back to article OnePlus privacy shock: So, the cool Chinese smartphones slurp an alarming amount of data

OnePlus mobiles are phoning home rather detailed information about handsets without any obvious permission or warnings, setting off another debate about what information our smartphones are emitting. Software engineer Christopher Moore discovered that the information collected included the phone's International Mobile …

  1. Anonymous Coward
    Anonymous Coward

    Wow!

    * It's worth noting that iPhones no longer send Wi-Fi hotspot and mobile tower data when location services are switched off – since Apple's 4.3.3 version of iOS, when it fixed the bug.

    And now we are on iOS 11.0.3.

    I guess Apple is now in El Reg's good books for once?

    What No?

    Ok, business as usual then.

    1. BillG Silver badge
      Holmes

      Re: Wow!

      We do not share any analytics data with outside parties.

      Hmmm... does the Chinese government count as an outside party?

      1. ST Silver badge
        Devil

        Re: Wow!

        > does the Chinese government count as an outside party?

        Nope. It's totally inside China. That makes it the inside party.

      2. Bob Dole (tm)

        Re: Wow!

        >>We do not share any analytics data with outside parties.

        >>>>Hmmm... does the Chinese government count as an outside party?

        There is only one party in China.

  2. macjules Silver badge

    We securely transmit analytics in two different streams over HTTPS to an Amazon server

    Well that's ok then. For a second I thought they might be using TCS, Deloitte or even Accenture to do that for them.

    1. Anonymous Coward
      Anonymous Coward

      To domain "net.oneplus.odm" ? Where ".odm" is not a valid top-level domain?

      1. chrislambrou

        "net.oneplus.odm" isn't a domain. The domain here is "oneplus.net". It's a java package name, which includes the OnePlus domain name in reverse. It's the OnePlus Device Manager. Referring to "net.oneplus.odm" as a domain is a mistake on the part of the article's author. The actual domain receiving the analytics data is "open.oneplus.net".

        1. aqk
          IT Angle

          ODM? Not a domain?

          You are mistaken, sir.

          The TLD "odm" refers to the Overseas Department of Mediocrity. They actually host many of my websites.

    2. fidodogbreath Silver badge

      We securely transmit analytics in two different streams over HTTPS to an Amazon server

      Right, because once the data is in an AWS bucket, it is well and properly secured.

    3. ElReg!comments!Pierre Silver badge

      Well, TBH I'm not entirely sure that Google or Apple are securing their streams in any such way. You know, like when their default soft keyboards send home litterally everything you type. Before I switched to Hacker Keyboard, Google keyboard was frequently the app which used the most mobile data on my phone... which tells a lot about both mobile OS vendors and my level of secludedness !

  3. Terry 6 Silver badge

    To be honest

    When I reluctantly went from a Windows 640 to the One+ 5 recently I assumed that I was selling my privacy to Google in choosing an Android. To find that On+ are grabbing some of the data too is no more than a minor annoyance.

    However, the underlying assumption, that it's OK that anyone providing a phone or operating system can take the right to spy on what that phone/user does is the more worrying aspect. You wouldn't buy a house with the option that Bob can come round and watch you in the bath if he wanted to. Or, so far at least, a car that told Ford/Toyota/Insurance company/.. where you were driving to and how long you stayed there.

    1. DainB Bronze badge

      Re: To be honest

      http://fortune.com/2016/01/11/car-insurance-companies-track/

    2. Aladdin Sane Silver badge

      Re: To be honest

      What's wrong with Bob?

      1. Terry 6 Silver badge

        Re: To be honest

        https://www.youtube.com/user/bobthebuilderchannel

      2. Anonymous Coward
        Anonymous Coward

        Re: To be honest

        nothing wrong with bob, bob's your uncle. Google's your friend. Honest, they say so!

        1. Anonymous Coward
          Anonymous Coward

          Re: To be honest

          And Alice is your aunt....

          1. Solarflare

            Re: To be honest

            If Bob is Bombtasic Bob and he comes round to watch me in the bath and says 'micro$haft' a lot then I'd be worried I would start to feel inadequate to be honest

    3. tiggity Silver badge

      Re: To be honest

      Depends what Bob looks like...

