SoylentNews is people

posted by hubie on Tuesday May 02, @08:21AM
from the mess-under-the-hood dept.

Snapdragon giant and others insist alleged data gathering is overblown:

Analysis Cellphones using Qualcomm chipsets may transmit data sometimes classified as personal information, specifically IP addresses, back to Qualcomm. But where such transmission is occurring, it's not secret and it has been going on for years.

That doesn't mean, however, there's no privacy risk in Qualcomm-based phones or in devices with rival chip sets for individuals like journalists or human rights advocates with sophisticated adversaries. Such scenarios, however, are unusual and not much of a worry for most mobile phone users.

Recently, hardware security firm Nitrokey published an advisory claiming that "smartphones with Qualcomm chips secretly send personal data to Qualcomm" and do so "without user consent, unencrypted, and even when using a Google-free Android distribution."

[...] "Qualcomm's proprietary firmware is not only downloading some files to our phone to help establish the GPS location faster, but also uploads our personal data, such as the devices' unique ID, our country code (Germany in this case), our cellphone operator code (allowing identification of country and mobile operator), our operating system and version and a list of software on the device," as Nitrokey put it, arguing this supplied metadata amounts to a unique per-person signature that harms privacy and occurs even when GPS is turned off.

A Qualcomm spokesperson disputed the research. "The article is riddled with inaccuracies and appears to be motivated by the author's desire to sell his product," a company spokesperson told The Register in an email. "Qualcomm only collects personal information when permitted by applicable law."

[...] Martijn Braam, a core developer for Alpine-Linux-based postmarketOS, has published a similarly scathing dismissal of the research as empty marketing. He noted the Qualcomm-initiated HTTP communication does not contain any private data. "It's just downloading a GPS almanac from Qualcomm for A-GPS [assisted GPS]," he observed.

[...] The Nitrokey post goes on to claim that Qualcomm's XTRA service is not part of /e/OS or Android, but operates from the Qualcomm firmware known as AMSS. "This covert operating system operates on the broadband processor (modem) and manages the real-time communication with the cell towers," the advisory stated.

A former mobile industry executive familiar with Qualcomm technology told The Register that characterizing AMSS as "a covert operating system" is "total nonsense."

However, our source explained, what goes on in phones at a low level isn't really understood by the general public.

"The way chipsets work, there's an application processor family," our source explained. "Underneath there's a kernel that hosts and virtualizes the operating system. And there are various subsystems – the modem, the Wi-Fi, peripherals like USB, the display driver, and the GPU. The vendors all have large amounts of software like AMSS that runs there. And they have a choice on what to compile from that image."

All the chipset makers, such as Huawei, Samsung, Qualcomm, and Apple, our source said, "any of these guys are going to have all kinds of different fetches that they're going to make [over the network]."

GrapheneOS, a privacy-focused version of Android, discloses these sorts of transmissions in its documentation. The only way to be sure about how one's phone behaves is to test it with a network traffic tool like Wireshark, our source said.

That's necessary, our source said, "because you can't get a straight answer from the vendors. Some of these features may have five or 10 switches to turn it on. There is a lot of old software. There's a lot of new software. It's very complex and there is a huge amount of it. And it has evolved from generation to generation. It's pretty much hideous, like any major operating system. The only thing I wouldn't call it is 'covert,' because it's been there forever."

[...] If your life depends on not being tracked through your phone, don't use a phone. For less pressing privacy scenarios, enjoy your chosen handset with the knowledge that you're probably leaving some kind of digital footprints somewhere. ®

More VPNs!


  • (Score: 3, Interesting) by pkrasimirov on Tuesday May 02, @10:13AM


    Wait till you see how much data the tower is recording about you! All unencrypted! If someone thinks Linux solves everything, even the purest Linux with no blobs and running on divine hardware, they are delusional. ISPs, telcos, even shops track you as much as they can. For $$

  • (Score: 4, Touché) by bradley13 on Tuesday May 02, @12:57PM (1 child)


    A VPN doesn't help, in cases like this. The information is being sent. A VPN protects you from eavesdropping by your ISP, or whoever, which is not the issue here at all.

    The fact is: mobile phones contain multiple, more-or-less independent processors, each with their own firmware. We kinda, sorta hope that they do only what they need to. Technical folks can do some degree of verification, but really: how many of you have made full logs of your phone's network communications? Do you really know that your phone's modem isn't secretly sending your data somewhere at 2:37 in the morning on Tuesdays?

    --
    Everyone is somebody else's weirdo.
    • (Score: 0) by Anonymous Coward on Tuesday May 02, @01:13PM


      While a VPN might be nice to sort of semi-hide the content of what you are doing. But from a traffic perspective when you are close to the ISP it doesn't really matter all that much. You are not fooling your ISP, you are usually trying to fool someone in the end of the traffic chain. After all your ISP knows you are using a VPN. They can do all sorts of funky things about that on their network. So while they might not know what you are doing they know you are doing something. Unless you are creating a constant stream of fake traffic then there is not as much purpose to it as one might think. It's still very susceptible to traffic analysis, they don't need to know the content (while it would be nice), they just care who you are communicating with, how, when, how often etc. That could be enough for a lot of their purposes.
       

  • (Score: 3, Interesting) by driverless on Wednesday May 03, @08:31AM


    Nitrokey says it's secret tracking, Qualcomm says it isn't.

    What Qualcomm gets is a unique software ID, exact location of the device, IP address, and a list of nearby WiFi hotspots and cell towers, sent via the software running on the baseband which the AP on the device and whatever OS it's running has little to no access to or control over.

    So both answers are correct, it just depends on what your view is. In my case I'd say quietly having the BB send precise tracking info on you, unencrypted, to a third-party site is covert tracking, but obviously Qualcomm will say it's just them doing what it says in their privacy policy. And as El Reg points out once they get past parroting the Qualcomm party line, anyone who can observe that traffic gets all the tracking data as well, not just Qualcomm.
