OnePlus Is Again Sending User Data to a Chinese Company Without User Consent - pritambarhate
https://twitter.com/fs0c131y/status/956628910308982785
======
veeti
Notice how there is actually no proof at all in these tweets. The author
admits that they could not observe any network requests being made:

> I didn't manage to trigger the network communications to the teddymobile
> servers but I will continue later.

It looks to me like this person is cherrypicking random SDK methods that may
seem suspicious out of context and making very wild assumptions of their
purposes.

For example, they show a function that checks if a string contains a bank
account number
([https://twitter.com/fs0c131y/status/956649951056064513](https://twitter.com/fs0c131y/status/956649951056064513)).
Somehow they then jump to the conclusion that copied text is run through this
function and uploaded to some server! But where is the proof? They could check
where this method is used and show this supposed data upload happening.

In fact, since these methods are coming from some third party SDK and not the
app itself, they could be completely unused.

~~~
franciscop
Playing devil's advocate here, we don't know _the conditions_ of usage. It
could be just inactive, or become active after X date or whatever other
condition they wish. Speculating on use/non-use is a bit pointless until
someone analyzes these in-depth.

What we do know is the intent of those functions, and it paints a quite
horrible image.

------
AlexandrB
Any fight for privacy in the modern technology environment is such an extreme
case of power asymmetry that I'm starting to think it's hopeless.

On the one side you have individuals that don't want their private information
to be revealed without their consent. On the other are device manufacturers,
advertisers, startups, and giants like Google and Facebook. Often, maintaining
privacy while viewing a _single website_ requires either trusting or
subverting the intentions of multiple such organizations.

It's like going to war with the British Royal Navy at the height of its power
in a dinghy. So far it's been possible because the navy has made a promise
that they'll "play fair". But that can change on a whim and there's ultimately
very little you can do if that happens.

~~~
kuschku
Don't worry, the GDPR is coming.

Now you're going to war with the Royal Navy in a nuclear-armed rubber dinghy.

4% revenue per timeframe in which privacy rights were violated, or 20 million
EUR, whichever is larger, is absolutely nothing to ignore anymore.

~~~
imglorp
That sounds nice in theory, but in a global setting, how will it really work?

Per GP comment, there is a whole tech stack of N providers, each piece made or
running in a different country, pushing data to servers in another country,
which data is bought by interests in a third country, for M destinations. Then
you get the providers who intentionally don't store data in GDPR countries
specifically so they can avoid these rules. Look at what Uber already does to
skirt the authorities. So you have at least MxN countries possibly involved or
whatever. If your data is released, it'll rattle around in a pachinko machine
of jurisdiction debate for years against well funded, malicious corporations.

It doesn't seem like any rule is enforceable in practice.

~~~
kuschku
The GDPR applies extraterritorially.

If a company even stores a record of a single EU citizen, the GDPR applies to
it, and the EU has the right to seize the assets of the company for the
purpose of enforcing it.

~~~
Azeralthefallen
I am curious about something.

If you were to only offer your service in North America, but someone from the
EU comes over to North America on vacation, and somehow becomes recorded in
your service.

Does the GDPR still apply in this case?

~~~
andor
As long as that someone is still in the US, no. But if the service is used
from the EU, the GDPR applies.

Article 3 defines the territorial scope:

[http://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELE...](http://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:32016R0679&from=DE#d1e1455-1-1)

------
ryandrake
Why does it matter whether the company is Chinese or not? Isn't it bad enough
that there's a background process running, unbeknownst to the user, and
presumably uncontrollable by the user, that monitors the device's clipboard
and has methods like containsBankAccount(String)?

~~~
cletus
Sure it's bad but there are a couple of reasons why it matters that it's a
Chinese company.

1. It feeds into the suspicion many have that many (most? all?) large Chinese
companies are effectively controlled by the Chinese government. This could go
as far as having backdoors in, say, Huawei routing equipment.

2. Effectively disclosing a user's personal information to the Chinese
government could, in some cases, imperil their liberty, even their life. I'm
talking about people the Chinese government views as "dissidents". The same
would be true if it were a Russian, North Korean, Iranian, Syrian or Sudanese
company.

~~~
reaperducer
> It feeds into the suspicion many have that many (most? all?) large Chinese
> companies are effectively controlled by the Chinese government.

All is the correct answer. Just like it's not legal to own property in China,
all companies are ultimately owned and controlled by the Chinese government.
They have shiny, pretty, Western-looking front ends to attract foreign
investment, but from a strictly legal standpoint, they're all owned by the
government.

