So remember Carrier IQ? That would be the company that is providing what's been deemed a rootkit on a ton of mobile phones. While the company has sought to downplay the security and privacy risks of its software (to the point of threatening the main researcher behind the revelation), further research suggested that the software likely tracked actions down to the keystroke. Again, Carrier IQ has insisted that its only purpose was to help mobile operators get data and information to help out when users are having problems. For example, it notes the ability to highlight when and how users have dropped calls. And if this were all it really does, then the software might be slightly reasonable (though the fact that it's hidden and almost impossible to remove represents a significant problem no matter how benign the software might be).
However, Michael Morisy, over at the site Muckrock, decided he might try a different angle to learn about Carrier IQ and whether it was used for surveillance: he filed a Freedom of Information Act request with the FBI to find out if and how it uses Carrier IQ data. Not too surprisingly, the FBI won't provide him any details, but the way in which it turned him down was actually quite telling. Rather than just saying there were "no responsive documents," it instead said that it did have responsive documents "but they were exempt under a provision that covers materials that, if disclosed, might reasonably interfere with an ongoing investigation." That may imply, contrary to Carrier IQ's suggestions that its software isn't for monitoring and spying, that the FBI views it quite differently and already makes use of some Carrier IQ data. Of course, Morisy notes that there is another possible explanation: the FBI could be investigating Carrier IQ itself following these allegations, and it won't reveal the data for fear of compromising that investigation. Either way, it at least raises some significant new questions concerning Carrier IQ and how its data is being used.
Update: Carrier IQ has come out with a response insisting that it has never given out info to the FBI. I would imagine that's true, but it's beside the point. The issue is whether or not the FBI uses Carrier IQ data that it receives via the mobile operators.
Remember Carrier IQ? This was the company whose software was installed on a ton of phones out there (mainly from Verizon and Sprint), supposedly to record things like if there are dropped calls or problems or whatnot, but which actually appeared to be a rootkit that could track all sorts of info? Then, remember how, rather than respond professionally to this, Carrier IQ threatened researcher Trevor Eckhart with a copyright lawsuit over this? CarrierIQ eventually backed down... and again insisted that the claims of keystroke logging were simply not true.
Yeah. So. Don't piss off a security researcher. Eckhart is back with a video showing how CarrierIQ's software does track keystrokes and sends them to a central server. He demonstrates it recording and sending data, even though Eckhart is logging into something using HTTPS. Of course, when the software is local and tracking keystrokes, HTTPS is meaningless.
Dave Kravets at Wired highlights what's really scary about all of this:
By the way, it cannot be turned off without rooting the phone and replacing the operating system. And even if you stop paying for wireless service from your carrier and decide to just use Wi-Fi, your device still reports to Carrier IQ.
And even more obvious, Eckhart wonders why aren’t mobile-phone customers informed of this rootkit and given a way to opt out?
I would imagine that lawyers are furiously drawing up a pretty massive class action lawsuit as we speak (if it hasn't already been filed).
Security researcher Trevor Eckhart has put out a report suggesting that a ton of Sprint and Verizon Wireless mobile phones have what is effectively a rootkit installed on them. Specifically, he's talking about CarrierIQ, a bit of software intended to monitor device usage, supposedly for the purpose of understanding problems that a user might be having and helping to troubleshoot remotely. The description of the software seems mostly innocuous:
Carrier IQ is used to understand what problems customers are having with our network or devices so we can take action to improve service quality.
It collects enough information to understand the customer experience with devices on our network and how to devise solutions to use and connection problems. We do not and cannot look at the contents of messages, photos, videos, etc., using this tool
However, in digging into the details of the software, Eckhart realized that it can easily track all sorts of info, including what websites people are visiting and what keypresses they make. The software can also surreptitiously report where the phone is located. He further notes that the software is purposely hidden on a bunch of devices, and on many it appears that you simply can't turn it off.
Now, I don't think anyone is suggesting anything nefarious here. There are reasons why operators like to collect this kind of data and, in the aggregate, it seems useful. But, as Eckhart looked in more detail at training materials for the software, he realized it could easily be used to track at a much more granular level, down to individuals. The potential for abuse seems pretty high. Again, it's obvious why this software is installed, but it raises questions about what carriers are doing to make sure the software isn't being abused. It's also somewhat troubling that the carriers aren't all that straightforward about how this software is monitoring their users...
With the Justice Department believing that it can get all sorts of data from telcos without any oversight or without a warrant, it seems rather important to know what kind of info your mobile operator is keeping -- and for how long. The ACLU, via a Freedom of Information Act request, was able to get a "for law enforcement use only" document that shows how long the carriers hold on to what data (Wired also notes that the document could already be found online if you knew the title). The document itself is a pretty weak scan:
Thankfully, however, now that the data is out there, we can show it in friendlier formats. Michael Robertson was kind enough to take the data (minus the "for law enforcement use only" part) and put it into a Google Docs spreadsheet:
Additionally, the folks at Wired put together a nice infographic from the data:
What it seems to show is that Verizon holds onto your texting data for the least amount of time, but also retains the actual text of your text messages -- something no one else, outside of Virgin Mobile, does. How long until we see a push for a mobile data retention law to "standardize" what these companies have to hang onto and for how long?
