator and prosecutor who's now director of cybersecurity and privacy consulting at CSC. "The basic rule should be one of transparency, openness, and user control, and that's the first place where Carrier IQ or the providers fell down. People didn't know the stuff was there," he said.

In light of that, did Carrier IQ break federal wiretapping laws? Interestingly, while Ohm sees this as a clear case of federal wiretapping laws having been broken, Rasch offers a different assessment: "The answer to this, of course--like everything else with the law--is, it depends," he said.

Notably, the law recognizes that carriers must ensure that their infrastructure is working properly. "The law gives carriers a lot of leeway in capturing data traveling over their networks, for specifically this reason--quality control--going back to the days of copper wires. So the wiretap laws create exceptions," he said. "These are the guys in the phone booth with alligator clips checking line quality, call quality, making sure the call went through. Which even allows the phone company to listen in on a phone call to make sure it went through."

But on the other hand, while Carrier IQ works for carriers, its software runs on handsets, which might make it an agent of the handset manufacturer rather than of the carrier. Furthermore, instead of capturing data as it travels over the carrier's network, the software sees the data on the device before it is ever transmitted.

That might put Carrier IQ's activities into a legal gray area, or it may be protected under existing statutes. "There's no case law on this," said Rasch, who calls the related legal questions "clearly ambiguous," based on his reading of the relevant federal statutes. As a result, "this is one that's more likely to be decided in the court of public opinion than it is in a U.S. district court," he said.


Comments
RichF, User Rank: Apprentice
12/2/2011 | 8:01:37 PM
re: Carrier IQ Vs. Wiretap Laws
I think that there is some confusion here. If you watch the video that Eckhart has released, on his HTC phone, the software was hidden under a filename starting with a letter H. So everyone out there has been looking for software with CIQ in the executable name. I looked on my Verizon smartphone, which is a Motorola Android 2 Global, and it has no CIQ software on it. And Verizon swears that there is no CIQ malware on their phones. So is my phone clean? I don't think so. Looking carefully, I found a hidden app running unnoticed called KPI Logger. If you look at the information this application accesses, it appears to perform the same functions as the CIQ software. That KPI Logger app is branded Motorola, but in Eckhart's demo, his CIQ software might have been branded HTC.

This isn't just an Apple problem, or an HTC Sprint problem. I suspect that all the carriers are using either licensed versions of the CIQ software or software written by or for them by another company that accomplishes the same nastiness.
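As an added example (not from the article, the commenter, or Carrier IQ), the following Python script applies the commenter's approach of judging a package by what it can access rather than by what it is called: it parses a constructed, simplified dump in the shape of `adb shell dumpsys package` output and flags any package that combines network access with permissions over SMS, calls, the system log or location. The package names, the dump text, the permission grouping and the "two groups plus network" threshold are all this example's own assumptions.

```python
"""Triage an Android package dump for resident agents with interception-grade permissions."""
import re
from typing import Dict, List

# Constructed sample in the shape of `adb shell dumpsys package` output, heavily
# trimmed (real output carries many more fields). Package names are hypothetical.
SAMPLE_DUMP = """\
Package [com.example.kpilogger] (1a2b3c):
  userId=10042
  flags=[ SYSTEM HAS_CODE ALLOW_CLEAR_USER_DATA ]
  grantedPermissions:
    android.permission.READ_SMS
    android.permission.RECEIVE_SMS
    android.permission.READ_LOGS
    android.permission.PROCESS_OUTGOING_CALLS
    android.permission.READ_PHONE_STATE
    android.permission.ACCESS_FINE_LOCATION
    android.permission.INTERNET
Package [com.example.weather] (4d5e6f):
  userId=10087
  flags=[ HAS_CODE ]
  grantedPermissions:
    android.permission.INTERNET
    android.permission.ACCESS_COARSE_LOCATION
"""

# Permission groups that, together, let a resident agent read what the user
# sends, dials or types and where the device is. Grouping is an assumption.
INTERCEPT_GROUPS = {
    "sms": {"android.permission.READ_SMS", "android.permission.RECEIVE_SMS"},
    "calls": {"android.permission.PROCESS_OUTGOING_CALLS", "android.permission.READ_CALL_LOG"},
    "logs": {"android.permission.READ_LOGS"},
    "location": {"android.permission.ACCESS_FINE_LOCATION"},
}
EXFIL = "android.permission.INTERNET"  # needed to ship anything off the device

PKG_RE = re.compile(r"^Package \[([\w.]+)\]")
FLAGS_RE = re.compile(r"^\s+flags=\[(.*?)\]")
PERM_RE = re.compile(r"^\s+(android\.permission\.[A-Z_]+)$")


def parse_dump(text: str) -> Dict[str, dict]:
    """Return {package: {"flags": set, "perms": set}} from a dumpsys-style dump."""
    packages: Dict[str, dict] = {}
    current = None
    in_perms = False
    for line in text.splitlines():
        m = PKG_RE.match(line)
        if m:
            current = {"flags": set(), "perms": set()}
            packages[m.group(1)] = current
            in_perms = False
            continue
        if current is None:
            continue
        m = FLAGS_RE.match(line)
        if m:
            current["flags"] = set(m.group(1).split())
            in_perms = False
            continue
        if line.strip() == "grantedPermissions:":
            in_perms = True
            continue
        if in_perms:
            m = PERM_RE.match(line)
            if m:
                current["perms"].add(m.group(1))
            else:
                in_perms = False  # indented permission list has ended
    return packages


def triage(text: str, min_groups: int = 2) -> Dict[str, List[str]]:
    """Flag packages that can reach the network and touch >= min_groups sensitive groups.

    The package name is deliberately not consulted: an agent branded HTC, Motorola
    or anything else is judged purely on the capabilities it holds.
    """
    findings: Dict[str, List[str]] = {}
    for name, info in parse_dump(text).items():
        hit = [g for g, perms in INTERCEPT_GROUPS.items() if info["perms"] & perms]
        if EXFIL in info["perms"] and len(hit) >= min_groups:
            reasons = ["can reach the network"] + [f"can read {g}" for g in hit]
            if "SYSTEM" in info["flags"]:
                reasons.append("preloaded system package: the user cannot uninstall it")
            findings[name] = reasons
    return findings


if __name__ == "__main__":
    for pkg, why in triage(SAMPLE_DUMP).items():
        print(pkg)
        for reason in why:
            print("   ", reason)
```

On a real handset, feed the script the full output of `adb shell dumpsys package` instead of the constructed sample. A hit that also carries the SYSTEM flag is firmware-resident and cannot be removed through the normal application settings, which is consistent with the "nothing we can do to stop it" answer other commenters report getting from their carrier.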
majenkins, User Rank: Apprentice
12/2/2011 | 1:28:46 PM
re: Carrier IQ Vs. Wiretap Laws
I don't think the data was ever being sent to Carrier IQ; at the most it was being sent to your carrier.

This is a terrible situation, but you don't need to make it seem worse than it is.
majenkins, User Rank: Apprentice
12/2/2011 | 1:27:15 PM
re: Carrier IQ Vs. Wiretap Laws
When you say your personal computers, do you mean computers you owned or computers they owned? And please tell us what you were doing on company time that caused being monitored at work to ruin your life.
majenkins, User Rank: Apprentice
12/2/2011 | 1:22:23 PM
re: Carrier IQ Vs. Wiretap Laws
This sounds a lot like the Sony root-kit on music CDs issue from a few years ago and I suspect that in the end the carriers and Carrier IQ are going to have a lot of egg on their faces and are going to take a big public relations hit, if not something worse.
GCE, User Rank: Apprentice
12/2/2011 | 12:17:05 AM
re: Carrier IQ Vs. Wiretap Laws
Why does SPRINT in my case need to know and log my personal financial information? Why does SPRINT need to log all of my keystrokes on my HTC EVO 3D smartphone? Why was I not told about this when I purchased the product? Why am I not allowed to turn Carrier IQ IQRD application off? What does SPRINT and Carrier IQ do with my personal text messages? When I contacted SPRINT Customer and Technical Support they told me there was nothing they could do to stop the application.
Number 6, User Rank: Apprentice
12/1/2011 | 11:10:31 PM
re: Carrier IQ Vs. Wiretap Laws
Look up Legal Intercept and CALEA. Governments often require backdoors.
japura941, User Rank: Apprentice
12/1/2011 | 9:38:16 PM
re: Carrier IQ Vs. Wiretap Laws
Carrier IQ isn't just illegal spyware, it's a threat to the safety and security of our spouses and children. It opens the potential for Carrier IQ to sell all of our GPS coordinates and system authentication credentials to anyone or group who has the interest and the financial capacity.

With millions of these infected mobile devices in the hands of thousands of government workers, it then becomes a serious threat to our National Security! Password credentials to government systems and real-time GPS whereabouts of government workers can be very valuable and can easily fall into the hands of the wrong and malicious groups or enemies.
JZHOU000, User Rank: Apprentice
12/1/2011 | 9:09:34 PM
re: Carrier IQ Vs. Wiretap Laws
Omg, I hope they will pay for it, I worked for Verizon for a short time, the managers there song Lin, bilal wahid,... Installed spyware on all my personal computers, spy on my computer, spy on my PHONE, listen in my personal calls for 3 years now!!!!!!! I really hope they will get what they deserve, they destroyed my life.
dgilmore14601, User Rank: Apprentice
12/1/2011 | 8:26:42 PM
re: Carrier IQ Vs. Wiretap Laws
As data (in this case voice data via a cellular phone) traverses the network from point A to B, a myriad of carriers' networks are touched. This is the world we live in. The concept of "privacy" exists only between the ears, and I'm not so sure about that with the latest developments in MRI technology. As long as we leverage the concept of static legal rights into dynamic technologies we will continue to "disappoint" someone.
oink444, User Rank: Apprentice
12/1/2011 | 7:53:54 PM
re: Carrier IQ Vs. Wiretap Laws
While privacy is a huge issue in this case, so is data billing. We the customers are paying them to transfer your stuff, which is making our bills higher. I want to know how often and how much data is being transferred, and be refunded back since the very start of this spy ring that everyone in the cell business knew of. This has nothing to do with testing the network; a person's keystrokes, text messages and passwords don't help them build a better network. It's all bull. Class action suit, sign me up.