Disguised user location data collection on Huawei phone? (threader.app)
298 points by seapunk on Oct 14, 2018 | 162 comments



I know I sound like a broken record on Huawei posts (too many friends' parents lost their jobs over it) but it's worth pointing out that Huawei has an (alleged) record relating to stealing information for their own gain, ie: they stole a lot of IP from Nortel in the 90s[0], possibly others. Then they competed in the same market with a fraction of the R&D budget and buried Nortel.

Don't think about this in terms of just governments tracking you. Consider if you have any work emails containing company secrets in them. Consider if you have 2FA apps installed that you would use to unlock or change your work password. And since it was almost certainly the Chinese Intel/Military that helps Huawei and other companies, you can be sure that whatever information Huawei gets access to doesn't need to just help them out, but might help any other company the Chinese government wants to see succeed.

Google and Apple might use your data to better target ads against you. That's terrible, but doesn't seem so bad in comparison.

[0]https://www.cbc.ca/news/politics/former-nortel-exec-warns-ag...


Nortel willingly sacrificed its IP to profit from building the Great Firewall of China.

https://cs.stanford.edu/people/eroberts/cs201/projects/2010-...


I was really skeptical when I saw Huawei racks/cabinets being sold/promoted at the HK OpenStack Summit years ago.

I'd feel really uncomfortable running my 'private' cloud on that gear.

I wonder what state-benefits Alibaba is providing upstream given their reach these days.


If you think "promoting" is bad, try giving out free hardware.

I toured datacenters in Malaysia and the amount of Huawei equipment is unbelievable. All major telco DC are using them.

I asked around and most are saying that Huawei gave away their hardware for almost no initial cost. Huawei even supply their engineer to migrate away from Cisco/Juniper.


What do you mean by, "too many friends' parents lost their jobs over it"?

(Thanks for posting this info. about Huawei.)


I grew up in the Ottawa region. One of my closest friends, his Dad lost his job, his pension[0], and the entire local IT market crumbled. The guy became a carpenter I believe- which is awesome- but starting over when you already have teenage kids is really tough.

[0]Nortel's pension plan primarily invested in Nortel stocks. Genius, right? There are now laws in place entirely because of that debacle.


I’m guessing they worked at Nortel


Thanks. That makes sense.


>Google and Apple might use your data to better target ads against you.

Apple does not use your data for ad targeting.


Apple actively uses data about expenditures to build a profile about individuals and then has its retail pawns lie and deceive unknowing customers into unnecessary purchases. Same level of moral bankruptcy, only much more egregious because they present themselves innocently in an immensely self-serving manner. Zero ethics


I think it would be helpful if you explained yourself. Or are you talking about iPhone 6 battery throttling palaver where they slowed down devices with other batteries to stop them crashing? In that case, yes it was stupid the way they failed to communicate that. But the whole company has zero ethics? iOS 12 has given my 6 another couple of years of life, I estimate.


Could you explain that a bit better. I don’t understand how it works.


from your link:

"Shields admits he has no proof Huawei was behind the hacking of Nortel. He says there were system infiltrations coming from around the world, but any time information was downloaded, the hack came from China."


I've eyed the lower cost phones from Chinese brands. But I have a hard time generating trust.

I don't know whether or how much better off I am with a U.S. based brand/"manufacturer". All this stuff is made over there, and brands continue to migrate, as well (Motorola, ThinkPad (it's Lenovo's, now -- as is Motorola, for that matter), etc.). Barring better choices, I'm hoping that the U.S. part of the operation is keeping an eye out and testing for deviations.

With all the Chinese stuff, I keep thinking, TANSTAAFL.


Why is ad targeting "terrible"?


Consider an alternative scenario: you're a business person and you present an alcoholic beverage to someone you know is an alcoholic because you are paid to do so. You know they've had substance abuse problems in the past (you have all the metadata!) but you turn a blind eye because $. Is that morally acceptable to you?

Just because it produces revenue for a few ad tech companies doesn't make it objectively good. Marketing bs products to people through online ads is no different than giving crack to kids, presenting the idea of a major life solution through pretty fonts and flashy user flows when in fact most products are just stupid and ill-conceived from start to finish. If I left a tab after checking out a product and didn't buy it, it probably sucks. But repeatedly shoving it in someone's face through advertising after visits, for one concrete example, basically pushes people into situations they didn't consent to. It is total manipulation and it's reprehensible - it's just slightly more abstract and people get drawn into the "well just don't buy it!" narrative.

It is a fact that an increasingly large number of people have poor impulse control and pretending it doesn't is not equivalent to predatory activity being OK.


> Consider an alternative scenario: you're a business person and you present an alcoholic beverage to someone you know is an alcoholic because you are paid to do so

I'm sure there's a good counter example to the notion of 'ad targeting is terrible', but this is not it. If one goes by this example, you'd need companies to know that you are an alcoholic in order to avoid advertising to them, which seems to be an extremely personal piece of data. Surely your point is not that this is an acceptable compromise in order to avoid alcoholics ever seeing an ad for alcohol?