While there's been plenty of concern in the past couple weeks about Apple's iPhone/iPad location data, followed by Google's Android location data, plenty of people pointed out from the beginning that what both companies have done completely pales in comparison to the sort of data that mobile phone operators regularly collect on you. Even as lawsuits have been filed against both Apple and Google, few of the people who are really upset about those two companies seem to recognize that what the operators have is much, much more complete. The mobile operators, apparently fearing that people may start to realize this, have become a bit proactive and are trying to convince everyone that the real problems are elsewhere -- specifically with apps on phones, not with the service providers. You see, don't worry about all the data we collect. Just look at what those apps are doing:
AT&T noted it “plays no role” in what kind of information smartphone apps collect, while T-Mobile pointed out the ways in which that data can be used.
Sprint lamented “consumers no longer can look to their trusted carrier with whom they have a trusted relationship to answer all of their questions,” particularly on privacy.
And Verizon Wireless called out smartphone app makers directly on the issue, stressing “location-based applications and services (whether provided by us or third parties such as Google) should give customers clear and transparent notice” and control.
This was in response to questions from Congressional Reps. Ed Markey and Joe Barton, leading all of the operators to also admit that they collect such data as well, but really, apps. Apps are a bigger issue. Just focus on the apps. Really. Apps.
We just wrote about how Max Davis, who's trying to create a silly and totally pointless compulsory licensing system for MMS content, was more or less laughed out of court in the lawsuit he filed against the mobile operators, claiming that they were running illegal P2P file sharing programs in the form of their MMS capabilities. It apparently took him all of a few days to come up with a new, perhaps even more ridiculous strategy: he's suing AT&T, Verizon, Sprint, T-Mobile and TracFone for supposed antitrust violations over the same basic issues. Once again, it seems clear that this is an incredibly weak (and almost certainly unproductive) attempt at getting these companies to agree to his pointless licensing scheme.
So how are these mobile operators guilty of antitrust violations? According to Davis:
Defendants purposely conspired via collusion to install themselves as the new primary gate keepers and sole beneficiaries of multimedia content sharing through their new MMS technologies.
Except, of course, that's ridiculous. These companies did agree to set up MMS systems, but that's because they're the mobile operators who run the mobile networks. That's not collusion. And it's not antitrust. The filing gets more ridiculous as it goes on. He claims that these operators do not qualify as DMCA service providers, contrary to the pretty clear language of the law and plenty of case law. The whole thing seems frivolous, and it seems likely that this lawsuit will reach a similar conclusion to the previous one.
Last summer, we wrote about an incredibly poorly thought out lawsuit, by a company named Luvdarts, developers of MMS content, suing the mobile operators, because MMS can be forwarded from a recipient to another person. The company claimed that the big mobile operators were no different than file sharing networks, like Limewire or Gnutella, because each forwarding of content was infringement. As we pointed out at the time, this made no sense. It was a silly argument that was really being put forth by a guy named Max Davis, who has an equally silly plan to add compulsory licensing to MMS content, and this lawsuit was an incredibly weak attempt to push the mobile operators into negotiating. Instead, as we predicted, it's been dismissed by the courts for failure to state a claim. The dismissal was with prejudice, meaning that the court doesn't want to see them again on this. The press release linked above is kind of amusing, because it has the folks behind the lawsuit claiming that they're happy about this result and planning to appeal. Guys, you just got laughed out of court, because this lawsuit makes no sense. Appealing isn't going to fix that.
We recently wrote about a somewhat surprising ruling by the appeals court in the DC circuit saying that long-term use of a GPS to track someone without a warrant violated the 4th Amendment. What was surprising about this is that, while state courts had ruled similarly, the federal courts had almost universally ruled that such tracking was legal. While that case will almost certainly be appealed and seems to have a decent likelihood of ending up before the Supreme Court, it's apparently already impacting some rulings elsewhere. Chris Soghoian notes that a federal magistrate judge recently rejected the government's request for historical cell site data from Sprint, because the government failed to show probable cause (as required under the 4th Amendment):
What's notable is that the judge admits to having approved similar requests in the past, but refuses to do so this time as a result of that recent ruling, noting that its reasoning highlighted how technology is changing the way many view privacy and surveillance:
The decision in Maynard is just one of several rulings in recent years reflecting a growing recognition, at least in some courts, that technology has progressed to the point where a person who wishes to partake in the social, cultural, and political affairs of our society has no realistic choice but to expose to others, if not to the public as a whole, a broad range of conduct and communications that would previously have been deemed unquestionably private....
As a result of such decisions, I believe that magistrate judges presented with ex parte requests for authority to deploy various forms of warrantless location-tracking must carefully re-examine the constitutionality of such investigative techniques, and that it is no longer enough to dismiss the need for such analysis by relying on cases such as Knotts or, as discussed below, Smith v. Maryland.... For the reasons discussed below, I now conclude that the Fourth Amendment prohibits as an unreasonable search and seizure the order the government now seeks in the absence of a showing of "probable cause, supported by Oath or affirmation[.]"
