
Last week, the phone manufacturer OnePlus was caught collecting an extensive amount of data on its Android smartphones. The company has now said that it will cease these practices in response to user feedback, and that in the future users will be explicitly presented with the option to opt out when they first activate a device.

The initial investigation into OnePlus' behavior began earlier this year, when software engineer Christopher Moore was completing the 2022 SANS Holiday Hack Challenge. He proxied the internet traffic from his phone, a OnePlus 2, using OWASP ZAP, "a security tool for attacking web applications." After seeing a domain he didn't recognize (open.oneplus.net), he began investigating the situation further. At first, the data that he found being relayed to the URL was fairly innocuous, related to whether the phone had just suffered an abnormal reboot. While he wasn't thrilled to see his device's serial number relayed at this step, he wasn't overly concerned, either. What happened next, however, is something Moore describes as a shock.

DataCollection

Moore describes this code as including "the phone's IMEI(s), telephone numbers, MAC addresses, mobile network(s) names and IMSI prefixes, as well as my wireless network ESSID and BSSID and, of course, the phone's serial number. Wow, that's quite a bit of data about my device, even more of which can be tied directly back to me by OnePlus and other entities."

And it only got worse from there. Later logs show that the OnePlus 2 was relaying when he opened and closed applications on his phone, which applications were being opened and closed, and data on which specific activities were being conducted in which applications. OnePlus was pulling down a non-trivial amount of data about how users were using its devices; Moore discovered OnePlus had vacuumed roughly 16MB of data off his phone over 10 hours. That's not very much data compared with a video or audio stream, but it's a lot of diagnostic text.
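As an added illustration (not Moore's code, and not OnePlus's actual payload format), the sketch below shows how a request body captured through an intercepting proxy can be audited for the identifier classes listed above. The JSON field names and all sample values are constructed assumptions.

```python
import json
import re

MAC_RE = re.compile(r"^(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$")
PHONE_RE = re.compile(r"^\+\d{7,15}$")  # E.164-style number
# Key names that suggest an identifier even when the value has no fixed shape.
KEY_HINTS = ("imei", "imsi", "essid", "bssid", "serial")

def luhn_ok(digits):
    """IMEIs carry a Luhn check digit; this filters out random 15-digit strings."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * (2 if i % 2 else 1)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def classify(path, value):
    """Return an identifier class for one leaf value, or None."""
    if not isinstance(value, str):
        return None
    v = value.strip()
    if MAC_RE.match(v):
        return "mac_or_bssid"
    if len(v) == 15 and v.isdigit() and luhn_ok(v):
        return "imei"
    if PHONE_RE.match(v):
        return "phone_number"
    leaf = path.rsplit(".", 1)[-1].lower()
    for hint in KEY_HINTS:
        if hint in leaf:
            return "named:" + hint
    return None

def walk(node, path=""):
    """Yield (path, leaf) pairs from nested JSON."""
    if isinstance(node, dict):
        for k, v in node.items():
            yield from walk(v, f"{path}.{k}" if path else k)
    elif isinstance(node, list):
        for i, v in enumerate(node):
            yield from walk(v, f"{path}[{i}]")
    else:
        yield path, node

def audit(body):
    """Map each leaf path in a JSON request body to the identifier class found."""
    hits = ((p, classify(p, v)) for p, v in walk(json.loads(body)))
    return {p: kind for p, kind in hits if kind}

# Constructed sample body; field names are hypothetical.
SAMPLE = json.dumps({
    "ts": 1507500000,
    "device": {"imei": ["490154203237518"], "pn": "+15555550100",
               "mac": "02:00:00:aa:bb:cc"},
    "wifi": {"essid": "home-net", "bssid": "02:00:00:11:22:33"},
    "app": "com.example.app",
})

if __name__ == "__main__":
    for path, kind in audit(SAMPLE).items():
        print(f"{path}: {kind}")
```

Run against bodies exported from the proxy's history, a check like this makes it easy to see which requests to an unfamiliar host carry device-unique values rather than aggregate statistics.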

The original date on Moore's article was from early June, but the issue didn't become common knowledge until this past week. In response to the furor, OnePlus co-founder Carl Pei issued a lengthy forum post, writing:

We take our users – and their data privacy – very seriously. We want to take this opportunity to tell you a little more about data collection on OnePlus devices; explain what we are collecting and why; and map the changes we will make going forward to address your concerns. While data collection is a standard industry practice, we realize that our users have the right to understand how and why it is done…
At any time, users can opt-out of usage analytics collection by navigating to 'Settings' -> 'Advanced' -> 'Join user experience program'…

By the end of October, all OnePlus phones running OxygenOS will have a prompt in the setup wizard that asks users if they want to join our user experience program. The setup wizard will clearly indicate that the program collects usage analytics. In addition, we will include a terms of service agreement that further explains our analytics collection. We would also like to share we will no longer be collecting telephone numbers, MAC Addresses and WiFi information.

OnePlus also notes it does not sell this data to third parties, and it claims to have only collected this information in aggregate and not in a way linked to any specific user account. This opt-out, however, doesn't actually stop the data collection; it stops the information from being directly associated with your specific device. The company's entire handling of this scenario reeks of bad faith and raises additional questions, including:

  • If end user information is only collected in bulk, why was it ever acceptable for the phone to send back highly specific and unique information?
  • If you realize that your end users have the right to understand how information is collected and why it is done, why did someone have to discover this practice independently before you disclosed it?
  • If information collection is an industry practice with no practical concerns for end users, why weren't customers invited to participate in this program from the start?
  • If you want customers to feel safe participating in your information collection program, why do you make the program opt-out, and why bury it two menus deep?

The answer to these questions, of course, is that OnePlus was aware that it vacuumed up private information, didn't want people to know it was doing so, didn't want people to opt out of its own information-gathering, and knew that if people knew what it was doing, they wouldn't be so inclined to buy its hardware. The alternative–that the company just magically happened to create a data-gathering utility that happens to scoop up private and personal data on application usage while tying it back to your device–beggars belief. And if treating people like walking private data repositories you're allowed to harvest at will is standard industry practice, as Carl Pei writes (and tries to hide behind), perhaps it's time to change that.