

Carrier IQ Tries to Censor Research With Baseless Legal Threat - wglb
https://www.eff.org/deeplinks/2011/11/carrieriq-censor-research-baseless-legal-threat

======
jobu
_"From leaked training documents we can see that portal operators can view and
task metrics by equipment ID, subscriber ID, and more. So instead of seeing
dropped calls in California, they now know “Joe Anyone’s” location at any
given time, what he is running on his device, keys being pressed, applications
being used."_

 _"Verizon has publicly came forward with a statement regarding their usage on
Carrier IQ statistics and give users a way to stop them from selling the
information outside of Verizon"_

Wow. No surprise that they would like to suppress that information, but they
should've known better than to be so heavy-handed with the lawyering. They
might have been able to spin it a little more positive with some decent PR,
but now it just screams that they're being evil.

~~~
nitrogen
"...keys being pressed..."

Is it possible, then, that carriers have in their databases the passwords of
every server that every system admin has connected to over ssh from their
smartphone?

~~~
gergles
Of course not! They promise really hard that they're not keylogging, despite
installing a keylogger that sends opaque encrypted data packets back.

------
rcthompson
Are there really still companies out there that don't know that such a
needlessly hostile response will attract a lot of unwanted attention? Or do
companies just do whatever their lawyers tell them to, and then their lawyers
tell them to do whatever is most likely to lead to a costly legal battle (i.e.
in the interest of the lawyer, but not necessarily in the best interest of the
company)?

Or, to put it more bluntly, what did they expect to accomplish with this C&D
letter? Did they seriously believe that he would just do whatever they said
to?

~~~
kevinalexbrown
1) The lawyer is in-house, apparently. Maybe he bills by the hour, but I'm
guessing not? 2) By providing a lengthy, specific c&d letter I'm guessing they
get more leverage in settlement. At present, the C&D hasn't really cost them
much; they can weigh the EFF response and decide whether or not to invest more
resources. What's the worst that can happen with such a C&D? Either the
defendant gets scared, or beefs up legal protection and Carrier drops the
suit.

~~~
jobu
If their lawyer never thought beyond the client/defendant in this case then
that lawyer should lose their job.

The worst that can happen as a result of this C&D is 1) The Streisand Effect
2) Major news organizations smell blood in the water and decide to ramp up
coverage 3) Lawsuits and Senate hearings

If the WSJ picks this up like they did the UDID, you can say goodbye to
Carrier and all of the data they collect.

------
kevinalexbrown
This and SOPA lead me to think at some point we might need technically-trained
judges and congresspeople.

Understanding whether Eckhart was peddling 'inaccuracies' hinges, I think, on
at least some technical proficiency. I'm not a legal expert, and even if there
were inaccuracies I don't know if that establishes the plaintiff's claim or
whatever.

As more and more legal complaints involve more and more complicated tech, how
can we expect even a brilliant legal scholar with no technical expertise to
determine facts in complicated cases?

~~~
lawnchair_larry
Yes, we need a technocracy:
<https://secure.wikimedia.org/wikipedia/en/wiki/Technocracy>

~~~
daeken
While a technocracy is a good thing in theory, I'm always concerned about the
likelihood of it turning into a serious echo chamber. If the only people
involved in, say, banking are people who have domain-specific knowledge, what
is the likelihood that you're going to get anything new out of it? It seems to
me that it'll almost always devolve into a terrible feedback loop. That said,
it isn't necessarily worse than what we have now.

------
scottshea
Getting this post to the front page of HN will help increase the Streisand
Effect for Carrier.

------
iamandrus
I just read what they wanted him to replace his research with. The nerve...

