To get rid of it you have to uninstall the tracking app via adb: (no root access needed)
$ adb start-server
$ adb shell
> pm uninstall -k --user 0 net.oneplus.odm
That was a bit surreal.
In my mind, the only options are either dumping your OnePlus or flashing a third party ROM (I plan to flash Lineage tonight and probably start shopping for a replacement for my OP3 as well)
I'm curious as to what phones you're considering to replace your OP3 with, though.
For myself, I've been looking for something that has "much better than average" security and, unfortunately for any mobile platform, that looks like it's probably not going to happen.
The closest ROM I've found is CopperheadOS, but it is only supported on a few devices.
In terms of phones, I don't know. The Pixel 2 XL, Galaxy S8, Note 8, and LG V30 are probably the best Android devices available right now. I haven't done much research so I don't have much of an opinion right now. I'm feeling fairly jaded right now and half-considering switching to an iPhone and away from a lot of Google services because Apple seems to at least half-care about privacy. I know in the end that is likely BS but what can you do at this point short of go back to a dumb phone (which you really can't do if you are an app dev trying to stay on top of current trends)?
Exactly my stance. I am sure Apple is shady as well but it's my opinion (partially supported by numerous stories here on HN) that Google collects and sells anything they can get their hands on.
I'm buying iPhone X for me and my girlfriend (when it finally comes out). We already have iPad Pros. We'll just go full Apple except the gaming PCs. We will change all passwords from inside one of the iDevices as an additional security measure. Most likely gonna use YubiKey 4 as well -- although I am still not informed enough to make the decision.
Already using DuckDuckGo 95% of the time -- sadly it is not as good as Google but really, most of the time it gives me what I need. Still not sure Firefox is up to the task to replace Chrome, but I'm keeping an eye out and using the beta (Quantum).
End-game is gonna be to replace Gmail with something else.
I feel I can't trust Google with telling me the time these days so I am migrating away from them.
The proxy server will aggregate and anonymise the data before uploading it to upstream OnePlus servers. For example, it can strip out IP addresses. Eliminate data points which are too few and can therefore be dangerous. Maybe if too few people are using an app, records about the usage of that app aren't uploaded to upstream OnePlus servers. If OnePlus wants to know how many photos an average user is taking, the intermediate server could just upload that information, or percentiles, not data about each individual user. These are all not possible to do on-device.
With this, we don't have to worry about what code is running on the phone, or what OnePlus servers are doing, both of which are closed-source and unavailable to us to inspect. But the intermediate server will be open-source.
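The aggregation step proposed in the comment above, as an added example (not code from the thread or from OnePlus): IP addresses are dropped, apps with too few distinct users are suppressed, and photo counts leave only as quartiles. The record fields, the threshold `K_MIN_USERS` and the sample data are assumptions constructed for illustration.

```python
from collections import defaultdict
from statistics import quantiles

K_MIN_USERS = 5  # assumed threshold: groups with fewer distinct devices are not reported


def aggregate(records, k=K_MIN_USERS):
    """Reduce per-device telemetry to an aggregate report for upstream.

    Each record is a dict with the hypothetical fields
    'ip', 'device_id', 'app' and 'photos_taken'.
    """
    users_per_app = defaultdict(set)
    photos_per_device = defaultdict(int)
    for r in records:
        # r["ip"] is never read, so the source address cannot reach the report.
        users_per_app[r["app"]].add(r["device_id"])
        photos_per_device[r["device_id"]] += r["photos_taken"]

    # Small-count suppression: an app used by fewer than k devices is dropped,
    # because a rare app can single out the few people who use it.
    app_users = {app: len(devs) for app, devs in users_per_app.items()
                 if len(devs) >= k}

    report = {"devices": len(photos_per_device), "app_users": app_users}

    # Per-user photo counts are reduced to quartiles, and only when the
    # population is large enough that a quartile is not one person's value.
    counts = sorted(photos_per_device.values())
    if len(counts) >= k:
        report["photos_quartiles"] = quantiles(counts, n=4, method="inclusive")
    return report


# Constructed sample: six devices use a camera app, two of them also use a rare app.
SAMPLE = [
    {"ip": f"192.0.2.{i}", "device_id": f"dev{i}",
     "app": "com.example.camera", "photos_taken": 2 * i}
    for i in range(1, 7)
] + [
    {"ip": "192.0.2.1", "device_id": "dev1",
     "app": "com.example.rare", "photos_taken": 0},
    {"ip": "192.0.2.2", "device_id": "dev2",
     "app": "com.example.rare", "photos_taken": 0},
]

if __name__ == "__main__":
    print(aggregate(SAMPLE))
```

The report carries device and per-app user counts plus quartiles only; no device identifier or address is copied into it.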
Those are few and far between. I still don't see how you are going to get major players into this. Niche -- maybe, but we already have a few of these (other comments in this thread mention them). Also, such a server would be a very sweet target for hackers and high security requirement raises upkeep by quite a bit.
Yes, it will be niche to begin with, but everything starts that way. If minor players adopt this, over time, it can put pressure on the big players to do so as well. It's a long game.
For example, MS opened an Azure datacenter in Germany where MS doesn't have access to user data. So, people are starting to do things to restrict their own access.
adb uninstall -k --user 0 net.oneplus.odm
I'm not sure I understand this logic. Can you explain your reasoning here? What makes Google different?
Is it just about data security (e.g. you don't care what anyone does with your data as long as they don't leak it publicly)?
Its business is fundamentally about trust, people trusting its services, I feel it offers good data security on its accounts and it offers services that I am happy I don't have to pay for. Almost 2 decades of email services, search, and drive space is something I'm glad I never pay for.
In certain cases I do keep data away from Google, I'll never upload all my photos to Google Photos, or put my media collection on a Google Drive, and I'll keep certain documents locally, but for the majority of the ephemera in my life, it's a fine place to leave it.
Nothing about my life is really that important or sensitive that security is a must and I need to be completely clandestine, if I leave a trail of breadcrumbs for someone to use to pipe adverts at me, so be it, but I can always stop them in browser with a good ad-blocker or a network level filter.
If I want that level of privacy I can always go down the proton-mail account route and use PGP or encrypted messaging. Although that's not really necessary when I'm just sending my GF a gif of a seal playing a saxophone or deciding if I cook fajitas for dinner!
If anyone has my data, I'd want it to be the one that you can hope is implementing best practices.
Maybe he's American and trusts American companies more. For Europeans, it's tougher: You can choose between being spied on by the Chinese or by the Americans.
The cynic in me would suggest that on a Google phone, only Google gets to peek at what you do, otherwise it's Google plus the vendor. Also - Google, despite being a bit too nosy for my own comfort, at least is likely to have decent security, so this data is less likely to get exfiltrated and end up published (or sold on a darknet).
Additionally, restrictions on things like copyright aren't nearly as draconian in China - last I tried Baidu's cloud drive service they offered a torrent downloader built into the thing. Other speech restrictions are obviously very nasty and present, but as you're not a citizen there's nothing they can really do to you.
IBM took on the personal computer market and made the PC standard, which launched the chain of backwards compatibility that continues to this day. Because they did this in 1981, the idea of "secure bootloaders" was not on their radar. By the time anyone started thinking along those lines, the standard was well entrenched; this same standard gave Linux and other free OSs a relatively static target to hit, just as the internet was gaining ground (a force multiplier for hippie free-software types). Before PC clones took off, every home computer was a different design, OSs were specific to each model, and open alternate OSs were not really a "thing".
For a glimpse of an alternate history where these things happened in a slightly different order, take a look at TI graphing calculators; each is a bespoke microcomputer using very 80s-ish technology (z80/m68k cpus, built-in BASIC etc) and each has RSA signed OS images, the keys for which were only factored in 2009. Even now that every single microscopic detail of the hardware is known, and the keys available, alternative OSs are niche and usually incomplete projects confined to a single model, because there is no standard to target.
All we have now is a reversion to the natural order of things, permitted by the shift to "mobile" breaking all the rules and allowing all the norms to be reset.
Android is pretty much as close as you're getting - I'd say it's quite comparable to the situation on desktop PCs today if not a little better because the open source community around it is quite potent. In fact, OnePlus is quite popular in these communities for making cheap, well-spec'd phones with unlocked bootloaders where you're free to have full control over your device.
And all this is missing one of the biggest sources of this spying - apps. Most apps send pretty much everything they can get their hands on when you start them, I launched a game the other day and had it connecting to 6 services for 2 analytics, ads, and crash reporting, all of which were contacted every time the app was started. For this I'm very grateful for tools like XPrivacy and LineageOS's privacy guard which allow you to trivially block this and such tools are not commonly available on other platforms.
Of course, with phones it is more difficult to assemble stuff (everything is much smaller), but the whole concept of a standardized open platform is not there.
Somebody should define the "PC Phone", and declare it an open standard.
The platforms are well known, architectures are standardized, GPU drivers are often proprietary similar to the desktop world, but ultimately I can flash anything I want on my phone, I've run stock Android, several modified variants, Firefox OS, Ubuntu, Sailfish and others.
From a software perspective that's all not too hard to achieve, the hardware side of things does lack standardization but that's because as you say, it's not exactly something you can hand assemble.
But yeah, totally accessible.
"totally libre PC"? All major CPU manufacturers implement hardware level backdoor we can't disable. The newest version of the most popular OS tracks your every step by default. All of these tiny chips in pretty much any modern electronic device are full of binary blobs you have no way to inspect. Maybe we live in different worlds then.
Phones are closed, locked down, and bugged by design.
This was the era of flip phones when carriers had full control. They really didn't want to lose that control. I doubt a company smaller and less influential than Apple could possibly have gotten a full-fledged computer of any kind onto cell networks.
This led the entire mobile ecosystem down a path where the device is locked down by design even though today carriers are less able to influence that.
Add to that the emergence of surveillance-driven advertising as a way to monetize "free." It's very hard to compete with free (or subsidized) products. Most people compare price vs feature set, not privacy or security. So there was a huge economic incentive to turn phones into little surveillance devices to siphon up data to be used to drive advertising.
Without surveillance capitalism most apps would cost money and phones would probably cost a lot more.
In Europe, Nokia did it in 1996, 11 years before Apple's iPhone.
Wat? It was easy to install third-party jars on my Nokia S60 devices, both before and after the iPhone, no carrier approval required.
They met their $1.5 million funding goal and had some backers pitching in at 20k a pop which implies rich people / company interest
It was an accident of history, leading to the ISA bus x86 clones, and Compaq not losing a court case around clean-room engineering.
IBM even tried to roll back that accident with the MCA bus, and possibly would have succeeded if they hadn't been so greedy.
But since you end up with essentially the same OS with essentially the same userspace doing essentially the same thing it raises questions of why go through the effort and hassle. You're completely free to do so, though.
You will, however, still end up with binary black box device drivers. Just like you do on a top of the line desktop if you want to actually fully use the hardware.
Now Librem 5 from Purism got fully funded (1), so in a year you'll have a fully free phone.
The market for a fully free phone is there but it's small(ish). Hopefully they'll get a piece of the pie with their anti-walled-garden mission statement.
Locked or hard-to-flash bootloaders.
Not releasing code. Even encrypting stock ROMs.
Punishing power users by blocking root.
Consumers not caring.
How did you manage this?
Most devices are actually sold at barely over cost.
I bet Apple at this point knows FAR more about their users than Google or OnePlus does.
"There is a lot to be said for a company that is focused on hardware and not on serving content to that device"
Lol you can't even install anything on your iPhone without passing through Apple. Come on. And an iPhone comes with a ton of nice shiny Apple apps. They are serving Safari, iTunes and Apple wallet.
Though I get the feeling google's approach of trying to desensitize me (emailing me about how great I am for traveling to mcdonalds like a slob, and gamifying my use of google maps, for example) instead of shamefully hiding it, is a fair bit worse
If it's "normal" to track every step and shove it in your face, surely you must be paranoid to not let them do at least some of that stuff.
I'm not saying there's no use for the data, and the services provided. It's just the opt-out nature of invading my privacy that I personally don't approve of.
IIRC, you're properly asked, the first time you try to do something, whenever you want to enable relevant tracking - e.g. share location history (e.g. when trying to set up "show my location"), or save voice data on Google servers (e.g. when setting up voice unlocking), etc etc.
I'm not exactly sure about app history and in-app search, though - just honestly don't remember about it. But it could be that the user is actually asked at account setup time.
Point is, for many things Google actually properly asks for permission. Guess, it works for them, because timing's relevant. (They probably have a ton of invisible tracking as well.)
Apparently there's a feature in the Google Home Mini that allows you to long press on the speaker to bypass the hot word detection ("Ok/hey Google"). Apparently there was a bug on this feature and random sounds could activate the listening of the Home, so it was recording data all day long.
redirect server open.oneplus.net.
Of course, it is likely many other Android devices have a similar setup.
This data collection is beyond ridiculous and if it's not already illegal, it should be.
Lineage doesn't ship the proprietary Google Apps. It is up to the users to flash it after flashing Lineage
The devices are a mixed bag, some of them are quite decent.
OxygenOS, however, is garbage.
> OnePlus Support: Alright. Please try doing a hard reset http://bit.ly/1TbY1RZ and see if there are improvements.
How could this help improve the situation at all? Does the OnePlus Support Team even read the user's problem details?
Very unprofessional I must say.
> ping open.oneplus.net
ryans-mbp:~ ryan$ curl https://open.oneplus.net -D-
HTTP/1.1 200 OK
Granted the data could end up in a Hadoop cluster, but they didn't expose that directly to the internet.
TL;DR: we collect the shit out of you and share it with third parties as we see fit. If you disagree you will get a crippled experience
> Personal information will only be shared by Apple to provide or improve our products, services and advertising; it will not be shared with third parties for their marketing purposes.
This goes in contrast with most tech companies such as Amazon and Google. However, Apple does have the horrible clause:
> in the event of a reorganization, merger, or sale we may transfer any and all personal information we collect to the relevant third party.
This clause should be considered the antichrist of clauses, because it just makes the entire policy void in case of a merger. Not that I see Apple being acquired by anyone soon, but still.
> This clause should be considered the antichrist of clauses, because it just makes the entire policy void in case of a merger. Not that I see Apple being acquired by anyone soon, but still.
I like Google's more :-).
> We may collect information such as occupation, language, zip code, area code, unique device identifier, referrer URL, location, and the time zone where an Apple product is used so that we can better understand customer behavior and improve our products, services, and advertising.
How is your occupation and exact location non-personal?
Not only, how many degrees of separation do exist between your "unique device identifier" and your identity (additionally given the restricted area provided by Zip code, area code and/or location)?
What is exactly the "unique device identifier"?
The IMEI, the MAC address, something else?
It probably doesn't matter, given how easy it is to correlate/deanonymize substitute keys.
"Hashing is magic crypto pixie dust which takes personally identifiable information and makes it incomprehensible to the marketing department." -Daniel J. Bernstein
Very well summed up.
Apple is sitting on a gold mine. Meanwhile OnePlus is just a phone maker. Something to keep in mind.
Perhaps they want to see what data is universally collected, where android goes deeper and if apple collects anything android doesn't?
Those kinds of stories are keeping me back from buying any Android devices in the nearest future. Somebody might say that I can flash it with clean Android ROM but that's great for people who have too much time :-)
Again it shouldn't be necessary to do this and I won't expect anyone to do this, but I don't see why you have to insinuate that only people with too much time would do this...
Anecdata, but 90% of people I know have never installed Linux (and the few times I've had to try and find recovery discs, going to bet reinstalling Windows is at about the same percentage), and not sure I know anyone who's flashed a new ROM on Android.
I'm genuinely curious as to where this expectation that everyone should be au fait with OS tinkering comes from?
I'd support regulation forcing Google to permit users to install our own root CA certs.
Only problem is that you have to explicitly enable the use of custom CA certs in your app, so it won't work with Google apps as you say.
Is there no other way to get at this traffic? Possibly something at the application level, like throwing a debugger at the calls that are originating the telemetry traffic?
Or any other app doing nefarious things.
Enabling apps to ignore user-installed certs is flat-out evil and inexcusable.
If you want to log Google data traffic, you have to put a CA cert into the system cert store (needs root access).
Preventing me from controlling my phone is evil. Preventing me from seeing what the apps on my phone are doing is evil. If I wanted a padded room or a walled garden, I'd be using iOS.
Google can't catch everything from the Play store, hence the CA cert store change.
Think you might need a full stop there. OP might have a reputation amongst the "root/flash/ROM" brigade, but that by no means makes up all of their userbase, and user-blaming that it's your own fault for not randomly knowing about custom flavours of Android isn't really helpful.
This is consumer software, on a consumer product, by a consumer company, that's doing something that raises genuine questions about personal privacy and the access to information we give to hardware manufacturers. The default answer to all of this really shouldn't be "install random OS XYZ", in the same way that questioning Windows 10 analytics isn't "just install Arch".
I always used CM (or LineageOS) before the 5, they never completed the first setup once before I unlocked the bootloader, thereby reset to factory and I flashed a different ROM right away. Right now I'm on the stock ROM (and affected ofc) though.
1) Do you use your camera? I had the feeling that every time I went from stock to CM/LineageOS I lost features and quality.
2) Why would you pick "Sultan's LineageOS ROM" (not trying to slight Sultan, whoever that might be. I'm curious) instead of going with the official LineageOS builds?
Still, it's not like Apple is really significantly better.
Even if it is declared somewhere, that would not make this behaviour legal in the EU.
The more time I spend with this phone the more I believe that Apple aligns with my interests more (plus their hardware is simply better). Sure, I'll spend a bit more money but at least I won't have Google + OnePlus collecting stats on what apps I use.
But I run LineageOS. It's far better than OxygenOS, whose trouble knows no end.
Does Apple collect the same statistics though?