> It is a fact that an increasingly large number of people have poor impulse control

Got a link to this data?


They invade my privacy to do it.


This is unfortunately common with Chinese software. Remember back in the early 2000s when a lot of freeware and shareware shoveled adware onto your PC without telling you? Remember when tools like ad-aware were popular? Nowadays that's the exception, or done by those shady download portals which wrap the installers of everything. And often times there's at least a checkbox in the installer. It seems China is currently where we were back then. User awareness is low, as long as things work nobody cares.

Sure, there's tons of malware on the play store etc., but it's always from some weird vendor nobody has ever heard of. Coincidentally, a couple days ago I noticed a friend's phone running really hot. It was freshly charged, taken off the charger about half an hour ago, but freaking hot. I checked the battery stats and "sougou", a popular Chinese keyboard (if not the most popular one) clocked in with 24 minutes of CPU time. I told my friend and we uninstalled immediately. Two days later he was super happy and told me his phone's battery life increased greatly and he can now even make it through a full day (...). Now I'm still hesitant to claim this was definitely some mining software embedded in the keyboard, it might as well have been a messed up config making some thread spin in an infinite loop, but the suspicion stays...


Umm, I don't doubt that there is a lot of nefarious data collection going on, for both profit and political reasons. But this seems to me like a "Google Now" kind of feature, that suggests modes of transportation based on your current location. Having a list of train stations and airports and doing the detection on the phone as opposed to in the cloud seems even the more privacy protecting way (although they probably still upload your entire GPS history like Google does...).


I'm guessing POI stands for person of interest?

If so, seems more nefarious to me ...

Edit: definitely more likely it's point of interest


POI stands for point of interest probably.

When stand-alone GPS navigation devices were more common it was a pretty common acronym.


Good point .. but if you look at the context, I think person of interest actually makes more sense in a lot of cases.


Context is about location. Point of interest is most probable. That’s standard mapping lingo.


I definitely understand your point, but I'm talking about the specific context the acronym is being used in.

e.g.

callsPoiAtHome()
callsPoiAtHomeAtGeoPoint()
callsPoiAtFamiliarPlace()
callsPoiAtWorkPlace()

Edit: typo


Why would you combine the Boolean for whether a user is nefariously a Person OI with each type of check for their location?

Nefarious POI would have a very limited context in the frontend (after it turns everything on.)

Subcategories of Points OI being coded this way makes a lot more sense.


Yeah, good point - may have been watching too much TV :)


I read this as the POI IS at home, the POI IS at familiar place, etc.


Seems like it is always related to whether a point is a person's X,Y,Z and then what airport given multiple X,Y,Z.. I.e. what airport is in the user's habitual range.

I don't get why you would want to calculate an airport for multiple people of interest on one POI's phone.


Groups of people travelling together?


POI stands for Point of Interest.

People learn something new every day, I don’t know why you’re trying to force it.


This doesn't seem like responsible reverse engineering (specifically: decompiling one app and then publishing strings to give people partial information and assume the worst). There are definitely possible legitimate uses for one apk without a UI to "suggest modes of transportation" to another apk, as another comment on this thread describes.


Sigh, this guy again. He is not a real security researcher, but obviously a novice learning about programming and decompiling. That is fine, except he keeps making outlandish and wrong accusations. He kept doing the same thing to OnePlus, until he basically got laughed away by real security researchers. Something to keep in mind as you read...


I don't know if the author is stating any truth.

I have an Honor mobile, some of their apps were system apps. You can't disable them, or uninstall even when you are rooted.

On OTA updates they add new system apps.

It's fine to have bloatware, but forcing users to keep it is not fine.


My Samsung prevents me from uninstalling the Facebook app which came pre installed.

I don't care if Samsung prevents you from removing their camera app but facebook doesn't have anything to do with Samsung so I should at least be able to remove that.


It's a matter of understanding how apps work on Android (at least today). When apps come pre-installed they can sometimes be part of the system partition, such as Facebook in your example. Apps on the system partition cannot be uninstalled, but they can be disabled.

I believe Google has been working to make it so more apps are not in the system partition, but it can be up to each phone manufacturer how they bundle apps.


You can _disable_ it though. It can't be completely removed because it's part of the somewhat-immutable firmware image. Annoying, but not nearly as bad as force-enabled.


All manufacturers do this, don't they? My Sony phone had mysterious Sony apps and before smartphones there was carrier-customized firmware.


This is one reason I stuck to iPhones. No carrier-customized firmware nor carrier-imposed apps I can’t delete. You get the standard iOS every time - with the only customization a delete-able bookmark to the carrier’s website in Safari.


Please provide some context and links.


