CarrierIQ Fails At The Internet: Threatens Security Researcher With Copyright Infringement Claim Over His Research [Update]

from the dear-barbra-streisand dept

Wed, Nov 23rd 2011 6:39am — Mike Masnick

Last week, we wrote about some research by security researcher Trevor Eckhart, detailing how software from CarrierIQ had all the qualities of a rootkit, was installed on a ton of phones from Verizon Wireless and Sprint, and could potentially reveal all sorts of info about what you do on your phone. Much of Eckhart's report came from a training manual explaining the features of CarrierIQ's system, which he found left free and open on CarrierIQ's website. These kinds of stories show up every so often, and the usual thing is for the company either to admit it wasn't careful enough on security or to deny the specific allegations... and everyone moves on. But CarrierIQ apparently doesn't get how the internet works, has never heard of the Streisand Effect, and decided to not just deny the allegations in the report (we got one of those notices), but to threaten Eckhart with copyright infringement for his posting of their training manual.

Oops. Cue Streisand Effect.

Eckhart, via the EFF, has rejected CarrierIQ's requests... and has called a lot more press attention to the original reports (which had died down pretty quickly). CarrierIQ didn't do itself any favors either, by having its marketing manager talk to Wired and stubbornly defend the copyright infringement claim by saying:

�Whatever content we distribute we want to be in control of that,� he said. �I think obviously, any company wants to be responsible for the information that gets distributed.�

What "any company wants" and what is the law are often two different things. It might have helped for CarrierIQ employees to familiarize themselves with the law first. Of course, the EFF's letter attempts a quick crash course in the subject:

With respect to your allegations of copyright infringement, Mr. Eckhart�s analysis and publication of Carrier IQ�s training materials is a classic fair use and, therefore, non-infringing. 17 U.S.C. § 107 (�the fair use of a copyrighted work . . . for purposes such as criticism, comment, news reporting . . . or research, is not an infringement of copyright.�). Courts generally consider four factors in a fair use analysis: 1) the purpose and character of the use, 2) the nature of the copyrighted work, 3) the amount and substantiality of the portion used, and 4) the effect of the use on the potential market for the work. Id.; Campbell v. Acuff-Rose Music, 510 U.S. 569, 577 (1994). Each of these factors favors Mr. Eckhart.

CarrierIQ is also claiming false allegations (i.e., defamation) over Eckhart's claims of its software being a rootkit. But, once again, the EFF and Eckhart are explaining the details of the law. Just because you don't like someone's opinion of what you do, or you don't like someone describing factually what you do, doesn't mean you get to accuse them of defamation:

You also claim that Mr. Eckhart published �false allegations� that are �without substance,� �untrue,� and that Carrier IQ considers �damaging to [its] reputation and the reputation of [its] customers.� We have repeatedly asked you to specify the statements you believe are actionable. You have failed to do so, and have instead merely repeated your broad accusations. We believe you are not able to substantiate your allegations because Mr. Eckhart�s factual findings are true. If you are able to specify any statement that you believe is false, Mr. Eckhart will be happy to provide you with the documentation of that finding.

Moreover, your client is a public figure. Under well-established Supreme Court precedent, commentary and criticism regarding Carrier IQ�s professional activities receive additional protections under the First Amendment, because there is a heightened public interest in facilitating such speech. See, e.g., New York Times Co. v. Sullivan, 376 U.S. 254, 270 (1964); Hustler Magazine v. Falwell, 485 U.S. 46 (1988).

And, of course, now we get another round of people paying attention to the allegations regarding CarrierIQ.

Update: And... commence groveling. Just received the following:

As, of today, we are withdrawing our cease and desist letter to Mr. Trevor Eckhart. We have reached out to Mr. Eckhart and the Electronic Frontier Foundation (EFF) to apologize. Our action was misguided and we are deeply sorry for any concern or trouble that our letter may have caused Mr. Eckhart. We sincerely appreciate and respect EFF�s work on his behalf, and share their commitment to protecting free speech in a rapidly changing technological world.

