
Saturday, December 3, 2011

Carrier IQ faces lawsuits, lawmaker seeks FTC probe


Larry Lenhart, CEO of Carrier IQ, talks about the software in this screenshot of a promotional video. The company is facing lawsuits and potential regulatory probes over its mobile diagnostic software that critics say violates user privacy.
(Credit: Carrier IQ)
Carrier IQ's woes continue to multiply.
The Mountain View, Calif., startup now faces four lawsuits over allegations that its cellphone software violates the privacy of mobile users. A congressman has also asked the U.S. Federal Trade Commission today to investigate those charges.
The developments aren't terribly surprising given the media firestorm around Carrier IQ, which programmer Trevor Eckhart alleges records keystrokes from mobile phones and sends all sorts of personal information off the phone. Carrier IQ denies that and says limited data is gathered for diagnostic purposes only. (CNET has a FAQ with more detailed information about exactly what Carrier IQ is doing to your mobile device.)
A lawsuit filed today in federal court in San Jose, Calif., alleges that Carrier IQ "is involved in installing spyware on mobile phones and using that hidden software to siphon off private consumer data without consumer consent," attorney Ira Rothken told CNET. The suit accuses Carrier IQ of violating various federal and state laws, including the California Anti-Spyware Statute and the right to privacy provision of the California Constitution.
A separate suit filed in the court yesterday targeted Carrier IQ and phone makers HTC and Samsung, also alleging violations of the Federal Wiretap Act and California's Unfair Business Practice Act. "The lawsuit alleges that, in reality, the program does record keystrokes and the content of messages, and could transmit the information to third parties, possibly including information sent to secure websites using HTTPS security protocols used in e-commerce and other security-sensitive sites such as banking," according to a statement plaintiff attorney Steve W. Berman released today.
Lawsuits also were filed in Chicago and St. Louis yesterday against Carrier IQ, HTC and Samsung for alleged violation of the Federal Wiretap Act, according to Paid Content. The law forbids the interception of "oral, wire or electronic communications." Penalties are $100 per day per violation.
"The company has not seen or been served on any lawsuit, so we cannot comment on the allegations at this time," Carrier IQ said in a statement today. "Carrier IQ is aware of various commentators alleging Carrier IQ has violated wiretap laws and we vigorously disagree with these assertions."
Meanwhile, Rep. Edward Markey (D-Massachusetts) asked the FTC to investigate the Carrier IQ situation. "This software raises a number of privacy concerns for Android, Blackberry, and Nokia users," Markey wrote in a letter to the commission. "Consumers neither have knowledge of this data collection, nor what Carrier IQ intends to do with this information. As a co-Chair of the Congressional Bi-Partisan Privacy Caucus, I am concerned that this practice violates the privacy rights of consumers."
The data regulator in Germany has sent a letter to Apple requesting further information, according to the Paid Content report. Apple said yesterday that it stopped using Carrier IQ before releasing iOS 5 last month and will remove it entirely from its products in a future software update.
The Consumer Watchdog activist group asked the U.S. Justice Department and the Federal Communications Commission to investigate the "Spyphone Scandal." "The probe should extend beyond the software developer, Carrier IQ, and include operating systems developers like Google and Apple as well as carriers and device manufacturers," the nonpartisan, nonprofit public interest group said.
Sen. Al Franken, a Minnesota Democrat, sent a letter to Carrier IQ yesterday asking it to answer questions about the data it gathers by December 14.
The lawsuits do not name the carriers, despite the fact that Carrier IQ says it is merely doing their bidding. The carriers decide what types of data to collect, how much and when, Andrew Coward, vice president of marketing at Carrier IQ, told CNET. The carriers ask the device manufacturers to pre-load the software on their phones.
So far, Verizon says it does not use Carrier IQ, while Sprint, AT&T and T-Mobile say they use it to improve network performance.
"T-Mobile utilizes the Carrier IQ diagnostic tool to troubleshoot device and network performance with the goal of enhancing network reliability and our customers' experience," the carrier said in a statement sent to CNET today. "T-Mobile does not use this diagnostic tool to obtain the content of text, email or voice messages, or the specific destinations of a customer's internet activity, nor is the tool used for marketing purposes."
Nokia and BlackBerry maker Research in Motion say they do not pre-install Carrier IQ on their phones, while HTC, Samsung and Motorola say they pre-install it at the carrier's request. Google, meanwhile, says it does not use it on Nexus devices.
Carrier IQ is getting vilified for making a "rootkit keylogger" while carriers are the ones in control of the data, which is collected without notice to or permission from users.


