Wednesday, January 25, 2012
Carrier IQ – Has someone violated the Electronic Communications Privacy Act?
Categories: Business, Copyright, Legislation, Mobile Phones, Privacy
Photo Titled "Completely Taped" by Byung Kyu Park available on Flickr
141 million handsets have a software program deployed on them which purports to collect only network diagnostic information for mobile phone service carriers. However, this program runs secretly: it does not appear as a “running application” on the applications list, so an average mobile phone user cannot easily see it running on their phone. Nor is there a clear disclosure of what data the application collects, or an easy way to opt out of it running on the mobile device. Nor is there any easy way to stop it from running on Android phones. On November 28, 2011, Trevor Eckhart uploaded a seventeen-minute video (shown above) exposing the extent of the data being captured by Carrier IQ, an application that mobile phone providers and/or carriers install on mobile phones. The video shows an Android developer searching his phone for privacy policy disclosures; finding none related to the Carrier IQ program, he proceeds to show the type of data that Carrier IQ logs to the phone’s debug log. For example, each time he presses a key, that key press is logged, even when he enters information into a web page over his own local WiFi connection and the session is protected with SSL (an encrypted means of communicating between a client and a host that forms the backbone of all secure communication over the Internet; as a standard, all data transferred within an SSL connection should be encrypted and protected after the SSL handshake). As of January 25, 2012, Eckhart’s video had received over 1.9 million views on YouTube.
Carrier IQ responded by sending Eckhart a letter threatening legal action unless he retracted his research, characterizing his analysis and posting of privacy policies as a breach of copyright which could expose him to in excess of $150,000 in damages. Eckhart reached out to the E.F.F., who agreed to represent him; Carrier IQ has since backed off from its legal action and apologized for the cease and desist letter. The question remains now – has Carrier IQ, or the mobile phone manufacturers, or the mobile service carriers violated the E.C.P.A. by secretly running a software program on the mobile phones?
The Electronic Communications Privacy Act (E.C.P.A., 18 U.S.C.A. § 2510) was enacted to expand the scope of the Wiretap Act (which was focused on the interception of voice communication) to protect data transferred by computers. Title I of the Act protects messages that are in transit, and Title II of the Act protects messages that are in storage on a device. Within the E.C.P.A., it is unlawful for a person to distribute “any electronic, mechanical, or other device, knowing or having reason to know that the design of such device renders it primarily useful for the purpose of the surreptitious interception of wire, oral, or electronic communications” (18 U.S.C.A. § 2512(1)(a)). However, carriers do have an exception: in the normal course of their business in maintaining their communication systems, they can use devices to intercept wire communications.
Senator Al Franken, who chairs the Senate Judiciary Subcommittee on Privacy, Technology and the Law, has requested more information regarding what data is being collected and where the data is being sent. Depending on the type of data that is actually collected and sent to the carriers, they may be able to claim that they were operating within their normal course of business in maintaining the stability of the wireless networks. A criminal or civil case under the E.C.P.A. may not be a guaranteed success in a court of law. However, public surprise at the extent of the data being captured, and the lack of notice and control that users are able to exercise over how much activity is being tracked, have already made the carriers and Carrier IQ losers in the court of public opinion.
Monday, January 23, 2012
“If the Price is too Good to be True, it Probably is” - ICE Director John Morton
Photo by: mollyali's
A coordinated government effort to crack down on websites selling counterfeit goods is in full force, most recently seizing 150 websites on Cyber Monday 2011. The rationale for the seizures is based on the idea that these websites steal creative ideas, cost our economy jobs and revenue, and can threaten the health and safety of American consumers by selling inferior goods in the market. Opponents argue the seizures are unconstitutional because the government does not afford the site owners adequate due process protection prior to seizing the sites.
