The point isn't how many texts they're getting --- one would be too many. The point is "10 gigabytes per day of metrics" doesn't itself imply that they're getting message contents.
You are militantly missing my point. There is no evidence that they are seeing message contents. All we are going on in this thread is the supposition that because they're getting "10 gigabytes a day", it must be message contents.
They themselves use the phrase "raw data" to describe what they collect (as "metrics"). Metrics are not comprised of raw data, but of measurements, so unless they're being hinky with word choice, a plain reading of their own materials would suggest that they do indeed receive user content.
They've said repeatedly that they do not collect that data. This is a common attitude on HN threads: the idea that the only facts for us to discuss are the ones in the article itself or in other comments on the thread. There are more facts just a Google search away for you.
Their own words are not dispositive; I'm not suggesting that they are. But here you're trying to interpret their words in a way that contradicts their own direct statement. Your interpretation is possibly accurate, but implausible.
I read this and don't see how it clears anything up.
My best guess (I know just as little about CarrierIQ as everyone else on this thread) is that CarrierIQ is trying to collect very innocuous information (performance statistics and event information to correlate them to), but is doing a slapdash job of generating that information --- for instance, by logging raw details to the Android filesystem.
I wouldn't want it on my phone either, but that doesn't make them Big Brother --- or, obviously, a "rootkit".
This is an important point that I think some people are forgetting. I use Verizon. They already have access to all of my text messages. I send my text messages to Verizon, who then forwards them on to the person I'm talking to. Just as Google first gets my email.
It is unfortunately a point that the contradicts the thread narrative that casts a hapless, poorly-marketed analytics company as Big Brother incarnate, so nobody's going to pay attention to it.
They put backdoors on basically every phone in secret, threatened the guy who outed them with a lawsuit and are perfectly capable of snooping on everything, whether they do so or not.
What do you know about them that makes you trust them?
Nothing. There's just a likely innocent explanation for all three of those things:
1. CarrierIQ is a "secret" in the same sense as the network management software that Sprint uses that can also see all your SMS messages is a "secret": (a) nobody at Sprint thinks its relevant to you, and (b) nobody at Sprint thinks its any of your business. Which, if you take a breath, strictly speaking about the performance metrics they're collecting, it isn't your business.
2. CarrierIQ was dumb about threatening this guy like lots of other companies have been identically dumb. Companies have threatened to sue me. I remain cordial with the owners of some of those companies. Welcome to security research; we don't have jackets, but we sure get a lot of press.
Incidentally, put yourself in CarrierIQ's position and assume that this particular researcher is full of shit, meaning, no, CarrierIQ is not snooping on people's keystrokes. What would you do? There's a guy out there claiming that their performance agent is a "rootkit". They got pissed. Surprised?
3. Any piece of systems software the carrier agrees to stick on the phone is capable of snooping. Sprint itself could just backdoor their Android distro.
In their shoes, I would have contacted the researcher and explained myself. While unsurprising, that move was unwise, and I would imagine that you agree on that point at least.
I think someone once said that sufficiently advanced incompetence is indistinguishable from malice. Whether they're dumb or malicious, I'm just glad their crap isn't on my phone.
Even they seem to agree with it; rather than just shutting up about their C&D, they actually issued a formal apology to Trevor. That's an uncommon move.
I don't know whether some other shoe is about to drop; for instance, someone could actually show that they're transmitting real keycodes and not just metrics data. But in the absence of that shoe dropping, especially given how many people have jumped to a conclusion about CarrierIQ, I'm inclined to believe that what they do is actually benign. If you want to get upset at someone, get upset at the carriers themselves. When you do, remember, they're already recording all your messages without CarrierIQ.
Ok, now see, I missed that part about the apology somehow; I only knew that they dropped the lawsuit when lawyers stepped in. While there's no way I'd allow this crap on my phone, it does get them a little credit.
