
The research is by Dan Rosenberg, an independent security researcher who voiced his opinion on Carrier IQ previously, saying he felt that all the brouhaha over the software was (mostly) much ado about nothing. In his new post, he went into great detail about his findings.
Earlier, Carrier IQ had Rebecca Bace of Infidel Inc., "a respected security expert," look at their product, but for us, it's a lot better if the researcher involved is totally independent.
[This is why we find it laughable when someone who is hired by an oil company discounts global warming, or when research conducted by the mobile phone industry discounts any harm via cellular radiation.]
Rosenberg's key conclusion, and one that should calm folks down, is that "based on my knowledge of the software, claims that keystrokes, SMS bodies, e-mail bodies, and other data of this nature are being collected are erroneous." He said Carrier IQ doesn't have the capability to do so, even if OEMs or carriers wanted it to.
- Carrier IQ can record dialer keystrokes to determine the destination of a call, but it can't record any other keystrokes on a phone.
- Carrier IQ can record GPS data.
- Carrier IQ can record web addresses, or URLs, visited from the phone (including HTTPS URLs), but no content from the sites visited.
It seems that Carrier IQ is telling the truth about the logging being used for network improvement. Rosenberg said, "Taking this information into account, all of the data that is potentially being collected supports CarrierIQ’s claims that its data is used for diagnosing and fixing network, application, and hardware failures. Every metric in the above table has potential benefits for improving the user experience on a cell phone network."
He added the following warning: "I want to make it clear that just because I do not see any evidence of evil intentions does not mean that what’s happening here is necessarily right."
These companies, including carriers, OEMs, and third-party software developers of all types, should not be surprised that consumers are up in arms when something like this happens. This sort of logging, benign as it might be, was hidden from consumers, and even if it passes the smell test of carriers' terms of service, people don't want to be surprised.
They also want an opt-out. Or, even better, they'd like something like this to be opt-in.
More transparency. Is that so much to ask?
