If you use a smartphone, it’s safe to assume that data on how you use it is being collected — and, in many cases, shared — pretty much constantly. But even the most blasé inhabitant of our brave new post-privacy world might find the behavior of the smartphone manufacturer OnePlus a bit excessive.
OnePlus has carved out a niche in the Android phone market as the maker of smartphones with midrange prices and surprisingly robust features and specs for the cost. But according to British security researcher Chris Moore, the company’s proprietary version of Android, OxygenOS, collects a staggering amount of data on how people use the phone, down to such seemingly mundane details as when they unlock the screen. And every bit of data collected is stamped with the phone’s serial number, theoretically making it possible for the company to tie that usage data to specific individuals.
Based on extensive analysis of the operating system’s code — all of which can be seen on his blog, for those curious — Moore was able to diagnose just how deep OnePlus’s data collection goes.
It looks like they’re collecting timestamped … metrics on certain events, some of which I understand - from a development point of view, wanting to know about abnormal reboots seems legitimate - but the screen on/off and unlock activities feel excessive. At least these are anonymized, right? Well, not really - taking a closer look at the ID field, it seems familiar; this is my phone’s serial number. This I’m less enthusiastic about, as this can be used by OnePlus to tie these events back to me personally (but only because I bought the handset directly from them, I suppose).
As he repeats a few times throughout the post, it gets worse, with OnePlus also collecting data on phone numbers, network information, what apps are being used when, and even specific activities within the apps.
Such extensive data collection is particularly concerning because OnePlus doesn’t inform users upfront of what it’s up to, and Moore details in his post just how difficult it appears to be to figure out how to stop the phone sending these analytics. In a statement to Engadget, however, OnePlus offered up an explanation, as well as what it says is a way to turn off the data collection:
“We securely transmit analytics in two different streams over HTTPS to an Amazon server. The first stream is usage analytics, which we collect in order for us to more precisely fine tune our software according to user behavior. This transmission of usage activity can be turned off by navigating to ‘Settings’ -> ‘Advanced’ -> ‘Join user experience program’. The second stream is device information, which we collect to provide better after-sales support.”
Whether what OnePlus describes here is the “easily accessible off switch” Moore calls for at the end of his post remains to be seen, but it should at least be a start for users of the phone to restore some measure of privacy.