In this amazing set of articles, "How much of your phone is yours" and "Researcher responds to carrieriq with video proof", Russell Holly at Geek.com has been looking into the research results of Trevor Eckhart, a digital security expert who has been examining his Android mobile phones' operation. The interesting news is that Mr. Eckhart demonstrates that within his HTC Android phones, the CarrierIQ software is deeply embedded, does not appear in ordinary setup operations, is difficult or impossible to remove, does not shut down when told to do so and, worst of all, transmits almost every single action taken by the user of the phone directly to CarrierIQ, often including transmitting secure information in fully readable text. Here's the link to one of Mr. Eckhart's demonstration videos showing what the CarrierIQ software does:
Review of this information shows pretty clearly exactly what can happen if someone has an interest in finding out almost anything about you, provided they (or their corporation) have sufficient resources. When Mr. Eckhart initially published his videos, he was sent a cease and desist letter from CarrierIQ, which was later retracted. According to Mr. Holly's articles, the corporate partners involved seem to be pointing fingers at each other in terms of who should be considered responsible for the apparent privacy invasions that may affect millions of Android device owners. Apparently CarrierIQ was initially tasked to provide primarily operating and transmission information to improve network communication. However, they now seem to be providing a huge data mining source to anyone willing and able to pay for the development API and access rights.
Most of us are in the habit of blindly hitting "Accept" on the dozens of privacy policies we are faced with when using any kind of digital service. However, our habits are usually backed by the thought "Well, I pretty much trust this company/service, so I doubt that there could be a problem." Perhaps a little lazy, but think how much productive time would be lost if even half the time we made the effort to read and understand the legal agreements we make every day. We do, however, trust that within a certain range our privacy will be protected to a reasonable degree. That's why if you sign an agreement that you don't fully understand and bad things happen as a result, the burden of proof is on the initiating party to show that the agreement was explained in a reasonably clear manner (again, provided the injured consumer has the resources to pursue a complaint).
In this particular case, however, the missing piece is the informed consent part. Nowhere does the CarrierIQ software show you what it will collect, how it will transmit and use the information or who will end up possessing the information. This is a different kind of animal and is exactly the sort of thing that needs to be known and discussed in order for us to continue developing our digital society.