      Bear Bob? Blackadder Bob? etc.

      1. Aladdin Sane Silver badge

        Re: To be honest

        The one that's saucier than a direct hit on a Heinz factory.

    4. Chemical Bob

      Re: To be honest

      "You wouldn't buy a house with the option that Bob can come round and watch you in the bath if he wanted to."

      Depends. Are we talkin' 'bout me or Bombastic Bob?

    5. Richocet

      Re: To be honest

      Well you best not by a Tesla then.

      1. Adam 1 Silver badge

        Re: To be honest

        By a Tesla then what!? Oh man don't leave us hanging like that.

  4. SJA

    LineageOS

    And I thought the first thing people do is wipe the OPx and put LineageOS on it...

    1. DontFeedTheTrolls

      Re: LineageOS

      Hobbyists and geeks might. The other 99.9% of purchasers don't care.

      1. NonSSL-Login

        Re: LineageOS

        Even the geeks stayed on stock Oxygen if they wanted to use Android pay, banking apps and stream tv content without having to jump through moving hoops.

        From what I understand Android pay now recently works with Lineage but information is all over the place.

        The sucking up of personal data by OnePlus and all the other companies is beyond silly now. The fact you can't turn off their second data slurping stream with an app or setting and have to run ADB commands means the majority of cheap phone buyers won't bother doing it, even if they want the data slurping to stop.

    2. Snorlax
      Facepalm

      Re: LineageOS

      @SJA: "And I thought the first thing people do is wipe the OPx and put LineageOS on it..."

      *You* might think so, but some of us actually have a life.

      1. Anonymous Coward
        Anonymous Coward

        Re: LineageOS

        some of us actually have a life.

        Get NoRoot Data Firewall app. Activate the firewall and select block everything and leave out the ones you do want internet. You can also give the apps permission for 5mins or 1hour to connect to the internet when the apps ask for internet.

        With this at the very least, you'll have the power to choose when your phone will send data.

  5. rmason Silver badge

    Bob

    Wait, Bob *can't* just watch me in the bath whenever he wants?

    The lying *bastard*.

    1. Anonymous Coward
      Anonymous Coward

      Re: Bob

      Wait, Bob *can't* just watch me in the bath whenever he wants?

      Google to the rescue - you could even share it with more people than just Bob..

      :)

      1. Anonymous Coward
        Anonymous Coward

        Re: Bob

        I am sure we have discussed over-sharing on social media before. I hope the bath is suitably full of foam...

        The restraining order on Bob - that's another story...

        1. Anonymous Coward
          Anonymous Coward

          Re: Bob

          You've left the cooker on...

          Bob

        2. Anonymous Coward
          Anonymous Coward

          at the other AC, Re: Bob

          I didn't have to get a restraining order on Bob, after he tried peeking in my window during bath time & the screaming stopped, he's taken out a restraining order on ME. Now he refuses to peek in my window any longer, claiming there isn't enough MindBleach in the multiverse to scrub "the horror" from his mind.

          What has been seen can not be unseen Bob, MUH Hahahahahahahhhahhhahahhahhha!

          1. Chemical Bob

            Re: at the other AC, Bob

            Can you blame me?! I mean, really, you look like an avocado had sex with a much older and uglier avocado.

            https://www.youtube.com/watch?v=xpTycWYX6No&pbjreload=10

    2. Anonymous Coward
      Anonymous Coward

      Re: Bob

      You can Bob in the bath though if you want.

  6. Spindreams

    Not a shock, one plus ask you if you want to participate in their customer experience program and share usage data when you first use the phone and if you say yes then you can turn it off from advanced settings any time. This is a non-story same as it was on neowin..

    1. DropBear Silver badge

      That's funny, because in other places it's reported that the data collection cannot be disabled permanently, only until you restart the phone. Unless you take the time to uninstall the thing through ADB...

      1. Anonymous Coward
        Anonymous Coward

        "Unless you take the time to uninstall the thing through ADB"

        ADB is unfortunately not always capable of disabling unwanted junk on your phone.

