There are very important issues to consider in the ongoing controversy centered on Carrier IQ, a company that makes software to track mobile device usage.
The situation is effectively laid out at OS News. Carrier IQ provides a bit of code called a rootkit that operates independently of the device's operating system, meaning that it can work with Apple iOS, Google Android and others. It is capable of doing some pretty nefarious-sounding things, such as recording keystrokes and other vital information and sending the collected data to outside servers without the knowledge of the user.
Carrier IQ denies that it does such things. Last month, however, a researcher by the name of Trevor Eckhart posted content and recorded video in which he describes what he believes Carrier IQ does. A video by Eckhart - which is labeled "Carrier IQ Part #2" - is available at YouTube.
The company didn't particularly like the accusations, and spoke through its lawyers. A PDF of the letter is here. The one discontinuity is that the cease and desist letter is dated Nov. 16, but the video was posted on Nov. 28. Any earlier video apparently was either taken down or posted under another name.
In any case, the letter accuses Eckhart of illegally using Carrier IQ's training materials and instructs him to take down the video, release a statement written by the company and take a number of other punitive-sounding steps. Those steps are at best a demand that Eckhart acknowledge that he was completely wrong - technically and legally - and at worst an insistence that he humiliate himself.
As of today, we are withdrawing our cease and desist letter to Mr. Trevor Eckhart. We have reached out to Mr. Eckhart and the Electronic Frontier Foundation (EFF) to apologize. Our action was misguided and we are deeply sorry for any concern or trouble that our letter may have caused Mr. Eckhart. We sincerely appreciate and respect EFF's work on his behalf, and share their commitment to protecting free speech in a rapidly changing technological world.
This might not be the end of the story. Forbes quotes University of Colorado law professor and former Justice Department investigator Paul Ohm to the effect that Carrier IQ and the carriers with which it works may be breaking the law even if the most innocent interpretation of what it apparently is doing is assumed:
But even if the data were somehow aggregated and anonymized before being communicated to a remote server, Ohm argues, Carrier IQ and possibly even Sprint and other carriers shown to have used the company's services should still expect a costly class action lawsuit. "Even if they were collecting only anonymized usage metrics, it doesn't mean they didn't break the law," says Ohm. "Then it becomes a hard, open question. And hard open questions take hundreds of thousands of dollars to make go away."
Those legal threats almost certainly led to Carrier IQ's sudden conciliatory attitude. But the basic questions won't go away: Precisely what were Carrier IQ and its clients doing? Are they still doing it? If so, are safeguards in place to ensure that unknown third parties can't get access to that data? Have they already?
Once those and similar related issues are waded through and the legal questions laid out by Ohm are addressed, the industry must deal with a simpler question: What should carriers and their partners be required to tell people using their handsets and network?