The video paints a pretty creepy picture about what kind of data this software is able to pick up and I warn you, you may feel a little ill watching it. Eckhart uses a factory-reset, non-rooted HTC Evo (as he says, not to single out HTC but it was just what he had on hand) to show not only how the software is hidden and unable to be shut down, but how it appears to also have a built-in keylogger. Each key press looks like it has its own code, so anyone taking a look can see what letters and numbers are being entered.
The killer is that this also covers passwords, browser entries, and even HTTPS browser entries, which are supposed to be encrypted. HTTPS browsing is designed to encrypt data so that anyone trying to intercept it would be thwarted. Oh right, text message and SMS content counts too. Data from messages gets sent off to Carrier IQ’s servers without anyone being the wiser. Eckhart classifies this as a rootkit, which is a label I wholeheartedly agree with. It gets into your system, acts with administrator privileges, and you can’t get rid of the software unless you void the warranty and do the rooting yourself. But it gets even worse. Even as Eckhart was running in airplane mode (cellular radio off) and on Wi-Fi only, the app still logged everything that was going on while “disconnected” from the Sprint network. It’s the sort of thing that makes me wonder if all the conspiracy theorists are right and that I should be equipped with a tinfoil hat.
So where do we go from here? No users were ever explicitly told that data would be collected down to the keystroke and screen tap – if that had been the case, no one would have a smartphone right now. And that leads into what may be the inevitable fallout. Paul Ohm, a former prosecutor for the Department of Justice and current professor at the University of Colorado, weighs in with his professional opinion. “If CarrierIQ has gotten the handset manufacturers to install secret software that records keystrokes intended for text messaging and the Internet and are sending some of that information back somewhere, this is very likely a federal wiretap,” he says. “And that gives the people wiretapped the right to sue and provides for significant monetary damages.”
Without a law degree, I came up with pretty much the same thing. There wasn’t even an attempt at corporate transparency to the consumer here. A “no, it’s cool guys we’re not doing anything wrong” issued only after they were caught just isn’t enough. From what I’ve determined this seems to not affect all Android devices, but I can confirm that Carrier IQ has dealings with both Sprint (from the video) and T-Mobile (via a T-Force poster on their support forums). I personally have not found any such software on my Verizon Wireless Droid X, so can only speak to that from personal experience.