Nice to see some judges recognizing this, though it remains to be seen how many others will agree... and how the Supreme Court reacts to all of this.
Regular Techdirt commenter Max Davis (who I believe may be involved in this lawsuit) passed along the news that all the big US mobile operators have been sued -- including AT&T, Verizon Wireless, Sprint and T-Mobile -- under the claim that their MMS platforms are really illegal file sharing networks, and that these operators are no different than Limewire or Gnutella. Yes, seriously -- the email Max sent repeatedly refers to MMS and Limewire as if they were the same. Here's the complaint:
Honestly, the whole lawsuit seems ridiculous. Here's the crux of it:
Defendants, and each of them, enabled the transfer/transmission and publication of this copyright protected content via mobile devices by building and implementing a peer to peer file sharing network with the dedicated purpose of enabling end users to share multimedia files via this MMS network. Defendants, and each of them, profited from these activities by charging the transmitter and receivers of this content a fee or flat rate for the transfer/transmission that resulted in the publication of said content. Despite charging the transmitter and receiver a fee for the delivery of this copyrighted content, Defendants, and each of them, failed to compensate the holder of the copyrights for this content that was necessary in generating the MMS data revenue. Furthermore, Defendants, and each of them failed or refused to provide a system where an adequate accounting of the transfer/transmission and publication of this copyrighted content could be made.
Basically, this company, Luvdarts, made MMS content, and it got distributed via MMS. Since recipients of MMS can forward the MMS data they receive, such content got forwarded around. Since the mobile operators receive revenue for MMS data, Luvdarts is effectively claiming that they are profiting off the infringement of Luvdarts content. This makes no sense. It's like saying that any email provider is infringing on the copyrights of email writers by letting recipients forward emails. You know those chain emails that get passed around? Imagine if one of the authors of those then sued all the big email providers. It would get laughed out of court. Hopefully, this lawsuit gets laughed out of court too.
The one oddity is that the lawsuit claims that the mobile operators do not qualify for DMCA safe harbor protections, because they're "not service providers" as defined in the DMCA. Specifically:
The transmission of this MMS data is not covered by the exemption for Internet Service Providers as set forth in 17 U.S.C. §512 because the wireless carriers are not Internet Service Providers as defined by §512 while providing a dedicated MMS network for multimedia file sharing.
Really? If you haven't read your §512 lately, why not go take a look and explain how a mobile operator offering MMS is not covered. It certainly seems covered by the definition:
(1) Service provider--
(A) As used in subsection (a), the term "service provider" means an entity offering the transmission, routing, or providing of connections for digital online communications, between or among points specified by a user, of material of the user's choosing, without modification to the content of the material as sent or received.
(B) As used in this section, other than subsection (a), the term "service provider" means a provider of online services or network access, or the operator of facilities therefor, and includes an entity described in subparagraph (A).
Help me out. Where are mobile operators offering MMS features excluded? Looks like yet another frivolous lawsuit. But, of course, Luvdarts is demanding the statutory maximum of $150,000 per infringement, and claims "9,999 to 100,000 counts of infringement" (broad enough range there?). Good luck, Max.
Back when Sprint joined other mobile carriers in issuing a 5 GB limit on its EVDO connection, I was among those who noted that it was disappointing that the company sold me an "unlimited" service, and then changed the terms on me unilaterally. It also changed the way I used my EVDO card, making it significantly less useful and valuable for me. I don't want to be thinking about how much data I'm using (and it was especially difficult without a detailed system of tracking how much data you were using). I remember once, while traveling, I accidentally left the EVDO connection running overnight, and got worried that Sprint might cut me off. It's just not worth it, and I've actually been thinking about dumping Sprint once my contract is up.
Apparently, I wasn't alone in thinking this and Sprint has noticed. With its new WiMax network, it has stayed away from talking about any caps, and has now admitted that the reaction to the EVDO caps is part of the reason why. They're afraid that, just as they're trying to convince people to use the WiMax network, they'll get scared off by caps. The problem, of course, is that these mobile broadband providers are fighting against themselves on these things. They want to convince the world that these networks are useful -- and to do that, you have to show all the cool things that you can do with them. But, if they haven't really invested enough in the networks, they can actually run into some congestion problems, and so they can't encourage you to use them too much. Hopefully, the investment into WiMax (or, potentially moving on to LTE) will mean that such congestion problems are mostly a thing of the past, and that it's not worth implementing caps.
That said, Sprint's admission of how people responded to the EVDO caps should be a clear warning to ISPs that keep trying to implement broadband caps or metered broadband. Doing so imposes additional costs that you might not have considered, such as the mental transaction costs your users face in determining if it's even worth using your network. Of course, ISPs should know this already. We already have a detailed case study in that AOL only really took off after it switched from hourly billing to an unlimited flat-rate. Why some ISPs want to go back to make their product less valuable is beyond me.