Hacker News new | comments | show | ask | jobs | submit login
OnePlus Is Again Sending User Data to a Chinese Company Without User Consent (twitter.com)
185 points by pritambarhate 8 months ago | hide | past | web | favorite | 46 comments

Notice how there is actually no proof at all in these tweets. The author admits that they could not observe any network requests being made:

> I didn't manage to trigger the network communications to the teddymobile servers but I will continue later.

It looks to me like this person is cherrypicking random SDK methods that may seem suspicious out of context and making very wild assumptions of their purposes.

For example, they show a function that checks if a string contains a bank account number (https://twitter.com/fs0c131y/status/956649951056064513). Somehow they then jump to the conclusion that copied text is run through this function and uploaded to some server! But where is the proof? They could check where this method is used and show this supposed data upload happening.

In fact, since these methods are coming from some third party SDK and not the app itself, they could be completely unused.

Playing devil's advocate here, we don't know the conditions of usage. It could be just inactive, or become active after X date or whatever other condition they wish. Speculating on use/non-use is a bit pointless until someone analyzes these in-depth.

What we do know is the intent of those functions, and it paints a quite horrible image.

Any fight for privacy in the modern technology environment is such an extreme case of power asymmetry that I'm starting to think it's hopeless.

On the one side you have individuals that don't want their private information to be revealed without their consent. On the other are device manufacturers, advertisers, startups, and giants like Google and Facebook. Often, maintaining privacy while viewing a single website requires either trusting or subverting the intentions of multiple such organizations.

It's like going to war with the British Royal Navy at the height of its power in a dinghy. So far it's been possible because the navy has made a promise that they'll "play fair". But that can change on a whim and there's ultimately very little you can do if that happens.

Don't worry, the GDPR is coming.

Now you're going to war with the Royal Navy in a nuclear armed ruber dinghy

4% revenue per timeframe in which privacy rights were violated, or 20 million. EUR, whichever is larger, is absolutely nothing to ignore anymore.

That sounds nice in theory, but in a global setting, how will it really work?

Per GP comment, there is a whole tech stack of N providers, each piece made or running in a different country, pushing data to servers in another country, which data is bought by interests in a third country, for M destinations. Then you get the providers who intentionally don't store data in GDPR countries specifically so they can avoid these rules. Look at what Uber already does to skirt the authorities. So you have at least MxN countries possibly involved or whatever. If your data is released, it'll rattle around in a pachinko machine of jurisdiction debate for years against well funded, malicious corporations.

It doesn't seem like any rule is enforceable in practice.

The GDPR applies extraterritorially.

If a company even stores a record of a single EU citizen, the GDPR applies to it, and the EU has the right to seize the assets of the company for the purpose of enforcing it.

I am curious about something.

If you were to only offer your service in North America, but someone from the EU comes over to North America on vacation, and somehow becomes recorded in your service.

Does the GDPR still apply in this case?

As long as that someone is still in the US, no. But if the service is used from the EU, the GDPR applies.

Article 3 defines the territorial scope:


>The GDPR applies extraterritorially.

Yeah. Good luck with that.

It'll work for the big, entrenched companies like Facebook who couldn't bear to be without its UK customers, for example. But I don't see the EU successfully going after every little dot-com startup from Alabama to Angola, many of them in jurisdictions that barely have a functioning legal system, let alone respect for EU law.

If such extraterritorial enforcement was actually possible, there would be no 419 scammers.

You can try that, but every major bank will cooperate and simply freeze your accounts if ordered to do so.

If you're in the UK. Some of us Yanks aren't too happy with the state of things either, and don't have people looking out for us.


*EU, the UK won't be part of the GDPR for long enough that it'd have relevant effects.

The UK is implementing GDPR in full in UK law.

For now that is certainly true, but as is obvious, we don't know yet which laws will be retained after Brexit, and with even such major things as the ECHR still undecided, I wouldn't put it past them to repeal this as well in the future.

This whole Brexit thing is sure working out well, isn't it?

Why does it matter whether the company is Chinese or not? Isn't it bad enough that there's a background process running, unbeknownst to the user, and presumably uncontrollable by the user, that monitors the device's clipboard and has methods like containsBankAccount(String)?

Sure it's bad but there are a couple of reasons why it matters that it's a Chinese company.

1. It feeds into the suspicion many have that many (most? all?) large Chinese companies are effectively controlled by the Chinese government. This could go as far as having backdoors in, say, Huawei routing equipment.

2. Effectively disclosing a user's personal information to the Chinese government could, in some cases, imperil their liberty, even their life. I'm talking about people the Chinese governments views as "dissidents". The same would be true if it were a Russian, North Korean, Iranian, Syrian or Sudanese company.

>It feeds into the suspicion many have that many (most? all?) large Chinese companies are effectively controlled by the Chinese government.

All is the correct answer. Just like it's not legal to own property in China, all companies are ultimately owned and controlled by the Chinese government. They have shiny, pretty, Western-looking front ends to attract foreign investment, but from a strictly legal standpoint, they're all owned by the government.