        I've got an el cheapo Alcatel Pixi with OEM bloatware installed which *can't* be removed via adb unless you root your phone. Default user via adb doesn't have sufficient permissions to remove the unpleasant apps, and "su" is unsurprisingly not present in the shell when you connect via adb.

        Given that I use the device as an mp3 player, have never put a sim in it and won't be connecting it to wifi, the bloatware on my device doesn't really matter to me because it can't phone home, but I won't stand for that rubbish on a device I'm using as a smartphone.

        1. Mark 110 Silver badge
          Facepalm

          "Given that I use the device as an mp3 player, have never put a sim in it and won't be connecting it to wifi,"

          Thats a bit weird. Why don't you use your normal phone as an mp3 player? Do you really carry two phones around? One to use as an mp3 player? One to use as a phone? Really? I mean, really? Thats what you do?

  7. Mage Silver badge
    Paris Hilton

    I thought

    It was Eve that watched Alice and Bob in the bath?

    1. Anonymous Coward
      Anonymous Coward

      Re: I thought

      Fortunately Alice and Bob have strong encryption. But they do not know that Carol is hiding in the bathroom cupboard.

      [yes, this is a metaphor].

  8. My Alter Ego

    Already turned off on my One+3

    I have no recollection of having turned this off (of course I could have forgotten doing so).

    1. Boothy

      Re: Already turned off on my One+3

      Same here, just checked, also off, also no memory of doing this myself. Also a One+3

    2. Timmy B Silver badge

      Re: Already turned off on my One+3

      You may have said no thanks in the initial setup wizard. I did nut its on now as I am in their preview release program so help test stuff by getting firmwares early and have it all turned on so the know issues and stuff. I don't mind at all knowing that information will be sent to them to help with this. It's a choice, though, and I think that any information about you and your use of their devices should be by choice. It's like hotpoint saying they need to come look at your skimpies on the washing line without your approval so that they can see what you have been washing....

      1. Anonymous Coward
        Anonymous Coward

        ...And on my One+2

        I remember saying no to this slurp during the initial setup, I've just checked and it's still off. I assume it must be the other data stream that you have to kill manually every time you restart your phone.

  9. Muscleguy Silver badge

    Yawn

    Yes it is pretty standard. I turned this stuff off on my Android handset long ago, and its predecessor.

    I recently upgraded this laptop to Sierra which means Siri! Except, I looked at what I would have to release for Apple to slurp in exchange and went 'no bloody thanks' so Siri remains off. Startpage does me well enough and typing is less subject to misinterpretation than voice instructions.

  10. John Smith 19 Gold badge
    Gimp

    "he Chocolate Factory may associate your device identifiers..with your Google Account.

    May?

    May?

    Try "virtual certainty" instead.

  11. Anonymous Coward
    Anonymous Coward

    And?

    It's a smartphone from a Chinese company. This was inevitable. It's why I've avoid OnePlus phones despite people recommending them.

    1. Anonymous Coward
      Anonymous Coward

      Re: And?

      I've got a Chinese brand smartphone. I don't notice it, but presume that it will do exactly what Microsoft, Apple and Google do, and send data home. As a personal phone I'm not too worried what the People's Liberation Army collect, because it isn't used for serious web browsing, and it isn't used for business purposes. If the PLA have got the time to worry about where I go, and the texts I exchange with the family, then I'll have usefully tied up some of their resources, and they'll be very bored indeed.

      1. fidodogbreath Silver badge
        Big Brother

        Re: And?

        As a personal phone I'm not too worried what the People's Liberation Army collect

        That's exactly the attitude that repressive governments want you to have.

        1. Anonymous Coward
          Anonymous Coward

          Re: And?

          That's exactly the attitude that repressive governments want you to have.

          What, like the UK government with all their shitty snooping laws? I'm in the UK, so I'd far rather that the Chinese government were poking their nose into my business than my own government. I'd prefer that nobody did, but since there's no mileage and no leverage for the Chinese (or other non-Western governments) they are preferrable to my own government or its allies choosing that they should have my data.

