
Wednesday, January 25, 2012

Carrier IQ – Has someone violated the Electronic Communications Privacy Act?

Posted by Seth Brooks at 8:27 AM
Categories: Business, Copyright, Legislation, Mobile Phones, Privacy

Completely Tapped

Photo Titled "Completely Taped" by Byung Kyu Park available on Flickr

141 million handsets have a software program deployed on them which purports to collect only network diagnostic information for mobile phone service carriers. However, this software program runs secretly: it is not easy for an average mobile phone user to see the program running on their phone, because it does not appear as a “running application” on the applications list. Nor is there a clear disclosure of what data is being collected by the application, or a way to easily opt out of the application running on the mobile device. Nor is there any easy way to stop it from running on Android phones.

On November 28, 2011, Trevor Eckhart uploaded a seventeen-minute video (shown above) exposing the extent of the data being captured by Carrier IQ, an application that mobile phone providers and/or carriers install on mobile phones. The video shows an Android developer searching his phone for privacy policy disclosures and, finding none related to the Carrier IQ program, proceeding to show the type of data that Carrier IQ logs to the phone’s debug log. For example, each key press is logged, even when he enters information into a web page over his own local WiFi connection and the session is protected with SSL (an encrypted means of communicating between a client and host that forms the backbone of all secure communication over the Internet; as a standard, all data transferred within an SSL connection should be encrypted and protected after the SSL handshake). As of January 25, 2012, Eckhart’s video had received over 1.9 million views on YouTube.

In response, Carrier IQ sent Eckhart a letter threatening legal action unless he retracted his research, characterizing his analysis and posting of privacy policies as a breach of copyright which could expose him to damages in excess of $150,000. Eckhart then reached out to the E.F.F., which agreed to represent him; Carrier IQ has since backed off from its legal action and apologized for the cease and desist letter. The question now remains: has Carrier IQ, or the mobile phone manufacturers, or the mobile service carriers, violated the E.C.P.A. by secretly running a software program on the mobile phones?

The Electronic Communications Privacy Act (E.C.P.A., 18 U.S.C.A. § 2510) was enacted to expand the scope of the Wiretap Act (which was focused on the interception of voice communication) to protect data transferred by computers. Title I of the Act protects messages that are in transit, and Title II of the Act protects messages that are in storage on a device. Under the E.C.P.A., it is unlawful for a person to distribute “any electronic, mechanical, or other device, knowing or having reason to know that the design of such device renders it primarily useful for the purpose of the surreptitious interception of wire, oral, or electronic communications” (18 U.S.C.A. § 2512(1)(a)). However, carriers do have an exception: in the normal course of their business in maintaining their communication systems, they can use devices to intercept wire communications.

Senator Al Franken, who chairs the Senate Judiciary Subcommittee on Privacy, Technology and the Law, has requested more information regarding what data is being collected and where the data is being sent. Depending on the type of data that is actually collected and sent to the carriers, they may be able to claim that they were operating within their normal course of business in maintaining the stability of the wireless networks. A criminal or civil case under the E.C.P.A. may not be a guaranteed success in a court of law. However, public surprise at the extent of the data being captured, and the lack of notice and control that users are able to exercise over how much activity is being tracked, have already made the carriers and Carrier IQ losers in the court of public opinion.




  © Copyright 2010 The Journal of High Technology Law, Suffolk University Law School