Carrier IQ Withdraws Legal Threat Against Security Researcher - InformationWeek

Network diagnostic software vendor issues apology to researcher who discovered its application secretly monitoring smartphone users.

After security researcher Trevor Eckhart branded a tool from smartphone monitoring vendor Carrier IQ as a "rootkit," the company fired off a cease-and-desist letter threatening to sue him for copyright and reputational damages unless he retracted his "false allegations" and apologized. Now, however, it is Carrier IQ that has issued an apology and withdrawn its legal threat.

On November 23, Carrier IQ released a statement saying that it had retracted the cease and desist letter it sent to Eckhart one week earlier, which included a threat of $150,000 in damages for copyright violations after he published Carrier IQ training manuals. "Our action was misguided and we are deeply sorry for any concern or trouble that our letter may have caused Mr. Eckhart," it said.

Carrier IQ's cease and desist letter, written by the company's general counsel, Joseph J. Dullea, had accused Eckhart of making allegations "that are without substance, untrue, and that we regard as damaging to our reputation and the reputation of our customers," and demanded that he remove all research related to the company, and cease commenting on it in public. Carrier IQ even penned a statement of apology that Eckhart was to issue via his site, part of which was to read: "The Carrier IQ, Inc. software is integrated by intent by device manufacturers and operators; it does not meet the definition of a rootkit and does not subvert the operation of the device as I previously claimed."

Carrier IQ's about-face came after Eckhart had reached out to the Electronic Frontier Foundation (EFF), which took up his case and contacted Carrier IQ, arguing that Eckhart's research into Carrier IQ fell under fair-use rules, which make copyright exceptions in cases of criticism, comment, research, and news reporting. "More broadly, Mr. Eckhart published his analysis of Carrier IQ and the underlying training materials to educate the public about privacy concerns raised by your software, which is installed by default on many mobile devices, unbeknownst to most consumers," according to the letter, which was written by Marcia Hoffman, a senior staff attorney at the EFF. The training materials that Eckhart posted on his website had also been publicly accessible via Carrier IQ's website. (They've since been removed.)

Hoffman also said that while Carrier IQ had made "broad accusations" against Eckhart, after the EFF sought details of specific allegations, it had received none. "We believe you are not able to substantiate your allegations because Mr. Eckhart's factual findings are true," she said.

Eckhart said he'd discovered Carrier IQ's software secretly monitoring "many U.S. handsets sold on Sprint, Verizon, and more." He estimated that it was running on more than 141 million handsets. Furthermore, as installed by carriers, the software oftentimes couldn't be removed, or could be removed only by advanced users willing to root their phones.

A recent story backed up Eckhart's research, saying it had found "a potentially significant volume of data being collected" by Carrier IQ. It also noted that as of 2008, Carrier IQ was "working with seven of the top ten major OEMs, as well as Verizon Wireless, AT&T, and Sprint."

In the wake of Eckhart's discovery, Sprint issued a statement saying that it uses Carrier IQ's software solely for diagnostic purposes. Verizon, meanwhile, issued a statement saying that it's not currently working with Carrier IQ. "The reports we have seen about Verizon using Carrier IQ are false," said Verizon Wireless spokeswoman Debra Lewis via email. While she said Verizon had recently revised its privacy policy and begun offering different types of privacy programs, "Carrier IQ is not involved in these programs."

After withdrawing its cease and desist letter, Carrier IQ issued more details about how its software gets used. "Our software is designed to help mobile network providers diagnose critical issues that lead to problems such as dropped calls and battery drain," according to a statement released by the company. Carrier IQ likewise said that its software doesn't record keystrokes or "provide tracking tools," that it can't inspect the content of any messages, and that the company "does not provide real-time data reporting to any customer."

But given the tracking and data-collection concerns voiced by privacy experts, especially over the extent to which Carrier IQ may share data not with customers but with law enforcement agencies, expect Carrier IQ to face further questions about its business practices. On a related note, Carrier IQ spokesman Mira Woods said via email that "we are in discussions with EFF and Trevor Eckhart at this time."

User Rank: Moderator
11/30/2011 | 11:45:34 AM
re: Carrier IQ Withdraws Legal Threat Against Security Researcher
The plot thickens: Trevor Eckhart has posted a video demonstrating Carrier IQ's software logging his keystrokes (dialing a phone number) as he presses them.
-- Mathew Schwartz
User Rank: Apprentice
12/1/2011 | 2:25:03 PM
re: Carrier IQ Withdraws Legal Threat Against Security Researcher
Who'd be interested in obtaining what Carrier IQ collects? It's clearly been collecting intimate info on a massive scale for some time (150 million phones). Now they've been caught red-handed while blatantly lying about what they've been doing.

And although this collection can be used for metrics, who's to say that one of their clients wouldn't be a government? For someone after real-time sensitive data on 150 million people, this should be a pretty safe & deniable way to obtain it.
User Rank: Apprentice
12/1/2011 | 5:44:19 PM
re: Carrier IQ Withdraws Legal Threat Against Security Researcher
How could Carrier IQ attempt to publicly lie about collecting virtually every user activity on millions of smartphones they have secretly been installed on?!

This professional security researcher shows clear evidence and proves every bit of spyware activity performed on the device without the user's knowledge! Can't wait for this malicious spyware company to close down and have everyone at the company responsible for breaking wiretapping laws sent to prison for intentional espionage, privacy violations, false accusations, selling private consumer info for financial gain, criminal intent, false representation, and anything and everything unlawful that can be discovered from their illegal practices.