Carrier IQ 'rootkit' maker legal threat to Android dev

Carrier IQ, the maker of a piece of tracking software that logs all user activity on smartphones and tablets by HTC, Samsung and others, has provoked a legal storm by issuing a legal threat to the security researcher who uncovered the software.

On his website, Trevor Eckhart described the little-known software, which is installed on millions of Android, BlackBerry and Nokia handsets, as a "rootkit" - low-level software designed to intercept and analyse activity in a comparable way to malware such as key-loggers.

Eckhart, a member of the XDA Developer community, was last week sent a cease-and-desist letter (PDF) by Carrier IQ's lawyers, claiming that he was infringing copyright by reposting the company's training manuals for the software on his website. The letter demanded he issue a press release with a full retraction, and threatened him with a fine of up to $150,000.

Instead of complying, Eckhart has sought legal advice from campaign group the Electronic Frontier Foundation (EFF), which says it believes Carrier IQ's threat is "motivated by a desire to suppress Mr. Eckhart's research conclusions, and to prevent others from verifying those conclusions."

In a statement (PDF) defending its software, Carrier IQ sought to allay public fears that it was collecting data about user behaviour, saying: "While we look at many aspects of a device's performance, we are counting and summarizing performance, not recording keystrokes or providing tracking tools. The metrics and tools we derive are not designed to deliver such information, nor do we have any intention of developing such tools."

Carrier IQ gave Eckhart until 18th November to comply with its demands, but has so far taken no further action.

If the current war of words turns into a legal clash, though, it could backfire massively on the software vendor as the spotlight is turned on its kernel-level tracking software. Doubtless smartphone users would be very interested to know exactly what information the program supplies about their activities to device manufacturers and network providers.