Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Risk

Carrier IQ Vs. Wiretap Laws

Network diagnostic software maker Carrier IQ feels the heat after a researcher's video demonstrates how software captured his every keystroke. But is that illegal?

Diagnostic tools running on over 141 million handsets appear to record every keystroke made on the device. The software, which is made by Carrier IQ, is deployed by wireless carriers on their smartphones.

The ability of telecommunications carriers to assess the health of their network is enshrined in federal law, which even gives carriers the ability to listen in on phone calls to ensure that they go through. But what's less clear is this: Does a third-party service such as Carrier IQ, which provides diagnostic software hidden on smartphones, enjoy the same protections as telecommunications providers?

That's a relevant question since security researcher Trevor Eckhart released a video Monday detailing what he sees Carrier IQ software doing on his device--in this case, an HTC smartphone. In particular, he found that the Carrier IQ application saw all of the HTTP and HTTPS traffic from his browser, saw all phone numbers that he input before they were dialed, and also received the contents of all inbound and outbound SMS messages.

Based on that revelation, Carrier IQ may run afoul of federal wiretap regulations. "If the Carrier IQ/cellphone rootkit story is accurate, this is a clear, massive, felony wiretap. Not a close case," said Paul Ohm, a former Justice Department prosecutor and law professor at the University of Colorado Law School, via Twitter. "Carrier IQ, prepare for a multi-million $ class action lawsuit. Maybe a criminal case too? Federal wiretapping is a 5-year felony," he tweeted.

Ohm told Forbes.com. "Even if they were collecting only anonymized usage metrics, it doesn't mean they didn't break the law," said Ohm. "Then it becomes a hard, open question. And hard open questions take hundreds of thousands of dollars to make go away."

[Carrier IQ is an insane breach of enterprise trust, says IT leader Jonathan Feldman. See what he says must change, in Carrier IQ: Mobile App Crap Must Stop. ]

Interestingly, Carrier IQ has issued multiple statements saying that its software doesn't track keystrokes. "Carrier IQ would like to clarify some recent press on how our product is used and the information that is gathered from smartphones and mobile devices," it said in a statement issued Nov. 16. "Our software is embedded by device manufacturers along with other diagnostic tools and software prior to shipment. While we look at many aspects of a device's performance, we are counting and summarizing performance, not recording keystrokes or providing tracking tools," it said.

Carrier IQ's statement came in response to Eckhart suggesting otherwise in a written report that he released in November, which said that Carrier IQ's software was recording his keystrokes. In response, Carrier IQ sent him a cease and desist letter threatening him with $150,000 in copyright violations for posting its publically accessible training materials online, and requiring that he retract all of his research. After the Electronic Frontier Foundation came to Eckhart's defense, however, the software vendor backed off.

Despite Carrier IQ's statements, questions remain: exactly what is its software doing, and why? "Many people are clearly confused about this application and what it does, and it's being explained to nobody," said Eckhart, in a follow-up report on Carrier IQ that he released Wednesday, tied to his new video demonstrating how he sees the Carrier IQ software capturing data.

"What we don't know--until Carrier IQ and the carriers tell us--is how much of that information it transmits back to the carriers. Now, if it's not transmitting it, why would it collect it?" said attorney Mark Rasch, a former Department of Justice computer crime investigator and prosecutor who's now director of cybersecurity and privacy consulting at CSC. "The basic rule should be one of transparency, openness, and user control, and that's the first place where Carrier IQ or the providers fell down. People didn't know the stuff was there," he said.

In light of that, did Carrier IQ break federal wiretapping laws? Interestingly, while Ohm sees this as a clear case of federal wiretapping laws having been broken, Rasch offers a different assessment: "The answer to this, of course--like everything else with the law--is, it depends," he said.

Notably, the law recognizes that carriers must ensure that their infrastructure is working properly. "The law gives carriers a lot of leeway in capturing data traveling over their networks, for specifically this reason--quality control--going back to the days of copper wires. So the wiretap laws create exceptions," he said. "These are the guys in the phone booth with alligator clips checking line quality, call quality, making sure the call went through. Which even allows the phone company to listen in on a phone call to make sure it went through."

But on the other hand, while Carrier IQ is working for carriers, its software tool operates on handsets, which might make it an agent of the handset manufacturer. Furthermore, instead of capturing data as it's traveling over their network, it sees the data before it even gets transmitted.

That might put Carrier IQ's activities into a legal gray area, or it may be protected under existing statutes. "There's no case law on this," said Rasch, who calls the related legal questions "clearly ambiguous," based on his reading of the relevant federal statutes. As a result, "this is one that's more likely to be decided in the court of public opinion than it is in a U.S. district court," he said.

Companies that have implemented or are evaluating managed print services look to the model for its ability to reduce costs and increase end user productivity. However, IT teams need to be aware of security and scalability when selecting a partner. Here's how two large companies in diverse industries got a handle on printing. Read our report now. (Free registration required.)

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
<<   <   Page 2 / 2
Freedom Fighter
50%
50%
Freedom Fighter,
User Rank: Apprentice
12/1/2011 | 7:31:01 PM
re: Carrier IQ Vs. Wiretap Laws
"The law gives carriers a lot of leeway in capturing data traveling over their networks, for specifically this reason--quality control--going back to the days of copper wires. So the wiretap laws create exceptions," he said.