For some reason people forget that China is still a communist country. Nothing's changed other than it's gone from exporting rice to exporting phones.

China does indeed have the concept of private property, to the extent that China de facto recognizes the rule of law (which admittedly isn't that much):


It's not accurate to say China is "still a communist country." It could be more closely defined as a capitalist one-party state. That one party is the CCP, and they still revere Mao, but it's an open secret that they have embraced capitalism under a veneer of socialist populism.

That being said, it's not wrong to say that information in the hands of a Chinese company is a trivial step away from being information in the hands of the Chinese state.

Because China's government has been known to lean on manufacturers in the past to include malware and backdoors.

to be fair though, the NSA has been known to inject malware into american products without even telling the manufacturers

Very good question indeed. European smartphones send tons of data to US companies with are known to proactively cooperate with the NSA and consors, which is the same kind of problem. But for some reasons this seems to be fine for our rulers whereas it’s becoming an issue when China or Russia is involved. Not that I what a free pass for these two countries; on the contrary I would like to see more regulations for every non EU companies.

One reason is court jurisdiction. A domestic company is subject to, and therefore vulnerable to, court action/rulings/judgements. Suing a foreign company (especially one in China) is hopeless.

OnePlus statement that it is a false claim: https://www.reddit.com/r/Android/comments/7t6joy/statement_f...

The recent few "data collection" alarms appears to be smear campaign.

Here is an article about their previous data collection: https://www.chrisdcmoore.co.uk/post/oneplus-analytics/.

On one hand, if you live in the USA maybe it's better that a Chinese company spies on you, because they're far away and the government/other gangsters are less likely to care about you than about local people involved in local politics etc.

On the other hand, there's no guarantee your data isn't also made available to domestic parties, either as it's intercepted in transit or explicitly shared in bulk in exchange for e.g. concessions on a trade treaty

> On one hand, if you live in the USA maybe it's better that a Chinese company spies on you

It depends on who the "you" is.

If it's a couple of internet nobodies like you and me that China is spying on, then it's no big whoop. But if the "you" in question is someone who works at the Pentagon, or at a defense contractor, or a diplomat, or government official, then there's a problem.

Even if you are a nobody, are you sure? Maybe you know someone that is not a nobody (works at the Pentagon, or at a defense contractor, or a diplomat, or government official ...). Or you know someone that has access to a non-nobody. And even that. Probably having access to an allegedly nobody with no connection could be interesting. Which access level has, I don't know, the DevOps of Credit Karma? Or a Data Scientist for Acxiom, or... They are totally mister nobody, but they have access, directly or indirectly to important peoples. So, the risk is actually higher than expected...

How do we remove this?

I'm getting quite tired of one plus. This is the third strike against them in at least the last 6 months.

Anyone has good experience with a custom rom on a one plus 5?

I've been using Lineage on my oneplus 3 for some time, and it's very stable. https://wiki.lineageos.org/devices/cheeseburger

I'm having good luck with the most recent Dirty Unicorns RC.


And what penalty will the company suffer? Virtually none.

This is one of the cases where they will probably suffer if any of this turns out to be true. OnePlus is a small manufacturer with a following of enthusiasts. They aren't large or popular enough to PR their way out of this.

OnePlus is owned by the same company that owns Oppo and Vivo, so they aren't really a small manufacturer.

Wirecutter removed them as a recommendation. Others will probably as well. This should affect sales somewhat and since smart phone margins are so slim it could have a drastic affect.

Seems to me like this might be a requirement for Asian markets or for selling phones in those regions. Author has tweeted that it's specific to Chinese regional locale/headset. Can't it be chalked up to the costs of doing business if sales plummet? OP5s owner here.

I thought this was going to be something interesting like them encoding your private data into the dictionary set to obfuscate the communication. Apparently it's nothing at all.

Also worth noting iPhone sends a lot of information in the HTTP headers about your phone - like model number. Android does the same thing. Also simply plugging your phone in to USB (not accepting any on-screen dialogs) will save the IEMI and other device IDs into your system log. If you ever have a device stolen I suggest you run $(zgrep -i iphone /var/log/*.gz)

This is a smear campaign. It seems like first this only affects Chinese users and second it does not send emails or numerics (tries to protect privacy)

Funny. If you visit a Canada website, it will "Save User Data to a Canadian Company Without User Consent" for sure.

When will the lesson be learned! You cannot reason with China when your head is in its mouth!

Can anyone recommend a similar company that isn't violating privacy?

OnePlus isn't all that special in the hardware category. Buy any device supported by Lineage OS and go nuts. If you want the whole package from a single company keep your eye on the Librem 5


> OnePlus isn't all that special in the hardware category.

I don't know about that. I've found their hardware to offer surprisingly good value for money, and they offer close-to-stock Android for much less than Google now do.

Their privacy failures are deeply unfortunate; I'd have remained a happy customer for the next several years were it not for these issues.

Shocker! Nobody should be surprised by this.

The tweets are blatantly inaccurate.

There's an r/android discussion on this currently, where the consensus is that the twitter poster is a serial clickbaiter.


Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | Legal | Apply to YC | Contact