Carrier IQ drops cease and desist against security researcher
Carrier IQ has dropped a cease and desist order against a security researcher who examined the company's software and documentation and described it as a "rootkit". Carrier IQ provides what it calls "Mobile Service Intelligence Solutions" which includes software embedded on, according to the company, over 141 million handsets. Carrier IQ says that its software is designed to assist carriers in providing customer support by analysing usage when problems such as dropped calls or rapidly drained batteries are reported.
Android developer and security researcher Trevor Eckhart decided to examine what the Carrier IQ software did and reported his findings. He found that, according to the publicly available Carrier IQ documentation, the range of information that could be captured by the embedded software was very wide. It included details of which apps were opened, when SMS messages were received, when calls were received, key presses and location information. The data collection could be triggered by a message being sent to the mobile device which would report back with a "metrics package" to a central server run by Carrier IQ. Eckhart included parts of Carrier IQ's documentation in his analysis.
Carrier IQ discovered Eckhart's analysis and responded by sending a cease and desist letter to Eckhart claiming he had violated copyright of the manuals and demanding that he stop saying the software was a rootkit; this included a requirement to place a specific apology on his site. Carrier IQ also removed the files in question from its own web site. At this point, Eckhart contacted the Electronic Frontier Foundation (EFF), who explained in a letter to Carrier IQ how Eckhart's work and opinions were protected under fair use and US First Amendment law.
That cease and desist has – as more attention was drawn to Carrier IQ's operations – now been withdrawn, with the CEO of Carrier IQ, Larry Lenhart, asking the EFF for "help in establishing an open dialogue with Mr. Eckhart as I would like to personally apologize". Lenhart also offers to "start a discussion" with the EFF about the issues raised by Eckhart. In a press release, the company also called its action "misguided" but reiterated its position that its software does not record keystrokes, offer tracking tools, examine the content of communication or provide real-time data reporting to customers. The EFF said that it hopes "this incident will serve as an example to others who would misuse the law to squelch legitimate research and criticism".