Carrier IQ has been all over the news of late since it has been outed as a secret keystroke-logging program residing on smartphones everywhere. Now, an excellent legal analysis by Christopher Soghoian at the “slight paranoia” blog (IMO we should all be more than slightly paranoid about this latest privacy scandal) explains how lawyers can use Carrier IQ to circumvent the privacy protections of the Electronic Communications Privacy Act (ECPA).
A little background:
The Electronic Communications Privacy Act (ECPA) outlines the rigid warrant requirements that government agencies must adhere to in order to access (“tap”) citizens’ electronic communications. It also supplements the Stored Communications Act by providing protections for electronic communications stored by communication service providers such as telephone companies, internet service providers, etc. The ECPA is the reason that an ISP requires a court order before it reveals the identity of the owner of an IP address or an email address.
As Mr. Soghoian argues, Carrier IQ, which allegedly logs and stores users’ communications and key taps, is not a communication service provider. So…
“As Carrier IQ is neither an RCS nor ECS under ECPA, any data held by the company can be obtained by the government with a mere subpoena (and potentially, but I’m not as sure of this, by a civil litigant too, such as a divorce lawyer).
“As Sprint opted to have user data sent to Carrier IQ, where it was held for 30-45 days, rather than having the Carrier IQ software send the data directly to Sprint’s servers, I believe that Sprint recklessly exposed this private information to easy access by the government without a court order. There are plenty of ways that the company could have guaranteed that this data would always remain protected under ECPA — but it didn’t do so.”
Mr. Soghoian’s suspicions are correct (he is not just paranoid). If one can show that Carrier IQ is not a “remote computing service” (RCS) or an “electronic communication service” (ECS) provider under the Electronic Communications Privacy Act (ECPA), then a mere subpoena from any attorney would be enough to force Carrier IQ to reveal sensitive information which could otherwise only be obtained from phone companies via court order.