Wednesday, 14 December 2011

Is the FBI Using Smartphone Spyware For Law Enforcement Purposes?

Written by 

The narrative continues over smartphone privacy issues involving the data logging program Carrier IQ, which was recently found to be installed on about 150 million handsets worldwide, including many popular Android, iOS, Nokia, and Blackberry devices. Controversy over the invasive software stemmed from allegations that Carrier IQ has the ability to record an array of device information, including keystrokes, text messages, web browsing, and user location, all without the user’s knowledge or expressed consent.

Uproar over the smartphone "spyware" emerged in late November when Trevor Eckhart posted on his blog two videos unraveling how the Carrier IQ program he discovered on an HTC smartphone was able to track virtually every function on the phone. Following Eckhart’s purported revelation, several cellphone providers, including Sprint, T-Mobile, and AT&T, admitted they have used the program on their phones for performance-tracking purposes.

In turn, the software developer and several cellphone providers have been issued a class action lawsuit for violating the Federal Wiretap Act, the Stored Electronic Communications Act, and the Federal Computer Fraud Abuse Act. The filing alleged that the companies committed an "unprecedented breach in the digital privacy rights of 150 million cell phone users" and that the defendants deliberately pre-installed the Carrier IQ software into their products, without any form of consumer disclosure.

As previously reported by The New American, the four consumers who commenced the lawsuit sought compensatory and punitive damages on behalf of all other consumers whose devices contain the spyware program, and the complaint requested that damages of $100 a day per violation should be granted to those affected. AT&T and Sprint quickly released statements explaining that the data extracted through the Carrier IQ program is exclusively used to improve service performance; likewise, Apple admitted to using the program on its iOS devices, but assured that future updates will fully eliminate the program.

However, new information regarding the debacle has provoked speculation of whether the FBI is using the software for law enforcement purposes, after a Freedom of Information Act (FOIA) request filed by Michael Morisy of MuckRock News, a proxy website for filing FOIA requests, shed new light on the controversy:

A recent FOIA request to the Federal Bureau of Investigation for "manuals, documents or other written guidance used to access or analyze data gathered by programs developed or deployed by Carrier IQ" was met with a telling denial. In it, the FBI stated it did have responsive documents — but they were exempt under a provision that covers materials that, if disclosed, might reasonably interfere with an ongoing investigation….

Advertisement

What is still unclear is whether the FBI used Carrier IQ's software in its own investigations, whether it is currently investigating Carrier IQ, or whether it is some combination of both — not unlikely given the recent uproar over the practice coupled with the U.S. intelligence communities reliance on third-party vendors. The response would seem to indicate at least the former, since the request was specifically for documents related directly to accessing and analyzing Carrier IQ data.

In response to MuckRock’s request, the FBI explicitly stated that "records or information compiled for law enforcement purposes" are exempt from disclosure. Specifically, the rejection letter asserted:

In applying this exemption, I have determined that the records responsive to your request are law enforcement records; that there is a pending or prospective law enforcement proceeding relevant to these responsive records; and that release of the information contained in these responsive records could reasonably be expected to interfere with the enforcement proceedings.

As MuckRock noted, the FBI’s response could lead to one of a couple distinct conclusions: The Carrier IQ program is being used as spyware for law enforcement tracking; the program is currently being used in an investigation; or the FBI has launched its own probe into Carrier IQ, who has been accused of usurping federal wiretap laws in millions of cases.

Regarding allegations that Carrier IQ is logging user information — which it originally denied — the company admitted that in some capacity the program logs SMS messages and other user activity. According to a lengthy Carrier IQ FAQ document released Monday, "Carrier IQ has discovered that, due to this bug, in some unique circumstances, such as a when a user receives an SMS during a call, or during a simultaneous data session, SMS messages may have unintentionally been included in the layer 3 signaling traffic that is collected by the IQ Agent."

However, soon following MuckRock’s release of the rejection letter, Carrier IQ was quick to deny involvement with any law enforcement agency. "Carrier IQ has never provided any data to the FBI. If approached by a law enforcement agency, we would refer them to the network operators because the diagnostic data collected belongs to them and not Carrier IQ," the company stated. It added that its "data is not designed to address the special needs of law enforcement. The diagnostic data that we capture is mostly historical and won’t reveal where somebody is and what they are doing on a real-time basis."

As the FBI’s response to MuckRock appears rather elusive, and has opened the door to an array of speculation, Mr. Morisy said he will file an appeal in an effort to obtain more information.