Carrier IQ withdraws 'misguided' cease-and-desist letter, apologizes to security advocate TrevE

Well, that was quick. Carrier IQ just sent out a press statement saying it's withdrawn its cease-and-desist letter to Trevor Eckhart, who recently detailed how the company's action worked. Said Carrier IQ:

"Our action was misguided and we are deeply sorry for any concern or trouble that our letter may have caused Mr. Eckhart. We sincerely appreciate and respect EFF’s work on his behalf, and share their commitment to protecting free speech in a rapidly changing technological world."

Looks like the Electronic Frontier Foundation's backing of Eckhart paid off, the lawyers have done their thing, and the security and privacy advocate known as TrevE won't be pursued for thousands of dollars of fines after all.

That doesn't change the fact that the Carrier IQ software remains on a number of phones, and many of you aren't crazy about having a hidden background app report how you use your phone back to the manufacturer -- even if you do agree to it up front -- and that's certainly an argument that needs to continue.

We've got the full press release after the break.

FOR IMMEDIATE RELEASE

Carrier IQ Press Statement

Mountain View, CA - November 23, 2011 - As of today, we are withdrawing our cease and desist letter to Mr. Trevor Eckhart. We have reached out to Mr. Eckhart and the Electronic Frontier Foundation (EFF) to apologize. Our action was misguided and we are deeply sorry for any concern or trouble that our letter may have caused Mr. Eckhart. We sincerely appreciate and respect EFF's work on his behalf, and share their commitment to protecting free speech in a rapidly changing technological world.

We would like to take this opportunity to reiterate the functionality of Carrier IQ's software, what it does not do and what it does:

  • Does not record your keystrokes.
  • Does not provide tracking tools.
  • Does not inspect or report on the content of your communications, such as the content of emails and SMSs.
  • Does not provide real-time data reporting to any customer.
  • Finally, we do not sell Carrier IQ data to third parties.

Our software is designed to help mobile network providers diagnose critical issues that lead to problems such as dropped calls and battery drain.

Here's what our software does:

  • Our software makes your phone work better by identifying dropped calls and poor service.
  • Our software identifies problems that impede a phone's battery life.
  • Our software makes customer service quicker, more accurate, and more efficient.
  • Our software helps quickly identify trending problems to help mobile networks prevent them from becoming more widespread.

We look forward to a healthy and robust discussion with EFF that we believe will be helpful to us, to our customers, and to consumers that use mobile devices. We welcome feedback on our products and understand that Mr. Eckhart and other developers like him play an important role by raising questions about the complicated and technical aspects of the mobile ecosystem.