At this point there's so much blatant China panic and propaganda that it's descended into farce. Look at this thread. We've now reached the point where the less evidence behind some baseless anti-China claim (an unencrypted file airport_china.txt!!!111!) the more it will be seized upon and quickly up-voted. The people pushing this don't have any integrity at all and if you call out the total lack of integrity they will just take that as further validation of their paranoid fantasies.


Why don't we read about this for Korean or American companies at all?

The problem with China is that there is a giant trust deficit. And some of this is their own making. For instance, them forcing companies to share intellectual property with them to have access to the market or them deliberately getting countries into large debts as part of BRI initiative - is outrageous. So even if Huawei may not be as bad as what this article makes out to be, but the general narrative is against China. And it is well deserved.


Ah, I see, the endless diarrhea of anti-China propaganda is totally deserved because China is untrustworthy. And how can China dare demand access to IP, they're Chinese, their job is just to be dumb cheap labor right?

What is really striking about the logic at work here is that you see the exact same thing happening in the most authoritarian countries. Saudi Arabia, Russia, Venezuela, and America. The media pumps out the same endless propaganda designating some external entity. The same idiots lap it up and whip themselves into a frenzy in daily two minute hate sessions. The same paranoia, the same hatred, the same fear.

As I said before, we've reached the point where this sort of behavior is practiced openly and without shame. This is key. This story was quickly voted to the top of HN and the comments are full of similar nonsense or defenders of the nonsense. That says it all but, ironically, there's not much else to be said because you really think China is the problem here and there's no rational discussion to be had with such committed ideologues.


You've gone way past substantive discussion and dived straight into nationalistic flamewar. We've warned you not to do this before. If you keep doing it, we will ban you. It doesn't matter how right you are, it's a violation of what this site is for.

In particular, "boo China" vs. "fuck you yay China" flamewars are equal parts dumb and destructive, and none of that is welcome here, so please stop it.


Are you Chinese?


You have no concrete points. Read my thread again and come back with a solid reply. China is losing the trust battle and it doesn't matter whether they are actually doing anything wrong or not. There is no point getting angry.

BTW while you are at it on Chinese access to IP. It is extremely clear that they are doing everything in their power to get access to it. Whether that is through illegal means such as the recent arrest of Chinese citizen in Belgium, or detention of another Chinese national working for Apple's self driving cars or even DuPont formally launching a complaint to US administration regarding it. Wake up and smell the coffee.


Nationalistic flamewar is not welcome on HN, so please don't do it here.


What do you mean? I really didn't mean anything nationalistic. All I am trying to explain is how China may have lost the trust narrative and that is it. I really admire China and continue to be impressed by the rapid progress they have achieved in the past decade across a no. of fields. However, now they are at a stage where they can't just make decisions unilaterally just for their own benefit. If they do, then they start losing trust and face repercussions like they are.

The parent commenter is on a mission explaining how China is a target of some anti-China propaganda. My goal was to showcase some examples where he might be wrong.

I apologize if this came off as nationalistic.


Chinese companies have their hands in pretty much most of electronic devices used in the world today. NONE of the other nations such as Russia, etc. have capacity.

I would stop having so called anti-China concern once the people of China start electing their government leadership in a meaningful way.

mic drop. I will show myself out.


If you continue to practice nationalistic flamewar on HN, we will ban you. Whichever country you're for or against, it's a violation of what this site is for.

In particular, "boo China" vs. "fuck you yay China" flamewars are equal parts dumb and destructive, and none of that is welcome here.


I'm sorry but I should've made it clear that it's the few in the Chinese govt that are doing this. Average joe Chinese folks only want to live out happy life like every average joe everywhere else.

So I'm sorry that I came across as "boo China" or any of that sort.

However, if I were to be banned for that kind of attitude (which I apologized and I clarified), would that same rule apply to folks who are "boo US" or "boo UK"? Because there are many here who are angry at western nation govts for spying on citizens without warrants (and, rightly so)?


What is wrong with you?

It's okay to say he is anti-china in this context. I'm anti-china in many ways and suspect that tech is one of them.

You are over sensitive and a bit of a dick too.


It doesn't hurt to be paranoid, especially when it comes to China. If you ran a SaaS, and if a Chinese cloud company there offered to host your SaaS, would you be willing to put your code on those machines? I think you're underestimating not just Chinese companies, but also the Chinese government.


He's about to be your WORST NIGHTMARE, too.


That's the joy of proprietary software, on proprietary hardware, in absence of law that mandate for software to be open, toolchains needed to build and install included and mandate hardware must be open and designed/produced by different subject than software, like in some countries we mandate communication network to be different subject from ISP selling service on top of them.

Freedom must be preserved and when people start to do so dictatorship came physiologically.


It's ok to buy their cheap hardware, but I strongly recommend replacing the software right away with e.g. https://download.lineageos.org/


Application processor firmware is one thing.

But what about baseband firmware? It's quite a bit scarier. It can usually freely read and write into application processor memory and it controls all radios.

Baseband is where you'd hide your spying software. It does not change when you install a different Android version.


