On Tuesday, 25-year-old Connecticut systems administrator Trevor Eckhart revealed in a video that millions of Nokia, Android, and RIM devices ship with keystroke-sniffing software called Carrier IQ installed, which is hard to spot and even harder to remove.
Eckhart has analysed the company's training videos and debugging logs from his own HTC handset, and claims that Carrier IQ captures every single keystroke that you make, as well as your location and other data. This data is then potentially made available to Carrier IQ's customers.
The 25-year-old systems administrator has found the software installed on Samsung, HTC, Nokia, and RIM (BlackBerry) devices.
According to former Justice Department prosecutor Paul Ohm, the unwanted software may have violated the federal wiretapping law.
"If Carrier IQ has gotten the handset manufacturers to install secret software that records keystrokes intended for text messaging and the Internet and are sending some of that information back somewhere, this is very likely a federal wiretap," Ohm said.
If this is indeed the case, Ohm believes that the violation "gives the people wiretapped the right to sue and provides for significant monetary damages".
"When I was at the Justice Department, we definitely prosecuted people for installing software with these kinds of capabilities on personal computers," Ohm explained.
Since Eckhart's accusations were publicised, Carrier IQ has posted a statement on its website, which asserts that the company only looks at a "device's performance".
"While we look at many aspects of a device’s performance, we are counting and summarizing performance, not recording keystrokes or providing tracking tools. The metrics and tools we derive are not designed to deliver such information, nor do we have any intention of developing such tools," the statement claims.
"The information gathered by Carrier IQ is done so for the exclusive use of that customer, and Carrier IQ does not sell personal subscriber information to 3rd parties. The information derived from devices is encrypted and secured within our customer’s network or in our audited and customer-approved facilities."
Despite this statement, Ohm believes that there still may be foul play: "Even if they were collecting only anonymized usage metrics, it doesn’t mean they didn’t break the law."