If you don't know who Trevor Eckhart is, you might remember a little piece we published earlier this year about a massive HTC data vulnerability caused by the company's data-logging operations. Trevor was the guy who found that vulnerability and did almost all of the legwork in investigating it. Since then, Trevor has been hard at work looking at more mobile data logging applications used by various manufacturers, including one written by a company called Carrier IQ.

CIQ, as it's more commonly known, harvests various user data from its host device and sends it back to carriers or manufacturers for analysis and record-keeping purposes. Users of CIQ include HTC, Samsung, Verizon, and Sprint (possibly more - and this does include Android devices). If you want to know exactly what it logs and how it works, you should check out Trevor's website - there's a ton of information available. The summarized version is this: CIQ collects a lot of information about how you use your phone.

CIQ doesn't want the public to know exactly what kind of information this is, or how its system functions. Trevor, ever the apt investigator, found a few training manuals publicly available on CIQ's website that describe in detail the inner workings of the CIQ software. He downloaded these materials and shared them with the community. At this point, CIQ became aware of the sensitive information that it had unwittingly (and, frankly, rather stupidly) exposed, and pulled all the training documentation from its website.

Trevor didn't stop sharing this information. CIQ didn't like this, and sent Trevor a cease and desist letter asking him to remove the offending materials or face legal action for copyright infringement and (impliedly) defamation. Trevor contacted the EFF (Electronic Frontier Foundation) for assistance, and the EFF has taken up his defense. Their response? Carrier IQ is doing nothing more than legal posturing in an attempt to scare Trevor into silence. While I'm not a lawyer, I do study law, and I completely agree - CIQ is way off base here.

Trevor's statements about CIQ's documentation, and his release of it, are clearly protected under the Fair Use doctrine of the Copyright Act, quoted below:

"... the fair use of a copyrighted work, including such use by reproduction in copies or phonorecords or by any other means specified by that section, for purposes such as criticism, comment, news reporting, teaching (including multiple copies for classroom use), scholarship, or research, is not an infringement of copyright." 17 U.S.C. §107

Trevor's use is obviously for the purpose of criticism, news reporting, and research. There's no case there. As for the defamatory claims, I'd agree with EFF's response to CIQ that any statements criticizing CIQ's product are protected under the First Amendment and the public figure doctrine as espoused in New York Times v. Sullivan and Hustler Magazine v. Falwell. This doctrine protects even untrue speech, meaning even if Trevor is wrong, he's not liable for damages so long as he believed the statements were true. We're pretty sure they're true anyways.

Moral of the story? It's probably not a good idea to put sensitive documentation online, and it's a worse idea to make legally unsupportable threats against your critics.

EFF