Notice how there is actually no proof at all in these tweets. The author admits that they could not observe any network requests being made:
> I didn't manage to trigger the network communications to the teddymobile servers but I will continue later.
It looks to me like this person is cherrypicking random SDK methods that may seem suspicious out of context and making very wild assumptions of their purposes.
For example, they show a function that checks if a string contains a bank account number (https://twitter.com/fs0c131y/status/956649951056064513). Somehow they then jump to the conclusion that copied text is run through this function and uploaded to some server! But where is the proof? They could check where this method is used and show this supposed data upload happening.
In fact, since these methods are coming from some third party SDK and not the app itself, they could be completely unused.
Playing devil's advocate here, we don't know the conditions of usage. It could be just inactive, or become active after X date or whatever other condition they wish. Speculating on use/non-use is a bit pointless until someone analyzes these in-depth.
What we do know is the intent of those functions, and it paints a quite horrible image.
Any fight for privacy in the modern technology environment is such an extreme case of power asymmetry that I'm starting to think it's hopeless.
On the one side you have individuals that don't want their private information to be revealed without their consent. On the other are device manufacturers, advertisers, startups, and giants like Google and Facebook. Often, maintaining privacy while viewing a single website requires either trusting or subverting the intentions of multiple such organizations.
It's like going to war with the British Royal Navy at the height of its power in a dinghy. So far it's been possible because the navy has made a promise that they'll "play fair". But that can change on a whim and there's ultimately very little you can do if that happens.
That sounds nice in theory, but in a global setting, how will it really work?
Per GP comment, there is a whole tech stack of N providers, each piece made or running in a different country, pushing data to servers in another country, which data is bought by interests in a third country, for M destinations. Then you get the providers who intentionally don't store data in GDPR countries specifically so they can avoid these rules. Look at what Uber already does to skirt the authorities. So you have at least MxN countries possibly involved or whatever. If your data is released, it'll rattle around in a pachinko machine of jurisdiction debate for years against well funded, malicious corporations.
It doesn't seem like any rule is enforceable in practice.
If a company even stores a record of a single EU citizen, the GDPR applies to it, and the EU has the right to seize the assets of the company for the purpose of enforcing it.
If you were to only offer your service in North America, but someone from the EU comes over to North America on vacation, and somehow becomes recorded in your service.
It'll work for the big, entrenched companies like Facebook who couldn't bear to be without its UK customers, for example. But I don't see the EU successfully going after every little dot-com startup from Alabama to Angola, many of them in jurisdictions that barely have a functioning legal system, let alone respect for EU law.
If such extraterritorial enforcement was actually possible, there would be no 419 scammers.
For now that is certainly true, but as is obvious, we don't know yet which laws will be retained after Brexit, and with even such major things as the ECHR still undecided, I wouldn't put it past them to repeal this as well in the future.
Why does it matter whether the company is Chinese or not? Isn't it bad enough that there's a background process running, unbeknownst to the user, and presumably uncontrollable by the user, that monitors the device's clipboard and has methods like containsBankAccount(String)?
Sure it's bad but there are a couple of reasons why it matters that it's a Chinese company.
1. It feeds into the suspicion many have that many (most? all?) large Chinese companies are effectively controlled by the Chinese government. This could go as far as having backdoors in, say, Huawei routing equipment.
2. Effectively disclosing a user's personal information to the Chinese government could, in some cases, imperil their liberty, even their life. I'm talking about people the Chinese governments views as "dissidents". The same would be true if it were a Russian, North Korean, Iranian, Syrian or Sudanese company.
>It feeds into the suspicion many have that many (most? all?) large Chinese companies are effectively controlled by the Chinese government.
All is the correct answer. Just like it's not legal to own property in China, all companies are ultimately owned and controlled by the Chinese government. They have shiny, pretty, Western-looking front ends to attract foreign investment, but from a strictly legal standpoint, they're all owned by the government.
For some reason people forget that China is still a communist country. Nothing's changed other than it's gone from exporting rice to exporting phones.
