In our interview with Carrier IQ, the company was a little cagey about how it stores and protects data on phones before uploading that information to the carriers. That's somewhat understandable for two reasons: CIQ didn't want to "dare" anybody to reverse engineer its system and get access to the data and because apparently at least one piece of that data — the instructions for collecting it — isn't very strongly encrypted. The Electronic Frontier Foundation has begun the project of reverse engineering the CIQ "Profiles," which vary from device to device and carrier to carrier, but on each are the set of instructions that tell the phone what data to collect, when, and how to store it. The profiles do not contain the specific tracking data from each device, just the instructions for collecting it.
EFF volunteer Jered Wierzbicki wrote a program to parse the CIQ profile called, appropriately enough, IQIQ. It reveals that the CIQ profile is stored in a mixture of binary and plain-text data that doesn't need to be decrypted in order to convert it into a standard, human-readable XML file. The EFF has posted an example of a default T-Mobile profile on its site and is looking for volunteers to send in the profiles from any phone with a CIQ profile.
We already have a fairly clear picture from a high-level of what each carrier is tracking with Carrier IQ thanks to their responses to Senator Al Franken, but this EFF project should bring out the nitty gritty technical details. If analyzing XML files parsed by a Forth program isn't your thing, you can still learn more about the current situation by checking out our interview with Franken here.