Carrier IQ in cahoots with FBI?

Published Thursday, 15 December 2011 12:40PM CST by in Privacy


Earlier this month we collectively learned that Carrier IQ had installed its software on some 150 million mobile phones and was monitoring users. Without the users’ permission or knowledge. Without warrants. Now comes news from MuckRock, the Freedom of Information Act (FOIA) request proxy, revealing that the US Federal Bureau of Investigation (FBI) used the Carrier IQ data for “law enforcement purposes.”

In response to Michael Morisy’s FOIA request, the FBI acknowledged that it had “responsive documents,” but refused to provide them, citing an exemption to the law allowing disclosure to be refused if it “might reasonably interfere with an ongoing investigation.” Because the FBI’s denial was a blanket denial, it remains unknown if the agency was using the Carrier IQ data to investigate individuals or Carrier IQ (the company) itself.

Responding to MuckRock’s disclosure of its FOIA request, Carrier IQ denied ever providing “any data to the FBI.” As Morisy points out, that wasn’t the question: “My question was and is, ‘Does the FBI have manuals or instructions on how to access Carrier IQ data?’”

David Kravets, writing for Wired, reports that Carrier IQ met with the US Federal Communications Commission (FCC) and the US Federal Trade Commission (FTC). According to Kravets, the company told him that it was “not aware of an official investigation….” This, of course, coming after US Representative Edward Markey (D-Massachusetts) called on the FTC (.pdf; 201KB) to open just such an investigation.

Carrier IQ watching you

Published Saturday, 3 December 2011 9:39PM CST by in Privacy


Last spring, seemingly everyone was wound up about LocationGate: Apple was tracking the whereabouts of iPhone users. Never mind that in order for this to happen, the user had to agree to allow the tracking to take place. The situation was quickly addressed with an iOS update. At the time, Apple accused its competitors of tracking their users, but it wasn’t Appleicious, so the corporate media paid scant attention.

Until now.

Now comes Trevor Eckhart, a Connecticut-based systems administrator, who discovered data-logging software installed on most mobile phones during his research. The software, Carrier IQ, is installed on millions of Android, Blackberry, and Nokia handsets and secretly sends information to the network carrier about installed apps, numbers dialed, text messages sent and received, and other user data. Eckhart re-published the Carrier IQ software manuals on his website and subsequent reports indicate that the various carriers use this data to different levels of granularity.

The Carrier IQ software is what’s known in security circles as a “rootkit,” software installed at the deepest level without the user’s consent, knowledge, or control. It cannot be turned off without rooting the smartphone and replacing its operating system.

When Carrier IQ discovered Eckhart’s research findings and that he’d re-published its documentation, the company sent Eckhart a cease-and-desist letter notifying him of breach of copyright. Carrier IQ also removed the manuals from its own website. According to David Kravets writing for Wired, the company demanded Eckhart retract his claims about the software, a clear attempt to suppress Eckhart’s research.

Eckhart refused to comply with the terms of Carrier IQ’s cease-and-desist demand and within a few days, Carrier IQ, as it came under growing scrutiny, apologized to Eckhart and retracted its cease-and-desist demand.

By the end of November 2011, Eckhart had produced a video detailing how the Carrier IQ software works, reporting virtually everything a user does on her smartphone to the carrier.

A misguided decade of the Patriot Act

Published Wednesday, 2 November 2011 12:26PM CST by in Privacy


Last month the Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism (USA Patriot) Act turned 10 years old. In those 10 years, it’s abundantly clear that the law is being used more for domestic crime than terrorism.

The law enables the government to obtain telephone, internet, banking, and other personal information on individuals without first showing probable cause and obtaining a warrant. Instead, national security letters are used to subvert the warrant process. Instead of showing probable cause, law enforcement—most notably the Federal Bureau of Investigation (FBI)—need only assert that the requested information is “relevant” to an ongoing investigation involving terrorism or national security. Recipients of national security letters are generally prohibited from disclosing the receipt or the information requested.

To make matters worse, at least one politician—US Senator Ron Wyden (D-Oregon)—suspects that the government has a secret interpretation of the Patriot Act. Wyden says he can’t expand upon his claims without revealing classified information.

An Inspector General report (.pdf; 4.3MB) reveals that while 143,000 national security letters were served by the FBI between 2003-05, only 53 cases were prosecuted and none were for terrorism.

Another big problem with the Patriot Act is that it allows “sneak-and-peek” searches—mostly for drug-related, not terrorism cases—whereby a property owner is not immediately notified that her property has been searched.