Yes. Until Huawei started to lock down the bootloader in recent phones!


True. I don't see much for Huawei on Lineage, but Xiaomi has builds for most models. Unlocking takes a while, but can be done. My phone actually came unlocked because the seller changed the ROM language, I assume.

If the bootloader is locked or there aren't any good open source builds, just don't buy it.


It really stinks that there are barely any new phones available for purchase with unlocked boot loaders... you have to rely on hacks to replace the software that rapes your privacy.


I have a Nokia. I think keys to unlock most new models are available from Nokia (was in my news a week or two ago.)

BTW: my phone was super cheap, like less than USD300, no strings attached. It is great for most of what I use: mail, hn, local news, signal, slack, telegram.

It's also part of the android one program so I expect it to receive updates faster than my old phones.

The camera (or the camera software) has some real problems though: it's not as good as my older samsung S7 and it sometimes freezes.

Maybe the slightly more expensive models have better cameras, mine was about the cheapest reasonable phone I could get.


Certain Nokia Xperia can run SailfishOS.


I'm fairly certain Xperia is a Sony brand.


Yeah, but given we are complaining about data collection you can buy yourself out with Sailfish OS for 50 EUR or install microG (such as with LineageOS). I've done the latter on a FP2, but Sailfish OS would be a suitable alternative.


How? They locked now all bootloader and you can't unlock them..


Is it possible to replace the baseband to something that's even a little bit more trustworthy?


Not yet. But it's an issue. There was a post on HN recently on how the new iPhone baseband runs x86 code?


Android phones give DMA to the baseband. iPhones link up the baseband via USB so that at least is some form of protection.


Is there as much of a risk when buying a Chinese made Android One phone? Serious question if anyone knows.


Huawei has their own baseband silicon. Other Chinese-made phones (Nokia, Blackberry, Xiaomi) use Qualcomm silicon.


Nokias are about as Chinese made as Apple phones are. Both are made by Foxconn.

HMD is a Finnish company with headquarters at the Nokia Campus in Karaportti, Espoo, Finland, opposite Nokia Corporation's headquarters.


Every Chinese company is at least partially owned, controlled, or heavily influenced by the Chinese government. It's just a fact of life given their current system of government.

Ask yourself this question. Would you buy an iPhone if the US Government owned a significant part of Apple? Or could shut down Apple at any time they wished? Would you trust them not to provide your information to US law enforcement or other government entities without due process under those conditions?

Then why would you purchase a phone manufactured by a Chinese company given the same circumstances?


Every Chinese company is at least partially owned, controlled, or heavily influenced by the Chinese government. It's just a fact of life given their current system of government.

Is this different than American companies who are at least partially funded and/or influenced by the CIA? (Among other sources of government funding...)

https://en.wikipedia.org/wiki/In-Q-Tel


It's vastly different. You're talking about one affiliated company vs. China's ability to control any Chinese company.


I've worked for one IQT company and it couldn't have been more hands-off.

I haven't worked for a Chinese-backed company, though, so I can't say one way or the other.


I'm sure it could easily have been more hands-on, though. I think all governments engage in this to some degree, or try to, or would like to. It's a natural extension of power, control over the country, getting your hooks into your dependencies. We see how rich people and companies have essentially stopped contributing financially to the running of the country, which isn't free.


Aren't Apple phones made by Chinese companies?


Those companies have no access to the software platform and would be under immense scrutiny by Apple.


> Every Chinese company is at least partially owned, controlled, or heavily influenced by the Chinese government.

This is absolutely not true.



The claim was every. Really? Every company in China is owned or influenced by the government business? No, not even close.

The companies I have visited and seen are far more interested in minding their own business and want as little to do with the government as possible.

One thing you will discover if you visit China for a lengthy period is that the government is big on words, but not so much on action.


I mean we just heard about the HEAD of Interpol, who is a Chinese citizen, visit China, disappear for a week with no communication, and suddenly turn in his resignation. And there are other Chinese billionaires who disappeared. And that poor actress.

Does Chinese government need any formal documented ownership of a company to influence its so called owners? I think not.


I'd love to see this type of investigation done on a US model of their phones, for example an Honor 8 pro.


I have a family friend that is 70+ years old. Unfortunately, the best deal I could find for him via his AT&T prepaid plan was a $70 Huawei Ascend XT2 @ Walmart (locked to AT&T). Its performance is great: fast charging, long-lasting battery, 2G of RAM, and intuitive UI (despite being Huawei's custom modifications of stock Android).

What are the best alternatives (in terms of security updates and privacy) for Android phones with 2G of RAM and $100-$200 unlocked? The Ascend XT2 is so great for non-power users, that I'm even willing to overlook Huawei's awful practices for my next phone. All other phones are either too expensive or never have official security patches released for the OS.


The display on that model is remarkable for a low-end device.

A solid alternative would be a Moto E5 Plus. A more stock/typical Android experience, with a huge battery. It has another gigabyte of RAM, which should be a tangible upgrade.