China does indeed have the concept of private property, to the extent that China de facto recognizes the rule of law (which admittedly isn't that much):
It's not accurate to say China is "still a communist country." It could be more closely defined as a capitalist one-party state. That one party is the CCP, and they still revere Mao, but it's an open secret that they have embraced capitalism under a veneer of socialist populism.
That being said, it's not wrong to say that information in the hands of a Chinese company is a trivial step away from being information in the hands of the Chinese state.
Very good question indeed. European smartphones send tons of data to US companies with are known to proactively cooperate with the NSA and consors, which is the same kind of problem. But for some reasons this seems to be fine for our rulers whereas it’s becoming an issue when China or Russia is involved. Not that I what a free pass for these two countries; on the contrary I would like to see more regulations for every non EU companies.
One reason is court jurisdiction. A domestic company is subject to, and therefore vulnerable to, court action/rulings/judgements. Suing a foreign company (especially one in China) is hopeless.
On one hand, if you live in the USA maybe it's better that a Chinese company spies on you, because they're far away and the government/other gangsters are less likely to care about you than about local people involved in local politics etc.
On the other hand, there's no guarantee your data isn't also made available to domestic parties, either as it's intercepted in transit or explicitly shared in bulk in exchange for e.g. concessions on a trade treaty
> On one hand, if you live in the USA maybe it's better that a Chinese company spies on you
It depends on who the "you" is.
If it's a couple of internet nobodies like you and me that China is spying on, then it's no big whoop. But if the "you" in question is someone who works at the Pentagon, or at a defense contractor, or a diplomat, or government official, then there's a problem.
Even if you are a nobody, are you sure? Maybe you know someone that is not a nobody (works at the Pentagon, or at a defense contractor, or a diplomat, or government official ...). Or you know someone that has access to a non-nobody. And even that. Probably having access to an allegedly nobody with no connection could be interesting. Which access level has, I don't know, the DevOps of Credit Karma? Or a Data Scientist for Acxiom, or...
They are totally mister nobody, but they have access, directly or indirectly to important peoples. So, the risk is actually higher than expected...
This is one of the cases where they will probably suffer if any of this turns out to be true. OnePlus is a small manufacturer with a following of enthusiasts. They aren't large or popular enough to PR their way out of this.
Wirecutter removed them as a recommendation. Others will probably as well. This should affect sales somewhat and since smart phone margins are so slim it could have a drastic affect.
Seems to me like this might be a requirement for Asian markets or for selling phones in those regions. Author has tweeted that it's specific to Chinese regional locale/headset. Can't it be chalked up to the costs of doing business if sales plummet? OP5s owner here.
I thought this was going to be something interesting like them encoding your private data into the dictionary set to obfuscate the communication. Apparently it's nothing at all.
Also worth noting iPhone sends a lot of information in the HTTP headers about your phone - like model number. Android does the same thing. Also simply plugging your phone in to USB (not accepting any on-screen dialogs) will save the IEMI and other device IDs into your system log. If you ever have a device stolen I suggest you run $(zgrep -i iphone /var/log/*.gz)
This is a smear campaign. It seems like first this only affects Chinese users and second it does not send emails or numerics (tries to protect privacy)
OnePlus isn't all that special in the hardware category. Buy any device supported by Lineage OS and go nuts. If you want the whole package from a single company keep your eye on the Librem 5
> OnePlus isn't all that special in the hardware category.
I don't know about that. I've found their hardware to offer surprisingly good value for money, and they offer close-to-stock Android for much less than Google now do.
Their privacy failures are deeply unfortunate; I'd have remained a happy customer for the next several years were it not for these issues.
> I didn't manage to trigger the network communications to the teddymobile servers but I will continue later.
It looks to me like this person is cherrypicking random SDK methods that may seem suspicious out of context and making very wild assumptions of their purposes.
For example, they show a function that checks if a string contains a bank account number (https://twitter.com/fs0c131y/status/956649951056064513). Somehow they then jump to the conclusion that copied text is run through this function and uploaded to some server! But where is the proof? They could check where this method is used and show this supposed data upload happening.
In fact, since these methods are coming from some third party SDK and not the app itself, they could be completely unused.