Oneplus logs data of smartphone users

17 October 2017


A couple of days ago, the British IT and tech blogger Christopher Moore published an analysis of the data stream that Oneplus phones send back to the manufacturer. The traffic he intercepted between the smartphone and the manufacturer makes clear that Oneplus included mechanisms in its firmware that enable the logging of private user data and the sending of this data to the manufacturer (Moore, 2017).

What is especially problematic is that these data streams are not even anonymized (they contain the phone’s serial number) and comprise all kinds of sensitive information. Oneplus smartphones can only be ordered directly from the manufacturer, which means it is easy to tell which serial number belongs to which customer. Oneplus logs all kinds of usage data, such as on-time, dates and times of restarts, shutdowns and battery usage, as well as phone numbers and mobile network names. Moreover, the phone transmits information about all installed apps, at which times they were used and for how long (Moore, 2017). When asked for further information, Oneplus confirmed that this is not an unwanted error but actually a conscious “feature” (Heise, 2017).

While the average user might think this is not too worrisome, personalized data like this can quickly be used to compile very specific personal profiles. With modern data analytics methods and the combination of different data sources, e.g. the Oneplus data in combination with social media accounts, conclusions about personal activities, location and all sorts of other things can be drawn about the user. It is scary to think that a few simple datasets can make it possible to surveil a person’s life.

However, Oneplus is far from the first incident of this kind. For example, it is possible to compile a time profile of a person from nothing but their “last seen” WhatsApp status (Heaton, 2017).
Of course, it gets tiring for normal users to hear about privacy issues all the time, and most people tend to simply shut out the concerns over time. The problem with privacy concerns is that normal users will only realize the importance of the topic when serious real-life negative consequences occur for them personally.

Companies need to start acting more ethically in their use of personal data. Big Data offers great opportunities; however, companies should be encouraged and, if needed, forced to abide by privacy standards. Is it really necessary for a smartphone manufacturer to know what apps its users utilize? Probably not. Also, user information that is actually beneficial to the company can easily be transferred in anonymized form; the company does not have a (morally acceptable) use for this kind of private data anyway.

Sources:

https://www.chrisdcmoore.co.uk/post/oneplus-analytics/

https://robertheaton.com/2017/10/09/tracking-friends-and-strangers-using-whatsapp/

https://www.heise.de/newsticker/meldung/Oneplus-loggt-Daten-der-Smartphone-User-3858834.html


3 thoughts on “Oneplus logs data of smartphone users”

  1. Hi Alexander, you gave me some good insights into something I never knew before. Even though I do not have a Oneplus, this does bother me to some extent. I totally agree with you that Oneplus should not gather more personalized information about their users than strictly necessary. However, one thing should be kept in mind in my opinion: Oneplus does need this data.

    This data is used to optimise the user's experience. In your blog you mentioned that Oneplus has insights into the online-times, the amount of shutdowns and so on. This would be information Oneplus can use to optimise their next smartphone. In addition, knowing which apps users download can be used for the same optimisation steps. However, Oneplus does go too far in my opinion. Where most companies like Google and Apple use aggregated data, Oneplus uses personal information like you mentioned in your blog. This does concern me, and in their formal reaction they have not given any reason why they needed the personalised data instead of the aggregated.

    Moreover, they did react to the concerns of the users! Near the end of October users will get OxygenOS on their phones, in which they can opt-out from the collection of data. It is still an opt-out however, so this would probably not change much. But they are also going to stop gathering information about your telephone number, MAC-address and Wifi-points. As one can see, blogging about these things does help and makes companies think about their strategy.

    Thank you for your insights!

  2. Hey Alex,

    Pretty cool article. I am very much shocked by the amount of data One Plus gathers.
    As of this summer I needed a new phone and decided not to go with One Plus, but it seemed like a very good phone. After reading this article I am very glad my data is not all over their server.
    However, this doesn’t take away my concern! If one man now talked about One Plus’s data gathering scandal, I wonder if there are more phone manufacturers that are gathering the same sort of data without their consumers knowing.

    By just a quick Google search I found multiple articles that discussed smartphone security and sending of information to manufacturer’s servers. For example, I found that Blu Phones, a Chinese based smartphone manufacturer, also had a similar scandal just as One Plus had last week. According to the article (CNN, 2016), the logged calls, contacts and other user data was sent to China every 72 hours. This also happened without user permission.
    Another example is the other more known budget phone manufacturer: Xiaomi. This firm was also collecting user data without permission. However, this was already in 2014? Don’t you think there are more firms secretly gathering user data, and just keep this under wraps?

    Moreover, I very much agree with your statement that users will start complaining once the harm is already done. Companies should be more restricted in their data gathering possibilities and should be more transparent to their consumers about what kind of data they retrieve from your phone.
    It all sounds very terrifying, especially when you take into account the amount of very private and personal data most phones hold nowadays.

    http://money.cnn.com/2016/11/16/technology/china-smartphones-data-security-software/index.html

    http://www.reuters.com/article/us-china-mobilephone-xiaomi/china-smartphone-maker-xiaomi-apologizes-for-unauthorized-data-access-idUSKBN0GB0WY20140811

    https://www.dailydot.com/debug/oneplus-data-collection/

  3. Thank you for your comments, Rick and Annelien. I’m glad my blog post could give you some fresh knowledge and insights.

    Rick, you argued that Oneplus needs the data to improve their product. While I agree that hardware data can be quite useful for improvements, the apps’ developers are responsible for optimizing their products and not the manufacturer of the smartphone.
    Moreover, Oneplus did announce to limit their data collection in some ways; however, the main criticism remains, as the company’s opt-out does not cover hardware information, which will still be sent without anonymization to the manufacturer whether you deactivate data collection or not. Also, the option to collect data will be activated by default and has the ambiguous name “Join user experience program”, which won’t be understood as data collection by less informed people (Heise, 2017; Oneplus, 2017).
    By its excessive data collection policy, without even notifying their customers, Oneplus already lost its credibility with all privacy-aware users and will take a long time to regain that lost trust.

    Annelien, your comment outlines other instances of data privacy breaches. It is interesting to note that all three phone manufacturers (Oneplus, Blu Phones and Xiaomi) are based in China. However, I don’t believe that this is a country-specific problem, but rather a global one. I am sure that there are more companies that are collecting their customers’ private data without their permission.
    Additionally, it is also quite unsettling to see how badly some companies protect their customers’ information, as could be seen in the giant Equifax data breach with 143 million affected customers in the USA (Bloomberg, 2017). It is probably only a matter of time until secretly collected private data will be available to people you don’t want to look inside your private life.

    Sources:
    https://forums.oneplus.net/threads/lets-talk-about-oxygenos-analytics.654820/
    https://www.heise.de/newsticker/meldung/Smartphone-Hersteller-Oneplus-rudert-beim-Datensammeln-etwas-zurueck-3861951.html
    https://www.bloomberg.com/news/articles/2017-09-07/equifax-says-cyber-intrusion-affected-143-million-customers