You could get an LG Stylo 4 for a little more, but it has lesser build quality and the display is so-so.

I don't think either will get many updates though. The LG will probably receive a few security updates, the Moto might die without ever receiving another update.

There's the Samsung J7, which will receive 5x the updates as the LG and Moto combined, and even might get major version updates, which neither of the aforementioned will receive -- definitely no major version updates for the Moto, but is not totally unheard of for LG's low-end, just unlikely.

I've not used the J7 though. Probably similar performance, just dunno about the display. Samsung definitely has a far better track record for security updates than either LG or Moto.


Your best bet is Xiaomi.

Go to gsmarena.com and click on the advanced finder and apply your filters. You will be sorted in no time.


Are there many low-end Xiaomi phones that support AT&T?

https://www.frequencycheck.com/carrier-compatibility/p5vW4/a...

I thought they were mostly not useful for US carriers?


I have a Xiaomi Redmi 4G (codename: Dior) that is 3+ years old. It works on T-Mobile.

That chart is helpful. I would also read the reviews of the phone and check if the phone says "Global Edition" or "Global Version" to also check compatibility.

I use the Mokee ROM. It gets regular updates. But, the Huawei Ascend XT2 feels much faster with a longer-lasting battery.


Actually, oops. I heard they do not support the US frequencies before but forgot. Sorry.


Thanks. Which phones are your personal favorites in the sub-$200 range?


I recommend checking out https://bit.ly/2RIt4MF I've purchased multiple xiaomi's from them and their customer service is fantastic, I've always received my phones within 9 days.

Check out the note 6 pro, 4gb ram 64gb storage.

Also look into the /r/xiaomi subreddit as there's a ton of information on compatibility and satisfaction.


Thank you very much. That helps me a lot. Which ROMs do you install on them? Or do you just use the official ROMs that come pre-installed?


Look into xiaomi


+1. Xiaomi is quite hackable. For any phone, look into the available builds on XDA before buying: https://forum.xda-developers.com/xiaomi


This is unfortunate and I expected it for a while now. First OnePlus was exposed a while ago, then Blu, then maybe a few other smaller ones (can't remember, anybody has links?), and now Huawei... I have to wonder if the companies aren't strong-armed by the Chinese government or they are all simply the same kind of greedy shady private info dealers. So it's quite likely Xiaomi will be exposed at some point as well.

I like Xiaomi. Owned two of their phones and it was the best ever Android experience for me -- not because of the iOS look-alike-ness. The devices were just very snappy, the default apps were very functional and comfortable to use and the whole thing just worked pretty well out of the box. I was pretty impressed, still am.

But I seriously don't trust the baseband vendors so I moved to the Apple ecosystem. Now I am left wondering if Apple is simply not better at hiding it if they are doing things like that (remember when they were caught recording the phone screen's activity and sending it to Uber?)...

Are we better off at the Apple side? Or should we all be buying an Xperia X and installing Sailfish OS on it?


I think you got that wrong. They allowed Uber to use the private API that allowed screen recording. Apple didn't record the activity and send it to Uber.


Thanks for the correction. You are right.

Still doesn't make it better though, wouldn't you agree?


Slightly, I’d say. The reason why Apple granted that entitlement was because the Apple Watch API wasn’t powerful enough to perform some of the rendering that Uber needed for their watch app, so they’d render it on iOS and send it over in order to have an app available on launch day. The irresponsibility is that Apple didn’t immediately revoke such access once they developed a replacement API for this use case.


All of that definitely makes sense. It just makes me afraid what possibilities does that open for Apple and any other corp they are willing to scratch the back of. :(

It also makes you wonder what other kinds of these "entitlements" exist.


As far as entitlements go, I don’t think there are any others that Apple has given out. Private API, though, has been approved by Apple for use in certain apps.


I don’t remember the Uber incident. Have you got any links to that?


It was even posted on HN about a year ago:

https://www.businessinsider.com/uber-iphone-app-secret-acces...


Thanks! I hadn’t seen that article, interesting stuff.


I really don't think many in the West understand how interconnected business and government is in China. The scale at which companies work with the government and how the government funds companies makes it very hard to trust any Chinese company. China is the most opaque business world we can imagine and Chinese military intelligence has deep connections to Chinese businesses. They are two sides of the same coin, where Chinese military agents are even implicated in attacks on Western companies to help their own corporations.

We will never be able to truly discern the true data sharing agreements they have, and I think it's safer to ban Chinese communications companies from working in the West until things change. It's clear China has no intention of curbing bad behavior and the current approach is not working.

It is well understood that Chinese military officials carried out the Nortel hacks and gave the IP to Huawei (and others). Nothing coming from China and no Chinese company can be trusted.


This is pure bullshit. The idea that Chinese companies and the government are somehow fused has no basis in reality. But it's remarkable to watch people push this sort of conspiracy theory. The exact same people will, when the government cracks down on a company like Tencent, go on to claim that companies are victims of the government.