          Obviously, if I were doing a role that the Chinese were interested in, then I wouldn't be using a Chinese designed phone (although arguably, in that situation I shouldn't even have any smartphone).

          1. Terry 6 Silver badge

            Re: And?

            That's the thing. The Chinese govt. repressive yes. Able to have any effect on me due to their potentially knowing what apps I use and for how long. No.That's just silly If I were dealing with China, supporting dissenters, or planning to overthrow their govt. I wouldn't be using my One+ 5. But then in most of those cases I wouldn't be using any smartphone.

          2. JAXTC

            Re: And?

            remember this, the british police have the power to come to your house, and kick down your door if their superiors perceive you to be a threat. chinese police do not

        2. JAXTC

          Re: And?

          would u consider the us, canada, britain, switzerland, sweden, australia to be represive?

  12. FlamingDeath Bronze badge
    Devil

    Say what?

    We do not sell share any analytics data with outside parties

  13. ma1010 Silver badge
    Meh

    So add another intelligence agency to the list syping on us

    Whatever the ROC calls their electronic spies - in addition to the NSA, GCHQ, FSB, DGSE, etc.

  14. Yves Kurisaki

    I don't care

    I don't care. Google has been slurping up a million times more personal data.

    The OP5 is the best phone I've ever owned.

    I do have to say, the negative OP articles have conveniently followed the Pixel 2 launches. Someone trying to steal some customers from OP, me thinks.

    1. Mark 110 Silver badge

      Re: I don't care

      I don't care either. Partly because I don't own the device but mostly cos the information they are collecting would be no risk to my safety or peace of mind:

      - International Mobile Equipment Identity: Serial number of the device - they probably knew that already. They made it. I give it other people, Google for one, my insurance company. I wouldn't class it as restricted.

      - phone numbers: I give those out so that people can call me - they are public. Mines on my LinkedIn profile ffs. Linking it to the IMEI and MAC in a database - OK - there's edge cases where if I was a terrorist (or journalist in a bad environment) I might want to object but . . . ? As a normal person I don't have a clue what to worry about.

      - MAC addresses: Err - can't be bothered to answer. Everyone gets those through the network protocols. Manufacturer knows them anyway. Linking them to the phone number achieves little.

      - mobile network: I refer you to the answer I gave some moments ago.

      - among other things: What other things?

      Storm. Tea-cup.

    2. Amorous Cowherder

      Re: I don't care

      No problem then. However. let me remind you of a famous poem.

      "First they came for....and I did not speak out for I was not a...."

  15. Phil O'Sophical Silver badge

    Does IMEI count as personally identifiable info?

    If so then the DPA, and GDPR, may have something to say about this.

    1. Mark 110 Silver badge

      Re: Does IMEI count as personally identifiable info?

      No. No it doesn't. Does the serial number of your TV count as personally identifiable info?

      1. Phil O'Sophical Silver badge

        Re: Does IMEI count as personally identifiable info?

        Does the serial number of your TV count as personally identifiable info?

        No, but no-one has that on record, not even the selling shop. My phone provider has my IMEI, though, and it shows up when I log in to my account. IMEI isn't just "the serial number of the phone".

        1. DougS Silver badge

          Re: Does IMEI count as personally identifiable info?

          It isn't personally identifiable by itself, but all they need is to tie your IMEI and you together ONCE, and then it is personally identifiable info from then on, until you change phones.

        2. Mark 110 Silver badge

          Re: Does IMEI count as personally identifiable info?

          So. If the IMEI is held in a database alongside PII then you could potentially identify the owner of the phone. If you both knew the IMEI and had access to the database.

          Its not the IMEI thats the identifier though. If they are sticking it in a database alongside the phone number (which is PII) then theres a problem.

          A|nd I think you are probably wrong about shops not having records of purchasers versus TVunits serial numbers. I might be wrong. Easy enough to do.

          1. Anonymous Coward
            Anonymous Coward

            Re: Does IMEI count as personally identifiable info?

            If they are sticking it in a database alongside the phone number (which is PII)

            Why should the phone number, which is just an identifier associated with the SIM, be PII but not the IMEI, which is a similar identifier associated with the phone?

