If carriers want customers to have a more realistic expectation of the service they'll receive for the expensive, exploitive, inescapable service contracts they sign, the dialog on a few of those happy-time commercials should change a bit so the answer to "Can you hear me now?" is occasionally "No.")
Yes it's spyware; no it's not Carrier IQ's fault
In defending itself from accusations of prying, Carrier IQ's report just digs its hole deeper, though it does make a good point in saying the personal information discovered in log files by researcher Trevor Eckhart was not put there by Carrier IQ.
The information was "a result of debug settings remaining in production devices and should be classified as a vulnerability."
The rest of its defense is a little weak:
- Carrier IQ doesn't intercept the text of text messages or emails, except in "unique circumstances described in this document" in which a bug embedded the text of SMS messages in Layer 3 signaling (networking protocol) data.
- Carriers define the data Carrier IQ (the software) collects and Carrier IQ (the developer) creates profiles that allow it to compile that data into databases used to diagnose network and application conflicts.
- Carrier IQ is not a keylogger – yes, there is a numeric key code the user can enter that will start an upload to its server on the carrier's network. The client software listens to keystrokes to identify this code, but does not capture or transmit keystrokes, the company insists.
- "Carrier IQ has never intentionally captured or transmitted keystrokes and is not aware of any circumstances where this has occurred… No customer has asked Carrier IQ to capture keystrokes." – Understanding Carrier IQ Technology (PDF), Dec. 12, 2011. [Emphasis mine – KF]
Carriers are the real culprit; Carrier IQ just made their tools
That's really the point, isn't it? That customers haven't asked Carrier IQ to capture keystrokes, but it could if they wanted it to?
And if the functionality exists, it would presumably be accessible to hackers, spies or, say, the FBI – anyone who wants more detail on content than connection and has the resources to turn the function on surreptitiously using malware or physical contact with the device.