Security advocate, EFF go toe to toe with data collection company CarrierIQ

The push and pull between security (and privacy) advocates and a company that supplies several Android manufacturers with application metrics has reached a new level -- and lawyers are now involved. This stems from the CarrierIQ "app" that resides in a number of HTC Android smartphones that gained notoriety in early October when a flaw was discovered in the way it was collecting data. Depending on who you ask, CarrierIQ (recently named a "Company under $100 million to watch") either is a tool that provides OEMs a look at what you're using your device for under the auspices of giving you a better user experience in the long term, or it's an evil agent spying on your every move.

On Nov. 14, Trevor Eckhart -- aka TrevE -- sent us (and presumably other sites) a link to a post he'd written explaining in great technical detail what CarrierIQ does, how it does it, and why he believes it's a bad thing. (We declined to report on Eckhart's post.) Included in the post and mirrored off site are training documents Eckhart copied from the CarrierIQ website, and Eckhart explained how he believed he evaded no security in copying the documents.

CarrierIQ, however, believes Eckhart violated copyright laws by doing so, and has sent a strongly worded cease-and-desist letter demanding that he cease any infringement or face thousands of dollars in fines, as well as retract "allegations on your website ... that are without substance, untrue, and that we regard as damaging to our reputation and the reputation of our customers." CarrierIQ also demands that Eckhart contact anyone directly or indirectly sent copies of the training material, send written retractions, issue a press release on the AP (Associated Press) wire admitting "inaccuracies," and "apologize to Carrier IQ, Inc. for misrepresenting the capabilities of their products and for distributing copyrighted content without permission."

Eckhart has retained the help of the Electronic Frontier Foundation, which responded to CarrierIQ's general counsel that Eckhart's copying and republishing of the training materials falls under fair use, and that CarrierIQ must specify the statements it believes are false. (CarrierIQ was most certainly purposely vague in its initial C&D letter. That's how it works.)

This isn't about fears over data collection anymore, folks. Now that lawyers are involved, it's about whether laws were broken. The short version is CarrierIQ thinks Eckhart copied and used the training materials illegally (remember that just because something's not behind a locked door doesn't necessarily give you permission to distribute it), and the EFF is arguing that CarrierIQ is using strong-arm tactics and threats of thousands of dollars in fines to silence Eckhart and force retractions. (If you're really into the legal stuff, it's also interesting that the EFF claims CarrierIQ is a public figure and that New York Times Co. v. Sullivan and Hustler Magazine v. Falwell apply here.)

It also should be noted that on Nov. 16, CarrierIQ posted a "media alert" titled "Measuring Mobile User Experience Does Matter!" that seeks "to clarify some recent press on how our product is used and the information that is gathered from smartphones and mobile devices." Eckhart's piece isn't explicitly mentioned, but it's pretty clear what it's in response to.

The debate over CarrierIQ will continue as well (and as it well should). But it is worth mentioning that we all gloss over a bunch of legalese every time we boot a smartphone for the first time that should (in small type) tell you your phone is collecting data about what it's doing. And it also needs reminding that when a potential security hole was found in the way CarrierIQ was collecting data, a fix was pushed out pretty quickly (for some phones, at least). And it's also worth mentioning that CarrierIQ's not acting unilaterally here. The manufacturer -- not you -- is CarrierIQ's customer. We'll all have to watch how this one plays out.

Additional links: "What is CarrierIQ?" | "Measuring Mobile User Experience Does Matter!" (pdf) | EFF post | EFF response (pdf) | cease and desist letter (pdf)

Thanks to everyone who sent this in.