            A|nd I think you are probably wrong about shops not having records of purchasers versus TVunits serial numbers.

            My newish TV was stolen recently, police asked if I had the serial number. I (foolishly) didn't, so I contacted the shop. No records, unless perhaps the TV had been in for repair, which it hadn't. The number is printed on the labels on the TV & the box, but not stored in any of the documentation relating to the sale. Other countries/shops may be different, of course.

            Tip: when you buy something valuable, take a photo of the label with the serial number & email it to yourself.

            1. Tim Seventh
              Joke

              Re: Does IMEI count as personally identifiable info?

              "My newish TV was stolen recently"

              I'm still waiting for someone to steal the CRT TV in our open garage. Then I'll finally have an excuse to get a new TV for movie night.

              Maybe I should buy one of those apple logo sticker and tape it to the sides. That might make the TV more attractive to the thief.

            2. ElReg!comments!Pierre Silver badge
              Paris Hilton

              Re: Does IMEI count as personally identifiable info?

              Tip: when you buy something valuable, take a photo of the label with the serial number & email it to yourself.

              Tip: don't give tips about emailing photos to yourself on a place where sysadmins and netadmins might hear you, lest you are begging for an unfortunate workplace accident...

              1. ElReg!comments!Pierre Silver badge
                Paris Hilton

                Re: myself on self-emailing photos

                As a sidenote I recently had to ask a PFY for a contact list (off-work event). The guy trawled his phone's directory, took (very badly) handwritten note of the 3 phone numbers, shot two (very blurry) snaps of the piece of paper and sent them to me by email. I was (figuratively) fuming.

    2. Anonymous Coward
      Anonymous Coward

      Re: Does IMEI count as personally identifiable info?

      And if the IMEI is cloned then it's game over yes?

  16. A. Coatsworth

    And I'm still here...

    ... waiting for El Reg to review the new Android "Nokias" before I give up and plunge into the Android ecosystem.

    Is stock Android more or less slurpy than a vendor-backed version?

    1. Mark 110 Silver badge

      Re: And I'm still here...

      Oh stop worrying. Unless you live in old soviet East Germany and are trying to start a revolution theres not much to worry about. Please explain why I should be worried my phone manufacturer can link the details of the phone it made to my phone number and network?

      1. Lars Silver badge
        Flame

        Re: And I'm still here...

        "why I should be worried my phone manufacturer can link the details of the phone it made to my phone number and network".

        Because it's non of their business.

      2. Tim Seventh

        Re: And I'm still here...

        "Please explain why I should be worried my phone manufacturer can link the details of the phone it made to my phone number and network?"

        It's because sometimes you might not want other people to know that you've play candy crush for a total of 748hours and 163hours while in the office washroom without your consent.

    2. MacroRodent Silver badge

      Re: And I'm still here...

      ... waiting for El Reg to review the new Android "Nokias" before I give up and plunge into the Android ecosystem. Is stock Android more or less slurpy than a vendor-backed version?

      Seems to me if you want privacy, it is better to buy one of the old pre-Lumia Nokias...

      1. Anonymous Coward
        Anonymous Coward

        Re: And I'm still here...

        Seems to me if you want privacy, it is better to buy one of the old pre-Lumia Nokias...

        Nah, you want something like my old trusty:

        http://www.itholix.com/products/1476-samsung-gt-e1150-mobile-phone-gsm-flip.aspx

  17. Anonymous Coward
    Anonymous Coward

    Why does anyone think mobiles are secure?

    Aren't they only just slightly better than Internet of Things devices?

    Why does anyone trust them when there are hundreds of millions of them that haven't been patched against threats that have literally been around for years?

  18. aqk
    Big Brother

    I'm not worried! I live in CANADA!

    And I have a trustworthy Huawei phone! They would never do this!

    Why, just read the following reassuring article from a few years ago!

    CBC now alerts you to the following GRAVE CANADIAN CONCERNS!

    But I AM wondering where I can quickly sell my small supply of Plutonium and my bump-stocked AK-47...

  19. JAXTC

    id like to see what similar tests done on google phone, iphone, and samsung would reveal

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2019