According to security consultant Dan Rosenberg, the Carrier IQ spyware in his Samsung Epic 4G is not recording his text keystrokes. Rosenberg also claims that Carrier IQ cannot record SMS text bodies, emails or web page contents:
Carrier IQ cannot record SMS text bodies, web page contents, or email content even if carriers and handset manufacturers wished to abuse it to do so. There is simply no metric that contains this information.
This contradicts the findings by Trevor Eckhart, who analysed the live Carrier IQ debug logs in two different HTC phones.
Rosenberg says that, at least on his Samsung, Carrier IQ can’t record keystrokes except for those used in dialling phone numbers. It can record GPS location and URLs, however, but he claims that the spyware can’t record SMS text bodies of email content. According to him, HTC should fix the debug logs shown by Eckhart, which are indeed a privacy risk.
The conclusion: even without text logging, Carrier IQ is accessing some private information without warning the user and without any easy way to deactivate it. That’s just wrong. [Vulnfactory via Cnet]