(And it doesn't mean the sky is falling)
Update (Oct. 4): HTC says a fix is on the way. Original follows.
Another week, another bit of scary news that nobody is taking the time to properly explain. This time it's more HTC data logging, and the way HTC is handling the data it collects. Exposed in technical detail by Android Police, you'll see this spread all over the Internet for the next few days, so let's try to break down what is happening in simple terms we all can understand.
What's going on
When you first log in and set up your HTC Sense phone (so far this is only showing up on newer U.S. phones with HTC Sense), you're asked if HTC can collect and send data back home about your usage. If you say "yes," it collects data about apps you're using, where and how your using them, and for how long -- then sends it back to the HTC mothership. HTC has some use for this -- we figure it's to help see how to improve the next versions of HTC Sense. That's not a bad thing. If you opt-out, none of the data is sent back to HTC -- but that doesn't mean it's not still collected.
Here's where it gets sticky. HTC is collecting and logging data that lots of other apps also can collect, and we like it when they collect it. Apps like alogcat (useful when everyone is looking for that OTA update link) or Sensorly collect device and network data. But when you install those apps, you're told up front they are collecting potentially sensitive data. HTC doesn't need to declare permissions to do this, because it's your operating system that's doing it, and not "just an app." This data is then stored on your phone in a manner that other apps can get to it instead of being properly sandboxed. We're not going to say where it's stored, or how to collect it (we don't promote that type of thing here) but the information is out there, ready for anyone else to use, and it's easy enough to get at. You just need to know where to look. Some disruptive individual could write an app that mines this data, and sends back information to another server. And after todays news, someone probably will.
What's being collected, and why the sky isn't falling for everyone
The next question you'll ask is "What kind of data is HTC collecting?" It's not collecting passwords. It's not collecting the text of any SMS message or IM you're sending. What it is collecting is data that is unique to your phone (IMEI and device ID), your account names, geo-location, and phone numbers from your call logs. If you're technically inclined, run a logcat locally to get an idea of the type of data that's available -- this is the kind of information HTC is storing. How sensitive you consider this type of data can to be is something for each of us to decide. Nobody can steal your bank password here, but they can know where you were the last time you used your GPS, and identify the device that did it.
So how to fix it? Well, you can't if you're not rooted. This is all part of your phone's operating system, but it is part that can easily be removed if you have the right permissions to remove it. Head into the forums and look for the threads that are already there about it, or start a new one if you don't see one. The advisers and senior members will be happy to guide you along if you want to take matters into your own hands. If you're not feeling the whole root thing, just be careful what apps you install until HTC fixes the issue. We hope that's soon.
The short, short version
HTC is collecting usage and system logs locally, as in on your phone. It's stored in a way so that other apps can possibly access it and no longer have to collect it from the system in the normal way, properly declaring that it's doing so in the process.
Is this the end of the world? Probably not. And we're willing to bet this isn't a malicious act on HTC's part. But it certainly does raise a few eyebrows.
And it's something HTC needs to fix, and soon.