Diagnostic tools running on over 141 million handsets appear to record every keystroke made on the device. The software, which is made by Carrier IQ, is deployed by wireless carriers on their smartphones.
The ability of telecommunications carriers to assess the health of their network is enshrined in federal law, which even gives carriers the ability to listen in on phone calls to ensure that they go through. But what's less clear is this: Does a third-party service such as Carrier IQ, which provides diagnostic software hidden on smartphones, enjoy the same protections as telecommunications providers?
That's a relevant question since security researcher Trevor Eckhart released a video Monday detailing what he sees Carrier IQ software doing on his device--in this case, an HTC smartphone. In particular, he found that the Carrier IQ application saw all of the HTTP and HTTPS traffic from his browser, saw all phone numbers that he input before they were dialed, and also received the contents of all inbound and outbound SMS messages.
Based on that revelation, Carrier IQ may run afoul of federal wiretap regulations. "If the Carrier IQ/cellphone rootkit story is accurate, this is a clear, massive, felony wiretap. Not a close case," said Paul Ohm, a former Justice Department prosecutor and law professor at the University of Colorado Law School, via Twitter. "Carrier IQ, prepare for a multi-million $ class action lawsuit. Maybe a criminal case too? Federal wiretapping is a 5-year felony," he tweeted.
Ohm told Forbes.com. "Even if they were collecting only anonymized usage metrics, it doesn't mean they didn't break the law," said Ohm. "Then it becomes a hard, open question. And hard open questions take hundreds of thousands of dollars to make go away."
[Carrier IQ is an insane breach of enterprise trust, says IT leader Jonathan Feldman. See what he says must change, in Carrier IQ: Mobile App Crap Must Stop. ]
Interestingly, Carrier IQ has issued multiple statements saying that its software doesn't track keystrokes. "Carrier IQ would like to clarify some recent press on how our product is used and the information that is gathered from smartphones and mobile devices," it said in a statement issued Nov. 16. "Our software is embedded by device manufacturers along with other diagnostic tools and software prior to shipment. While we look at many aspects of a device's performance, we are counting and summarizing performance, not recording keystrokes or providing tracking tools," it said.
Carrier IQ's statement came in response to Eckhart suggesting otherwise in a written report that he released in November, which said that Carrier IQ's software was recording his keystrokes. In response, Carrier IQ sent him a cease and desist letter threatening him with $150,000 in copyright violations for posting its publically accessible training materials online, and requiring that he retract all of his research. After the Electronic Frontier Foundation came to Eckhart's defense, however, the software vendor backed off.
Despite Carrier IQ's statements, questions remain: exactly what is its software doing, and why? "Many people are clearly confused about this application and what it does, and it's being explained to nobody," said Eckhart, in a follow-up report on Carrier IQ that he released Wednesday, tied to his new video demonstrating how he sees the Carrier IQ software capturing data.
"What we don't know--until Carrier IQ and the carriers tell us--is how much of that information it transmits back to the carriers. Now, if it's not transmitting it, why would it collect it?" said attorney Mark Rasch, a former Department of Justice computer crime investigator and prosecutor who's now director of cybersecurity and privacy consulting at CSC. "The basic rule should be one of transparency, openness, and user control, and that's the first place where Carrier IQ or the providers fell down. People didn't know the stuff was there," he said.
In light of that, did Carrier IQ break federal wiretapping laws? Interestingly, while Ohm sees this as a clear case of federal wiretapping laws having been broken, Rasch offers a different assessment: "The answer to this, of course--like everything else with the law--is, it depends," he said.
Notably, the law recognizes that carriers must ensure that their infrastructure is working properly. "The law gives carriers a lot of leeway in capturing data traveling over their networks, for specifically this reason--quality control--going back to the days of copper wires. So the wiretap laws create exceptions," he said. "These are the guys in the phone booth with alligator clips checking line quality, call quality, making sure the call went through. Which even allows the phone company to listen in on a phone call to make sure it went through."
But on the other hand, while Carrier IQ is working for carriers, its software tool operates on handsets, which might make it an agent of the handset manufacturer. Furthermore, instead of capturing data as it's traveling over their network, it sees the data before it even gets transmitted.
That might put Carrier IQ's activities into a legal gray area, or it may be protected under existing statutes. "There's no case law on this," said Rasch, who calls the related legal questions "clearly ambiguous," based on his reading of the relevant federal statutes. As a result, "this is one that's more likely to be decided in the court of public opinion than it is in a U.S. district court," he said.
Companies that have implemented or are evaluating managed print services look to the model for its ability to reduce costs and increase end user productivity. However, IT teams need to be aware of security and scalability when selecting a partner. Here's how two large companies in diverse industries got a handle on printing. Read our report now. (Free registration required.)