Carrier IQ, the Electronic Communications Privacy Act, and the Digital Millennium Copyright Act

Image titled Android Virus by Charliesalima

In the same week that Facebook settled its dispute with the Federal Trade Commission (“FTC”) over allegedly deceiving consumers about its privacy practices, an Android developer, Trevor Eckhart, discovered that Android phones run software that logs keystrokes and hides its presence on the phone. The discovery of Carrier IQ (CIQ) software embedded in the Android (and over the following days, other smartphones) raises legal questions that might expose both smartphone vendors and customers to liability.

The Electronic Communications Privacy Act, 18 U.S.C. 2510 et. seq. (2006)(ECPA) expanded the Federal Wiretap Act to prohibit interception of electronic communications through any “system affecting interstate or foreign commerce” without the consent of at least one of the parties to the communication. The Digital Millennium Copyright Act prohibits circumvention of effective measures designed to prevent unauthorized access to copyrighted material. 17 U.S.C.A. 1201 (2006).

Much of the analysis of Carrier IQ misunderstands the ECPA, so some discussion of what the ECPA does and does not cover is in order. The ECPA has been interpreted to allow keystroke logging which intercepted signals sent between the keyboard and the computer, because until an email or other message is actually sent, the computer is not “a system affecting interstate or foreign commerce.” U.S. v. Ropp, 347 F. Supp. 2d 831(C.D. Cal. 2004). The bulk of CIQ’s spying does not violate the ECPA. As Eckhart noted in his criticism of CIQ, when he dialed a phone number, the software logged the number before he made the call. Some states may have privacy laws prohibiting CIQ’s conduct, and certain consumers may have other claims (e.g. copyright infringement if any of their emails or texts contained material they owned a copyright to), but the ECPA does not prohibit keylogging.

Other portions of CIQ’s data collection may violate the ECPA. CIQ apparently also intercepts incoming text messages and emails. Incoming messages satisfy the “affecting interstate or foreign commerce” standard. Whether the manufacturers or carriers who installed CIQ violated the ECPA would then depend on whether they had valid contracts which allowed them to intercept their customers’ messages, a factual question specific to each carrier. Carriers’ recent panicked statements to the media indicate that most do not, as carriers have generally claimed either that they do not collect the data Carrier IQ collects, or that they only collect some less offensive subset of it. Carriers have put themselves in a precarious position by making such assertions, which smartphone manufacturers claim are false. The claim that a carrier does not collect data is only believable if the carrier does not include a data collection provision in its contracts, or includes the provision in a manner designed to keep consumers from recognizing or understanding it. Carriers who try to avoid bad publicity now may find themselves estopped from asserting a contract defense to ECPA claims in a later lawsuit.

A lawsuit may be the only option consumers have. Self-help is available to copyright owners in many scenarios, but is denied to people who want to protect their privacy from their wireless carrier. CIQ cannot be turned off through normal means, at least on the phone Eckhart tested. It can be defeated by hacking the phone. However, because CIQ is protected by digital rights management (DRM) software, consumer attempts to turn CIQ off may violate the DMCA.

In 2010, the Librarian of Congress used its powers under the DMCA to create an exemption for “jailbreaking” smartphone handsets. However, the exemption only applies when the jailbreaking is for purposes of interoperability, offering consumers no hope for protecting their privacy.

The DRM technology in use does not need to be strong to make circumventing it illegal. In spite of the word “effective” in the statute, courts have held that the DMCA also prohibits circumvention of ineffective measures designed to protect copyrighted material, because effective measures don’t need legal restrictions on circumvention and the word “effective” would be mere surplusage if it didn’t also cover ineffective measures. See Universal City Studios v. Reimerdes, 111 F. Supp. 273 F.3d 429 (2d Cir. 2001). The DMCA applies even when no copyright is violated, and it carries criminal penalties.

The DMCA leaves customers of carriers who use CIQ no other option but to accept violations of their privacy, find a carrier which does not use CIQ, or sue. Given the number of misleading press releases put out by carriers in the last few days and the frequent use of adhesion contracts that lock customers in to long periods of service, option 2 may not be so easy. While the case for ECPA violations is not as strong as some have asserted, it is still viable, and may be consumers’ only hope.