We've talked for a while about just how often law enforcement seeks information from mobile operators -- often without getting any actual warrant -- knowing that it was astounding. But after an article from a few months ago in the NY Times noting that it was both routine and a big business for mobile operators, who charge law enforcement for each request, Rep. Ed Markey asked all of the major mobile operators just how often they get requests from law enforcement for subscriber info, and discovered that last year they responded to an astounding 1.3 million requests for subscriber info -- including location info, text messages and other data. And, apparently, this number likely undercounts the true size, because it notes that there was "incomplete record-keeping" in some cases. Oh yeah, and also, this just requests, not individuals -- a single request might include multiple people whose information was being sought. So, an awful lot of people were spied on this way.

Not surprisingly, the number of requests continues to rise drastically, with AT&T admitting that it had seen a tripling in requests in the last five years. As the report notes:

AT&T alone now responds to an average of more than 700 requests a day, with about 230 of them regarded as emergencies that do not require the normal court orders and subpoena.... Sprint, which did not break down its figures in as much detail as other carriers, led all companies last year in reporting what amounted to at least 1,500 data requests on average a day.

This isn't a huge surprise, but does raise significant questions about how reasonable these information trawling operations are. Do we honestly believe that law enforcement needed all of that info? This seems like a case where, of course, if the info is easy to get, law enforcement wants it. But is that reasonable?

And, telcos have little incentive to stand up for the rights of their users. They actually make money from these kinds of requests:

AT&T, for one, said it collected $8.3 million last year compared with $2.8 million in 2007, and other carriers reported similar increases in billings.

For a company that large, this isn't a major cash cow, but it is something. It's unclear how carefully the telcos review the request. At least one (smaller) telco, C Spire Wireless, reported that it had rejected about 15% of the requests, but most of the other operators didn't provide any info on rejections (and it makes you wonder if they ever rejected any requests at all).

None of this is surprising. When such a tool is available, it's almost impossible for it not to be abused. It's just too easy for law enforcement to snoop on anyone's location or text messages, and they can't resist doing so. It seems like telcos (1) could be a lot more transparent about this. While Google and Twitter both have voluntarily opened up to provide data on law enforcement requests, the only reason this info became public from the mobile operators was because of Markey's request. On top of that, it seems that the rules concerning an individual's privacy rights should also be a lot clearer, to give the telcos more ammo to push back against bogus requests.

I've actually been one of the few satisfied Sprint customers for many years. Over the past few years, they were the only mobile broadband provider who didn't limit mobile broadband to ridiculously low plans like 5 gigs per month, like other carriers. In fact, this was a key selling point, and one of the reasons why I happily stuck it out with Sprint. I know Wall St. analysts have been insisting that Sprint would need to cap such broadband usage at some point, but it seemed like a really short-sighted idea, since the unlimited broadband is really about the only facet of a Sprint account that makes it more appealing than its competitors. And so... of course... it appears to be going away. Here's the email I recently received concerning my "phone as modem" option, which I use often enough:
Basically, with no warning, effective immediately, Sprint has unilaterally changed our deal from one where I was paying for unlimited data via the phone as a modem -- to one where it's capped at a stupidly low 5GB. And, the company even has the gall to then happily tell me (below the screenshot cut off) that this change won't impact how much I pay -- as if I should have expected them to increase the fees while taking away a feature I like.

Considering that unlimited mobile broadband was not only part of the marketing pitch, but also a big part of the reason for why I signed up for the plan I did, this certainly seems like a bait-and-switch deal... and I'd thought that bait-and-switch deals like this were violations of FTC rules, but what do I know?

Of course, on a whim, I wondered if Sprint's marketing had changed... and I did a quick search on "Sprint unlimited broadband" and turned up the following advertisement:


If you can't see it clearly -- it appears Sprint is still advertising unlimited mobile broadband -- highlighting that you can "avoid the data dilemma" and "get truly Unlimited data." Except, um, that's clearly not the case. Changing your plans unilaterally for those who specifically signed up for unlimited broadband is one thing. But continuing to advertise such plans while limiting them and -- even worse, effectively mocking such limited plans -- is simply adding rather obnoxious insult to injury. Sorry Sprint, but you may have finally convinced me it's time to explore other options.

After years of not suing anyone (but always threatening that it might, someday), Intellectual Ventures has become more and more aggressive of late in suing lots of companies. A few weeks ago it sued AT&T, Sprint and T-Mobile over a bunch of patents that (of course) involved some of IV's favorite shell companies. Just as it was preparing this lawsuit, a VP from IV went public with an attempt to argue that all this litigation is a sign of innovation at work. The article is rather shocking in how it presents its argument. It mainly relies on false claims that correlation means causation, concerning historical periods of innovation and lawsuits over patents. Of course, what it ignores is that the patent fights often come right after the innovation, not before. In other words, the patent battles aren't a sign that innovation is working. Rather it's a sign of patent holders freaking out that others are innovating. It's entirely about hindering innovation, not helping move it forward.

