The Carrier IQ Story Moves On - Cue the Lawyers

Carl Weinschenk
Slide Show

Security Vulnerabilities at All-time Highs for Mobile Devices

Mobile security recommendations for consumers and administrators.

Multiple sites are reporting that lawsuits have been filed in the Carrier IQ controversy. Mathew Schwartz at InformationWeek hedges his bets a bit by saying "at least three" suits have been filed, as if he expects more to emerge between when he finishes writing and when he hits the "send" button.

His piece identifies suits in the U.S. District Court for the Northern District of Illinois, a class action in federal court in Wilmington, Del., and a suit in the U.S. District Court for the Northern District of California. Computerworld focuses on the Delaware suit, including a link to the complaint.

As many sites reported last week, researcher Trevor Eckhart released information in the form of at least one video and posted written commentary claiming that Carrier IQ is collecting information about users' cellular activities and sending it to carriers. He explains how he believes this is being done.

Over the next few months - or even years - the details of what Carrier IQ did, its legality, what the handset makers and carriers knew and other questions may be litigated. Alternately, the issues may be hashed out and the suits settled. That course is likely if there was no malignant intent by Carrier IQ or its partners. It is worth remembering that much of the technology involved in the mobile sector is new, and what is legal and what isn't is not cut and dry.

Litigation - especially when it involves potential jury pools and touches on hot button issues such as privacy and mobile technology - runs parallel to the real world outside the courtroom. That's one of the reasons companies retain public relations firms. Talking Points Memo reports on "talking points" from Sprint-Nextel and T-Mobile on the Carrier IQ situation. The site notes that the Sprint document initially was posted on the SprintFeed site. Writes Carl Franzen at Talking Points Memo:

Most important for consumers, Sprint's document states that "Sprint uses the Carrier IQ data to only understand device performance on our network so we can understand when issues are occurringEven with Carrier IQ, Sprint does not and cannot look at or record contents of messages, photos, videos, etc. nor do we sell or provide a direct feed of Carrier IQ data to anyone outside of Sprint." (Emphasis original).

There is something nefarious-sounding about "talking points," as if organizing a coherent defense is in some way a tacit acknowledgement of the organizations' guilt. That of course isn't the case. While it is entirely possible that the companies were using the information for illegal or unethical purposes, a more nuanced reality is far more likely.

Wired and unwired carriers have a right - indeed, a responsibility - to watch the flow of data over their networks to ensure efficient and timely delivery to subscribers, to plan for future expansion and to help catch criminals and terrorists. The line where these legitimate requirements end and illegal activity begins is a dicey topic. Indeed, that line is not fully drawn yet. Uncertainty over this issue likely is at the heart of the Carrier IQ controversy. Other issues, such as disclosure requirements to subscribers and oversight over what is done with the collected data flow from that basic issue.

Add Comment      Leave a comment on this blog post
Dec 7, 2011 3:58 AM Braaainz Braaainz  says:

One thing I am leery about with these class action suits is that they might be settled out of court. We need to find out exactly who was involved, how much information was kept on phone logs, how much was uploaded, and how many government requests were made of this information.

I worry that class action lawyers will just be paid off and we'll never know the extent of all this.

Dec 7, 2011 4:01 AM Carl Weinschenk Carl Weinschenk  says: in response to Braaainz

Thanks for your comment.

I have the feeling we'll get the salient info. Too many smart people are working on this, and there are too many lawsuits. My feeling is that it probably was an innocent over reach, but I certainly could be wrong.

Dec 7, 2011 6:05 AM Dan Dan  says: in response to Carl Weinschenk

Good article.

It does raise a lot of talking point, as bad as that sounds.

I think there are a number of things to bare in mind with the legal goings on.

First is who filed the complaint. Not to self was it that guy who you see on late night tv who represents injury victims or a large law firm willing to put forth the due-diligence to find support from Trevor's claims.

Second is the fact that there are security experts out there who are in fact working on it. and many are coming back and stating that Trevor is wrong.

Third Trevor based on his resume worked at Staples until 2005 as a sales associate, does not have any certifications listed, and his current work is as a systems administrator, not a programer or security consultant.

Fourth, what he shows in his videos is a debug log set to verbose. even though Carrier IQ software might recognize at some level keystroke inputs, it doesn't mean it does anything with them. The debug log is not a normal operating log and is stored in volatile memory, so it really means nothing. It isn't showing the the actual work files.

Fifth, He in no way shows what information if any is process by the software and then transmitted off the device.