This rebuttal isn't rooted in reality. China's willingness to use state resources to gain competitive advantages for its corporations is proven without a shadow of a doubt.


Why would a, for example, US citizen be more concerned about a foreign government spying on them than their own government? To play devil's advocate, my government is in a much stronger position to harass me than some country I may never visit again.


The chances of foreign entities using that information for profit or for ill are probably much higher than if it were US govt. spying. US govt. spying would be more concerned about security and criminal issues, if they were indeed inside your computer; Chinese entities could consider the more broad use of that information, maybe even for individual financial enrichment or identity theft.

US citizens at least have some laws in place to protect them, while if China steals your stuff you are just wholesale boned.


Because if a foreign government installs software on your computer for the purpose of spying on your country's government or major corporations, your own government may consider that indistinguishable from an act of deliberate espionage. Even if you manage to avoid prosecution or other extrajudicial punishments (e.g. the no-fly list, or being barred from government-related employment for life), there's a good chance your hardware will be confiscated (and even if you get it back, which is uncertain, are you really ever going to trust that they haven't secretly rooted it?).

TL;DR: it is because of your government that you should be worried about spying by foreign governments.


Am I reading this comment wrong, or is it giving blanket legal advice to an international audience?


You're reading it wrong. It's conjecture. Speculative. I won't weigh in on its validity beyond to point out it's apparent speculation.


Let's say you work logistics for a company who makes weapons systems, or partial weapon systems, for the US military. Your work email has blueprints from engineers and/or customers that aren't technically classified, but are export controlled nonetheless. If the enemy knows you work logistics for this company and they want to know how this system works, they can use the blueprints in your email.

Let's say you work for Samsung in purchasing and someone in China has a knock-off chip that they want to sell to Samsung, but Samsung won't move away from their current provider. They could use your login information to log into your account with the competing supplier and view pricing information that gives them the upper hand in negotiations.

Let's say you work at a business consulting firm who does business with an upstream supplier to Raytheon. China is trying to figure out information on Raytheon's project and is mapping out their supply chain. By targeting your conversations with your client (who is in Raytheon's supply chain) China could learn a lot of valuable information about their target.


To the best of my knowledge, the US government has not stolen corporate secrets and forwarded them to their favored companies.


The European Union's investigation into the ECHELON program found otherwise.

A high level overview is at https://en.wikipedia.org/wiki/ECHELON#Concerns

The actual EU report is available at: http://www.europarl.europa.eu/sides/getDoc.do?pubRef=-//EP//...


The only thing approaching 'stealing corporate secrets' in this is detecting bribery by European corporations trying to win contracts.


Is there something actually proven and more comprehensive, than speculation from two decades ago? Nearly all of the concerns listed in your Echelon link, are political in nature (eg about Princess Diana, or the five eyes with Canada spying on two British ministers for Britain in 1983), not examples of industrial IP theft.

Baseless claims won't cut it. The US has had by far the world's largest economy for the last two decades. There should be dozens of legally proven - court cases - examples of intellectual property theft far worse and larger than anything China has done, given the scale difference of the economies over that time and the supposed capacity to hoover up global communications and put it to use in industrial espionage.

Saying that well: here's one example, or here's two examples across 30 years, is not good enough to indict the world's largest and most technologically advanced economy for being rampant industrial thieves. To show a comprehensive pattern of deep industrial espionage, and to show that it isn't more along the lines of routine espionage that occurs between any two great economic powers, requires a lot more proof.


"There should be dozens of legally proven - court cases - examples of intellectual property theft far worse and larger than anything China has done, given the scale difference of the economies over that time and the supposed capacity to hoover up global communications and put it to use in industrial espionage."

How many legally proven court cases against industrial espionage carried by the Chinese State are there?


Such furious goal shifting. Demand evidence and then assert the evidence doesn't show rampant thievery. It's absolutely shameless.


In an interview with Germany's ARD TV channel, the former NSA contractor said the agency would spy on big German companies that competed with US firms. [0]

President Barack Obama got a list of talking points that United Nations Secretary General Ban Ki-moon hoped to hit on during a one-on-one meeting, courtesy of the NSA's X-Keyscore program. - not economic but it's hard to imagine this tactic wouldn't apply to economy related meetings [1,2]

[0] https://www.bbc.com/news/25907502

[1] https://www.cnet.com/news/nsas-spying-on-united-nations-and-...

[2] https://theintercept.com/document/2015/07/01/un-secretary-ge...


Pen and paper.. best defense.


"The government does not deny it routinely spies to advance American economic advantage"

https://theintercept.com/2014/09/05/us-governments-plans-use...


FWIW, GCHQ's powers are explicitly exercisable in the "interests of the economic well-being of the United Kingdom". Given the close cooperation between the UK and the US, I would not be surprised if the information is also forwarded to the US.

http://www.legislation.gov.uk/ukpga/1994/13/section/3


I'm less concerned with corporate 'secrets' and more concerned with citizen privacy rights.