Along those lines, the folks at M-CAM who continue to call out bogus claims in patent lawsuits analyzed the patents in this IV lawsuit and found them... well... lacking:

Our systems found nearly 500 AT&T patents, with similar claims, that predate the fifteen asserted patents. Sprint Nextel also owns 12 patents that predate the asserted portfolio.

M-CAM also questions the claims that these lawsuits have anything at all to do with innovation, and hint at more nefarious reasons for the use of a bunch of shell companies:

Is IV’s patent litigation helping inventors or investors? Considering that the bulk of the patents in suit were each “acquired” from what the USPTO characterizes as a “merger” with a different relatively unknown LLC, we’ll let you decide. Seems to us that it simply represents an attempt to use opacity and “hidden weapons” for a tactical assault having ABSOLUTELY NOTHING to do with innovation. In fact, these kinds of structures are also typically employed for tax “optimization” which is to say, to avoid paying taxes for any economic gains resulting from a successful assault, ahem sorry again, we mean “settlement”.

By the way, you may have noticed that Verizon is conspicuously absent from the list of mobile operators being sued here. That's because Verizon paid the entrance fee and is a "member" in the IV club... which apparently only cost the company $350 million. Oh yeah... and it then became an enabler. One of the patents in the new lawsuit... once was owned by Verizon.

Of the four national mobile operators, only Sprint still offers an "unlimited" data plan -- and most industry watchers expect that to go away soon. When the operators talk about this stuff, they complain about how unlimited plans are abused and the amount of data being used by so-called "data hogs" is crippling network bandwidth. Of course, the alternative story is that they just want to charge people higher rates, and putting a toll booth on data usage makes that possible. A new study by Validas confirms that the latter theory seems to match with reality. The company looked at 11,000 mobile phone bills of users on both throttled (tiered) plans and unlimited data plans and found... data usage was effectively the same. In other words, for all the talk about how tiers and throttles are needed to stop bandwidth hogging... reality shows that these plans have little impact on actual data usage. Or, to put it really simply: these plans are all about the mobile operators making more money and have nothing to do with network capacity.

Of course, as I've argued in the past, this is a pretty short-sighted strategy by the mobile operators. While they have every right to set up whatever business models they want in order to maximize profit, this might come back to haunt them. The problem with a tiered or throttled data plan is that it actually makes the mobile data service less valuable. Not only does it cost more for the same usage, it adds mental transaction costs as users have to keep track of their usage. That's only going to make people value alternatives much more. The carriers can get away with that if there are no alternatives (as is the case some of the time), but as more alternatives hit the market, expect people to shift their usage to networks they can actually use without fear.

The story so far: security researcher Trevor Eckhart exposed some very disturbing information about the "Carrier IQ" application here. This set off a small firestorm, which quickly got much bigger when Carrier IQ responded by attempting to bully and threaten him into silence. This did not go over well. After he refused to back down, they retracted the threats and apologized.

Eckhart followed up by posting part two of his research, demonstrating some of his findings on video. Considerable discussion of that demonstration ensued, for example here and here and here. Some critics of Eckhart's research have opined that it's overblown or not rigorous enough. But further analysis and commentary suggests that the problem could well be worse than we currently know. Stephen Wicker of Cornell University has explored some of the implications, and his comments seem especially apropos given that Carrier IQ has publicly admitted holding a treasure trove of data. Dan Rosenberg has done further in-depth research on the detailed workings of Carrier IQ, leading to rather a lot of discussion about Carrier IQ's capabilities -- there's some disagreement among researchers over what Carrier IQ is doing versus what it could be doing, e.g.: Is Carrier IQ's Data-Logging Phone Software Helpful or a Hacker's Goldmine?

Meanwhile, the scandal grew, questions were raised about whether it violated federal wiretap laws, a least one US Senator noticed, and Carrier IQ issued an inept press release. Phone vendors and carriers have been begun backing away from Carrier IQ as quickly as possible; there were denials from Verizon and Apple . T-Mobile has posted internal and external quick guides about Carrier IQ. Some of the denials were more credible than others. There has been some skepticism about Carrier IQ's statements, given their own marketing claims and the non-answers to some questions. There's also been discussion about the claims made in Carrier IQ's patent.

Then the lawsuits started, see Hagens Berman and Sianna & Straite and 8 companies hit with lawsuit for some details on three of them.

Attempts to figure out which phones are infected with Carrier IQ are ongoing. For example, the Google Nexus Android phones and original Xoom tablet seem to not be infected, nor do phones used on UK-based mobile networks, but traces of are present in some versions of iOS, although their function isn't entirely clear. A preliminary/beta application that tries to detect it is now available. Methods for removing it have been discussed.

