Last week, the phone manufacturer OnePlus was caught collecting an extensive amount of data on its Android smartphones. The company has now said that it will cease these practices in response to user feedback, and that future users will be explicitly presented with the option to opt out when they first activate a device.
The initial investigation into OnePlus’ behavior began earlier this year, when software engineer Christopher Moore was completing the 2016 SANS Holiday Hack Challenge. He proxied the internet traffic from his phone, a OnePlus 2, using OWASP ZAP, “a security tool for attacking web applications.” After seeing a domain he didn’t recognize (open.oneplus.net), he began investigating the situation further. At first, the data that he turned up being relayed to the URL was fairly innocuous, related to whether the phone had just suffered an abnormal reboot. While he wasn’t thrilled to see his device’s serial number relayed at this step, he wasn’t overly annoyed, either. What happened next, however, is something Moore describes as a shock.
Moore describes this code as including “the phone’s IMEI(s), phone numbers, MAC addresses, mobile network(s) names and IMSI prefixes, as well as my wireless network ESSID and BSSID and, of course, the phone’s serial number. Wow, that’s quite a bit of information about my device, even more of which can be tied directly back to me by OnePlus and other entities.”
And it only got worse from there. Later logs show that the OnePlus 2 was relaying when he opened and closed applications on his phone, which applications were being opened and closed, and data on which specific activities were being conducted on which applications. OnePlus was pulling down a non-trivial amount of data about how users were using its devices; Moore discovered OnePlus had vacuumed roughly 16MB of data off his phone over 10 hours. That’s not very much information compared with a video or audio stream, but it’s a lot of diagnostic text.
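The kind of check Moore did by hand can be scripted when reviewing your own device's proxied traffic. This is an added example, not code from Moore's write-up or from OnePlus: it scans captured JSON request bodies for values shaped like IMEIs (15 digits with a valid Luhn check digit) and MAC/BSSID addresses, and reports which hosts received them. The field names and sample payloads are constructed for illustration; only the hostname comes from the article.

```python
import json
import re

MAC_RE = re.compile(r"(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}")
IMEI_RE = re.compile(r"\d{15}")

def luhn_ok(digits):
    """IMEIs end in a Luhn check digit; most other 15-digit strings fail it."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * (2 if i % 2 else 1)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def classify(value):
    """Return the identifier type a leaf value looks like, or None."""
    if not isinstance(value, str):
        return None
    if MAC_RE.fullmatch(value):
        return "mac_or_bssid"
    if IMEI_RE.fullmatch(value) and luhn_ok(value):
        return "imei"
    return None

def leaves(node):
    """Yield every leaf value of a nested JSON document."""
    if isinstance(node, dict):
        for v in node.values():
            yield from leaves(v)
    elif isinstance(node, list):
        for v in node:
            yield from leaves(v)
    else:
        yield node

def audit(requests):
    """Map each destination host to the identifier types seen in its request bodies."""
    findings = {}
    for host, body in requests:
        try:
            doc = json.loads(body)
        except ValueError:
            continue  # non-JSON bodies are skipped, not guessed at
        kinds = {k for k in map(classify, leaves(doc)) if k}
        if kinds:
            findings.setdefault(host, set()).update(kinds)
    return {h: sorted(k) for h, k in findings.items()}

# Constructed sample capture: (destination host, request body). Field names are hypothetical.
SAMPLE = [
    ("open.oneplus.net", '{"dv": {"im": ["490154203237518"], "wifi": {"bssid": "02:00:5e:10:00:01"}}}'),
    ("updates.example.test", '{"session": "150000000000000", "ok": true}'),
    ("open.oneplus.net", "not json"),
]
```

The Luhn check keeps 15-digit session IDs and similar values from being reported as IMEIs.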
The original date on Moore’s article was from early June, but the issue didn’t become common knowledge until this past week. In response to the furor, OnePlus co-founder Carl Pei issued a lengthy forum post, writing:
We take our users – and their data privacy – very seriously. We want to take this opportunity to tell you a little more about data collection on OnePlus devices; explain what we are collecting and why; and map the changes we will make going forward to address your concerns. While data collection is a standard industry practice, we realize that our users have the right to understand how and why it is done…
At any time, users can opt-out of usage analytics collection by navigating to ‘Settings’ – ‘Advanced’ – ‘Join user experience program’…
By the end of October, all OnePlus phones running OxygenOS will have a prompt in the setup wizard that asks users if they want to join our user experience program. The setup wizard will clearly indicate that the program collects usage analytics. In addition, we will include a terms of service agreement that further explains our analytics collection. We would also like to share we will no longer be collecting telephone numbers, MAC Addresses and WiFi information.
OnePlus also notes it does not sell this information to third parties, and it claims to have only collected this information in aggregate and not in a way linked to any specific user account. This opt-out, however, doesn’t actually stop the data collection; it stops the data from being directly associated with your specific device. The company’s entire handling of this scenario reeks of bad faith and raises additional questions, including:
- If end user data is only collected in bulk, why was it ever acceptable for the phone to send back highly specific and unique information?
- If you realize that your end users have the right to understand how data is collected and why it is done, why did someone have to discover this practice independently before you disclosed it?
- If data collection is an industry practice with no practical concerns for end users, why weren’t customers invited to participate in this program from the beginning?
- If you want customers to feel safe participating in your data collection program, why do you make the program opt-out, and why bury it two menus deep?
The answer to these questions, of course, is that OnePlus was aware that it vacuumed up private information, didn’t want people to know it was doing so, didn’t want people to opt out of its own data-gathering, and knew that if people knew what it was doing, they wouldn’t be so inclined to buy its hardware. The alternative–that the company just magically happened to create a data-gathering utility that happens to scoop up private and personal data on application usage while tying it back to your device–beggars belief. And if treating people like walking private data repositories you’re allowed to harvest at will is standard industry practice, as Carl Pei writes (and tries to hide behind), maybe it’s time to change that.