Smartphones are a minefield of potential privacy and security violations on the best of days, and careless software implementations like HTC’s recent Sense UI issue don’t help. So when XDA-Developers poster TrevE found some disturbingly direct violations of Android users’ privacy in the Carrier-IQ tracking software, he made it known to as many people as possible, with citations and evidence as needed. Now Carrier-IQ has sent him a cease and desist letter, threatening legal action if he doesn’t remove his research and allegations. The Electronic Frontier Foundation, a legal defense group for technology enthusiasts and issues, has offered him assistance.
So what is CarrierIQ? Essentially it’s a set of tools that allow wireless carriers to track performance of handsets, nailing down bugs and errors to improve both devices and their overall system. It runs on many Android phones, as well as Nokia, BlackBerry and other devices. But don’t go looking for it in your system/apps folder – Carrier-IQ’s software runs in RAM, making it extremely difficult to find or remove and leading many to label it as a rootkit. The problem comes in the kind and amount of data that Carrier-IQ collects: locations, phone numbers, call durations, which apps are running, even what you’ve typed in on your phone’s keyboard. It’s a treasure trove of information for sysadmins looking to improve their network, but it’s also – and I say this without exaggeration – a privacy nightmare. Users are almost never informed on the information that’s being collected. TrevE found a way to identify and stop Carrier-IQ reporting, and put up an exhaustive documentation of the software’s actions and abilities.
The Carrier-IQ company didn’t take kindly to that. They accused TrevE of distributing copyrighted material, essentially piracy, for exposing what was going on inside his own phone and others. It should be noted here that he’s simply showing what the software is doing, and not actually distributing it. Even so, the legal team of Carrier-IQ demands that he remove all documented information on the software, and issue a public apology. The letter threatened TrevE with a lawsuit far a “large sum” of damages if he didn’t comply within 24 hours. Needless to say, TrevE, XDA-Developers and the EFF aren’t taking this lying down. Claiming First Amendment rights and fair use, TrevE is mounting a defense, outlined in his response letter.
If I may editorialize a bit: this is a pretty clear-cut case of a corporation using legal scare tactics to try and cover up the (massive) flaws in their own product. Logging and reporting is an unfortunately necessary part of network optimization, but the data that Carrier-IQ is gathering from a large portion of cell phone users represents an incredible breach of privacy and ethics. The fact that most of it was undisclosed until now is reprehensible, and the inability of regular users to opt-out of the service is unacceptable. Major carriers need to take a sober look at their involvement with a company that would threaten financial ruin upon a community member whose only crime was informing others of the violations inherent in an established system. We at Android Community wish TrevE and the EFF the best of luck in any forthcoming legal action, and cordially invite Carrier-IQ to stuff it.