TechWeb

Carrier IQ Withdraws Legal Threat Against Security Researcher

Nov 29, 2011 (09:11 AM EST)

Read the Original Article at http://www.informationweek.com/news/showArticle.jhtml?articleID=232200381


10 Companies Driving Mobile Security
10 Companies Driving Mobile Security
(click image for larger view and for slideshow)
After security researcher Trevor Eckhart branded a tool from smartphone monitoring vendor Carrier IQ as a "rootkit," the company fired off a cease-and-desist letter threatening to sue him for copyright and reputational damages unless he retracted his "false allegations" and apologized. Now, however, it is Carrier IQ that has issued an apology and withdrawn its legal threat.

On November 23, Carrier IQ released a statement saying that it had retracted the cease and desist letter it sent to Eckhart one week earlier, which included a threat of $150,000 in damages for copyright violations after he published Carrier IQ training manuals. "Our action was misguided and we are deeply sorry for any concern or trouble that our letter may have caused Mr. Eckhart," it said.

Carrier IQ's cease and desist letter, written by the company's general counsel, Joseph J. Dullea, had accused Eckhart of making allegations "that are without substance, untrue, and that we regard as damaging to our reputation and the reputation of our customers," and demanded that he remove all research related to the company, and cease commenting on it in public. Carrier IQ even penned a statement of apology that Eckhart was to issue via his site, part of which was to read: "The Carrier IQ, Inc. software is integrated by intent by device manufacturers and operators; it does not meet the definition of a rootkit and does not subvert the operation of the device as I previously claimed."

[ Improve mobile security. Read Mobile Device Management: What's Still Missing. ]

Carrier IQ's about-face came after Eckhart had reached out to the Electronic Frontier Foundation (EFF), which took up his case and contacted Carrier IQ, arguing that Eckhart's research into Carrier IQ fell under fair-use rules, which make copyright exceptions in cases of criticism, comment, research, and news reporting. "More broadly, Mr. Eckhart published his analysis of Carrier IQ and the underlying training materials to educate the public about privacy concerns raised by your software, which is installed by default on many mobile devices, unbeknownst to most consumers," according to the letter, which was written by Marcia Hoffman, a senior staff attorney at the EFF. The training materials that Eckhart posted on his website had also been publicly accessible via Carrier IQ's website. (They've since been removed.)

Hoffman also said that while Carrier IQ had made "broad accusations" against Eckhart, after the EFF sought details of specific allegations, it had received none. "We believe you are not able to substantiate your allegations because Mr. Eckhart's factual findings are true," she said.

Eckhart said he'd discovered Carrier IQ's software secretly monitoring "many U.S. handsets sold on Sprint, Verizon, and more." He estimated that it was running on more than 141 million handsets. Furthermore, as installed by carriers, the software oftentimes couldn't be removed, or could be removed only by advanced users willing to root their phones.

A recent Geek.com story backed up Eckhart's research, saying it had found "a potentially significant volume of data being collected" by Carrier IQ. It also noted that as of 2008, Carrier IQ was "working with seven of the top ten major OEMs, as well as Verizon Wireless, AT&T, and Sprint."

In the wake of Eckhart's discovery, Sprint issued a statement saying that it uses Carrier IQ's software solely for diagnostic purposes. Verizon, meanwhile, issued a statement saying that it's not currently working with Carrier IQ. "The reports we have seen about Verizon using Carrier IQ are false," said Verizon Wireless spokeswoman Debra Lewis via email. While she said Verizon had recently revised its privacy policy and begun offering different types of privacy programs, "Carrier IQ is not involved in these programs."

After withdrawing its cease and desist letter, Carrier IQ issued more details about how its software gets used. "Our software is designed to help mobile network providers diagnose critical issues that lead to problems such as dropped calls and battery drain," according to a statement released by the company. Carrier IQ likewise said that its software doesn't record keystrokes or "provide tracking tools," that it can't inspect the content of any messages, and that the company "does not provide real-time data reporting to any customer."

But given the tracking and data-collection concerns voiced by privacy experts, especially over the extent to which Carrier IQ may share data not with customers, but law enforcement agencies, expect Carrier IQ to face further questions about its business practices. On a related note, Carrier IQ spokesman Mira Woods said via email that "we are in discussions with EFF and Trevor Eckhart at this time."

The Enterprise Connect conference program covers the full range of platforms, services, and applications that comprise modern communications and collaboration systems. It happens March 25-29 in Orlando, Fla. Find out more.