Carrier IQ, a maker of software to monitor smartphone performance, has withdrawn a legal attack against Trevor Eckhart and apologized after the Electronic Frontier Foundation came to the security researcher's defense.
Eckhart published his research last week, saying that some Samsung and HTC Android phones include Carrier IQ's software, and that Verizon and Sprint use it. He documented details of what the Carrier IQ software logs, then leveled a heavy charge by calling the software a rootkit--a program that gets privileged access to a computing device but that hides its presence.
The lawyer for the Mountain View, Calif.-based company sent Eckhart a cease-and-desist letter (PDF) last week. The letter demanded he remove his article, replace it with a company-written retraction and apology, declare that Carrier IQ's software is not a rootkit, and distribute the statement in a press release. The company also demanded he "provide Carrier IQ with contact information for...all persons and entities" who got access to the training materials through Eckhart's actions.
"If you do not comply with these cease and desist demands...please be advised that Carrier IQ will pursue all available legal remedies, including seeking monetary damages, injunctive relief, and an order that you pay court costs and attorney's fees," the letter said.
A week later, after the EFF took on Eckhart's case, the company reversed course completely.
The EFF argued in its response to Carrier IQ (PDF) that Eckhart's publication is protected under the Copyright Act's fair use provision: "The fair use of a copyrighted work...for purposes such as criticism, comment, news reporting...or research, is not an infringement of copyright." And, after Carrier IQ didn't substantiate what it said were Eckhart's "false allegations," the EFF concluded that "your threats are motivated by a desire to suppress Mr. Eckhart's research conclusions, and to prevent others from verifying those conclusions."
Evidently the EFF was persuasive.
In its apology (PDF), Carrier IQ completely backed down:
As, of today, we are withdrawing our cease and desist letter to Mr. Trevor Eckhart. We have reached out to Mr. Eckhart and the Electronic Frontier Foundation (EFF) to apologize. Our action was misguided and we are deeply sorry for any concern or trouble that our letter may have caused Mr. Eckhart. We sincerely appreciate and respect EFF's work on his behalf, and share their commitment to protecting free speech in a rapidly changing technological world.
Carrier IQ also took the opportunity to try to explain what its software does and doesn't do. The software:
Does not record your keystrokes.
Does not provide tracking tools.
Does not inspect or report on the content of your communications, such as the content of emails and SMSs.
Does not provide real-time data reporting to any customer.
And Carrier IQ doesn't sell its data to third parties, the company added.
And while the ordeal may not have been pleasant for the company, it tried to close the chapter on a constructive note:
"We look forward to a healthy and robust discussion with EFF that we believe will be helpful to us, to our customers, and to consumers that use mobile devices," Carrier IQ said.