Operation in our Sites is the effort of DOJ and DHS/ICE to halt intellectual property crimes at the national level. ICE is leading the charge, and derives its authority from the seizure and forfeiture laws of 18 U.S.C. §§ 981 and 2323. As Margaret A. Esquenet and Justin A. Hendrix explain (http://www.ecommercetimes.com/story/72344.html), “Under Section 2323, property used to commit a federal crime, such as criminal trademark or copyright infringement, is subject to forfeiture to the U.S. government. Under Section 981, the government can apply to a federal court for a warrant to seize that property. To obtain the warrant, the government must show there is probable cause that the website violates federal criminal law. The owner of the domain name may challenge the seizure warrant in the district court that issued it. During a later forfeiture proceeding, the owner also may challenge the basis for forfeiture.”
To carry out the Operation, ICE agents make undercover purchases of various products covered by trademark, including professional sports jerseys, golf equipment, DVD sets, footwear, handbags, and sunglasses. Once the goods arrive and the trademark holders confirm that the purchased products are counterfeit, seizure orders are obtained. The intent of ICE is to protect the economy and consumers, and ensure that revenue is flowing to the rightful parties instead of to those who steal intellectual property. The objective is a good one, and the websites are property used to commit a federal crime, so the seizures and the process by which they are carried out are legitimate under federal statute.
ICE may need to revisit the effectiveness of some of its procedures to reach that end, though. In February 2011, the department rightfully seized 10 sites before the Super Bowl that were accused of offering illegal streaming video of sporting events, and before Valentine’s Day, it seized 18 sites selling counterfeit luxury goods. But somehow along with those, it shut down 84,000 other legitimate sites and posted a notice that the reason was for “advertisement, distribution, transportation, receipt, and possession of child pornography.” Not good. The error may have had to do with linking sites, but the owners of the legitimate sites deserve a more robust due process procedure so as to avoid future errors.
Operation in our Sites is certainly a complicated technological effort without introducing administrative hurdles. But there is likely little harm (expense notwithstanding) in an email notice to domain name owners that their site is the subject of an investigation and will be shut down in 48 hours without further action on their part.
Carrier IQ: Cell Phone Data Snooping Revealed
Earlier this week, a 25-year-old security researcher named Trevor Eckhart posted a YouTube video detailing a program called “HTC IQ Agent” that was installed on his cell phone. Trevor showed that the program was recording every action taken on his phone, including key presses, text messages, and passwords - and then transmitting this data directly to the offices of the company Carrier IQ. The program started automatically with the phone, ran in the background, and could not be turned off. It wasn’t a virus, nor was it installed by an outside vendor; it came pre-installed on his phone.
The revelation that a company was extensively tracking cell phone users' actions set off a firestorm of controversy. Numerous technology blogs decried Carrier IQ's actions. Carrier IQ soon threatened Mr. Eckhart with legal action, but then apologized after Mr. Eckhart sought the protection of the Electronic Frontier Foundation.
In its defense, Carrier IQ claims that all of the recorded data transmitted is anonymous. The company provides a valuable service to many U.S. cell phone carriers, who contract with Carrier IQ to provide specialized diagnostic, trending, and troubleshooting data for the devices on their network. The issue is the sheer volume and depth of data being recorded, which seems unnecessary for purely diagnostic or reporting purposes.
Whenever I accept a terms of service or license agreement on a website, I assume that I'm giving up all of my rights related to content and privacy. However, even in this digital age, I still consider my right of privacy to extend to my personal belongings; the information in my wallet, my documents, and even information stored on my cellphone. As cellphones have become more powerful and increasingly connected, they have become personal organizers. My calendar, contact list, Christmas shopping ideas, and other personal information are all stored on my cellphone. Given that I've tapped all this information into my cell phone at some point, it is likely that this information is also now stored somewhere on Carrier IQ's servers.
So far, Carrier IQ software has been found on both Android and iOS cell phones for several U.S. carriers. Many guides and how-to documents have been posted with instructions on how to disable the software. The Senate has even gotten involved, giving Carrier IQ until December 14th to address privacy concerns. In addition, it's possible that Carrier IQ has violated federal wiretapping statutes, and already there are rumblings of class action lawsuits.
