
They say they are installed on > 148.3M phones. If we imagine that they are gathering 10GB per day then that's about 76 bytes per phone, if it's 90GB (the upper limit before the recruiter would have been shouting about terabytes) then it's 680 bytes. It's more likely to be in the middle (because otherwise the recruiter would have rounded up) so you are talking 100s of bytes per phone per day. I don't think it's realistic that they are sending all my URLs, all my keystrokes etc. in a few hundred bytes.



Whether they are sending a full log report of my actions TODAY is beside the main point.

I do however know two things. 1) That their local software processes almost every key stroke made. 2) And that they do send at least some portion of this data back to their servers.

At this point it would be trivial for them to send my private information TOMORROW if they decided to do so. I don't know that they don't have a subroutine to begin sending all of my SMS back to their servers if they decide to do so for profit or under government coercion.

If they have no plans of using my Google searches, they shouldn't process it in the first place.


This is exactly right. It is the presence of a keylogger, which (at the very least) is echoing keystrokes, that is the problem. Whether they 'send' everything or only parts of it, or whether the data is anonymized, aggregated etc is a whole other discussion.


This is, of course, an attitude that is going to "deftly" shoot down any new fact or analysis brought into the discussion.

Your starting point was that they were collecting† data that could jeopardize national security††. You clearly based that argument on the idea that their own recruiter mentioned "10s of gigabytes a day".

Now, in true message board geek fashion, you're going to steadily move the goalposts. What? They're not collecting messages? Well then they're processing messages! They shouldn't be doing that either!

The problem with this tactic --- make a spectacularly unsupported assertion and then back off it in a series of non-concession-concessions --- is that you cease to be credible. Is this what you really think? Or will you re-harden your position if e.g. it becomes clear that they're not even seeing the keycodes of the keypresses, but rather using an API that could conceivably allow them to get them?

† Your word.

†† Ibid.


He's based his argument on the recruiter's statement, which is a poor choice. On the other hand, other material from the company supports, in fact, a much larger number.

I don't think there's any goalpost moving here at all: Hundreds of millions of keyloggers -- rootkits, really, as the article states -- are installed and unremovable. Whether they are being abused or not at the moment is irrelevant; it should be outrageous and unacceptable that such a datastream is going through a third-party without any kind of transparency, acceptance, or even tacit acknowledgement.

Likewise, your rhetorical refutation here (very thorough, in the abstract) would be a lot more damning if there wasn't, you know, video evidence of this rootkit collecting exactly this data and sending it back.


Here's a thread full of you vehemently defending/rationalizing police-state-like behaviour: http://news.ycombinator.com/item?id=2802917

Now you're defending/rationalizing whatever disgusting bullshit Carrier IQ is up to.

What's wrong with you?

Just like we didn't have absolute proof that Aaron's indictment was politically motivated, we can't be absolutely sure that Carrier IQ is a company full of shit and devoid of morals.

But it's blindingly obvious that both are very, very likely.

In case you're just blissfully unaware of how full of shit the world actually is, here's a report on your justice system fraudulently, systematically signing away people's homes: http://www.rollingstone.com/politics/news/matt-taibbi-courts...


Government contracts can have that effect.


I wouldn't know. But the idea that you can't even fathom how someone might have a different point of view from you and not be bought off by the government is telling.


I actually concur with your arguments. But I guess you're hell bent on making an ass of you and me.


Where did you get 10GB per day from? They boasted about PETABYTES of data they've collected.

"Carrier IQ, which in the second quarter of 2011 passed the petabyte milestone in processed analytics data"

-- http://www.carrieriq.com/company/PR.LarryLenhartCEO.pdf


Great point. The 10s of GB was anecdotal data from a CarrierIQ recruiter.

If we go by the official letter you've posted and assume conservatively CarrierIQ has only 1 Petabyte of data, and that they've been collecting since 2006 (when they received their Series A), they've been collecting 456 GBs of data per day. It's probably more than that today since the data collection rate has surely accelerated over time.

That's an order of magnitude beyond 10s of GB per day.


Well realistically they would not have been collecting 456GB per day from day 1. They would have grown from almost nothing, which means that today they're probably collecting around a terabyte per day. That's two orders of magnitude, 7KB per user per day - and could definitely include all keystrokes of all users.


...if it's 90GB (the upper limit before the recruiter would have been shouting about terabytes)...

A terabyte is 1000GB. Why would they be shouting about terabytes if it were anything over .09 terabytes?


Because that's how recruiter math works. They round to the nearest buzz word.


Don't you think it's a pretty shaky argument? They're not transferring much data on your phone because of "recruiter math"?

And isn't it likely that some phones are set to transfer more data than others?


It's likely that of the reported install base, only a small percentage of devices are actually in active use today.


It's a few hundred bytes on average; that doesn't mean every phone reports every day, nor does it take into account the number of phones with this installed whose owners rarely use the device. This probably lives on both my parents' handsets and they make 4-5 calls and 1-2 text messages a week between them. I think that type of minimal usage is actually quite widespread, which easily offsets higher usage users, and with presumably higher outbound data to CarrierIQ.

An average across 145M users crossing various demographics and phone types is not a good metric to use to determine the possible danger of the data being sent.


I don't think it's realistic that they are sending all my URLs, all my keystrokes etc. in a few hundred bytes.

I tend to agree with you, but at the same time wonder how they're aggregating the data; they could store each day's raw data in however many GB, then crunch it down later.

The only other potential issue that jumps out at me is bandwidth; I'd find it strange if the data isn't being compressed, but if it is, you could cram quite a lot of useful information into those few hundred bytes ;)


For the amount many people who heavily use their phones, I think the numbers are sound. 1% of the users probably consume 99% of the resources. You being that in top 1%.


But simple zip on raw text is what? 3 or 4 to 1? Particularly when you're talking about urls. So now you're talking about at least a couple kbytes of raw data.

So logging all of everyone's texts is probably still out.

But easily logging their browsing patterns. Probably app installation and use. And certainly they retain the capability to log texts containing keywords without going too far outside that aggregate range of data. Or doing targeted logging of all of selected individuals' usage.


I'd just like to point out that what I hypothesized above has been revealed to be actual features of the CarrierIQ software. So I'm not sure what the downvote is for, but it's not inaccuracy or undue cynicism.


If they're only saving, say, online searches and the resulting ip address from each visit, that might be doable, and it seems like the best way to get info passively, and in small sizes.


Probably not all phones send the data every day; they can be scheduled monthly or they request data from phones only if there is a network problem.


A smart drug dealer never brings the drug home. He uses drop off locations. In this case, your phone may be the drop off location.