But what their software is doing is recording my keystrokes in my phone that may or may not be sent over their network, then covertly sending it to them... even over Wi-fi connections that are NOT THEIR NETWORK. They are recording my notepad entries, calender entries, grocery lists.

Paint is grey if you wish, but it is still black and white.
fredaevans
50%
50%
fredaevans,
User Rank: Apprentice
12/1/2011 | 7:28:03 PM
re: Carrier IQ Vs. Wiretap Laws
True to a degree. If you have your phone turned on the nearest cell phone tower is tracking its location. It's not so much that it's 'gathering' information, but knowing where you are for incoming calls.
DHOOVER079
50%
50%
DHOOVER079,
User Rank: Apprentice
12/1/2011 | 7:27:07 PM
re: Carrier IQ Vs. Wiretap Laws
if
fredaevans
50%
50%
fredaevans,
User Rank: Apprentice
12/1/2011 | 7:21:41 PM
re: Carrier IQ Vs. Wiretap Laws
I'm not too sure if there really is any violation of 'wire tapping' here. This system operates off of cell phones and the like (millions in use at any given time). Once you hit 'send' on a cell phone it becomes a 'radio transmitter' to a cell phone tower (then into a land line?) There was a big stink years back as you could easily build a set that would intercept any call being made in close proximity. Also (as I understand same) the 'wire tap' laws for land lines vs cell phone numbers is not the same; in one case a specific phone number. The other 'any number' an individual may use.

One way or the other this will get interesting.
fae
nightmage80
50%
50%
nightmage80,
User Rank: Apprentice
12/1/2011 | 7:04:42 PM
re: Carrier IQ Vs. Wiretap Laws
Also... why is the phone company allowed to spy on us? Does the wiretapping law really extend to data usage as well or is that just implied and untested?
KPICKERING000
50%
50%
KPICKERING000,
User Rank: Apprentice
12/1/2011 | 6:51:29 PM
re: Carrier IQ Vs. Wiretap Laws
It's worth noting that Eckhart discovered that CarrierIQ tracks and captures data travelling over Wi-Fi, i.e., data not part of any carrier network. It even captures data when the phone isn't connected to any network at all. If that's not a violation of the law, then the law is written too narrowly.
skyhawk83
50%
50%
skyhawk83,
User Rank: Apprentice
12/1/2011 | 6:47:13 PM
re: Carrier IQ Vs. Wiretap Laws
Well...I guess the hackers are going to have fun with this one.
Psyanomaly
50%
50%
Psyanomaly,
User Rank: Apprentice
12/1/2011 | 6:27:59 PM
re: Carrier IQ Vs. Wiretap Laws
Just a thought.... I wonder if the data collected, in its transmission is also counting against the users data plan.
<<   <   Page 2 / 2
Commentary
Ransomware Is Not the Problem
Adam Shostack, Consultant, Entrepreneur, Technologist, Game Designer,  6/9/2021
Edge-DRsplash-11-edge-ask-the-experts
How Can I Test the Security of My Home-Office Employees' Routers?
John Bock, Senior Research Scientist,  6/7/2021
News
New Ransomware Group Claiming Connection to REvil Gang Surfaces
Jai Vijayan, Contributing Writer,  6/10/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win an Amazon Gift Card! Click Here
Latest Comment: This gives a new meaning to blind leading the blind.
Current Issue
The State of Cybersecurity Incident Response
In this report learn how enterprises are building their incident response teams and processes, how they research potential compromises, how they respond to new breaches, and what tools and processes they use to remediate problems and improve their cyber defenses for the future.
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2021-21441
PUBLISHED: 2021-06-16
There is a XSS vulnerability in the ticket overview screens. It's possible to collect various information by having an e-mail shown in the overview screen. Attack can be performed by sending specially crafted e-mail to the system and it doesn't require any user intraction. This issue affects: OTRS A...
CVE-2020-9493
PUBLISHED: 2021-06-16
A deserialization flaw was found in Apache Chainsaw versions prior to 2.1.0 which could lead to malicious code execution.
CVE-2021-28815
PUBLISHED: 2021-06-16
Insecure storage of sensitive information has been reported to affect QNAP NAS running myQNAPcloud Link. If exploited, this vulnerability allows remote attackers to read sensitive information by accessing the unrestricted storage mechanism. This issue affects: QNAP Systems Inc. myQNAPcloud Link vers...
CVE-2021-3535
PUBLISHED: 2021-06-16
Rapid7 Nexpose is vulnerable to a non-persistent cross-site scripting vulnerability affecting the Security Console's Filtered Asset Search feature. A specific search criterion and operator combination in Filtered Asset Search could have allowed a user to pass code through the provided search field. ...
CVE-2021-32685
PUBLISHED: 2021-06-16
tEnvoy contains the PGP, NaCl, and PBKDF2 in node.js and the browser (hashing, random, encryption, decryption, signatures, conversions), used by TogaTech.org. In versions prior to 7.0.3, the `verifyWithMessage` method of `tEnvoyNaClSigningKey` always returns `true` for any signature that has a SHA-5...