Monday, December 19, 2011

Sprint recklessly exposed Carrier IQ logged URL data to easy government access

In recent weeks, there has been considerable controversy around Carrier IQ and the data collected by it and the wireless phone companies who have partnered with the firm. Now that class action lawsuits have been filed, and the FTC is reportedly probing the company, one of the most important questions will be: What is the harm?

As I will attempt to argue in this blog post, by allowing Carrier IQ to collect and retain private user data (such as URLs of pages viewed), Sprint recklessly exposed this sensitive information, which would normally require a court order for the government to obtain, to access with a mere subpoena.

Last week, technical experts Ashkan Soltani and Peter Eckersley reported that Carrier IQ's software was, in some cases, collecting keystrokes and the contents of (SMS) text messages. A 19-page report (pdf) released by Carrier IQ confirmed the researchers' claims, putting the blame on a technical bug and accidental overlogging by Sprint or HTC.

For the purpose of this blog post, let's give Carrier IQ the benefit of the doubt. Instead, it is sufficient to focus our attention on one form of intentional data collection that Carrier IQ and its partner Sprint have acknowledged: the URLs of websites visited by handset owners. [There are other kinds of data that the company has intentionally logged too, for example, location data, but we don't know as much about this right now, so I'm focusing my analysis on URLs.]

Carrier IQ and Sprint: Yeah, we log URLs

In a letter to Senator Franken (pdf) last week, Carrier IQ acknowledged that its software has been used by one wireless carrier to collect the URLs of webpages viewed by subscribers:
Embedded versions of IQ Agent allow for the collection of URLs if requested by a Network Operator in a profile. These can be collected together with performance metrics so that Network Operators can determine how devices on its network perform for specific web sites... The profile specified by the Network Operator and loaded on the device dictates if this information is actually gathered. The IQ Agent cannot read or copy the content of a website. Only one of Carrier IQ's customers has requested a profile to collect URLs of websites visited on devices on its network.

In its letter to Senator Franken (pdf), Sprint acknowledged that it was the wireless carrier that collected URLs:
Sprint already knows the website of a URL of a website that a user is trying to reach from routing the request on its network. This information may be collected through the Carrier IQ software as part of a profile established to troubleshoot website loading latencies or errors experienced by a population of subscribers.

Let us ignore the fact that in the same letter, Sprint falsely denies collecting users' search query information (the search terms are in the Google/Bing URL), that it failed to disclose that Sprint collects through Carrier IQ the URLs of webpages viewed over encrypted HTTPS connections, which it would never learn by watching the network, and that it probably also gets through Carrier IQ the URLs accessed by handset owners when they are using WiFi and not Sprint's network. While these are interesting points (and show that Sprint is either lying to a Senator, or their legal team is embarrassingly ignorant about technology), they are unnecessary for our analysis.
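The three technical points in the paragraph above (search terms ride in the URL, an HTTPS URL's path and query never cross the wire in the clear, and WiFi traffic bypasses the carrier entirely) can be made concrete. The following is an added illustration written for this post, not code from Carrier IQ, Sprint, or the original author; the sample URLs are constructed, and the set of query-string keys treated as "search terms" is an assumption based on common search engines.

```python
from urllib.parse import urlsplit, parse_qs

# Constructed sample of requests a handset might make (not real subscriber data).
# Each entry: (url, whether the request went over the carrier's own network).
SAMPLE_REQUESTS = [
    ("http://www.example.com/news/story?id=42", True),
    ("https://www.google.com/search?q=divorce+lawyer+kansas+city", True),
    ("https://www.bing.com/search?q=mortgage+refinance+rates", False),  # over WiFi
    ("https://mail.example.net/inbox/12345", True),
]

# Assumption: query-string keys that commonly carry the user's search terms.
SEARCH_PARAMS = ("q", "query", "p")


def network_view(url, via_carrier=True):
    """What the carrier can learn by watching its own network.

    Plain HTTP exposes the full request URL. HTTPS exposes only the destination
    host (via DNS and the TLS handshake); the path and query string are encrypted.
    A request sent over WiFi never touches the carrier's network at all.
    """
    if not via_carrier:
        return None
    parts = urlsplit(url)
    if parts.scheme == "https":
        return parts.hostname
    return url


def device_view(url, via_carrier=True):
    """What software running on the handset itself sees: the full URL,
    regardless of HTTPS and regardless of which network carried it."""
    return url


def search_terms(url):
    """Return the search terms embedded in a URL's query string, or None."""
    query = parse_qs(urlsplit(url).query)
    for key in SEARCH_PARAMS:
        if key in query:
            return query[key][0]  # parse_qs already decodes '+' to a space
    return None


def compare(requests=SAMPLE_REQUESTS):
    """Side-by-side record of what each vantage point learns per request."""
    return [
        {
            "device": device_view(url, via_carrier),
            "network": network_view(url, via_carrier),
            "search_terms": search_terms(url),
        }
        for url, via_carrier in requests
    ]


if __name__ == "__main__":
    for row in compare():
        print(row)
```

Run as-is, the device column always holds the full URL and the extracted search terms, while the network column shrinks to a bare hostname for HTTPS and to nothing for WiFi traffic; that gap is exactly the data a device-side logger collects that the carrier could not otherwise obtain.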

It is also worth mentioning, although similarly unnecessary for our analysis, that Sprint's Electronic Surveillance Manager revealed in comments at the ISS World surveillance conference in 2009 that Sprint allows its marketing department to look through the logs of URLs viewed by its subscribers:
On the Sprint 3G network, we have IP data back 24 months, and we have, depending on the device, we can actually tell you what URL they went to ... If [the handset uses] the [WAP] Media Access Gateway, we have the URL history for 24 months ... We don't store it because law enforcement asks us to store it, we store it because when we launched 3G in 2001 or so, we thought we were going to bill by the megabyte ... but ultimately, that's why we store the data ... It's because marketing wants to rifle through the data.

Legal protections for URL data under US privacy law

It is beyond a cliché at this point to complain that our primary electronic privacy law dates from 1986, and hasn't been substantially updated since. This law not only differs in the legal protections offered to data based on whether it is content or non-content, but also based on what kind of company is holding the data.

As a Sprint customer, I am obviously unhappy about the fact that the company voluntarily logs and retains the URLs that subscribers visit - which are subsequently available to the government. However, I can get at least a tiny bit of comfort from the fact that the Electronic Communications Privacy Act requires a court order issued under 18 USC 2703(d) before Sprint can be forced to disclose these records to law enforcement agencies.

Furthermore, if Sprint wished to do so, it could probably argue that URLs contain communications content, and thus should only be disclosed pursuant to a probable cause warrant. [DOJ has acknowledged in its Search and Seizure manual that URLs can contain content, at least in the context of real-time intercepts via a pen register.] However, given Sprint's general pro-government approach to privacy, I wouldn't expect them to lift a finger to protect their customers.

Carrier IQ and ECPA

What about Carrier IQ? Does the government need a court order to get URLs when held by the company?

To be considered a "remote computing service" (RCS) or an "electronic communication service" (ECS) provider under the Electronic Communications Privacy Act (ECPA), you need to actually provide services to the public. Carrier IQ does not do this -- its customers are wireless carriers. On this point alone, user data held by Carrier IQ is simply not subject to the limited protections of ECPA.

Furthermore, even if we ignore the important requirement relating to providing services to the public, a service provider also has to actually provide the ability to send or receive a user's communications for it to be considered an ECS under the law. See Sega Enterprises Ltd. v. MAPHIA, 948 F. Supp. 923, 930-31 (N.D. Cal. 1996) (video game manufacturer that accessed private email of users of another company's bulletin board service was not a provider of electronic communication service); State Wide Photocopy, Corp. v. Tokai Fin. Servs., Inc., 909 F. Supp. 137, 145 (S.D.N.Y. 1995) (financing company that used fax machines and computers but did not provide the ability to send or receive communications was not a provider of electronic communication service).

Since Carrier IQ is merely covertly logging the URLs that consumers are viewing, rather than actually delivering web pages to the end user, they also aren't covered under ECPA.

So what?

As Carrier IQ is neither an RCS nor an ECS under ECPA, any data held by the company can be obtained by the government with a mere subpoena (and potentially, but I'm not as sure of this, by a civil litigant too, such as a divorce lawyer).

As Sprint opted to have user data sent to Carrier IQ, where it was held for 30-45 days, rather than having the Carrier IQ software send the data directly to Sprint's servers, I believe that Sprint recklessly exposed this private information to easy access by the government without a court order. There are plenty of ways that the company could have guaranteed that this data would always remain protected under ECPA -- but it didn't do so.

Likewise, while Sprint claims in its letter to Senator Franken that it tells its customers in its privacy policy that it collects information about the sites that they visit, it never discloses to subscribers that this private data is collected and stored by a third party, or the important way this will enable government access to that data. Sprint needlessly kept its customers in the dark about the ways in which the firm was exposing their data to government access.

In its letter to Senator Franken, Carrier IQ denied getting any requests from law enforcement agencies for user data. Sprint had to issue a much more delicately worded statement: it has not disclosed Carrier IQ data to law enforcement (the reason for this careful wording, I suspect, is the presence of 110 employees in Sprint's Electronic Surveillance team who do nothing but supply user data to law enforcement and intelligence agencies).

Although the recent FOIA response that Muckrock received suggests that the FBI has at least some interest in Carrier IQ data, if we rely on the statements of Carrier IQ and Sprint, then, at least as it relates to URL data, the risks I have described in this blog post are largely theoretical. Even so, it doesn't change the fact that Sprint has demonstrated an extremely cavalier attitude towards user privacy.

In a best case scenario, Sprint's legal team simply didn't consider the ECPA/law enforcement related implications of using Carrier IQ's technology. In a worst case scenario, they knew what they were doing, and didn't care. In either case, the company should be held responsible.

Friday, December 16, 2011

Commerce Dept: export licenses for intercept tech have "exploded" over last 2,3 years

Earlier this year, the Commerce Department's Bureau of Industry and Security held a two-day Conference on Export Controls and Policy. It included a workshop specifically focused on the rules governing the export of encryption technologies (which include intercept equipment). The full transcript can be found here: part 1 (pdf), part 2 (pdf).

As a non-lawyer, and non-expert in export control regulations, I was pretty surprised to learn that the government already strictly regulates the export of covert communications surveillance technology. What this means, of course, is that the Commerce Department already has a list of every foreign buyer of US made covert surveillance technology. Unfortunately, they won't provide this information to the public, and as far as I know, they won't provide it in response to FOIA requests.

In any case, reading through the transcript of the event, the following section caught my eye, as it specifically addressed the regulations that apply to surreptitious listening technology:

Michael Pender: Licenses [for "surreptitious listening" technology] are required for export to all end users, all destinations, and there's a general policy of denial.

The exceptions are for U.S. government agencies or communication-service providers there in the normal course of their business. So, if you're representing a U.S. law-enforcement agency and you're partnering with some other organization in another country and you need to send something out of the country, you know, contact us. Licenses are authorized for that situation.

If you represent a telecommunications company and you receive court orders for wiretaps from the local law enforcement and you have to comply with those court orders, you know, that's one of the few circumstances in which we can grant a license.

And you wouldn't think there would be that many licenses for these products in general in a year, but the rate at which they're coming in has just exploded over the course of the last 2, 3 years. I mean, I think I went from getting one a year to like five times as many, and then again, it's at least doubled or tripled in just the last year.