Monday, December 5, 2011

Of RootKits and Cell Phones

Lawyers, this article is for you: beware, using your cell phone for confidential conversations may violate client confidentiality! Why, you ask? Because a third party may be listening in on your 1) voice calls, 2) text messages, and 3) client emails. The company is Carrier IQ, and it has partnerships with major cell phone carriers, and its software has shipped on handsets from every major smartphone platform.

Carrier IQ didn't want this information to get out. The company sent a cease-and-desist letter threatening to sue the researcher who posted the information in a video on YouTube (it later withdrew the threat). His video walks through how the software can see even traffic that is supposed to be encrypted, because it logs keystrokes and web addresses on the handset before they reach the encrypted connection, and you can't disable it. It isn't clear what terms and conditions that come with your cell phone authorize this, if any. I should also say that this is unprecedented: even if you accept the claim that this was to help improve customer service, Microsoft never went to these lengths to help analyze its software.

Here's how it works: if you type a text message or a client email on a smartphone, for example, Carrier IQ will collect that information to help "analyze your usage experience." Unlike Microsoft's experience monitoring, which reports aggregate usage statistics, Carrier IQ collects the actual content you put into your phone. The researcher who discovered this also indicates that it can record voice calls, although he doesn't demonstrate that in the video. Since there is no opt-out and no privacy policy that you agree to with Carrier IQ, presumably there is nothing preventing the company from collecting all of your information.

The law in this area is very interesting. As far as I know, there has not yet been a case in the US deciding whether documents obtained from an attorney's hacked computer are admissible in court. There have been a number of other cases over the years, the most celebrated being Clark v. State, 261 S.W.2d 339, where a switchboard operator who listened in on a telephone call between an attorney and his client was allowed to testify. Does that mean that if Wikileaks gets a copy of a law firm's client correspondence, it becomes admissible? What if they get recordings of client phone calls?

When last checked, Carrier IQ's website says that its software is installed on 141 million handsets. The reporting on Carrier IQ suggests that its software has been installed on major devices for the last 6 years. That's more intelligence on phone usage than all the wiretaps in the US that have EVER been authorized; in 2010, there were 3,194 authorized wiretaps. Carrier IQ's data includes information from customers of major carriers: AT&T, Sprint and T-Mobile have acknowledged using the software, while Verizon says it does not. Even allowing for handsets outside the US, that's a large share of America being watched without its knowledge. Since those people are calling other people with their smartphones, there's a good chance that Carrier IQ knows who all of your friends are, whom you're having an affair with, where you're having it, and when your wife is calling her lawyer to file for divorce.

Six years ago, Sony installed a rootkit on people's computers and ended up settling with 39 states for $4.25 million. It also agreed to regular privacy audits and a number of other concessions to individual states. The figures aren't clear for how many users this affected. One study suggested that there were 12,588 networks that had a Sony-rooted machine on them, and each network could have had multiple computers on it. Even so, the Sony scandal still falls far short of what Carrier IQ has done.

So the question on everyone's mind is what will happen to Carrier IQ? Lawsuits? Congressional Hearings? Will the major carriers drop their contracts with Carrier IQ and remove their software from customer cell phones?

Senator Al Franken (D-Minnesota) wrote a letter to the company last week demanding to know what data it collects. You'll recall that earlier this year, Senator Franken introduced his "Location Privacy Protection Act" after it was revealed that Apple's iPhone had been logging location data (cell-tower and Wi-Fi positions) on the device, possibly inadvertently. No word yet on whether the company has responded.