Last month, a security researcher from Connecticut published information about a software program installed on some mobile smartphones that may be surreptitiously collecting data about how the phones are used. The software, called Carrier IQ and manufactured by a company of the same name, has been described as hard to detect, hard to remove, and programmed to run by default without the user’s knowledge. The scandal escalated last week when Senator Al Franken sent a letter to Carrier IQ asking for details about the software and the company’s business practices. Privacy analysts are concerned that the software violates the Federal Wiretap Act, as amended by the Electronic Communications Privacy Act, which forbids the intercepting of “wire, oral or electronic communication” and authorizes penalties of $100 per day for each violation. 18 U.S.C. §§ 2511, 2520. Other commentators have suggested that Carrier IQ may also violate the Computer Fraud and Abuse Act. 18 U.S.C. § 1030. So far, at least eight class action lawsuits have been filed against Carrier IQ and various device makers and wireless carriers.
The security researcher’s report on the software, as summarized by Computerworld, described Carrier IQ as a “keystroke logging rootkit” that can collect data about a phone user’s location, application use, web browsing, text messages, and even the individual keys he presses. Forbes reports that Carrier IQ and legal experts consider these to be serious allegations. Carrier IQ posted a statement on its website claiming that the company is “counting and summarizing [mobile] performance, not recording keystrokes or providing tracking tools.” According to former Justice Department prosecutor Paul Ohm, if Carrier IQ is capable of recording keystrokes and sending that information somewhere, the software is very likely a wiretap that violates the Federal Wiretap Act. Under the Act, people who have been illegally wiretapped have the right to sue the perpetrators for significant money damages. Even if the information collected by Carrier IQ is somehow depersonalized and aggregated before being communicated to a remote server, Ohm argues that there would still be an open question as to whether this use of personal data violates the Wiretap Act.
The first class action lawsuit was filed against Carrier IQ and HTC in the Northern District of Illinois on behalf of one Android HTC smartphone user and “all others similarly situated,” reported Talking Points Memo. The lawsuit states that “[d]efendants have unlawfully intercepted private electronic communications emanating from private mobile phones, handsets and smart phones. This practice violates Federal Law.” As a result of the Supreme Court’s recent decision in AT&T Mobility LLC v. Concepcion, 131 S. Ct. 1740 (2011), legal analysts predict that most class action lawsuits arising from the controversy will be filed against Carrier IQ and device makers instead of against wireless companies like AT&T and Sprint, which have both admitted that their handsets run Carrier IQ software. In AT&T Mobility, the Court ruled that wireless customers waive their rights to a class action lawsuit against AT&T the instant they sign a contract with the company because the contract includes an arbitration clause.
The Digest will continue to report on the legal issues surrounding the Carrier IQ controversy as details unfold.
Abby Lauer is a 3L at Harvard Law School.