It's also quite possible that this story has been overblown. Many journalists have noted that the data stored are purely anonymized metrics that carriers use to improve their service, ultimately benefiting consumers. There is no evidence that personal, identifying information has been used in an improper manner. However, given the amount and type of data being recorded, I am uncomfortable with any company having this information on their servers. A line has been crossed, and thanks to Trevor Eckhart, the world knows.
Monday, January 09, 2012
Massachusetts Lawmakers Approve Human Trafficking Bill
On November 15th, Massachusetts’ House and Senate approved a Human Trafficking Bill that has been urged by human rights advocates. The bill imposes life sentences for pimps and other traffickers found guilty of coercing children into sex and forced labor. The bill also confronts the important matter of treating children as well as adults forced into prostitution as victims and not as offenders. Additionally, the bill will create a panel to study approaches to prevent trafficking. The sex trade is an increasing problem in Massachusetts, yet the state is one of three states that have yet to enact an anti-trafficking law.
While slavery is often considered obsolete, the exploitation through forced sex and labor is estimated to include trafficking of 27 million people around the world. This modern slavery has evolved through the use of the Internet, which conveniently allows traffickers to recruit and sell victims over websites, taking prostitutes off of the streets and out of the view of the public and law enforcement and placing them into hotel rooms.
Much attention has been given to advertising websites and their “adult” sections, which are intended as a means for consenting adults to find other consenting adults. Inevitably, the advertisements have been used for soliciting sex and in some instances sex with minors. When Craigslist banned sexually related advertising in the US in 2010, a majority of this activity found a new home on BackPage.com. The site has recently received demands from anti-trafficking advocates, including the fifty-one attorneys general and an interfaith social justice group, to remove the section in order to stop the online advertising for prostitution, emphasizing the exploitation of minors made possible through listings.
The letter from the attorneys general states that efforts made by BackPage.com to reduce trafficking of both adults and children have been unsuccessful, and more than 50 instances of trafficking or attempting to traffic minors through the site have been discovered. The letter provides an example of how a trafficker in Dorchester, MA, used the site to exploit a minor by “forcing a 15-year-old girl into a motel to have sex with various men for $100 to $150 an hour” and found the customers by “post[ing] a photo of the girl on BackPage.com.”
While shutting down the advertising will put an end to trafficking on those sites, with the Internet’s infinite domains, any setbacks for traffickers will be minor and clients will merely be required to use some extra effort to find other sites. Sadly, if traffickers are capable of physically abusing, controlling and exploiting children, they are also capable of looking elsewhere and creating other means to continue making a profit off of forcing others to work for it.
The recent Massachusetts bill approval is a great start to shed light on the fact that there is a problem and treating the victims as criminals is not the solution. The bill places the blame where it belongs: on the trafficker. Arguments have been made that not all adult prostitutes are trafficked, and it is a nice theory that a consenting adult has a right to make a living selling their body. However, prostitution by choice is not the rule but the exception. Children are trafficked as young as eleven and twelve years old and often remain in the sex trade into adulthood, demonstrating that even adult prostitutes are unlikely to have chosen this life for themselves. The reality is that all trafficking victims are controlled by fear, coercion, and violence, and the Internet is allowing this activity to go unseen. By shifting the current social stigma surrounding prostitution to victimization, trafficked individuals are more likely to seek help from the medical community and from law enforcement.
The bill, which will more likely than not soon become law, is important in officially recognizing there is a problem that needs to be addressed. A significant part of the bill is the establishment of a panel to study ways to prevent trafficking. Educating young people at risk of being trafficked, as well as the entire public, is essential. Eliminating the role of the Internet in trafficking can be expected to be a major prevention issue for this future panel to address.
A Step Towards Anonymous Browsing on Mobile Devices
As Americans we “get” our right to privacy through provisions of the 1st, 4th and 14th amendments. We have the 1st amendment right to free assembly, the 4th amendment right to be free from unwarranted search and seizure and the 14th amendment right to due process. Through these provisions the Supreme Court has addressed and upheld birth control rights, abortion rights, marriage rights, and child rearing rights among other issues related to privacy.