Last May, the US Congress punted yet again by reauthorizing three of the most egregious provisions of the Patriot Act. “Roving wiretaps” allow the FBI to obtain wiretaps from the secret Foreign Intelligence Surveillance Act (FISA) court without identifying a specific target. The “any tangible thing” provision allows secret FISA court warrants for any type of record or document without linking the document request to a specific terrorism or espionage investigation. The “lone wolf” provision allows secret FISA court warrants for electronic monitoring of a suspect without showing an agency connection to a foreign state.

These provisions were originally set to expire in December 2009 but were extended by Congress until the end of February 2010, then February 2011, then May 2011, and now June 2015. Yay Congress.

One bright, shining light on the 10th anniversary of the misguided Patriot Act is the move by the Electronic Frontier Foundation (EFF) to sue for answers to the secret interpretation alleged by Wyden and others under Section 215 (the “any tangible things” provision) of the Patriot Act.

Google caves on secret order for user’s information

Published Tuesday, 11 October 2011 2:18PM CST by in Privacy


The US government has obtained Jacob Appelbaum’s user information and private data from Google without a search warrant. Appelbaum works on the Tor project and is a WikiLeaks volunteer. The Obama administration requested the information under a secret order made possible by the Electronic Communications Privacy Act (ECPA), which allows the government to obtain such information without a warrant and without notification of the target.

Julia Angwin, writing for the Wall Street Journal, reports that Santa Rosa, CA-based Sonic.net, Inc. also received the government’s secret order, resisted it, but lost in court and was forced to disclose the information. Angwin reports the secret order included the email addresses of people with whom Appelbaum corresponded over the past two years but not the email content.

The ECPA was intended to extend the same protections to electronic communications as those already in place for land-line telephone calls and paper mail, but was enacted before the advent of the web and email services like Google’s Gmail and the widespread use of internet message access protocol (IMAP) where email is stored on a third-party’s server. If ever there were a time to go back to post office protocol (POP) email—where all email is stored on your local computer—this is it.

US law enforcement regularly uses the provisions of the ECPA to obtain email, mobile phone location information, and other digital data without a warrant (which would require showing probable cause that a crime had been committed). Under the provisions of the ECPA, the government need only show “reasonable grounds” that the material sought would be “relevant and material” to an investigation.

Because most of the orders are secret, and the targets usually never know that the government had gained access to their email and mobile phone records (the information providers are generally prohibited from disclosing the information release to targets), it’s difficult to know just how many such information disclosures take place under these secret orders. As an example, Angwin reports that Google, in the last six months of 2009, received 4,601 such requests and complied with 94 percent of them.

There is some movement to revise the ECPA, bringing it up to date with the existing technology. Angwin reports that US Senator Patrick Leahy (D-Vermont), the ECPA’s original author, has said the law is “significantly outdated and outpaced by rapid changes in technology.” Leahy has introduced revised legislation (.pdf; 66KB).

Piecemeal privacy legislation won’t work

Published Friday, 17 June 2011 9:49AM CST by in Privacy


US Senators Al Franken (D-Minnesota) and Richard Blumenthal (D-Connecticut) introduced a bill, the Location Privacy Protection Act (.pdf; 82KB), that would require platform vendors and app developers to obtain user consent before collecting those users’ location information. It would apply only to non-governmental collection of location information.

US Senator Ron Wyden (D-Oregon) and US Representative Jason Chaffetz (R-Utah) introduced a similar bill, the Geolocation Privacy and Surveillance Act (.pdf; 53KB), that would apply to both government agencies and commercial entities. Law enforcement agencies would be required to show probable cause and obtain a warrant before accessing location information on individuals.

The US Justice Department has consistently maintained that it doesn’t need a warrant to track an individual’s historic movements or current location from transmission towers used by the subject’s mobile phone. Jennifer Valentino-DeVries, writing for the Wall Street Journal, cites an academic paper and a 2010 Newsweek article describing thousands of location requests from law enforcement to wireless carriers each month.

David Kravets, writing for Wired, notes that Wyden’s bill comes on the heels of the Obama administration’s request to the US Supreme Court to allow warrantless installation of GPS tracking devices on suspects’ vehicles. The legislation, as proposed, would apply to real-time tracking and include past location and movement information. This last bit puts it squarely in conflict with a bill introduced by US Senator Patrick Leahy (D-Vermont), the Electronic Communications Privacy Act Amendments of 2011 (.pdf; 66KB), that focuses mainly on requiring probable cause and a warrant to obtain email stored on servers (including in the cloud). Leahy’s bill would require probable cause and a warrant for real-time GPS tracking, but not for past location and movement information.

Scott Thurm and Yukari Iwatani Kane, writing for the Wall Street Journal, reported last year that 47 of 101 surveyed apps transmit location information to third parties without users’ consent (or even knowledge); 56 of the surveyed apps sent the phone’s device identification number. Five of the surveyed apps reported “age, gender, and other personal details.”