For some reason people forget that China is still a communist country.
Nothing's changed other than it's gone from exporting rice to exporting
phones.

~~~
Cyberdog
China does indeed have the concept of private property, to the extent that
China _de facto_ recognizes the rule of law (which admittedly isn't that
much):

[https://en.wikipedia.org/wiki/Property_Law_of_the_People's_R...](https://en.wikipedia.org/wiki/Property_Law_of_the_People's_Republic_of_China)

It's not accurate to say China is "still a communist country." It could be
more closely defined as a capitalist one-party state. That one party is the
CCP, and they still revere Mao, but it's an open secret that they have
embraced capitalism under a veneer of socialist populism.

That being said, it's not wrong to say that information in the hands of a
Chinese company is a trivial step away from being information in the hands of
the Chinese state.

------
jaxondu
OnePlus statement that it is a false claim:
[https://www.reddit.com/r/Android/comments/7t6joy/statement_f...](https://www.reddit.com/r/Android/comments/7t6joy/statement_from_oneplus_on_the_latest_clipboard/)

The recent few "data collection" alarms appear to be a smear campaign.

------
RubenSandwich
Here is an article about their previous data collection:
[https://www.chrisdcmoore.co.uk/post/oneplus-analytics/](https://www.chrisdcmoore.co.uk/post/oneplus-analytics/).

------
xkcd-sucks
On one hand, if you live in the USA maybe it's better that a Chinese company
spies on you, because they're far away and the government/other gangsters are
less likely to care about you than about local people involved in local
politics etc.

On the other hand, there's no guarantee your data isn't also made available to
domestic parties, either as it's intercepted in transit or explicitly shared
in bulk in exchange for e.g. concessions on a trade treaty.

~~~
reaperducer
> On one hand, if you live in the USA maybe it's better that a Chinese company
> spies on you

It depends on who the "you" is.

If it's a couple of internet nobodies like you and me that China is spying on,
then it's no big whoop. But if the "you" in question is someone who works at
the Pentagon, or at a defense contractor, or a diplomat, or government
official, then there's a problem.

~~~
LukaAl
Even if you are a nobody, are you sure? Maybe you know someone that is not a
nobody (works at the Pentagon, or at a defense contractor, or a diplomat, or
government official ...). Or you know someone that has access to a non-nobody.
And even then, probably having access to an allegedly nobody with no
connection could be interesting. What access level does, I don't know, the
DevOps of Credit Karma have? Or a Data Scientist for Acxiom, or... They are totally
Mister Nobody, but they have access, directly or indirectly, to important
people. So, the risk is actually higher than expected...

------
anonu
How do we remove this?

I'm getting quite tired of OnePlus. This is the third strike against them in
at least the last 6 months.

Does anyone have good experience with a custom ROM on a OnePlus 5?

~~~
agentx3r
I've been using Lineage on my OnePlus 3 for some time, and it's very stable.
[https://wiki.lineageos.org/devices/cheeseburger](https://wiki.lineageos.org/devices/cheeseburger)

------
PacketPaul
And what penalty will the company suffer? Virtually none.

~~~
Spivak
This is one of the cases where they will probably suffer if any of this turns
out to be true. OnePlus is a small manufacturer with a following of
enthusiasts. They aren't large or popular enough to PR their way out of this.

~~~
enitihas
OnePlus is owned by the same company that owns Oppo and Vivo, so they aren't
really a small manufacturer.

------
quantumfoam
Seems to me like this might be a requirement for Asian markets or for selling
phones in those regions. Author has tweeted that it's specific to Chinese
regional locale/handset. Can't it be chalked up to the costs of doing business
if sales plummet? OP5s owner here.

------
krisives
I thought this was going to be something interesting like them encoding your
private data into the dictionary set to obfuscate the communication.
Apparently it's nothing at all.

Also worth noting iPhone sends a lot of information in the HTTP headers about
your phone - like model number. Android does the same thing. Also simply
plugging your phone into USB (not accepting any on-screen dialogs) will save
the IMEI and other device IDs into your system log. If you ever have a device
stolen I suggest you run $(zgrep -i iphone /var/log/*.gz)

------
getcrunk
This is a smear campaign. It seems like first this only affects Chinese users
and second it does not send emails or numerics (tries to protect privacy).

------
yingbo
Funny. If you visit a Canadian website, it will "Save User Data to a Canadian
Company Without User Consent" for sure.

------
ksec
When will the lesson be learned! You cannot reason with China when your head
is in its mouth!

------
EamonnMR
Can anyone recommend a similar company that isn't violating privacy?

~~~
Spivak
OnePlus isn't all that special in the hardware category. Buy any device
supported by Lineage OS and go nuts. If you want the whole package from a
single company, keep your eye on the Librem 5.

[https://puri.sm/shop/librem-5/](https://puri.sm/shop/librem-5/)

~~~
zeveb
> OnePlus isn't all that special in the hardware category.

I don't know about that. I've found their hardware to offer surprisingly good
value for money, and they offer close-to-stock Android for much less than
Google now do.

Their privacy failures are deeply unfortunate; I'd have remained a happy
customer for the next several years were it not for these issues.

------
deagle50
Shocker! Nobody should be surprised by this.

------
consciouskernel
The tweets are blatantly inaccurate.

There's an r/android discussion on this currently, where the consensus is that
the Twitter poster is a serial clickbaiter.

[https://www.reddit.com/r/Android/comments/7t6joy/statement_f...](https://www.reddit.com/r/Android/comments/7t6joy/statement_from_oneplus_on_the_latest_clipboard/)