Did he actually infringe on anything or does the First Amendment apply here?

~~~
angelbob
Obviously he didn't. If he _did_ infringe, they wouldn't have sent a legal
statement saying that if he complied they would "release all claims" (as they
did). Instead, they would tell him to stop and in return he wouldn't be
continuing "willful infringement".

Saying "do these things immediately and all claims will be fully released" is
usually a sign of weakness to begin with - pretty much any company lawyer is
going to open by overplaying his hand.

This is only an overplay of a weak hand.

------
cubicle67
Is it fair to assume that because Apple doesn't let carriers modify phone
software, the iPhone is likely to be free of this? (not saying Apple can't do
something like this themselves, just that the carriers can't)

------
jrockway
They really need to start teaching "the Internet" in law school. When you try
to suppress something, a bunch of anonymous people will step in to make sure
the information is spread far and wide. If you just let something go, there
probably won't be much damage to your business.

Oh wait, lawyers are paid to send letters, not to minimize the reputation
damage to their clients. Now I know why this comes up all the time.

------
brador
Aside - I haven't visited EFF in a while, but I'm loving that design. Perfect
contrast, great legibility on the writing, just the right amount of white
space. This is how it's done.

------
earl
What their recruiters said on linkedin when they contacted me. I didn't
respond, but I read this article and thought I'd heard the name somewhere...

    
    
       [snip; about recruiter]
    
       We sell software to tier 1 mobile network operators. Our software is running 
       on over 150mm handsets in the US. Each handset collects and reports 100's of 
       metrics of device and user behavior in real time. These metrics comprise 10's 
       of gigs of data per day resulting in Petabytes of data stored to date. 
    
       With our intelligence solutions, the Mobile Operator can for the first time, 
       analyze system, device and user behavior from every enabled smart phone 
       handset/device on their network. From this insight, the MNO can meaningfully 
       improve CAP/OPEX and customer satisfaction. 
    
       We need to hire someone to lead our data analysis effort for our ground breaking
       solutions. This role would report to our VP of engineering. 
    
       [snip -- describing the company]
    

key phrase: "Our software is running on over 150mm handsets in the US. Each
handset collects and reports 100's of metrics of device and user behavior in
real time. These metrics comprise 10's of gigs of data per day resulting in
Petabytes of data stored to date."

~~~
potater
Do the carriers count these reported metrics against data caps? Overage fees
can quickly add up. I'm not sure I want my phone using my bandwidth in that
manner. Granted, the amount is relatively small compared to user-triggered
activities (viewing online video, etc), but the point remains...if I'm nearing
my bandwidth limit and am consciously trying to limit my data use, but they're
collecting and sending out as many metrics as they indicate in real time,
that's not cool.

~~~
pilif
Considering 150 million devices and their quoted "These metrics comprise 10's
of gigs of data per day", let's assume 10's of gigs to be 50GB (10's of gigs
is less than a hundred and more than 10, so let's go with the middle ground).

50GB spread over 150 million users comes out as ~333 bytes per user and day.

Of course, the transmission of that data is likely more bursty, but even if it
transmits all the data in one go, that's only 10K per month.

So your argument about the limit doesn't really fly because even if they did
charge for that data (which they probably do), considering a limit of 1GB
per month, those 10k would be 0.001% of your monthly allowance, so it's
probably not even detectable by their overcharge detection algorithm.

Now. Don't get me wrong: This kind of malware is really bad and shouldn't be
on these phones, or if it is, it should be opt-in for the purpose of remote
support.

It's just important that we hate it for the right reasons (security, privacy).

~~~
nodata
Except that number doesn't make sense. 333 bytes per user per day can't
contain the level of information they purport to offer.

~~~
jrockway
333 bytes is enough to send plenty of information, like your favorite apps and
how long you used them. Consider something like:
"com.android.browser:1.4h;1-800-HI-THERE:2.3min", which is only 47 bytes.

~~~
nodata
and keypresses too?

~~~
jrockway
Since most Android phones have no physical keys...

~~~
nodata
(why mention _physical_ keys?)

------
10101010101
Would the stories making page 1 of /., HN or reddit have something to do with
this?

Research is one thing but making the research known to a wider audience who
generally do not read research papers, maybe that's another.

So given the choice between a handset with CarrierIQ and packed with
"features" or one without all that but which works as it's supposed to, would
all informed consumers continue to choose the one with the features?

Before cell phones, pen registers and wiretaps used to require a warrant.
Would anyone need a warrant to get a positive response from a wireless carrier
if they asked for some CarrierIQ data? They'd probably get a price quote.

Will this type of technology be used only to catch criminals, or might it
someday be used to study consumer behavior? The argument it's used to improve
wireless service and therefore a justified invasion of privacy just doesn't
fly.

