[Noisebridge-discuss] Phone 'Rootkit' Maker Carrier IQ May Have Violated Wiretap Law In Millions Of Cases

Jake jake at spaz.org
Sun Dec 4 09:08:57 UTC 2011


who is guilty?  It sounds like CarrierIQ just wrote the software/spyware.. 
and it's the networks who are actually doing the wiretapping?

http://www.forbes.com/sites/andygreenberg/2011/11/30/phone-rootkit-carrier-iq-may-have-violated-wiretap-law-in-millions-of-cases/

Andy Greenberg, Forbes Staff
Covering the worlds of data security, privacy and hacker culture.

SECURITY | 11/30/2011 @ 4:04PM
Phone 'Rootkit' Maker Carrier IQ May Have Violated Wiretap Law In Millions Of Cases
Updated with a more detailed response from Carrier IQ below.

Update 2: Class action lawsuits have now been filed against Carrier IQ, 
HTC, and Samsung.

A piece of keystroke-sniffing software called Carrier IQ has been embedded 
so deeply in millions of HTC and Samsung-built Android devices that it's 
tough to spot and nearly impossible to remove, as 25-year old Connecticut 
systems administrator Trevor Eckhart revealed in a video Tuesday.

That's not just creepy, says Paul Ohm, a former Justice Department 
prosecutor and law professor at the University of Colorado Law School. He 
thinks it's also likely grounds for a class action lawsuit based on a 
federal wiretapping law.

"If CarrierIQ has gotten the handset manufacturers to install secret 
software that records keystrokes intended for text messaging and the 
Internet and are sending some of that information back somewhere, this is 
very likely a federal wiretap," he says. "And that gives the people 
wiretapped the right to sue and provides for significant monetary 
damages."

As Eckhart's analysis of the company's training videos and the debugging 
logs on his own HTC Evo handset has shown, Carrier IQ captures every 
keystroke on a device as well as location and other data, and potentially 
makes that data available to Carrier IQ's customers. The video he's 
created (below) shows every keystroke being sent to the highly-obscured 
application on the phone before a call, text message, or Internet data 
packet is ever communicated beyond the phone. Eckhart has found the 
application on Samsung, HTC, Nokia and RIM devices, and Carrier IQ claims 
on its website that it has installed the program on more than 140 million 
handsets.

Update: Nokia and RIM have both denied installing the software on any of 
their handsets.


Specifically, Ohm points to changes made to the Wiretap Act under the 
Electronic Communications Privacy Act of 1986 that forbid acquiring the 
contents of communications without the users' consent. "Because this 
happens with text messages as they're being sent, a quintessentially 
streaming form of communication, it seems like exactly the kind of thing 
the wiretap act is meant to prevent," he says.  "When I was at the Justice 
Department, we definitely prosecuted people for installing software with 
these kinds of capabilities on personal computers."

Carrier IQ didn't respond to my request for comment, but the firm has 
posted a response statement on its website, claiming that it collects only 
limited "operational information" on devices for its carrier customers:

While we look at many aspects of a device's performance, we are counting 
and summarizing performance, not recording keystrokes or providing 
tracking tools. The metrics and tools we derive are not designed to 
deliver such information, nor do we have any intention of developing such 
tools. The information gathered by Carrier IQ is done so for the exclusive 
use of that customer, and Carrier IQ does not sell personal subscriber 
information to 3rd parties. The information derived from devices is 
encrypted and secured within our customer's network or in our audited and 
customer-approved facilities.

[Photo caption: Former Justice Department prosecutor and University of 
Colorado Law School professor Paul Ohm]

But even if the data were somehow aggregated and anonymized before being 
communicated to a remote server, Ohm argues, Carrier IQ and possibly even 
Sprint and other carriers shown to have used the company's services should 
still expect a costly class action lawsuit. "Even if they were collecting 
only anonymized usage metrics, it doesn't mean they didn't break the law," 
says Ohm. "Then it becomes a hard, open question. And hard open questions 
take hundreds of thousands of dollars to make go away."

"In the next days or weeks, someone will sue, and then this company is 
tangled up in very expensive litigation," he adds. "It's almost certain."

Over the last month, Carrier IQ has attempted to quash Eckhart's research 
with a cease-and-desist letter, apologizing only after the Electronic 
Frontier Foundation came to his defense. Eckhart's legal representation at 
the EFF declined to comment on the legality of Carrier IQ's business 
practices.

If the case went to court, Carrier IQ's first line of defense might be 
that users have agreed to some form of tracking in their contract with one 
of Carrier IQ's cellular carrier customers. But when I reached Eckhart by 
phone, he pointed out that in his tests, he turned on the phone's airplane 
mode, shutting down its cellular connection and using only Wifi. Even 
then, the app seemed to record all his keystrokes and communications as 
they happened. "[Sprint] defines their service as their network," he says, 
referring to his own tests on his Sprint-connected HTC Evo. "I don't 
understand how my phone on my own wireless network is their service, and 
how they have the right to look at that."

Ohm argues that even when the phone is connected to the cellular network, 
only carriers are protected by contracts they make with users, not an 
intermediate software company of which most users are unaware. And 
carriers themselves typically don't spell out in their contracts the kind 
of surveillance that Eckhart has shown Carrier IQ to be performing. "This 
seems like really intrusive, comprehensive surveillance," says Ohm. "If 
so, is there really a provision in the contract that's so 
all-encompassing? They may say they'll periodically monitor for quality 
assurance, or something to that effect. But that seems like a far cry from 
saving every keystroke."

Update: Carrier IQ has issued a new, more detailed statement in response 
to its critics, claiming that it has violated no laws, doesn't communicate 
users' private information off of the phones that run the software, and 
leaves the decision of exactly what data should be remotely collected up 
to the cellular carriers which are its customers.

It reads in part:

We measure and summarize performance of the device to assist Operators in 
delivering better service. While a few individuals have identified that 
there is a great deal of information available to the Carrier IQ software 
inside the handset, our software does not record, store or transmit the 
contents of SMS messages, email, photographs, audio or video. For example, 
we understand whether an SMS was sent accurately, but do not record or 
transmit the content of the SMS. We know which applications are draining 
your battery, but do not capture the screen.

Carrier IQ is aware of various commentators alleging Carrier IQ has 
violated wiretap laws and we vigorously disagree with these assertions.

Our software makes your phone better by delivering intelligence on the 
performance of mobile devices and networks to help the Operators provide 
optimal service efficiency. We are deployed by leading Operators to 
monitor and analyze the performance of their services and mobile devices 
to ensure the system (network and handsets) works to optimal efficiency. 
Operators want to provide better service to their customers, and 
information from the device and about the network is critical for them to 
do this.  While in-network tools deliver information such as the location 
of calls and call quality, they do not provide information on the most 
important aspect of the service - the mobile device itself.

Carrier IQ acts as an agent for the Operators.  Each implementation is 
different and the diagnostic information actually gathered is determined 
by our customers - the mobile Operators. Carrier IQ does not gather any 
other data from devices.