Friday, December 2, 2011

How Carrier IQ was wrongly accused of keylogging


In just a few days, a startup company named Carrier IQ has been subjected to extraordinary public vilification, with reports accusing it of making a "rootkit keylogger" that "creeps out everyone" or is the "rootkit of all evil."
The only problem, which is always a risk when a public lynching takes place, is that Carrier IQ appears to be not guilty of the charges lodged against it.
The most serious charge against Carrier IQ, a venture capital-funded startup in Mountain View, Calif., that makes diagnostic software for carriers, has been that it records keystrokes and transmits them to carriers. One article on a Mac Web site breathlessly reported that "Carrier IQ Probably Violated Federal Wiretap Laws In Millions Of Cases."
Well, no. There's zero evidence that Carrier IQ captured, recorded, or transmitted any keystrokes. But that didn't stop the self-appointed lynch mob on blogs and on Twitter (#OccupyCarriers, that would be you).
Dan Rosenberg, an exceptionally talented security consultant who has discovered over 100 vulnerabilities in the Linux kernel, FreeBSD, and GNU utilities, extracted a copy of Carrier IQ's software from his own Android phones. He then analyzed the assembly language code with a debugger that allowed him to look under the hood.
"The application does not record and transmit keystroke data back to carriers," Rosenberg told CNET. His reverse-engineering showed that "there is no code in Carrier IQ that actually records keystrokes for data collection purposes."
Carrier IQ has given Rebecca Bace, a well-known security expert who's advised startups including Tripwire and Qualys, access to the company's engineers and internal documents. (Bace says she has no financial relationship with Carrier IQ.)
Bace told CNET that: "I'm comfortable that the designers and implementers expended a great deal of discipline in focusing on the espoused goals of the software -- to serve as a diagnostic aid for assuring quality of service and experience for mobile carriers."
Andrew Coward, Carrier IQ's vice president for marketing, acknowledged last night that the company may not have taken the best approach in responding to public criticism, which started with a blog post by Trevor Eckhart, a 25-year-old system administrator in Connecticut who noticed unusual software on HTC EVO devices. He dubbed it a rootkit, leading to legal threats from Carrier IQ, an intervention by the Electronic Frontier Foundation, and an embarrassing bit of backtracking a few days later.
Threatening to sue a security researcher, even a newly-minted one, isn't exactly the way to make friends nowadays -- especially after the last decade has seen a parade of ill-received threats from Cisco, HP, voting machine makers, and the Recording Industry Association of America.
That legal threat, not unreasonably, led critics to assume the worst. "That's really been part of our challenge in responding to the allegations," Coward told CNET. The company decided it needed to be more forthcoming after "going back and saying, 'No, we don't, no we don't,' which is where we started, didn't really work." (The company also released a public statement yesterday.)
There's now a "vast misunderstanding of what we do," Coward says.
That Carrier IQ is innocent of the keylogging accusation, the most serious charge, does not, however, mean there are no privacy concerns.
Coward acknowledged that the company's software, which is designed to be installed by carriers, can report back what applications are being used and what URLs are visited. Carrier IQ doesn't make these decisions; rather, they sell configurable software and the carriers decide what options to enable.
"It's up to them whether they do or don't collect that information," Coward says.
The information is used to summarize how the device is working so carriers can improve their networks, he says. It also helps them when they're forced to field calls from outraged customers wondering why their handset keeps crashing or runs out of battery life in a few hours.
Typically the data dump to a carrier is configured to be sent daily, either over Wi-Fi or the carrier's networks, Coward said. "The device ends up storing about 200 kilobytes of data," he says. "That's typical upload size. When it gets to the point that it's full, it'll do an upload or it'll drop data and start wrapping and store summary information." (Customers aren't charged for the upload, and it's disabled when the phone is roaming.)