With the surge of people using the Internet over the past 2 decades, from children to college students to baby boomers, there are endless amounts of personal information on the Internet, some of it intentionally put there and some of it not intentionally publicized. It is harder to maintain one's privacy in this world of instant Facebook access and oversharing on Twitter. Adding to this dilemma is the advent of the smart phone. From iPhones to Blackberries, you can now remotely upload a picture to Facebook, browse the Internet on the train, and update your blog while out to dinner.
Using these devices can leave the user or others vulnerable to their privacy being invaded. Not only can others access public Facebook profiles and see content that third parties pictured or mentioned in it may not be aware of, but websites track browsing and respond with ads and suggestions, not to mention the dangerous problems of phishing, hacking and identity theft. For example, Google scans emails and then advertises for things mentioned in “personal” emails. Anyone with access to your computer or device can check your history and see where you have been poking around on the Internet.
This week, Apple approved an application that will now be offered in the App Store. This Covert Browser for iPad will allow users to confidentially browse the Internet (a similar app is also available for the iPhone). Although there are kinks to be worked out, you can purchase the peace of mind of “completely” anonymous web browsing for just $2.99. The Covert Browser is a much more secure way to browse than other secure networks. The technology behind the application is Tor. Tor triple-encrypts data and routes it through three computers, whereas other secure browsing services route through only one computer, leaving users vulnerable to the companies responsible for the routing. The Apple-endorsed application is a much needed move towards privacy for mobile devices.
Data Protection Uniformity in the European Union
Image Titled "Internet Global Advertisement" by The Miiz
On Tuesday, Vice President of the European Commission Viviane Reding announced a plan to harmonize data protection policies throughout the European Union. The plan would allow an Internet company to operate throughout the 27 Member States as long as its data protection policies were approved by a single state.
The new directive will update the EU’s data protection laws, to patch holes created by U.S. law through the introduction of the Patriot Act, and to bring the 1995 Data Protection Directive up to speed on new and developing technologies, such as cloud computing. Based on European data protection standards, the rules Reding would like to introduce are codes of practice ensuring "adequate safeguards" for data transfers between parts of the same corporate group.
Reding hopes the new data protection regulations will make it much simpler to negotiate such binding corporate rules (BCRs), she said Tuesday at a conference in Paris organized by the International Association of Privacy Professionals.
“They [Companies] need ... to have a ‘one-stop-shop’ when it comes to data protection matters, one law and one single data protection authority,” Reding told the American Chamber of Commerce. “I want to drastically cut red tape.”
Reding reiterated that European law would apply to any company operating within the European Union, even if the company is based outside the area, such as the United States. Subsequently, any non-European company with customers or clients inside Europe will have to comply fully with European regulations. Details of the plan are expected to be revealed by late January although it may take as long as 18 months before the bill becomes law.
Under the current Data Protection Directive, companies have to have their data protection policies approved by each individual country. The Directive offers basic principles and laws that each member state has built upon. This fragmented approach has made it increasingly difficult for businesses to trade, and comply with the complicated rules and regulations. Germany for example has stricter laws than the UK, making trade between the two countries difficult. Reding estimates that this bureaucratic approval process costs companies approximately $3.1 billion per year.
In order for there to be uniform E.U.-wide privacy rules, the data protection officials in individual countries would have to be granted greater power to enforce their laws and to impose penalties on violators. Under the existing system, privacy officials in some countries can only make recommendations. Jacob Kohnstamm, chairman of a panel that advises the commission on privacy issues, said the Union needed data protection authorities that were “able to bark and bite.”
Reding believes that an overhaul of the privacy regulations is crucial to increasing the competitiveness of the European economy during its present debt crisis. According to a New York Times article, Ms. Reding said, “I think I am persuaded that while bringing member states out of their debt crises, we have to do everything we can to help our companies grow.”
Such changes are necessary because the world is no longer defined by physical borders, she said. "Data races from Barcelona to Bangalore. It is processed in Dublin, stored in California and accessed in Milan. The transfer of data to third countries has become an important part of daily life, and this affects businesses and citizens."
