Carrier IQ's data collection software is looking shadier than ever. Trevor Eckhart, the security researcher who accused the company's software of monitoring vast swathes of users' personal data and phoning home to the likes of Verizon, Sprint, Samsung, HTC, Nokia, and more, has posted alleged video evidence of his claims on YouTube. Originally, Carrier IQ sent Eckhart a cease-and-desist letter, then withdrew it and apologized for the threat, all the while representing that the service it provides cell phone manufacturers and carriers did not "record your keystrokes" or "inspect or report on the content of your communications, such as the content of emails and SMSs."
Now, we have a video of an HTC Evo 3D that seems to suggest otherwise, allegedly reading incoming SMS messages even before the phone displays them to you, querying supposedly encrypted HTTPS strings, and logging keypresses, all using an application that the user cannot opt out of, stop, or remove. Mind you, there's nothing here to suggest that Carrier IQ actually transmits this data back to a carrier, only that it's reading out loud, and perhaps the OEMs that install the service can be trusted to only transmit the minimum amount and shield against malicious software. Still, you could say the same about Sony BMG's CD DRM rootkit in 2005, and look how that turned out. We'd love to hear from manufacturers, carrier partners and OS vendors like Google about the potential privacy and security issues here, and what steps are being taken to safeguard our data and reduce software bloat.