Foreign governments are not concerned with spying on you for the sake of tailoring ads to you. They are concerned with furthering state objectives, which may include proxying traffic through your computer for the purpose of concealing origin, infiltrating public and private infrastructure for the purpose of sabotage, exfiltrating corporate and state secrets, etc.


The US government has overthrown democratically elected governments in other countries to install a government more friendly to specific US corporations.

The US government has jailed the only known telecom CEO to resist warrant-less spying.

The US government has arguably had a major hand in building Stuxnet, which used two zero-day vulns in MS Windows and two stolen Windows driver signing certificates.


Unfortunately the CIA archives are not open to the public.

I don't even know what the big deal is. Countries don't get prosperous by singing kumbaya and group hug sessions. Mine certainly didn't. Whatever it takes as long as you get away with it.


A foreign entity could use data about the company you work for, found in emails and texts, to disrupt the market. This could eventually lead to a market crash or businesses going under, etc. costing you a job and income.

Extreme example, I get it, but I can’t imagine it is too far from a real scenario.


Don’t forget, the Chinese government runs many businesses that compete with US businesses. If ruining you, or sabotaging your company, helps their companies steal business they will do it. It’s not dissimilar to Japanese businesses in the 80s except without the pesky moral code.


you might be an ordinary citizen. But what if some day you end up being a high level govt official, or a CEO of a big tech company handling millions of other citizens' private information? That Huawei phone you had, if indeed rootkit-ed and your data was being collected, will come back and bite you.


It's not a matter of just harassing you. There are real consequences with compromised communications.

Think of Midway Battle. Think of Enigma.

You can say, hey look that proves US/UK govt can spy on you. Never mind Japan/German nations were at war with US. But I digress.

But if those didn't happen, you and I all have a high chance of being a second class citizen (or just a person and not a full citizen) in some totalitarian state in modern date, either being forced to use German or Japanese language. And that is if you are lucky. Many in modern time have a high chance of not being born if German/Japan won WW2. And key battles in WW2 were won by Allies due to breaches in communication network of Japan/German.

Yes, US/UK or any western govt spying on citizens is distasteful. But the communist Chinese govt spying on you and using that information will be far worse than that.


would you rather have your mother looking at your phone or that creepy neighbor from down the street?


This is data for an app called SmartCare.

It is not installed on Huawei phones made for export to capitalist countries, but apparently the data collection part of the app has not been deleted, only the UI.

SmartCare is an analogue of Google's creepy email scanning program that likes to wake you at 1 am with "your outbound flight is coming in 3 hours" when it isn't.


It is installed though, at least for Serbian phones.


it's definitely installed for European markets


Left and right are two wings of the same bird. What many seem to overlook in posts like this is the simple fact that they're being controlled by an authority and you allow that authority to take from you, even if you believe you're doing it voluntarily because that's what everyone else does.

Remember, nothing is truly yours if you have to pay someone else for the right to use it. The cost then for using a Huawei phone as a US citizen is the spying will continue but at least more authoritarian governments (excuse me, Democratic republics) get a piece.


Eh. To be fair I'm torn between giving my local government the ability to manipulate me vs giving a foreign power my data. I don't read Chinese-owned news, I don't vote in China, I have nothing to do with them (well, except having my electronics made there). So is it really worse when Huawei steals my data instead of Google? At least with Huawei someone might care enough to stop them.


First, you have some level of recourse against agencies of your own government, either directly or via the electoral process. They may or may not have more interest in you than a foreign government, but that depends on what you're doing. The type of people of interest to American intelligence agencies is rather predictable and unimaginative.

Most Western governments do not engage in espionage for private-sector economic gain. (Before the Chinese apologists show up: there have been extremely limited examples, historically, including a few times when US intelligence agencies became aware of spying or collusion on the part of another party in negotiations with a US company and notified them. There is not anything in the US that approaches the "same team" approach that the Russians and the Chinese have.)

So even if you are not engaged in, say, assisting Tibetan independence activists, the Chinese government might still be interested in your work email, and there is reason to believe that any proprietary information might get passed along to a Chinese competitor (in the Russian scenario, it's probably more likely cybercriminal organizations who might sell it).

The type of user who should be concerned about Chinese or Russian hacking, given the significant overlap between private industry (including criminal organizations, particularly in Russia) and government intelligence, is much more broad than the type of user who should be concerned about targeting by US or European intelligence.

Middle Eastern countries are probably somewhere in the middle; they have what appears to be more broad targeting than Western countries but still maintain more of a firewall between industry and government than Russia/China. (That said, the physical threat appears to be greater if you really are a person of interest.)


If your local government attempts to use data against you, at least there's a legal framework to work within and fellow citizens who might be willing to take up your cause. There's not a lot of recourse against a foreign government using data to blackmail/access your company data/intimidate/disparage you.