However, getting 27 countries to agree on a uniform policy may be easier said than done. The EU must iron out differences between its members over privacy issues. Countries like France and Germany favor stronger protections for privacy, while Ireland, Britain and others prefer more market-friendly rules. A further example of international divergence is shown in the European consensus on the new plan’s possible ‘right to delete’ provisions, which would allow European citizens to apply to social networks or companies to delete the data held on them. The UK data protection agency called the proposals “unenforceable” and said that the proposed measures should not go ahead. It is also likely that we will see conflicts between the rules in the European Union and other jurisdictions, like the United States, where data protection regulations are also under review.
Compliance and enforcement are two other major concerns surrounding the proposed plan. Kohnstamm urged the commission to draft the new privacy rules through regulation, a measure that would give E.U. member states little room for interpretation in their implementation of the law, rather than via a directive, like the current law, which means the law is not self-executing and the countries may adapt it. However, compliance and enforcement outside the European Union could prove costly. Wojciech Rafal Wiewiórowski, Poland's inspector general, raising this issue, asked, "Who will say whether a company is fulfilling its responsibilities under a BCR? Let's assume it's the DPAs [Data Protection Authorities]: that works in Europe, but that's not really the problem. The problem is those companies moving data outside Europe. In the U.S., we can count on the support of the Federal Trade Commission, and Mexico too has a strong data protection authority," he said. "But what about Laos? Who will check what is going on in a data center in Laos?"
The new proposal will likely have strong effects on the world outside of the bloc as well as inside. Ronald Zink, chief operating officer for E.U. affairs at Microsoft, said that harmonizing policies internationally might be just as important as doing it within the Union, but added: “I think the E.U. data protection laws can be a beacon for the U.S. and around the world. They do a lot of things right.” The details of the plan and the dates of its implementation are yet to come.
Carrier IQ, the Electronic Communications Privacy Act, and the Digital Millennium Copyright Act
Categories: Copyright, Internet, Licensing, Mobile Phones, Privacy
Image titled Android Virus by Charliesalima
In the same week that Facebook settled its dispute with the Federal Trade Commission (“FTC”) over allegedly deceiving consumers about its privacy practices, an Android developer, Trevor Eckhart, discovered that Android phones run software that logs keystrokes and hides its presence on the phone. The discovery of Carrier IQ (CIQ) software embedded in the Android (and over the following days, other smartphones) raises legal questions that might expose both smartphone vendors and customers to liability.
The Electronic Communications Privacy Act, 18 U.S.C. 2510 et seq. (2006) (ECPA) expanded the Federal Wiretap Act to prohibit interception of electronic communications through any “system affecting interstate or foreign commerce” without the consent of at least one of the parties to the communication. The Digital Millennium Copyright Act prohibits circumvention of effective measures designed to prevent unauthorized access to copyrighted material. 17 U.S.C.A. 1201 (2006).
Much of the analysis of Carrier IQ misunderstands the ECPA, so some discussion of what the ECPA does and does not cover is in order. The ECPA has been interpreted to allow keystroke logging which intercepted signals sent between the keyboard and the computer, because until an email or other message is actually sent, the computer is not “a system affecting interstate or foreign commerce.” U.S. v. Ropp, 347 F. Supp. 2d 831 (C.D. Cal. 2004). The bulk of CIQ’s spying does not violate the ECPA. As Eckhart noted in his criticism of CIQ, when he dialed a phone number, the software logged the number before he made the call. Some states may have privacy laws prohibiting CIQ’s conduct, and certain consumers may have other claims (e.g. copyright infringement if any of their emails or texts contained material they owned a copyright to), but the ECPA does not prohibit keylogging.
