Thursday, December 15, 2011

Federal Probe Of Carrier IQ Launched

For all the background you could ever need on the Carrier IQ controversy check out my recent posts on the subject, starting from earliest to the latest, here, here, and here.

As we know, executives from Carrier IQ — the company whose spying software was secretly installed in as many as 150 million cellphones — went to Washington to answer questions posed by the Federal Trade Commission and the Federal Communications Commission.

As I have written too many times to count on this blog, a lot of this comes down to data ownership and control - as in its OUR data and it should be in OUR control. Clearly, in the case of Carrier IQ and increasing numbers of telecom companies, third party marketers, and many more, we are seeing the invasion of individual privacy on a mass scale, including locational tracking and web search monitoring.

Now to the latest news: The FTC and FCC are looking into this matter closely...but we need and deserve more than just a questioning of Carrier IQ, but an investigation into what companies like AT&T, Sprint and T-Mobile are doing with our data as well.

With that, let's get to the Washington Posts coverage of these new inquiries:

Federal investigators are probing allegations that Carrier IQ software found on about 150 million cellphones tracked user activity and sent the information to cellphone companies without informing consumers, according to government officials...The FTC inquiry was confirmed by officials who spoke on condition of anonymity because it is private. An FTC spokeswoman said she could not confirm or deny whether the agency was investigating Carrier IQ. But a spokesman for Carrier IQ said company executives were cooperating with federal agencies.

Carrier IQ has said that its software is not designed to capture keystrokes or the content of messages but that in some cases that might have happened by accident. The data are intended to help improve the user experience with smartphones, the company said.

Woods said Carrier IQ chief executive Larry Lenhart and Coward met with regulators at the FTC and the FCC. The Carrier IQ executives also met with the staffs of three senators — Richard Blumenthal (D-Conn.), Christopher A. Coons (D-Del.) and Al Franken (D-Minn.) — who each had written letters of concern to Lenhart.

Three of the four major cellular providers — AT&T, T-Mobile and Sprint — have said they use the company’s software in line with their own privacy policies. A Verizon spokesman said the program is not on any of the company’s mobile devices. Apple has said it would remove Carrier IQ from i­Phones in a future software update.

Rep. Edward J. Markey (D-Mass.) asked the FTC on Dec. 2 to investigate the practices of Carrier IQ as possibly unfair or deceptive. “I have serious concerns about the Carrier IQ software and whether it is secretly collecting users’ personal information, such as the content of text messages,” said Markey, co-chairman of the Bi-Partisan Congressional Privacy Caucus. “Consumers and families need to understand who is siphoning off and storing their personal information every time they use their smartphone.”


While Carrier IQ executives were meeting with federal regulators, another controversy about the company erupted in the blogosphere. A response by the FBI to a reporter sparked rumors that the bureau was using the software for domestic surveillance.

The FBI denied a request for information regarding Carrier IQ filed by a reporter for MuckRock News under the Freedom of Information Act. The reporter had asked for “manuals, documents or other written guidance used to access or analyze data” gathered by any Carrier IQ program. In denying the request, the FBI said it had information but could not disclose it, because it was considered “law enforcement records.”


The backlash following Eckhart’s research has prompted several lawsuits against the company, mobile carriers and handset makers, including two class action lawsuits in Illinois. A class-action lawsuit has also been filed against AT&T, Sprint Nextel, Apple, T-Mobile USA, HTC, Samsung, Motorola and Carrier IQ by mobile phone customers in Delaware.

Click here to read more.

There are two particularly important developments here, one, that the FTC and FCC are looking into this controversy and two, the fact that the FBI and its potential use of this technology is being discussed and questioned. From the beginning, when I see the potential "uses" of this kind of tracking technology, in addition to the usual concerns, from stalkers to identity thieves to third party marketers, I worry about law enforcement access.

These concerns are especially resonant with me because two major battles over smart phone privacy are being fought in the courts and the California legislature as we speak: one being whether law enforcement can track individuals locations in real time without a warrant, and two, whether law enforcement can search someones smart phone, also without a warrant. Its not much of a leap to also suspect they'd want access to the treasure trove of information being collected by a technology like Carrier IQ.

As I detailed last post, there is debate now over whether Carrier IQ actually collects every keystroke, and therefore the contents of text messages and emails.  However, The Electronic Frontier Foundation has just released a technical report on Carrier IQ that concluded that "keystrokes, text message content and other very sensitive information is in fact being transmitted from some phones on which Carrier IQ is installed to third parties."

As CNET reported, "This is most likely inadvertent and "happens when crash reporting tools collect copies of the system logs for debugging purposes," Peter Eckersley, technology projects director for the EFF, wrote in the report.

"Our software does not communicate with Android and does not transmit any files up to Google or anybody else," Coward said today. "Our implementation, the only thing we are sending out is metrics ... if other information is going out of the device to Google or anyone else it has nothing to do with Carrier IQ."

"There should not be personal information written into the Android log files. Applications can get ahold of them, on the one hand, which is not good," he continued. "We've implemented a new procedure as we qualify our software on devices (and) we check that...We saw the Android log file may be receiving messages from our software but ... also from other applications too. So it's a generic issue here with regard to Android log files that the industry needs to address and we point that out in the report." 

Clearly there are a lot more questions in need of answers. 

As the Free Press noted in a recent action alert, "Mobile phones are the new frontlines in the battle over our right to communicate." As for next steps, I'm also in agreement with Free Press in that its time Congress takes a closer look at the role of companies like AT&T, T-Mobile, and Sprint - particularly as it relates to what's being done with our data.

No comments: