Thursday, 24 November 2011

Security advocate, EFF go toe to toe with data collection company CarrierIQ

CarrierIQ

The push and pull between security (and privacy) advocates and a company that supplies several Android manufacturers with application metrics has reached a new level -- and lawyers are now involved. This stems from the CarrierIQ "app" that resides in a number of HTC Android smartphones that gained notoriety in early October when a flaw was discovered in the way it was collecting data. Depending on who you ask, CarrierIQ (recently named a "Company under $100 million to watch") either is a tool that provides OEMs a look at what you're using your device for under the auspices of giving you a better user experience in the long term, or it's an evil agent spying on your every move.

On Nov. 14, Trevor Eckhart -- aka TrevE -- sent us (and presumably other sites) a link to a post he'd written explaining in great technical detail what CarrierIQ does, how it does it, and why he believes it's a bad thing. (We declined to report on Eckhart's post.) Included in the post and mirrored off site are training documents Eckhart copied from the CarrierIQ website, and Eckhart explained how he believed he evaded no security in copying the documents.

CarrierIQ, however, believes Eckhart violated copyright laws by doing so, and has sent a strongly worded cease-and-desist letter demanding cease any infringement or face thousands of dollars in fines, as well as retracting "allegations on your website ... that are without substance, untrue, and that we regard as damaging to our reputation and the reputation of our customers." CarrierIQ also demands that Eckhart contact anyone directly or indirectly sent copies of the training material, send written retractions, issue a press release on the AP (Associated Press) wire admitting "inaccuracies" and to "apologize to Carrier IQ, Inc. for misrepresenting the capabilities of their products and for distributing copyrighted content without permission."

Eckhart has retained the help of the Electronic Frontier Foundation, which responded to CarrierIQ's general counsel that Eckhart's copying and republishing of the training materials falls under fair use, and that CarrierIQ must specify the statements it believes are false. (CarrierIQ was most certainly purposely vague in its initial C&D letter. That's how it works.)

This isn't about fears over data collection anymore, folks. Now that lawyers are involved, it's about whether laws were broken. The short version is CarrierIQ thinks Eckhart copied and used the training materials illegally (remember that just because something's not behind a locked door doesn't necessarily give you permission to distribute it), and the EFF is arguing that CarrierIQ is using strong-arm tactics and threats of thousands of dollars in fines to silence Eckhart and force retractions. (If you're really into the legal stuff, it's also interesting that the EFF claims CarrierIQ is a public figure and that New York Times Co. v. Sullivan and Hustler Magainze v. Falwell apply here.)

It also should be noted that on Nov. 16, CarrierIQ posted a "media alert" titled "Measuring Mobile User Experience Does Matter!" that seeks "to clarify some recent press on how our product is used and the information that is gathered from smartphones and mobile devices." Eckhart's piece isn't explictly mentioned, but it's pretty clear what it's in response to.

The debate over CarrierIQ will continue as well (and as it well should). But it is worth mentioning that there we all gloss over a bunch of legalese every time we boot a smartphone for the first time that should (in small type) tell you your phone is collecting data about what it's doing. And it also needs reminding that when a potential security hole was found in the way CarrierIQ was collecting data, a fix was pushed out pretty quickly (for some phones, at least). And it's also worth mentioning that CarrierIQ's not acting unilaterally here. The manufacturer -- not you -- is CarrierIQ's customer. We'll all have to watch how this one plays out.

Additional links: "What is CarrierIQ?" | "Measuring Mobile User Experience Does Matter!" (pdf) | EFF post | EFF response (pdf) cease and desist letter (pdf)

Thanks to everyone who sent this in.



EARTHLINK DST SYSTEMS DISCOVER FINANCIAL SERVICES DIODES INORATED DIEBOLD

No comments:

Post a Comment