
It should be noted that there's no evidence (yet) of what is sent to other entities, only what is captured by the software on the device.

This is bad enough, though. But, let's keep our head about this and calmly demand an explanation from HTC. Why them? Because they signed the binaries with their certificate, presumably at the request of carriers, but HTC is the first in line.

And don't believe the response from CarrierIQ. Just prior to that response, they still had very informative high resolution screenshots of their "Device Analyzer" product which showed a scary level of data mining of end user devices. They were probably great eye candy for their customers (carriers), but creepy for anyone valuing their privacy.

I agree that this information is likely for improved QoS, but what can (has) it been mis-used for? Employees can't be trusted, and the government can't be trusted. An end user can't even opt out of it.

Edit: According to Google Image Search, others are mirroring some of the prior shots. Note that nothing is anonymized in the least (never mind that anonymizing data is practically a myth).

I'll try and tack the URLs below.

http://androidsecuritytest.com/wp-content/uploads/2011/11/ci...

http://www.xda-developers.com/wp-content/uploads/2011/11/met...

http://androidsecuritytest.com/wp-content/uploads/2011/11/me...

http://androidsecuritytest.com/wp-content/uploads/2011/11/tr...

http://androidsecuritytest.com/wp-content/uploads/2011/11/CI...

http://androidsecuritytest.com/wp-content/uploads/2011/11/si...

http://www.carrieriq.com/overview/IQInsightDeviceAnalyzer/De...

This one doesn't need to be big to get the gist:

http://www.carrieriq.com/overview/IQInsightServiceAnalyzer/i...



To be fair, the response from CarrierIQ implies that this is the case:

"In an interview last week, Carrier IQ VP of Marketing Andrew Coward rejected claims the software posed a privacy threat because it never captured key presses.

“Our technology is not real time,” he said at the time. "It's not constantly reporting back. It's gathering information up and is usually transmitted in small doses.”

Note that last clause there.


And why, exactly, should I believe Mr. Coward?

Besides: Reading weasel words like 'usually' in corporate statements just makes me shudder.


I'm not sure why I would care to defend him, but it seems that his claim that the data is not real time can be verified by the first image in the parent comment's list. In that shot there's a column listing the 'Upload Reason'. The reasons include "Scheduled" and "Archive full", which seems to indicate that the software reports back at set times unless the user was particularly active and the data file hit some size limit.

There's also a third upload reason in that image which has its own disturbing implications: "SMS_PullRequest_CS".


What does it matter if it's real time or not? It's still creepy, and it's still my privacy.


The fact that it has hooks to even know of the keystrokes is the real issue here. Even without recording or logging them afterwards, the fact that it has the ability means it's a possible attack vector for things like worms/etc...

Even if they never do anything with keystroke data, just the fact that they can is the dangerous part. What is to prevent some switch to start sending the keystrokes in the future? I'll be blunt, this company's implementation of its business model strikes me as being borderline wiretapping.


I don't think you read my comment correctly -- or you meant to reply to someone else.


Yep sorry wrong reply, I'll nuke my comment sorry, don't think it's adding much where it is to be honest.