Meanhile, A Freedom of Information Act request's response has indicated (per the FBI) that Carrier IQ files have been used for "law enforcement purposes", but Carrier IQ has denied this. And there seems to be a growing realization that all of this has somehow become standard practice; as Dennis Fisher astutely observes, With Mobile Devices, Users Are the Product, Not the Buyer.

Those are the details; now what about the implications?

Debate continues about whether Carrier's IQ is a rootkit and/or spyware. Some have observed that if it's a rootkit, it's a rather poorly-concealed one. But it's been made unkillable, and it harvests keystrokes -- two properties most often associated with malicious software. And there's no question that Carrier IQ really did attempt to suppress Eckhart's publication of his findings.

But even if we grant, for the purpose of argument, that it's not a rootkit and not spyware, it still has an impact on the aggregate system security of the phone: it provides a good deal of pre-existing functionality that any attacker can leverage. In other words, intruding malware doesn't need to implement the vast array of functions that Carrier IQ already has; it just has to activate and tap into them.

Which brings me to a set of questions that probably should have been publicly debated and answered before software like this was installed on an estimated 150 million phones. I'm not talking about the questions that involve the details of Carrier IQ -- because I think we'll get answers to those from researchers and from legal proceedings. I'm talking about larger questions that apply to all phones -- indeed, to all mobile devices -- such as:

• What kind of debugging or performance-monitoring software should be included?
• Who should be responsible for that software's installation? Its maintenance?
• Should the source code for that software be published so that we can all see exactly what it does?
• Should device owners be allowed to turn it off/deinstall it -- or, should they be asked for permission to install it/turn it on?
• Will carriers or manufacturers pay the bandwidth charges for users whose devices transmit this data?
• Should carriers or manufacturers pay phone owners for access to the device owners' data?
• Where's the dividing line between performance-measuring data that can be used to assess and improve services, and personal data? Is there such a dividing line?
• Will data transmission be encrypted? How?
• Will data be anonymized or stripped or otherwise made less personally-identifiable? Will this be done before or after transmission or both? Will this process be full-documented and available for public review?
• What data will be sent -- and will device owners be able to exert some fine-grained control over what and when?
• Who is is responsible for the security of the data gathered?
• Who will have access to that data?
• When will that data be destroyed?
• Who will be accountable if/when security on the data repository is breached?
• What are the privacy implications of such a large collection of diverse data?
• Will it be available to law enforcement agencies? (Actually, I think I can answer that one: "yes". I think it's a given that any such collection of data will be targeted for acquisition by every law enforcement agency in every country. Some of them are bound to get it. See "FBI", above, for a case in point.)

Lots of questions, I know. Perhaps I could summarize that list by asking these three instead: (1) Who owns your mobile device? (2) Who owns the software installed on your mobile device? and (3) Who owns your data?

So remember Carrier IQ? That would be the company that is providing what's been deemed a root kit on a ton of mobile phones. While the company has sought to downplay the security and privacy risks of its software (to the point of threatening the main researcher behind the revelation), further research suggested that the software likely tracked actions down to the keystroke. Again, Carrier IQ has insisted that its only purpose was to help mobile operators get data and information to help out when users are having problems. For example, it notes the ability to highlight when and how users have dropped calls. And if this was all it really does, then the software might be slightly reasonable (though, the fact that it's hidden and almost impossible to remove represents a significant problem no matter how benign the software might be).

However, Michael Morisy over at the site Muckrock, decided he might try a different angle to learn about Carrier IQ and whether it was used for surveillance: he filed a Freedom of Information Act request with the FBI to find out if and how it uses Carrier IQ data. Not too surprisingly, the FBI won't provide him any details, but the way in which it turned him down was actually quite telling. Rather than just saying there were "no responsive documents," it instead said that it did have responsive documents "but they were exempt under a provision that covers materials that, if disclosed, might reasonably interfere with an ongoing investigation." That may imply, contrary to Carrier IQ's suggestions, that its software isn't for monitoring and spying, that the FBI views it quite differently, and already makes use of some Carrier IQ data. Of course, Morisy notes that there is another possible explanation: the FBI could be investigating Carrier IQ itself following these allegations, and it won't reveal the data for fear of compromising that investigation. Either way, it at least raises some significant new questions concerning Carrier IQ and how its data is being used.

Update: Carrier IQ has come out with a response insisting that it has never given out info to the FBI. I would imagine that's true, but it's besides the point. The issue is whether or not the FBI uses Carrier IQ data that it receives via the mobile operators.

