Android Researcher Hit With C&D After Dissecting Monitoring Software

Android security researcher Trevor Eckhart has recently found himself in some hot water after performing a deep dive into mobile tracking software from a company called Carrier IQ. He managed to figure out how Carrier IQ’s software worked and what it could monitor, but in doing so he has earned the company’s ire.

Carrier IQ has sent Eckhart a cease-and-desist letter [PDF], claiming that he committed copyright infringement by reproducing some of the company’s training materials in his post and that he made “false allegations” about the nature of their software.

If you haven’t heard of Carrier IQ before, here’s a brief intro: Carrier IQ pitches themselves as the “leading provider of mobile service intelligence solutions,” and provides their services to a number of players in the mobile space. The company’s main U.S. carrier partner is Sprint, and Eckhart claims that their tracking software appears on Android devices from HTC and Samsung among others.

According to Eckhart’s research, Carrier IQ is capable of monitoring everything from where the phone is to what apps are installed, and even which keys are being pressed. Carrier IQ says that the information is collected to give carriers insight into how the mobile use experience can be improved. It sounds like a noble enough goal, except Eckhart found that the software could run without the user’s knowledge or consent, as was the case with the HTC phones he tested.

Carrier IQ maintains that the data they collect is being handled responsibly, and Sprint goes on to say that they only collect information that helps them to understand their customers’ use experience.

“We do not and cannot look at the contents of messages, photos, videos, etc., using this tool,” a Sprint spokesman told CNET.

In addition to demanding that Eckhart take down the training materials (which were freely available on Carrier IQ’s website), Carrier IQ also wants him to publicly retract his findings and apologize to them. If Eckhart doesn’t comply with their demands, Carrier IQ is ready to take the matter to court. That is, of course, if they have any legal standing.

Eckhart reached out to the Electronic Frontier Foundation for legal representation, and they clearly didn’t think much of Carrier IQ’s chances should things progress to that stage. Here’s a brief snippet from the EFF’s response to Carrier IQ’s allegations:

“We have now had a chance to review your allegations against our client, and have concluded that they are entirely baseless. Mr. Eckhart used and made available these materials in order to educate consumers and security researchers about the functionality of your software, which he believes raises substantial privacy concerns. Mr. Eckhart’s legitimate and truthful research is sheltered by both the fair use doctrine and the First Amendment.”

The proverbial ball is in Carrier IQ’s court at this point — it’s tough to say what their next step is going to be, but I have a feeling we won’t have to wait too long to find out.