Phil Nickinson
  • And why, exactly, did you decline to post on Eckhart's post?
  • I was wondering the same thing.....
  • yea thought crossed my mind too
  • Honestly, that's one thing that I found disconcerting on this whole issue. Fact is that most corporations are only interested in increasing their profits by whatever means necessary is nothing new. Corporate willingness to overlook more bothersome parts of privacy laws is not exactly news either. But a failure to report on such a story, which - now that I read about it - was very well documented and argued, not some crazy rumors, this failure is for me a big disappointment with regards to quality of information on this website. Is censorship really a way to go for you?
  • Well, Well, Well...........I now know to stay away from HTC phones.
  • you might want to stay clear of all smart phones then, it's not just HTC phones
  • It is on Samsung as well...
  • A Conversation With Andrew Coward, Marketing VP of Carrier iQ -
  • This is on all smartphones. And it's not just the manufacturers. The carriers ask for this too. There are ways around it though. Custom ROMs and kernels. ROMs like CM don't have CIQ since it is built from source. Just another reason why carriers don't consumers rooting their phones.
  • seriously! Eckhart's legal problems with CarrierIQ are troubling to say the least, but this most certainly is about fears over data collection. CIQ is trying to protect their reputation, but their software is being used, without users' knowledge, on phones and collecting data. I understand that CIQ tells us that they are not collecting specific data. When it's done behind the users' back how are we supposed to take them at their word? I don't blame CIQ... I blame Sprint and HTC (just an example) for using CIQ and hiding it! Last, I'd like to say that CIQ's beating up on Eckhart is really sad. This is obviously something that concerns consumers and suing TrevE into giving a disheartened retraction isn't going to ease those concerns!
  • cooperate info suck...get real.
  • The can of whoop-ass has officially been opened. TrEvE is a great developer (I use his ROM on my EVO 3D) and his findings are sound. Glad the EFF has his back - these Apple-like legal tactics are going to come back to bite CIQ. If this goes all wrong for them in the press, I can see them possibly losing quite a bit of carrier business. Not a smart move on their part.
  • Heavy handed legal action like this is almost always a sign of pure evil. Glad I got a great ROM that was exorcised.
  • I just hope enough stink gets raised that the phone carriers drop this little snooping game. I highly doubt that'll be the case, but I can hope, can't I?
  • Sorry, but when lawyers are involved it's not about laws that were broken, it's about money.
  • The fact that AC declined to post something about this when TrevE sent you his illuminating story and that this "almost" sounds like a carrier IQ apologetic story is quite disturbing. Just because we have no real recourse (other than custom ROMs that you can bet your ass I'm running) to agreeing with carrier and OEM agreements doesn't make them ok. Liberty doesn't die with a bang but by slow and methodical parasites.
  • The dumb thing is if they would have just let the press release go out without fighting it, they would have a spotlight shined on them. Now, they will have that spotlight on them and if it is something bad even from a PR standpoint, they will have screwed themselves. Hello, Barbra Streisand effect.
  • It's a bit alarming that you declined to post what TrevE wrote about CIQ. I've been following this thing on XDA from the beginning. Maybe AC should have read the article written yesterday on XDA. You sound like you're siding with CIQ on this - TrevE did nothing wrong decompiling their product. It's covered by law as long as he did so to find flaws, which he did. You misstated everything on here, misinformed everyone, and worst of all you're selling out a top member of our community. Shame on you Phil, you are a disgrace to Android. You need to get a backbone and write what's correct, not what the coward side of you wants. Do you believe spying on consumers is wrong? Then say it and call out CIQ - otherwise you're no better than the carriers, government, and companies that will go to no end to collect everything about your life.
  • Yeah! I felt a little nauseous reading this thing. I guess this is the difference between a real news organization and a blog site. Some research into this story would have been beneficial to your audience and give you some credibility. The guy does have some credibility in the XDA community and he seemed to be making a genuine effort to bring this information to people's attention.
  • The tone and content of this Nickinson article were not very professional. Proudly failed to report the original issue, blurry comments about law issues and limits to public domain usage. This article makes me wonder about the author's bias, or lack of understanding of the actual issues here. Please try to do a better job in future writing - thanks.
  • I too would like an explanation of why you chose not to report on this. The initial failure to report, combined with the apologetic tone toward CarrierIQ, and the timing of this article (1am the day before a holiday, c'mon) all indicate that informing your consumers is not your top priority. If you feel that CarrierIQ has no responsibility when it comes to how the manufacturers and carriers use their software, then by all means say so. But, please allow us, your consumers, the respect to make our own decision on that matter---especially when it is a hot button issue like privacy and data collection.
    We rely on you to provide us information relevant to us as Android users and enthusiasts. Though we always need to be prudent as consumers, I always thought AC had our best interests at heart. Saying you hid something from us does not feel like our best interest. If it was not an attempt to hide the evidence sent to you on 11/14 then please explain your reason for failure to report on this issue.
  • It shouldn't matter who the direct customers of CarrierIQ are, think about it.... If a security hole is exploited WE, the users of the phones, are affected, the OEMs couldn't care less about our personal data, it doesn't affect them. If they're only held responsible for the protection of the OEM, then there's a serious legal flaw there. Because it literally means they could leave everything wide open and allow people to steal every bit of data we ever have, and still be within the confines of the law, because our data being stolen doesn't affect the OEM. That doesn't make any damn sense now does it? They should be held responsible for the protection and security of all affected by their software. NOT JUST OEMs.
  • When I had an HTC Android phone, I was never once presented with anything, in fine print or otherwise, asking my permission to send "usage" data to/through CarrierIQ or even telling me about it. I found out about it on XDA-Developers. Personally, I solved the problem by rooting the phone and installing CyanogenMod, but that is not a solution that everybody can or should use. As to AC's bias, well, that became clear a long time ago. It seems like the general AC policy with regard to these issues is to ignore them, soft-pedal them, or mock those who take them seriously. With this one it just happened to be a hat trick....
  • I removed CIQ the moment I rooted. I don't spend money on my phone to have some company know everything I'm doing on it. The OG article by him was dead on, I actually am very disappointed that you guys didn't place it here.