Remember Carrier IQ? This was the company whose software was installed on a ton of phones out there (mainly from Verizon and Sprint), supposedly to record things like if there are dropped calls or problems or whatnot, but which actually appeared to be a rootkit that could track all sorts of info? Then, remember how, rather than respond professionally to this, Carrier IQ threatened researcher Trevor Eckhart with a copyright lawsuit over this? CarrierIQ eventually backed down... and again insisted that the claims of keystroke logging were simply not true.

Yeah. So. Don't piss off a security researcher. Eckhart is back with a video showing how CarrierIQ's software does track keystrokes and sends them to a central server. He demonstrates it recording and sending data, even though Eckhart is logging into something using HTTPS. Of course, when the software is local and tracking keystrokes, HTTPS is meaningless. Dave Kravets at Wired highlights what's really scary about all of this:

By the way, it cannot be turned off without rooting the phone and replacing the operating system. And even if you stop paying for wireless service from your carrier and decide to just use Wi-Fi, your device still reports to Carrier IQ.

It’s not even clear what privacy policy covers this. Is it Carrier IQ’s, your carrier’s or your phone manufacturer’s? And, perhaps, most important, is sending your communications to Carrier IQ a violation of the federal government’s ban on wiretapping?

And even more obvious, Eckhart wonders why aren’t mobile-phone customers informed of this rootkit and given a way to opt out?

I would imagine that lawyers are furiously drawing up a pretty massive class action lawsuit as we speak (if it hasn't already been filed).

Security researcher Trevor Eckhart has put out a report suggesting that a ton of Sprint and Verizon Wireless mobile phones have what is effectively a rootkit installed on them. Specifically, he's talking about CarrierIQ, a bit of software intended to monitor device usage, supposedly for the purpose of understanding problems that a user might be having and helping to troubleshoot remotely. The description of the software seems mostly innocuous:

Carrier IQ is used to understand what problems customers are having with our network or devices so we can take action to improve service quality.

It collects enough information to understand the customer experience with devices on our network and how to devise solutions to use and connection problems. We do not and cannot look at the contents of messages, photos, videos, etc., using this tool

However, in digging into the details of the software, Eckhart realized that it can easily track all sorts of info, including what websites people are visiting and what keypresses they make. The software can also surreptitiously report where the phone is located. He further notes that the software is purposely hidden on a bunch of devices, and on many it appears that you simply can't turn it off.

Now, I don't think anyone is suggesting anything nefarious here. There are reasons why operators like to collect this kind of data and, in the aggregate, it seems useful. But, as Eckhart looked in more detail at training materials for the software, he realized it could easily be used to track at a much more granular level, down to individuals. The potential for abuse seems pretty high. Again, it's obvious why this software is installed, but it raises questions about what carriers are doing to make sure the software isn't being abused. It's also somewhat troubling that the carriers aren't all that straightforward about how this software is monitoring their users...

With the Justice Department believing that it can get all sorts of data from telcos without any oversight or without a warrant, it seems rather important to know what kind of info your mobile operator is keeping -- and for how long. The ACLU, via a Freedom of Information Act request, was able to get a "for law enforcement use only" document that shows how long the carriers hold on to what data (Wired also notes that the document could already be found online if you knew the title). The document itself is a pretty weak scan: Thankfully, however, now that the data is out there, we can show it friendlier formats. Michael Robertson was kind enough to take the data (minus the "for law enforcement use only" part, and put it into a Google docs spreadsheet: Additionally, the folks at Wired put together a nice infographic from the data: What it seems to show is that Verizon holds onto your texting data for the least amount of time, but also retains the actual text of your text messages -- something no one else, outside of Virgin Mobile, does. How long until we see a push for a mobile data retention law to "standardize" what these companies have to hang onto and for how long?

While there's been plenty of concern in the past couple weeks about Apple's iPhone/iPad location data, followed by Google's Android location data, plenty of people pointed out from the beginning that what both companies have done completely pales in comparison to the sort of data that mobile phone operators regularly collect on you. Even as lawsuits have been filed against both Apple and Google, few of the people who are really upset about those two companies seem to recognize that what the operators have is much, much more complete. The mobile operators, apparently fearing that people may start to realize this, have become a bit proactive and are trying to convince everyone that the real problems are elsewhere -- specifically with apps on phones, not with the service providers. You see, don't worry about all the data we collect. Just look at what those apps are doing:

AT&T noted it “plays no role” in what kind of information smartphone apps collect, while T-Mobile pointed out the ways in which that data can be used.

Sprint lamented “consumers no longer can look to their trusted carrier with whom they have a trusted relationship to answer all of their questions,” particularly on privacy.

And Verizon Wireless called out smartphone app makers directly on the issue, stressing “location-based applications and services (whether provided by us or third parties such as Google) should give customers clear and transparent notice” and control.

This was in response to questions from Congressional Reps. Ed Markey and Joe Barton, leading all of the operators to also admit that they collect such data as well, but really, apps. Apps are a bigger issue. Just focus on the apps. Really. Apps.