Other portions of CIQ’s data collection may violate the ECPA. CIQ apparently also intercepts incoming text messages and emails. Incoming messages satisfy the “affecting interstate or foreign commerce” standard. Whether the manufacturers or carriers who installed CIQ violated the ECPA would then depend on whether they had valid contracts which allowed them to intercept their customers’ messages, a factual question specific to each carrier. Carriers’ recent panicked statements to the media indicate that most do not, as carriers have generally claimed either that they do not collect the data Carrier IQ collects, or that they only collect some less offensive subset of it. Carriers have put themselves in a precarious position by making such assertions, which smartphone manufacturers claim are false. The claim that a carrier does not collect data is only believable if the carrier does not include a data collection provision in its contracts, or includes the provision in a manner designed to keep consumers from recognizing or understanding it. Carriers who try to avoid bad publicity now may find themselves estopped from asserting a contract defense to ECPA claims in a later lawsuit.
A lawsuit may be the only option consumers have. Self-help is available to copyright owners in many scenarios, but is denied to people who want to protect their privacy from their wireless carrier. CIQ cannot be turned off through normal means, at least on the phone Eckhart tested. It can be defeated by hacking the phone. However, because CIQ is protected by digital rights management (DRM) software, consumer attempts to turn CIQ off may violate the DMCA.
In 2010, the Librarian of Congress used its powers under the DMCA to create an exemption for “jailbreaking” smartphone handsets. However, the exemption only applies when the jailbreaking is for purposes of interoperability, offering consumers no hope for protecting their privacy.
The DRM technology in use does not need to be strong to make circumventing it illegal. In spite of the word “effective” in the statute, courts have held that the DMCA also prohibits circumvention of ineffective measures designed to protect copyrighted material, because effective measures don’t need legal restrictions on circumvention and the word “effective” would be mere surplusage if it didn’t also cover ineffective measures. See Universal City Studios v. Reimerdes, 111 F. Supp. 273 F.3d 429 (2d Cir. 2001). The DMCA applies even when no copyright is violated, and it carries criminal penalties.
The DMCA leaves customers of carriers who use CIQ no other option but to accept violations of their privacy, find a carrier which does not use CIQ, or sue. Given the number of misleading press releases put out by carriers in the last few days and the frequent use of adhesion contracts that lock customers in to long periods of service, option 2 may not be so easy. While the case for ECPA violations is not as strong as some have asserted, it is still viable, and may be consumers’ only hope.
Sunday, January 08, 2012
SOPA: The New Way to Stop the Feed
Edited on: Sunday, January 08, 2012 1:24 PM
Categories: Copyright, Internet, Legislation
Photo by: donkeyhotey
Introduced in October, the Stop Internet Piracy Act ("SOPA") is the House of Representatives' attempt to place greater restrictions on websites hosting copyright-infringing material. In the Congressional hearings that have thus far been held, representatives of Hollywood and the Recording Industry Association of America ("RIAA") have strongly supported this bill, as it would attempt to stem the flow of copyright-infringing material, especially from websites in foreign states. This controversial bill has come under fire from internet providers, including Google, Verizon, Comcast, and AT&T, whose criticism focuses specifically on section 102 of the proposed bill, the site blocking provision.
Section 102 of SOPA provides the courts with the power to require an internet service provider ("ISP") to block a website that is found to contain infringing material. The location of the website is not relevant to this section, as the provider can be ordered to take measures to "prevent access by its subscribers located within the United States to the foreign infringing site."
Some ISPs, specifically those running smaller servers, have already stated that such a blocking requirement is simply not technically feasible with their current network infrastructure. They would have to completely redesign their systems in order to be able to screen access to a list of potentially thousands of sites, placing an immense financial burden on these smaller providers.
In addition to this worry, ISPs are concerned about the vagueness of the requirements and responsibility that will be assigned to providers for complying with a blocking order. Proponents of the legislation state that SOPA does not have any specific technology requirements, or methodology for listing and blocking the infringing sites, so that it can be flexible. The problem is that such flexibility means that the court will be required to determine whether an ISP is complying with the spirit of the law, as there is no letter of the law to follow.
Regardless of whether such blocking should be required, potential costs from both possible legislation and network redesign will make the implementation of this legislation difficult to say the least.
  © Copyright 2010 The Journal of High Technology Law, Suffolk University Law School