Carrier IQ, Carriers, Manufacturers Hit With Wiretap Lawsuits

U.S. and European officials also demand answers about who's using Carrier IQ's smartphone monitoring software and exactly which types of information they're tracking.

Mathew J. Schwartz, Contributor

December 5, 2011


At least three lawsuits are now targeting smartphone monitoring software vendor Carrier IQ, as well as handset manufacturers and carriers--including Apple--who install or use the software to monitor devices.

One suit, filed Friday in U.S. District Court for the Northern District of Illinois by Erin Janek, accused Carrier IQ and HTC of surreptitiously intercepting, recording, and collecting private data. The lawsuit seeks class action status. Janek, a Sprint customer with an HTC handset that runs Android, "used her phone to electronically send over her cellphone network various types of private data," according to the complaint. "She did not know that defendants were surreptitiously monitoring and collecting this data, nor did she give them permission to do so."

A second lawsuit was also filed Friday on behalf of four people, by a group of three law firms--Sianni & Straite; Eichen Crutchlow Zaslow & McElroy; and Keefe Bartels--in federal court in Wilmington, Del. The class-action complaint "asserts that three cellphone providers (T-Mobile, Sprint, and AT&T) and four manufacturers of cellphones (HTC, Motorola, Apple, and Samsung) violated the Federal Wiretap Act, the Stored Electronic Communications Act, and the Federal Computer Fraud and Abuse Act," according to a statement released by Sianni & Straite.

The complaint also accused Carrier IQ of "surreptitiously logging and transmitting extraordinarily sensitive information from consumers' phones to the mobile phone carriers, without the knowledge or consent of the users, in violation of federal privacy laws."

Via email, AT&T spokesman Mark Siegel said that the carrier had no comment on the lawsuit, but emphasized how it uses Carrier IQ's software. "In line with our privacy policy, we solely use CIQ software data to improve wireless network and service performance," he said. The other companies named in the suit were not available for immediate comment.

Meanwhile, a third lawsuit, filed Friday in the U.S. District Court for the Northern District of California on behalf of four smartphone owners, accused Carrier IQ, HTC, and Samsung of violating the Federal Wiretap Act, as well as California's Unfair Business Practice Act. "The Federal Wiretap Act prohibits the unauthorized interception or illegal use of electronic communications," according to a statement released by Hagens Berman, the Seattle-based law firm that filed the lawsuit.

That lawsuit complaint--as with the one filed in Delaware--referenced a video released last week by security researcher Trevor Eckhart, which showed Carrier IQ's monitoring software in operation. "Mr. Eckhart's video shows CIQ software intercepting incoming text messages, and it also shows that the software captures dialed numbers and sensitive information sent through protected websites," said attorney Steve W. Berman, who's representing the smartphone owners in the suit filed in California, in a statement. The lawsuit also accused Carrier IQ's software of recording keystrokes, message content, and possibly also information that gets sent via HTTPS.

But does Eckhart's video show the Carrier IQ software intercepting messages and information? As Eckhart has noted, it's unclear exactly what data the software might be logging, as well as what it might then be transmitting back to Carrier IQ's backend servers.

Even so, University of Colorado law and telecommunications scholar Paul Ohm, a former federal prosecutor, last week told Wired that the manner in which the software is used "verges on wiretapping." Furthermore, while few customers would have even known that it existed, how long have law enforcement agencies had access to the collected data? "There's a lot of really sensitive stuff that you never ever realized that anybody was saving," he said. "One really likely scenario, the FBI, once they get wind of this, it's going to give them a trove of information."

Still, it's likely that Carrier IQ hasn't broken any federal wiretapping laws. According to attorney Mark Rasch, a former Department of Justice computer crime investigator and prosecutor who's now director of cybersecurity and privacy consulting at CSC, federal wiretapping laws provide carriers with broad latitude--including the ability to listen to calls made on their infrastructure--for the purposes of quality control.

That's been the crux of Carrier IQ's public defense: it legally can't be violating wiretapping laws, because those laws provide an exemption for companies such as itself, which function as an agent of the carriers. In other words, Carrier IQ is providing software at the carriers' and manufacturers' request for their handsets, and collecting only data that they specify. Furthermore, it doesn't share a carrier's data with any of its other customers. (The company's wording, however, leaves open the possibility that law enforcement agencies have access to the data it collects, but there would be little the company could do about that.)

Exactly what information does Carrier IQ collect? Senator Al Franken (D-Minn.) last week wrote to the company, requesting detailed answers to that question by December 14. Similarly, Rep. Edward Markey (D-Mass.) last week requested that the FTC investigate Carrier IQ to ensure it hadn't engaged in unfair or deceptive practices. "Consumers and families need to understand who is siphoning off and storing their personal information every time they use their smartphone," wrote Markey in a letter to FTC chairman Jon Leibowitz.

Regulators abroad have said they will also be questioning Carrier IQ and its customers. So far, European privacy regulators in Belgium, France, Germany, Ireland, Italy, and the United Kingdom have said that they're investigating if or how mobile operators inside their countries use Carrier IQ.

Vodafone and Orange have already denied using the software. As noted by PCWorld, Vodafone Portugal in 2009 announced that it was using Carrier IQ. But a Vodafone spokesperson has said that report was erroneous.

Last week, Apple acknowledged that some of its products use Carrier IQ, but it plans to discontinue that practice. "We stopped supporting Carrier IQ with iOS 5 in most of our products and will remove it completely in a future software update," Apple said in an emailed statement last week.

In response, Germany's Bavarian State Authority for Data Protection has already contacted Apple seeking more information about how it works--or has worked--with Carrier IQ, reported Bloomberg.

In the United Kingdom, meanwhile, the Information Commissioner's Office (ICO), which is responsible for enforcing the European Data Protection Act, said it will query the country's mobile phone manufacturers and carriers about their use of Carrier IQ. "Being open and upfront with customers about how their personal data is being used is fundamental to maintaining their trust. It is obviously also vital that mobile manufacturers and operators comply with the Data Protection Act," said an ICO spokesman via email.

About the Author

Mathew J. Schwartz

Contributor

Mathew Schwartz served as the information information security reporter from 2010 until mid-2014.