The company also reiterates that its software doesn't track a bunch of stuff and that it's really designed to make networks and phones perform better...

Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.

Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.

While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.

–The Techdirt Team

Filed Under: research, rootkit, streisand effect, trevor eckhart
Companies: carrieriq

17 Comments

If you liked this post, you may also be interested in...

Reader Comments

Subscribe: RSS

View by: Time | Thread

Anonymous Coward, 23 Nov 2011 @ 6:44am

Is it a Root Kit?
The most relevant questions are still:

--Is this really a "root kit"

--How do you detect/remove it from cell phones

--Will the phone manufacturers, carriers, CarrierIQ, or perhaps all three retain any liability? Will they be served with class action suits?
[ link to this | view in chronology ]
- blaktron (profile), 23 Nov 2011 @ 7:01am
  
  Re: Is it a Root Kit?
  Yes, its a rootkit. Unless you know a LOT about Android, have rooted your phone, or have installed a custom ROM with this crap ripped out by someone that knows a lot about Android its impossible to remove.
  
  This thing is as bad as Sony's attack on freedom last decade with its rootkit.
  [ link to this | view in chronology ]
- Anonymous Coward, 23 Nov 2011 @ 7:28am
  
  Re: Is it a Root Kit?
  "Is it a Root Kit?"
  
  I don't know if it qualifies as a "rootkit", but I know that:
  
  - It is well hidden in the bowls of the operating system
  - It is hard to detect and remove
  - It has the capability of gathering usage data and sending it back home without the user's consent
  - It has access to your contacts, your browser history, your calls, etc., etc., etc.
  - People don't want it
  
  So, it might not be a "rootkit", but it certainly qualifies as spyware (or maybe even malware).
  [ link to this | view in chronology ]
- :Lobo Santo (profile), 23 Nov 2011 @ 7:38am
  
  Re: Is it a Root Kit?
  One person at XDA who's been researched CIQ devised a proof-of-concept exploit, which with minimal permissions can pull tons of information from your phone thru CIQ.
  
  It can be removed but doing so requires a degree of proficiency which most users do not possess.
  
  Haven't not spent much time researching this, I cannot answers simply if it is a rootkit--however, it IS the mother-of-all spyware, recording every little detail about your phone use and reporting it to anybody who knows the right "mother may I" questions to ask.
  
  And it's in your phone by default--your carrier/manufacturer put it there.
  [ link to this | view in chronology ]
  - TEA-Time, 23 Nov 2011 @ 2:40pm
    
    Re: Re: Is it a Root Kit?
    Thanks for the links!
    
    Talk about childish... "We've been caught, so we're taking our toys (documentation) and going home!!"
    [ link to this | view in chronology ]
- Oblate (profile), 23 Nov 2011 @ 7:55am
  
  Re: Is it a Root Kit?
  Does this program upload data to the cell phone company? Using bandwidth that subscribers paid for, and in a way that subscribers can not prevent? I think there's been a lawsuit over a similar situation previously.
  [ link to this | view in chronology ]
- Trails (profile), 23 Nov 2011 @ 7:59am
  
  Re: Is it a Root Kit?
  Yes it really is a rootkit. Rootkit = software that allows elevated access to a (often remote) user/process while appearing not to exist to system owner.
  [ link to this | view in chronology ]
sadf, 23 Nov 2011 @ 7:56am

sdf
Pretty much every custom android rom thats tied to a phone this is installed, thats one of the first things to go.This isnt exactly new news (the discovery of carrierIQ on phones) but its good that the research into its innerworkings are getting more publicity.

I'd be curious to see if there is anything being done maliciously by the carriers who are requesting this to be on the phones.

Dont you have to sign some type of agreement for that type of data to be harvested by a program running on the phone?

