Carrier IQ warned of lawsuit risk

Law professor and former Justice Department prosecutor Paul Ohm took to Twitter to say that if the Carrier IQ “rootkit” story is accurate it could be grounds for a class action lawsuit based on federal wiretapping law.

Ohm was referring to reports on the work of Trevor Eckhart, a researcher who has analysed and filmed the way Carrier IQ’s software operates on his HTC mobile device. Eckhart’s work appears to show the Carrier IQ technology logging button presses, the contents of text messages and the addresses of websites he visits.

Wiretap laws forbid individuals or organisations from acquiring the contents of people’s communications without their consent, says Ohm. But as security consultant Dan Rosenberg, of Virtual Security Research, has pointed out: “There is a big difference between ‘Look, it does something when I press a key’ and ‘It’s sending all my keystrokes to the carrier’.”

Rosenberg claims to have reverse engineered Carrier IQ and could find “no evidence that [the company is] collecting anything more than what they’ve publicly proclaimed: anonymised usage metrics”.

But in an interview with Forbes, Ohm said that “even if [Carrier IQ] were collecting only anonymised usage metrics” it could still be open to a lawsuit.

In his analysis, Eckhart said that at no time was he asked to give his permission for Carrier IQ to operate on his device and attempting a “forced stop” of the application had no effect.

The company initially threatened Eckhart with legal action if he did not takedown his research, but changed tact after the intervention of the Electronic Frontier Foundation.

In a statement dated 23 November, the company said that its software does not record keystrokes, provide tracking tools or inspect and report on the contents of email or text message communications, nor does it provide real-time data reporting to any of its mobile network customers. It is interested only in “counting and summarising performance”, CEO Larry Lenhart said in a YouTube video, posted on 20 November.

Carrier IQ’s website states that its software is installed on more than 140 million phones. Reports say the software has been found running on Nokia, Android and Research in Motion (RIM) devices, along with a cut-down version on Apple iOS phones. But Nokia today said that Carrier IQ “does not ship products for any Nokia devices” while RIM said it does not install or authorise its carrier partners to install Carrier IQ on its BlackBerry smartphones.