In what could be a precursor of legal action to come, mobile software vendor Carrier IQ has been hit with two lawsuits over the use of its controversial tracking technology in tens of millions of mobile phones worldwide.
One of the lawsuits was filed Thursday in U.S. District Court for the Eastern District of Missouri and accuses Carrier IQ, HTC Inc. and HTC America Inc. with unlawfully intercepting communications from private mobile phones, smart phones and handsets.
The lawsuit was filed by Erin Janek, the owner of an HTC Android phone from Sprint. It charges Carrier IQ and HTC of surreptitiously monitoring and collecting data from Janek's private communications on the phone without Janek's permission or knowledge.
The complaint notes that Carrier IQ and HTC's actions raised questions about whether the data collected from Janek's phone was protected under Federal Wiretap law and whether the interception of the data was intentional within the meaning of the law.
The other lawsuit was filed on behalf of four smartphone users from California and names HTC, Samsung and Carrier IQ as defendants. The lawsuit leaves the door open for other carriers and device makers to be included in the complaint later.
That particular lawsuit was filed in District Court for the Northern District of California and accuses the companies of violating the Federal Wiretap Act as well as California's Unfair Business Practice Act.
HTC and Samsung are two of the handset vendors that yesterday admitted to installing Carrier IQ's software on handsets. Both companies have insisted that they did so only at the specific request of their carrier customers.
Carrier IQ has been at the center of what has very quickly ballooned into a full blown privacy firestorm over the use of its software by wireless carriers. Earlier this month, Trevor Eckhart, a security researcher from Connecticut published a report disclosing how the company's software could be used for extensive user tracking by wireless service providers.
Carrier IQ and several of the carriers that have admitted using the technology, including AT&T and Sprint, insist that the technology is nothing more than a useful diagnostic tool for collecting certain network and device data for service and quality assurance purposes.
Eckhart, however, showed how the software can also be used to collect virtually any other metric from a user's mobile device. In an 18-minute YouTube video, he demonstrated how the software can be hard to detect, harder to remove and can be used to capture a lot of data -- including the keystrokes he made on his handset. In his research, Eckhart said that phone carriers could program the software to send user data whenever certain triggers or actions were completed.
Carrier IQ has consistently downplayed the research and has insisted Eckhart's claims misrepresent the true capabilities of its software. Even though its own marketing materials appear to undercut its claims , since the controversy broke Carrier IQ has described its software as doing little more than diagnosing operational network and device issues.
In a email today, Carrier IQ once again reiterated that its software does not log or understand keystrokes.
"It is only looking for numeric sequences that trigger a diagnostic cue within the software. If that cue requires communication with the carrier then the diagnostics are transmitted," the company said.
Carrier IQ's software knows what content has been accessed but not the nature of it. For example, the software will know the URL of a website that has been visited but not the content of the site, the company said.
The company downplayed a query by Computerworld about the claimed ability of the software to report collected data back to operators in real time. "The software has the ability to report real time but it isn't used that way,"
The company said the timing of the reporting function was a decision left to the carriers. Typically, Carrier IQ's software is used to report on a pre-determined daily or weekly schedule, the company said.
Jaikumar Vijayan covers data security and privacy issues, financial services security and e-voting for Computerworld. Follow Jaikumar on Twitter at @jaivijayan or subscribe to Jaikumar's RSS feed. His e-mail address is firstname.lastname@example.org.