21 Nov

If you don't know who Trevor Eckhart is, you might remember a little piece we published earlier this year about a massive HTC data vulnerability caused by the company's data-logging operations. Trevor was the guy who found that vulnerability and did almost all of the legwork in investigating it. Since then, Trevor has been hard at work looking at more mobile data logging applications used by various manufacturers, including one written by a company called Carrier IQ.

CIQ, as it's more commonly known, harvests various user data from its host device and sends it back to carriers or manufacturers for analysis and record-keeping purposes. Users of CIQ include HTC, Samsung, Verizon, and Sprint (possibly more - and this does include Android devices). If you want to know exactly what it logs and how it works, you should check out Trevor's website - there's a ton of information available. The summarized version is this: CIQ collects a lot of information about how you use your phone.

CIQ doesn't want the public to know exactly what kind of information this is, or how their system functions. Trevor, ever the apt investigator, found a few training manuals available publicly on CIQ's website describing in detail the inner workings of the CIQ software. He downloaded these materials, and shared them with the community. At this point, CIQ became aware of the sensitive information that they had unwittingly (and, frankly, rather stupidly) exposed, and pulled all the training documentation from their website.

Trevor didn't stop sharing this information. CIQ didn't like this, and sent Trevor a cease and desist letter asking him to remove the offending materials or face legal action under copyright infringement and (impliedly) defamation. Trevor contacted the EFF (Electronic Frontier Foundation) for assistance, and the EFF has taken up his defense. Their response? Carrier IQ is doing nothing more than legal posturing in an attempt to scare Trevor into silence. While I'm not a lawyer, I do study law, and I completely agree - CIQ is way off base here.

Trevor's statements about CIQ's documentation, and his release of it, are clearly protected under the Fair Use doctrine of the Copyright Act, quoted below:

"... the fair use of a copyrighted work, including such use by reproduction in copies or phonorecords or by any other means specified by that section, for purposes such as criticism, comment, news reporting, teaching (including multiple copies for classroom use), scholarship, or research, is not an infringement of copyright."

17 U.S.C. §107

Trevor's use is obviously for the purpose of criticism, news reporting, and research. There's no case there. As for the defamatory claims, I'd agree with EFF's response to CIQ that any statements criticizing CIQ's product are protected under the First Amendment and the public figure doctrine as espoused in New York Times v. Sullivan and Hustler Magazine v. Falwell. This doctrine protects even untrue speech, meaning even if Trevor is wrong, he's not liable for damages so long as he believed the statements were true. We're pretty sure they're true anyway.

Moral of the story? It's probably not a good idea to put sensitive documentation online, and it's a worse idea to make legally unsupportable threats against your critics.

EFF

David Ruddock

  • http://www.AndroidPolice.com Artem Russakovskii

    Glad Trev has been working closely with EFF on the CIQ issue, and there's someone out there to defend lone developers.

  • Sam

    Trevor, you're our hero. And CIQ, your defense that you aren't documenting emails and text messages is a lie. Even worse, if I go to an https:// banking site, (since you are logging keypresses) you are logging my username and password and sending it to your servers. That's illegal. Furthermore, how many of your/Sprint/VZW employees have access to that data? Where did I agree to that? Did you publish a privacy policy?

  • nastybutler77

    Way to call even more attention to the fact you're a sleazy and probably illegal operation, CIQ.

  • IRISHGREEN-INFECTEDGOON

    They better back off my boy Trev, don't they know he's a BEAST!!! GOONING FOR THE COMMUNITY!!! THANKS TREVOR!!

  • http://www.twitter.com/ScottColbert Scott

    While I applaud Trevor and his actions, I do have to take you to task for your misleading interpretation of the fair use doctrine.

    Fair use doctrine pertains to excerpts from a given work. For example, if I were to write a blog post about this article, I could certainly use a quote in my own piece, but I could not use the entire article.

    I can quote an excerpt from the latest Stephen King doorstop novel, but I couldn't put the whole thing up.

    The murky area is to what length I can quote the article, or novel.

    It's my understanding Trevor released the work in its entirety and that could be the only thing that might possibly bite him in the butt.

    • David Ruddock

      That's a consideration, yes. But this kind of document only has thin copyright protection. It's not a work of art or some kind of design, it's mere work product.

      All he'd have to do is just copy the raw text, at which point he's just using the factual information contained in the work, which he relies upon for his criticism/news/research. Unless there's some kind of information in these documents that constitutes art or design, there's no protection beyond the actual replication of the exact pages in the format published. You cannot copyright ideas, concepts, processes, principles, procedures, methods, or discoveries.

      There's a huge public interest in making this sort of information available as well, especially in regard to a public figure, which CIQ is. Fair use is pretty obvious here.

  • blackroseMD1

    I think the most ridiculous part of the C&D that they sent to Trev was telling him to put a retraction on his website...and then putting that retraction, that they had written, into the C&D letter for him to copy and paste.

    Trev, if you read this...thanks.

  • L boogie

    So there's this company collecting various sensitive data for carriers & manufacturers, someone got wise to their operations using their own manuscript against them and the company wants to cry foul..... That works well for graduates of the Wile E. Coyote school of business but infinite thanks to Trevor for his hard work.

  • Ray

    I'm taking into consideration in the purchase of my next phone, things I never have before. Further, I am strongly reconsidering my choice of carrier based on their affiliates. Largely due to Trevor's work and discoveries. This only makes me absolutely certain that there is truth to his statements. CIQ clearly fears the effects of the dissemination of their practices for a reason. Thanks Trevor.

  • Mike

    CIQ might have more of a case for a cease and desist if they were private, not properly leaked documents containing company/trade secrets how their software worked... But since they were available publicly for anyone to download... they don't even have that leg to stand on.

    Rock on Trevor!

  • Ray

    Thanks for what you do, Trevor. I only run ROMs with CIQ removed, thanks to you.

  • LJ

    Just so everyone knows, Trev has been working on an app to remove these offenders which you should check out here...
    http://forum.xda-developers.com/showpost.php?p=17612559&postcount=110

    And to support Trev you should purchase pro version for $1 from the market...
    https://market.android.com/details?id=com.treve.loggingkey

    Keep up the good work Trev, we all appreciate it!

  • faceface

    Thank you Trev! It's you and all the other great devs out there that make the Android community such an awesome place to be! Who needs a walled garden?!

  • Deltaechoe

    And this is why I love the Android community.

  • Arun

    CIQ has been around for some time now, and it's about time that it's starting to be seen as what it really is (thanks to Trevor). Companies that use software to invade your privacy to that extent, without your knowledge, and claim it's for research are clearly in the wrong. I really hope there are some serious actions taken against CIQ.

  • Esteban

    Carrier IQ just shot themselves in the foot. Their letter to Trevor put the spotlight on Carrier IQ. Now the WEB is FULL of stories about Carrier IQ's spying. Thanks Carrier IQ for warning people about Carrier IQ.

  • MicroNix

    Thanks Trevor for exposing the slime that is secretly infiltrating our lives. CIQ was a fool for pushing the issue because it has national attention now. Hats off to your discovery!

  • counsel

    I'd like to work with the EFF on this... Need a licensed attorney in NC to gather data, etc? Contact me :)

  • sanchanim

    I think the product would stand up to any kind of scrutiny. From my understanding the software helps carriers fix problems proactively and it does not do what Eckhart said it did. He has a right to free speech but it looks like he works for a rival company. Makes you wonder!!!