Im pretty sure any PC manufacturer would be burned at the stake if they tried this on a windows box.
[ link to this | view in chronology ]
- Trails (profile), 23 Nov 2011 @ 8:02am
  
  Re: sdf
  Verizon's statement on how they use this data:
  https://email.vzwshop.com/servlet/website/ResponseForm?OSPECC_9_0_9hg_eLnHs_uhmpJLE
  
  This includes selling the data to third parties.
  [ link to this | view in chronology ]
The Logician (profile), 23 Nov 2011 @ 7:56am

Do we have a list of exactly which phone models this software exists in? I believe that would be helpful for us to know.
[ link to this | view in chronology ]
- ltlw0lf (profile), 23 Nov 2011 @ 11:30am
  
  Re:
  Do we have a list of exactly which phone models this software exists in? I believe that would be helpful for us to know.
  
  I have AT&T. Looking at my backups for my Samsung Captivate from AT&T, CarrierIQ is listed as an application installed on their stock image. Not sure whether they were using it, but its there. Now that I am using CTMod, CarrierIQ is not installed (though when I originally installed CTMod, I tried to load CarrierIQ back on the phone as I had no idea what it was, but it said my phones OS was incompatible (as did quite a bit of the other stock applications.)
  
  I also checked my blackberry app backups and it was on one of the two Blackberries I owned before I bought my Captivate.
  
  However, I am not sure if AT&T was actually using it, or if they just bought it from the vendor that way. AT&T called me after I loaded the updated code for blackberry from the RIM website and asked me if my phone was working properly because they weren't getting updates...not sure if this is related. They never called me when I rooted my Samsung, but I figure they already knew I "was one of those guys" based on my discussion with them after updating my blackberry.
  [ link to this | view in chronology ]
Anonymous Coward, 23 Nov 2011 @ 8:17am

Does Vodaphone UK use it?
I have a HTC Desire.
[ link to this | view in chronology ]
Dan J. (profile), 23 Nov 2011 @ 9:15am

Really?
�Whatever content we distribute we want to be in control of that,� he said. �I think obviously, any company wants to be responsible for the information that gets distributed.�

Whatever content my Adroid devices distribute I want to be in control of that. I think obviously, any individual wants to be responsible for the information that gets distributed.

I'll make a deal with you. You give me back my phone and I'll give you back your manuals.
[ link to this | view in chronology ]
jason @ voip, 23 Nov 2011 @ 6:17pm

Whoops!
CarrierIQ: give it up. Hold your hands up. You boobed! Admit it!
[ link to this | view in chronology ]
davnel (profile), 24 Nov 2011 @ 9:46am

Hoo Boy!
Now I'm worried. From what I've read so far about CarrierIQ, and how it's spyware works, the Feds will, or likely do, LOVE it. The locals may have a little more problem getting access, but Uncle sure won't. Looks like 1984 is really here. Good thing I'm using a dumb phone. Now I definitely wouldn't have a Not-So-Smart phone. Also, you gotta ask, Who has access to the "Mother May I" codes? The more I think about it, the more certain I am this is a cracker's dream come true.
[ link to this | view in chronology ]
davnel (profile), 24 Nov 2011 @ 9:50am

Data Access Charges
And another thing: who's paying for the bandwidth for this wonderful program to call home?
[ link to this | view in chronology ]
Some Other AC (profile), 28 Nov 2011 @ 6:59am

Definitely possible to remove/get rid of
The CIQ software is removed from most custom ROMs for Android devices, AFIK. I have a Samsung Fascinate running CyanogenMod 7.1 and know it is not in there.
I know there are a lot of people who just want to buy a smart device and have it work, but if you value your privacy, you can remove unwanted bloatware/spyware from your devices with relative ease. There are numerous sites, blogs, forums with instructions for rooting, hacking and reloading your Android device. This does include a solid majority of current and legacy units. Even devices that have a "locked" boot loader(Motorola comes to mind) have been cracked for loading custom ROMs.
Best part, most include instructions and Binaries to reset the unit back to OEM stock with all crap reinstalled.
[ link to this | view in chronology ]