Lastly, I think the big carriers and even Carrier IQ will have certified well respected security experts shoot all sort of holes through Trevor's "findings" and the lawyers will turn and run. They want to make a name for themselves, not spend millions on a case or cases that might not bare fruit for them.

I would say update this article in six months when Trevor is shown to not be an expert in security and the big boys have enough firepower to pretty much stand up to anything the lawyers can throw at them.

Dec 7, 2011 6:16 AM Carl Weinschenk Carl Weinschenk  says: in response to Dan

Thanks, Dan. All legitimate points. Not to be snarky, but I would point out that Einstein worked in the Bern patent office.

Seriously, as a non-expert observer, all I can say that if his findings are not legit, so be it.

Dec 7, 2011 6:42 AM Dan Dan  says: in response to Carl Weinschenk

I agree with you on that Carl.

Although later in life Einstine was working in the university. But, that being said I feel that in today's world, people can do a lot more with less knowledge.

There is the term script kitty for hackers which I think for the electronic age is apropos.

Someone with very little knowledge can gain access to scripts which they did not write themselves, and might not even fully be aware of exactly what it does. If they gain access to areas they shouldn't be, lets say some companies financial records, then decides to wipe them out for fun, he or she has caused a lot of damage and destruction without working to poses the knowledge of how to gain access to restricted spaces in the first place.

I guess simply put it means it is easy to gain a lot of power in the virtual world with out possessing the wisdom on how to use it wisely.

What Trevor did isn't wrong for what he did but he assumed things that were incorrect. By posting in a highly visible arena like the Android developers blogs, and youtube he then gave this interpretation which I will stand by as being wrong for the sake of argument, to millions.

Those people see a video so it must be true yet they don't have the technical background to understand what they are seeing.  This is a case of perception as being reality.

I do feel there are valid questions about privacy, and about how data is used and why. I think that if the data is secure and the carriers can improve quality of service to their subscribers, then it makes sense and would be a good thing.

It will be interesting to see how this plays out.

Dec 7, 2011 6:49 AM Carl Weinschenk Carl Weinschenk  says: in response to Dan

It drives me crazy that they let kids use calculators and spell check in school. I guess to some extent it's okay, but not across the board as they seem to.

Again, on Eckhart's opinions specifically, we shall see how it plays out, as you say.

By the way, Einstein absolutely loved the patent office, and later in life gave it a lot of credit for his ability to visualize what his theories suggested. Outside his office were apparently very famous and beautiful clocks, which got him thinking about the concept of time.

Dec 8, 2011 6:15 AM Dan Dan  says: in response to Carl Weinschenk

Just quick update. I was on Trevor's blog today and it looks like his mirror site is now taken down. Interesting as I haven't seen any press with regard to the androidhostfiles group.

I do know as you pointed out it seems like there is a queue at every court house across the country with class action lawyers filing suites against anyone and everyone they can think of. Even if most are thrown out I don't know how a small start up can deal with so much, whether right or wrong.

I did have a question though. How does it work with these law suites? I mean you have lets say 50 different lawyers filling in 50 states. Or possible more in one state alone, can they be forced to combine them. It seems silly you would have 50 trials all going on at the same time for the same thing? Isn't it like double jeopardy? Any insight would be grateful.

Also on a side note there are some interesting articles from Dan Rosenberg, and Tim Armstrong from Kaspersky. I know there are a lot of technically savvy folks out there that will flash their phones with Custom ROMs and more power to them, but it is a double edged sword as your warranty goes bye bye and if you mess up you might be staring at a $200 or more brick. Just something non technical folks might want to think about as it would be disheartening to loose a perfectly good phone.

Dec 8, 2011 12:23 PM Jeff Jeff  says: in response to Carl Weinschenk

I'm not sure what calculators and spell check have to do with this article.  Please don't be one of those people that warps every news item into a rant against one of your key issues.

Dec 8, 2011 12:26 PM Carl Weinschenk Carl Weinschenk  says: in response to Jeff

Jeff, if you read the string you will see that Dan and I were off on an unrelated tangent. Calculators and spell check indeed don't have anything to do with the Carrier IQ issue.

Dec 9, 2011 5:12 AM carma carma  says: in response to Carl Weinschenk

It is amazing that so many smart peole try to tackle this without knowing the root of the cause.

Does it collect data?  Yes, Immense ? Yes.

But who wanted it?

Sprint and AT&T. they are the aggressive ones who wants to put more and more data logging in the phone for not just analytics...

SO start with ATT and ask them to see what logs they collect and judge form there....


Post a comment





(Maximum characters: 1200). You have 1200 characters left.



Subscribe to our Newsletters

Sign up now and get the best business technology insights direct to your inbox.