Edit: I say foreign "government" instead of Huawei because of my interpretation of China's policies. If a company there has my information, it seems reasonable to me to assume their government does.


You may want to go there though - I have no desire to at the moment, but I wouldn't want to predict 10 years out.

You are also reliant on Huawei not selling the data to a US actor, or your government compromising it.


Is this some wannabe hacker? It's pretty clear from those descriptions it's something for their voice/smart assistant or organizing tool (hivoice, hiboard or whatever, they have a million names), which can scan your calendar, SMS and other items to notify you about an upcoming flight, train, movie in the cinema etc. and remind you of this, or find friends (contacts) based on your location after arriving at the destination. And they are very clear in their privacy policy about what information they use, how they use it, and how to opt out of submitting this (sensitive) personal information.

I work for several Chinese companies including Huawei, OPPO etc. All of them have this assistant, which also scans your SMS for package delivery info so they can track your package and provide you with simplified information in the form of cards. I guess the closest western equivalent would be Google Assistant (never used either), though personally my Honor phone is running Lineage without gapps, because I don't like western/Chinese spyware and, most importantly, unnecessary battery eaters.


Huawei is the rising star in smartphone shipments together with Lenovo and Xiaomi. I see more HN posts against China directed at Huawei than others? Why?


Maybe it's not just anti-Chinese bias, and Huawei really is worse than others?


Maybe - yet recently I see all around YouTube and social media some anti-China build-up. I have never been to the country and have nothing to do with it, but am just curious [1] if there's kind of an orchestrated campaign against the Chinese economy. I had the same impression from Russia after the Ukrainian revolt, when hundreds of channels/users popped up out of nowhere on social media. I feel some people are doing the same against China as part of the trade wars and conservationist policies.

[1] One example: https://www.youtube.com/user/NTDChinaUncensored


I'm not saying there isn't. But that doesn't explain why Huawei is more attacked than other Chinese companies, which was your question.


..most likely Huawei was also very active in network and mobile infrastructure and they may be more prone to state sponsored hackery. I also forgot ZTE..


Betteridge’s law applies. The guy found a database of train stations, car parks and airports - so what? When it finds you’re nearby it tells the cloud service which presumably grabs your tickets or something, like a geofence. The location data is not ‘user’ location data, it’s point-of-interest map data, and the ‘name’ he found is probably the name of the POI. What a joke.

[0] https://en.wikipedia.org/wiki/Betteridge's_law_of_headlines


Xiaomi Mi A1 also has an app named Spock (com.miui.spock) which cannot be disabled/uninstalled.


Looks to me like he found a Google Now type facility that triggers actions based on locations?


Second link I've seen from threader. All the images are broken on mobile (Android, Firefox). Can we link to the original?


Indeed, I'd prefer a link to the original Twitter thread [1] rather than a broken service.

[1]. https://twitter.com/fs0c131y/status/1051204370543648770


The links are also broken on desktop Firefox/Chrome.


Works fine here


you probably have tracking protection enabled


[flagged]


We detached this subthread from https://news.ycombinator.com/item?id=18212624.


If you want to buy my house, sure. You're free to look at anything you want once you own it. It's yours.

What's not okay is for me to build a house and add recording devices all around and then sell it to you without informing you. Using your house example, that's the most direct comparison and would 100% be illegal.

There's obviously a trade off most users are willing to make between privacy and functionality, but I do believe the exchange should be 100% in the open and a conscious decision made by the user.


In this specific case it’s like I install recording devices... that locally search for faces to turn the lights on to each occupant’s preferred brightness.

It looks like it’s a convenience app for transportation.

I’m an Android developer and nothing mentioned is suspicious or obfuscated.

In fact, the fact he can get that list of functions he posted means they used less obfuscation than normal (they didn’t do the equivalent of minifying with Proguard, which most devs would say all production apps should)

The use of multiple services makes perfect sense, one app manages background communication instead of dozens of service apps making network calls when they feel like it (bad for battery life since the radio is always in a high power state).

I think this is a bit of an overreaction in this case.


The horrifying thing about your example is you've basically described a "smart home" and we're fast approaching an era where anyone purchasing a home will expect it to be rife with third-party cameras and listening devices, and pay a premium for it.


He's not asking for freedom to look inside other people's phones, he's asking for the freedom to look inside his own phone.


People's freedom is important. Companies' freedom isn't (or, rather, less so - free market is important inasmuch as it's useful to achieve the society's goals).


User freedom, which does indeed require mitigating bad actors.


I think it's a bit sad and funny that the tech industry still seems concerned with this, but when the most extreme cases of data collection are exposed, namely Edward Snowden and Cambridge Analytica, little was done by the people or by organizations to ask for action.

Everybody moved on to the next big headline and every now and then people will shout and complain about "privacy" without actually saying what should be done.

Also, GDPR which I see as an actual attempt to make this whole mess a bit more organized became just a modern version of "I accept the terms and conditions".



