11/29/2011
02:07 PM

Carrier IQ Withdraws Legal Threat Against Security Researcher

Network diagnostic software vendor issues apology to researcher who discovered its application secretly monitoring smartphone users.

After security researcher Trevor Eckhart branded a tool from smartphone monitoring vendor Carrier IQ as a "rootkit," the company fired off a cease-and-desist letter threatening to sue him for copyright and reputational damages unless he retracted his "false allegations" and apologized. Now, however, it is Carrier IQ that has issued an apology and withdrawn its legal threat.

On November 23, Carrier IQ released a statement saying that it had retracted the cease and desist letter it sent to Eckhart one week earlier, which included a threat of $150,000 in damages for copyright violations after he published Carrier IQ training manuals. "Our action was misguided and we are deeply sorry for any concern or trouble that our letter may have caused Mr. Eckhart," it said.

Carrier IQ's cease and desist letter, written by the company's general counsel, Joseph J. Dullea, had accused Eckhart of making allegations "that are without substance, untrue, and that we regard as damaging to our reputation and the reputation of our customers," and demanded that he remove all research related to the company, and cease commenting on it in public. Carrier IQ even penned a statement of apology that Eckhart was to issue via his site, part of which was to read: "The Carrier IQ, Inc. software is integrated by intent by device manufacturers and operators; it does not meet the definition of a rootkit and does not subvert the operation of the device as I previously claimed."

Carrier IQ's about-face came after Eckhart had reached out to the Electronic Frontier Foundation (EFF), which took up his case and contacted Carrier IQ, arguing that Eckhart's research into Carrier IQ fell under fair-use rules, which make copyright exceptions in cases of criticism, comment, research, and news reporting. "More broadly, Mr. Eckhart published his analysis of Carrier IQ and the underlying training materials to educate the public about privacy concerns raised by your software, which is installed by default on many mobile devices, unbeknownst to most consumers," according to the letter, which was written by Marcia Hofmann, a senior staff attorney at the EFF. The training materials that Eckhart posted on his website had also been publicly accessible via Carrier IQ's website. (They've since been removed.)

Hofmann also said that while Carrier IQ had made "broad accusations" against Eckhart, after the EFF sought details of specific allegations, it had received none. "We believe you are not able to substantiate your allegations because Mr. Eckhart's factual findings are true," she said.

Eckhart said he'd discovered Carrier IQ's software secretly monitoring "many U.S. handsets sold on Sprint, Verizon, and more." He estimated that it was running on more than 141 million handsets. Furthermore, as installed by carriers, the software oftentimes couldn't be removed, or could be removed only by advanced users willing to root their phones.

A recent Geek.com story backed up Eckhart's research, saying it had found "a potentially significant volume of data being collected" by Carrier IQ. It also noted that as of 2008, Carrier IQ was "working with seven of the top ten major OEMs, as well as Verizon Wireless, AT&T, and Sprint."

In the wake of Eckhart's discovery, Sprint issued a statement saying that it uses Carrier IQ's software solely for diagnostic purposes. Verizon, meanwhile, issued a statement saying that it's not currently working with Carrier IQ. "The reports we have seen about Verizon using Carrier IQ are false," said Verizon Wireless spokeswoman Debra Lewis via email. While she said Verizon had recently revised its privacy policy and begun offering different types of privacy programs, "Carrier IQ is not involved in these programs."

After withdrawing its cease and desist letter, Carrier IQ issued more details about how its software gets used. "Our software is designed to help mobile network providers diagnose critical issues that lead to problems such as dropped calls and battery drain," according to a statement released by the company. Carrier IQ likewise said that its software doesn't record keystrokes or "provide tracking tools," that it can't inspect the content of any messages, and that the company "does not provide real-time data reporting to any customer."

But given the tracking and data-collection concerns voiced by privacy experts, especially over the extent to which Carrier IQ may share data not with customers but with law enforcement agencies, expect Carrier IQ to face further questions about its business practices. On a related note, Carrier IQ spokesman Mira Woods said via email that "we are in discussions with EFF and Trevor Eckhart at this time."

Comments
japura941,
User Rank: Apprentice
12/1/2011 | 5:44:19 PM
re: Carrier IQ Withdraws Legal Threat Against Security Researcher
How could Carrier IQ attempt to publicly lie about collecting virtually every user activity on millions of smartphones they have secretly been installed on?!

This professional security researcher shows clear evidence and proves every bit of spyware activity performed on the device without the user's knowledge! Can't wait for this malicious spyware company to close down and have everyone at the company responsible for breaking wiretapping laws sent to prison for intentional espionage, privacy violations, false accusations, selling private consumer info for financial gain, criminal intent, false representation, and anything and everything unlawful that can be discovered from their illegal practices.
ericm,
User Rank: Apprentice
12/1/2011 | 2:25:03 PM
re: Carrier IQ Withdraws Legal Threat Against Security Researcher
Who'd be interested in obtaining what Carrier IQ collects? It's clearly been collecting intimate info on a massive scale for some time (150 million phones). Now they've been caught red-handed while blatantly lying about what they've been doing.

And although this collection can be used for metrics, who's to say that one of their clients wouldn't be a government? For someone after real-time sensitive data on 150 million people, this should be a pretty safe & deniable way to obtain it.
Mathew,
User Rank: Moderator
11/30/2011 | 11:45:34 AM
re: Carrier IQ Withdraws Legal Threat Against Security Researcher
The plot thickens: Trevor Eckhart has posted a video demonstrating Carrier IQ's software logging his keystrokes (dialing a phone number) as he presses them.
-- Mathew Schwartz