Ms. Woods,

I possess and use an HTC EVO 3D smartphone in line with my daily duties for my employer and various clients. This phone contains your employer's software (CarrierIQ for Sprint), which was bundled with the device and zero disclosure that it was installed or of its capabilities.

My device contains HIPPA-protected data (specifically relating to EMR software and the data contained therein) as well as PCI-DSS related information for my company's various clients. As such, it is protected by all manner of privacy laws, the breach of which results in severe penalties under United States law.

After reading Trevor Eckhart's research and doing some of my own, I am curious as to specifically what data your organization is capturing on Sprint's behalf, as well as to what extent they have customized their build of your software, and what its capabilities with their modifications are.

If the software, either in its original form or modified, does indeed capture data from a phone, including the ability to take screenshots or access the contents of e-mail accounts or SMS messages, this could potentially be in violation of all manner of privacy acts, depending on what data is being harvested and whether your client has the option to turn such collection on or not.

Please note that, among other techniques, I will be disassembling the binaries that I possess on my device and will be comparing it against the original ROM image that HTC has issued for this device in order to differentiate what, if any, changes are pushed out through over-the-air updates in order to determine the capabilities of the software as best I can.

To the best of my knowledge, I have never accepted any license agreements or restrictions regarding the software on my device, and as such, I am not bound to refrain from analyzing the software as I see fit, nor from having the results peer-reviewed and published once completed.

If your department is unable to answer my questions, please relay this to someone else inside your organization as you see fit.

I remain,

INSERT_NAME_HERE

It depends on the device you're using.

In Android and Windows Mobile 6.5/6.1/5, your NAI (network access identifier) changes based upon the type of traffic you're pushing. Tethered traffic and DUN changes your NAI to yournumber@dun.vzw3g.com. Traffic from the phone itself is simply yournumber@vzw3g.com.

Verizon has poisoned EVERY phone with Gingerbread - they have modified the OS so that activating any hotspot app, even if the phone is rooted, to trigger the NAI change and show the phrase "Tethering or Hotspot Active." The only SAFE way to tether on a Verizon phone is to run Froyo, then use free-wifi-tether's 3.x version. Alternatively, install CyanogenMod and then you can tether.

For iOS? Hell, you're screwed any way you turn.

They're slate PCs and they're damn good.

In my experience, Motion doesn't skimp on hardware, is reliable as hell, and the external batteries will LAST - my little brother's old LE1600 still gets six hours of battery life off the primary and secondary batteries with everything on and cranked up to full (and Win7 Professional).

No matter what manufacturer you go with, I strongly urge that you go to Windows 7 for this - the handwriting support is worlds better than in Vista, and that was a hell of a leap from XP Tablet.

They are kinda expensive, though.

Think about it. Make a false request for a file - and then do TONS of requests for it from hundreds and thousands of other people. It's a classic DDoS attack.

However, this will rule out a lot of corporate machines from being used as bots in this fashion; most decent sysadmins filter P2P traffic.