As discussed in the TechCrunch post Android Researcher Hit With C&D After Dissecting Monitoring Software, Android security researcher Trevor Eckhart posted about the mobile tracking software from a company called Carrier IQ. As explained in the TechCrunch post:
Carrier IQ pitches themselves as the “leading provider of mobile service intelligence solutions,” and provides their services to a number of players in the mobile space. The company’s main U.S. carrier partner is Sprint, and Eckhart claims that their tracking software appears on Android devices from HTC and Samsung among others.
According to Eckhart’s research, Carrier IQ is capable of monitoring everything from where the phone is to what apps are installed, and even which keys are being pressed. Carrier IQ says that the information is collected to give carriers insight into how the mobile use experience can be improved. It sounds like a noble enough goal, except Eckhart found that the software could run without the user’s knowledge or consent as was the case with the HTC phones he tested.
Carrier IQ’s general counsel then fired off a vicious cease-and-desist letter [PDF] against Eckhart, “claiming that he committed copyright infringement by reproducing some of the company’s training materials in his post and that he made ‘false allegations’ about the nature of their software.” In other words, Carrier IQ was trying to squelch criticism of it by using copyright law to censor its critic. These tactics are one reason I not only despise copyright, but that I have begun to really detest what the legal profession has become: a bunch of arrogant bullies. The C&D letter is outrageous: it gave Eckhart two days to commit to all kinds of groveling, making a public apology, replacing his original blog post with one written by Carrier IQ, and so on, while threatening him with tens of thousands of dollars of damages, if not more, with some dubious claims, as discussed in a recent episode of This Week in Law. For example, according to some of the legal pundits on TWiL, the statutory damages and attorneys’ fees threatened are available only for a registered copyright work, and the material in question did not appear to have been registered. Further, Eckhart would probably have a fair use defense (as the Electronic Frontier Foundation (EFF) argues as well).
In any case, after its threats were noticed and blogged and tweeted about on the Internet, and after Eckhart bravely contacted the EFF for help instead of backing down, Carrier IQ realized what a PR disaster its threats had created, and their CEO retracted their C&D and publicly apologized to the developer. (See TechCrunch’s post Carrier IQ Retracts Their C&D, Apologizes To The Android Researcher They Hassled.) From the release:
As of today, we are withdrawing our cease and desist letter to Mr. Trevor Eckhart. We have reached out to Mr. Eckhart and the Electronic Frontier Foundation (EFF) to apologize. Our action was misguided and we are deeply sorry for any concern or trouble that our letter may have caused Mr. Eckhart. We sincerely appreciate and respect EFF’s work on his behalf, and share their commitment to protecting free speech in a rapidly changing technological world.
The full text of the release is below. The EFF was truly heroic here (see Eckhart’s post Why I love the EFF; and EFF’s post Carrier IQ Tries to Censor Research With Baseless Legal Threat).
The only reason, as pointed out in other articles, that the C&D was removed is because Trevor walked a grey line as he accessed a server, which is now offline, without a password. It is understood that this means that he had free write to it regardless of the fact that there is company confidential written all over it.
To that end, Trevor’s mirror site is now offline and other more well-established researchers like Tim Armstrong from Kaspersky and Dan Rosenberg from vulnfactory have discredited some if not all of what Trevor posted on YouTube and his blog.
I hear a libel case in the brewing, to be honest. Trevor has every right to research all he wants and post his findings for further investigation amongst peers in the programming community; however, in this case he yelled fire in a crowded theater, and caused all sorts of panic. I agree answers need to be given, and possibly a change in things, but by distributing his video to those who are not experts he caused undue panic in my opinion. Additionally, there may be hundreds of folks who will wind up with bricks instead of phones as they try to flash custom ROMs onto their devices, which voids the warranty as well.