Phone 'Rootkit' Maker Carrier IQ May Have Violated Wiretap Law 140 Million Times

Started by jimmy olsen, December 01, 2011, 12:14:20 AM


jimmy olsen

Fucked up, but can't say I'm surprised this kind of software is on there.

http://www.forbes.com/sites/andygreenberg/2011/11/30/phone-rootkit-carrier-iq-may-have-violated-wiretap-law-in-millions-of-cases/
Quote:

Phone 'Rootkit' Maker Carrier IQ May Have Violated Wiretap Law In Millions Of Cases

A piece of keystroke-sniffing software called Carrier IQ has been embedded so deeply in millions of Nokia, Android, and RIM devices that it's tough to spot and nearly impossible to remove, as 25-year-old Connecticut systems administrator Trevor Eckhart revealed in a video Tuesday.

That's not just creepy, says Paul Ohm, a former Justice Department prosecutor and law professor at the University of Colorado Law School. He thinks it's also likely grounds for a class action lawsuit based on a federal wiretapping law.

"If CarrierIQ has gotten the handset manufacturers to install secret software that records keystrokes intended for text messaging and the Internet and are sending some of that information back somewhere, this is very likely a federal wiretap," he says. "And that gives the people wiretapped the right to sue and provides for significant monetary damages."

As Eckhart's analysis of the company's training videos and the debugging logs on his own HTC Evo handset have shown, Carrier IQ captures every keystroke on a device as well as location and other data, and potentially makes that data available to Carrier IQ's customers. The video he's created (below) shows every keystroke being sent to the highly-obscured application on the phone before a call, text message, or Internet data packet is ever communicated beyond the phone. Eckhart has found the application on Samsung, HTC, Nokia and RIM devices, and Carrier IQ claims on its website that it has installed the program on more than 140 million handsets.

Specifically, Ohm points to changes made to the Wiretap Act under the Electronic Communications Privacy Act of 1986 that forbid acquiring the contents of communications without the users' consent. "Because this happens with text messages as they're being sent, a quintessentially streaming form of communication, it seems like exactly the kind of thing the wiretap act is meant to prevent," he says. "When I was at the Justice Department, we definitely prosecuted people for installing software with these kinds of capabilities on personal computers."

Carrier IQ didn't respond to my request for comment, but the firm has posted a response statement on its website, claiming that it collects only limited "operational information" on devices for its carrier customers:

    While we look at many aspects of a device's performance, we are counting and summarizing performance, not recording keystrokes or providing tracking tools. The metrics and tools we derive are not designed to deliver such information, nor do we have any intention of developing such tools. The information gathered by Carrier IQ is done so for the exclusive use of that customer, and Carrier IQ does not sell personal subscriber information to 3rd parties. The information derived from devices is encrypted and secured within our customer's network or in our audited and customer-approved facilities

Former Justice Department prosecutor and University of Colorado Law School professor Paul Ohm

But even if the data were somehow aggregated and anonymized before being communicated to a remote server, Ohm argues, Carrier IQ and possibly even Sprint and other carriers shown to have used the company's services should still expect a costly class action lawsuit. "Even if they were collecting only anonymized usage metrics, it doesn't mean they didn't break the law," says Ohm. "Then it becomes a hard, open question. And hard open questions take hundreds of thousands of dollars to make go away."

"In the next days or weeks, someone will sue, and then this company is tangled up in very expensive litigation," he adds. "It's almost certain."

Over the last month, Carrier IQ has attempted to quash Eckhart's research with a cease-and-desist letter, apologizing only after the Electronic Frontier Foundation came to his defense. Eckhart's legal representation at the EFF declined to comment on the legality of Carrier IQ's business practices.

If the case went to court, Carrier IQ's first line of defense might be that users have agreed to some form of tracking in their contract with one of Carrier IQ's cellular carrier customers. But when I reached Eckhart by phone, he pointed out that in his tests, he turned on the phone's airplane mode, shutting down its cellular connection and using only Wifi. Even then, the app seemed to record all his keystrokes and communications as they happened. "[Sprint] defines their service as their network," he says, referring to his own tests on his Sprint-connected HTC Evo. "I don't understand how my phone on my own wireless network is their service, and how they have the right to look at that."

Ohm argues that even when the phone is connected to the cellular network, only carriers are protected by contracts they make with users, not an intermediate software company of which most users are unaware. And carriers themselves typically don't spell out in their contracts the kind of surveillance that Eckhart has shown Carrier IQ to be performing. "This seems like really intrusive, comprehensive surveillance," says Ohm. "If so, is there really a provision in the contract that's so all-encompassing? They may say they'll periodically monitor for quality assurance, or something to that effect. But that seems like a far cry from saving every keystroke."

The Brain

The communications industry is working closely with the government in monitoring the population. Hardly news.