Carrier IQ Vs. Wiretap Laws

  /     /     /  
Publicated : 22/11/2024   Category : security


Carrier IQ Vs. Wiretap Laws


Network diagnostic software maker Carrier IQ feels the heat after a researchers video demonstrates how software captured his every keystroke. But is that illegal?



Diagnostic tools running on over 141 million handsets appear to record every keystroke made on the device. The software, which is made by Carrier IQ, is deployed by wireless carriers on their smartphones.
The ability of telecommunications carriers to assess the health of their network is enshrined in federal law, which even gives carriers the ability to listen in on phone calls to ensure that they go through. But whats less clear is this: Does a third-party service such as
Carrier IQ
, which provides diagnostic software hidden on smartphones, enjoy the same protections as telecommunications providers?
Thats a relevant question since security researcher Trevor Eckhart
released a video
Monday detailing what he sees Carrier IQ software doing on his device--in this case, an HTC smartphone. In particular, he found that the Carrier IQ application saw all of the HTTP and HTTPS traffic from his browser, saw all phone numbers that he input before they were dialed, and also received the contents of all inbound and outbound SMS messages.
Based on that revelation, Carrier IQ may run afoul of federal wiretap regulations. If the Carrier IQ/cellphone rootkit story is accurate, this is a clear, massive, felony wiretap. Not a close case, said Paul Ohm, a former Justice Department prosecutor and law professor at the University of Colorado Law School,
via Twitter
. Carrier IQ, prepare for a multi-million $ class action lawsuit. Maybe a criminal case too? Federal wiretapping is a 5-year felony, he tweeted.
Ohm
told Forbes.com
. Even if they were collecting only anonymized usage metrics, it doesnt mean they didnt break the law, said Ohm. Then it becomes a hard, open question. And hard open questions take hundreds of thousands of dollars to make go away.
[Carrier IQ is an insane breach of enterprise trust, says IT leader Jonathan Feldman. See what he says must change, in
Carrier IQ: Mobile App Crap Must Stop
. ]
Interestingly, Carrier IQ has issued multiple statements saying that its software doesnt track keystrokes. Carrier IQ would like to clarify some recent press on how our product is used and the information that is gathered from smartphones and mobile devices, it said in a statement issued Nov. 16. Our software is embedded by device manufacturers along with other diagnostic tools and software prior to shipment. While we look at many aspects of a devices performance, we are counting and summarizing performance, not recording keystrokes or providing tracking tools, it said.
Carrier IQs statement came in response to Eckhart suggesting otherwise in a written report that he released in November, which said that Carrier IQs software was recording his keystrokes. In response, Carrier IQ sent him a
cease and desist letter
threatening him with $150,000 in copyright violations for posting its publically accessible training materials online, and requiring that he retract all of his research. After the Electronic Frontier Foundation came to Eckharts defense, however, the software vendor backed off.
Despite Carrier IQs statements, questions remain: exactly what is its software doing, and why? Many people are clearly confused about this application and what it does, and its being explained to nobody, said Eckhart, in a
follow-up report on Carrier IQ
that he released Wednesday, tied to his new video demonstrating how he sees the Carrier IQ software capturing data.
What we dont know--until Carrier IQ and the carriers tell us--is how much of that information it transmits back to the carriers. Now, if its not transmitting it, why would it collect it? said attorney Mark Rasch, a former Department of Justice computer crime investigator and prosecutor whos now director of cybersecurity and privacy consulting at CSC. The basic rule should be one of transparency, openness, and user control, and thats the first place where Carrier IQ or the providers fell down. People didnt know the stuff was there, he said.
In light of that, did Carrier IQ break federal wiretapping laws? Interestingly, while Ohm sees this as a clear case of federal wiretapping laws having been broken, Rasch offers a different assessment: The answer to this, of course--like everything else with the law--is, it depends, he said.
Notably, the law recognizes that carriers must ensure that their infrastructure is working properly. The law gives carriers a lot of leeway in capturing data traveling over their networks, for specifically this reason--quality control--going back to the days of copper wires. So the wiretap laws create exceptions, he said. These are the guys in the phone booth with alligator clips checking line quality, call quality, making sure the call went through. Which even allows the phone company to listen in on a phone call to make sure it went through.
But on the other hand, while Carrier IQ is
working for carriers
, its software tool operates on handsets, which might make it an agent of the handset manufacturer. Furthermore, instead of capturing data as its traveling over their network, it sees the data before it even gets transmitted.
That might put Carrier IQs activities into a legal gray area, or it may be protected under existing statutes. Theres no case law on this, said Rasch, who calls the related legal questions clearly ambiguous, based on his reading of the relevant federal statutes. As a result, this is one thats more likely to be decided in the court of public opinion than it is in a U.S. district court, he said.
Companies that have implemented or are evaluating managed print services look to the model for its ability to reduce costs and increase end user productivity. However, IT teams need to be aware of security and scalability when selecting a partner. Heres how two large companies in diverse industries got a handle on printing.
Read our report now
. (Free registration required.)

Last News

▸ Security Problem Growing for Dairy Queen, UPS & Retailers, Back off ◂
Discovered: 23/12/2024
Category: security

▸ Veritabile Defecte de Proiectare a Securitatii in Software -> Top 10 Software Security Design Flaws ◂
Discovered: 23/12/2024
Category: security

▸ Sony, XBox Targeted by DDoS Attacks, Hacktivist Threats ◂
Discovered: 23/12/2024
Category: security


Cyber Security Categories
Google Dorks Database
Exploits Vulnerability
Exploit Shellcodes

CVE List
Tools/Apps
News/Aarticles

Phishing Database
Deepfake Detection
Trends/Statistics & Live Infos



Tags:
Carrier IQ Vs. Wiretap Laws