Phil Nickinson
20 Comments
  • I'm not surprised. As soon as they saw the EFF get involved, they knew they couldn't play the part of bully and backed off.
  • My thoughts exactly. Without the EFF they would never have mentioned an apology... However, it bugs me how software execs work, and the actual software engineers (of CarrierIQ) end up getting the blame
  • Well it's not exactly a unicorn and puppies app they developed.
  • owned. So good to see that. There is no way that TrevE was being malicious at all. Trunk charges, and then trying to be how Apple is for someone informing them about their own security bug. Companies always seem to care more about image and allowing customers to believe things are more secure than they actually are, than manning up to their own vulnerabilities with honesty and humility.
  • Every phone coming out now had better have CIQ show up in its app list and it had better for damn sure be able to be uninstalled. Or upon activation of the phone you are asked if you want to opt-in or opt-out.
  • My guess is they started to see "CarrierIQ" pop up on CNN, Techdirt, CNET, Wired, and just about every other technology blog on the 'net, and thought, gee...maybe all this bad publicity isn't really worth it! I am glad this software is back in the public eye, and I hope laws are changed to make the use of software like this ILLEGAL! At the very least, customers should expect to be told if spyware (whatever they call it, that is what it is!) is installed by default on their phone, and the customer should ALWAYS have the option to opt out, or be able to remove such software. I was fortunate enough to learn about this early on, and I found a way to permanently remove it on my Epic4G.
  • This is what happens when the community stands together and backs their own members in such a struggle as this. It's good to see the bully humbled so; indeed that this story aired on many major publications must have made the company nervous.
  • Is there a way to see if this software or any like it is on my phone and if so can it be deleted?
  • You can't delete it if it's on there, unless you flash your phone with a custom ROM that doesn't have it such as Cyanogen Mod.
  • I had it on a Samsung Exhibit II. Rooted with SuperOneClick, and deleted with Terminal Emulator. The process no longer shows up in Advanced Task Killer and it no longer shows in the list of installed apps generated by Terminal Emulator.
  • As for finding out if it's on your phone, go to Settings -> Applications -> Running Services and look for something labeled "IQ Agent Service" (this is what's on my Samsung Moment), "Carrier IQ", "CIQ" or some other variation including "IQ".
    The only ways to remove CIQ from your phone are to flash a ROM that doesn't have it, in rare instances (read: if it's available) flash a .zip that removes it (which needs root and overwrites any themes you've put on), or go in and manually delete/edit all the necessary files to completely remove CIQ yourself (it's very time and knowledge intensive).
  • I've read that it's the app 'System Management' on the Samsung Galaxy SII (T-Mobile). That's the phone I just bought. I'm rooted and used an app to uninstall it successfully.
  • Odd that I have yet to read a comment showing anger towards HTC for choosing to install this software on their phones. It isn't like this company went out of their way to make the software *and* forcibly inject it onto handsets. -Suntan
  • It's supposed to help make CS faster, how? Never once while my Evo has been serviced has there been any hint of CarrierIQ. You'd think it would offer relevant data so they wouldn't have to ask 100 questions 100 times. I call BS.
  • I hate companies like this. Stop spying on people, mind your own business.
  • Companies like this are no better than Patent trolls like Lodsys and Intellectual Ventures. They are parasites, offering no real benefit and just sucking money out of people, be it directly or indirectly.
  • There really is a low, if non-existent place in this topic for patent discussions. Unfortunately, as hard as anyone here could try, it really is off topic. I understand. You have a hammer (a beef, and not unfounded logically), and to you everything looks like a nail. But, try as I may, patent systems, overhaul, pain and suffering... it's not even close to this topic. Be hopeful, though... There are SO many other forums for THAT debate. But, be honest.. even your best efforts to merge into this forum with that HAMMER is a square peg in a round hole.
  • CIQ just got bitchslapped.
  • OK, I'm going to lay this out for everyone... 1. There should NEVER be any software installed that logs keystrokes (Without notice of intent, AND, clear opt IN/OUT user awareness prompts). *This alone would have done a world of good for both the S/W writer, and the end user.* 2. If item 1 is broken, it should only log locally, not across a network. 3. If item 2 is broken, it should NEVER transmit data 'in the clear' over (especially) an HTTPS connection. 4. The logic of this program is, in fact, reversed from any acceptable method, in that it hooks keystrokes for logging externally, prior to ANY encryption. In correct form, the SEND DATA would come only AFTER encryption with a key based on certificates (or various other AUTHENT, AUTHORIZATION schemes). 5. No Certificates are used, as the user never has a chance to opt into or out of them. 6. Sending unencrypted information to ANY destination should NEVER occur. (compounding the issue is the heightened user confidence as surely HTTPS is secure, right?.. wrong). 7. No matter what data this s/w author feels entitled to, despite their intended purpose (Save, Ignore, Delete, Improve), it should NEVER be subjected to 'in the clear' transmissions. 8. Plain as day.. S/W (A) logs keystrokes prior to encryption, sends data in the clear to Server (A). Server (B) is a Man in the Middle server. Server (B) now knows practically EVERYTHING user has typed, including usernames and passwords (Bank, Domain, PayPal). Server (A) may never use information, but based on Server (A)'s lax policies, Server (B) is having a great time at everyone's expense. Summation ... HTTPS is only for encrypted information. Jumping the gun on HTTPS connections and sending logged keystrokes AROUND/PRIOR should ALWAYS be considered a violation.
  • *Our software makes your phone work better by identifying dropped calls and poor service.* Really.... you must not send the info to AT&T then. *Our software identifies problems that impede a phone's battery life.* Samsung must have missed that memo... *Our software makes customer service quicker, more accurate, and more efficient.* Really, I STILL get asked for my wireless number when I call CS @ ATT... *Our software helps quickly identify trending problems to help mobile networks prevent them from becoming more widespread.* Like what?