As the article mentions, this is for assisted GPS. I've worked quite a bit with this system on android and implemented (or rather fixed) it for a custom android device. I've also worked with separate Qualcomm modems in the past. They are basically a whole small Linux computer in a package. You supply voltage, antennas, and connect via serial or USB, and then you can send AT commands to control it.
On the one hand it wouldn't surprise me if the Qualcomm modem accesses the network on it's own - it very much wants to be a black box - on the other hand I doubt this story for two reasons:
- WiFi is implemented on the Android side. In all Android implementations I've seen, the WiFi module is part of the SoC or a separate chip, and Android runs the regular wpa_supplicant and so on. The chip cannot see the contents of packages, it only passes the bytes to the MAC (not sure if it is called that with WiFi).
(Now, of course in the case of a SoC the chip could, with driver support, peel back the encryption and inject it's own traffic, just like some IPMIs can share an ethernet connection with the OS. I just have not seen this yet.)
- In Android, it is usually the responsibility of the OS to fetch the AGPS data / almanach. You have a HAL consisting of a proprietary library (.so) that you get from the GPS vendor, some glue code, and a gps.conf. The gps.conf file lists the URLs to get the AGPS data. I'm not sure if the download is performed in the .so or in Java code, but anyway it is totally in the OS and not in the modem, at least in the cases I know. When a custom ROM, even a "degoogled" one, is made, you include a customized kernel and custom drivers, and the AGPS URLs are part of this "driver".
> When a custom ROM, even a "degoogled" one, is made, you include a customized kernel and custom drivers, and the AGPS URLs are part of this "driver".
Thanks, this should be the top comment.
Both, Sony and Google, provide driver downloads for their smartphones[1][2].
In this case, the tested "de-Googled" OS (/e/OS) did exactly what it promised to do: removed all network connections made by Google – and not by Qualcomm or anybody else.
Since Pixel smartphones now use Google's own Tensor chips (which are based on Samsung Exynos), they obviously don't make any connections to Qualcomm servers.
This blog post is clearly an ad for NitroPhone, which is simply a Google Pixel smartphone with a different open-source OS pre-installed.
GrapheneOS[3] is only targeting Google Pixel line-up at the moment, and therefore is able to make sure that even A-GPS URLs are "de-Googled" on the latest models.
But the older Google Pixel models with Qualcomm chips make exactly the same connections – from the driver, not from the firmware[4]:
> GrapheneOS has modified all references to these servers to use HTTPS rather than a mix of HTTP and HTTPS. No query / data is sent to the server.
It seems that there is something very wrong with the entire Android privacy community, because fighting between different open-source projects in this space never stops.
From the technical point of view, only Daniel Micay's GrapheneOS currently takes security really seriously by providing constant system updates. It seems that you either have to use GrapheneOS, or buy an iPhone, if you care about both – security and privacy.
The people who are attacking Daniel Micay often incorporate a lot of his work into their own projects. And, naturally, that might make many of them feel inferior or even incompetent – if they are doing this for years to stay in the competition.
This seems like a really shallow dive into what’s going on, and seems to exist largely to plug their own hardware?
For example, how is the chipset getting “List of the software on the device” unless the chipset is aware of the operating system?
They don’t actually do any packet data analysis to see what it includes as far as I can tell, so other than seeing some packets go through, the rest feels like idle speculation.
Also, why didn’t they try GrapheneOS which is what their own devices use? Surely if the goal is to try and deduce that the chipset is involved, rather than a driver, then that’s the logical place to start?
Yeah, it manages to subvert its own message by transparently trying to be as scary as possible by being vague and jumping to its own conclusions, in what is clearly a sales pitch. It would be enough to say "hey, did you know that most phones send tracking data to the manufacturer when you download AGPS information? Our phone doesn't do that", instead of saying "oh, this phone makes a connection to a Qualcomm, server even on an open-source ROM, but we couldn't find which bit was making that connection so it must be the firmware. Also we won't actually show what data the phone was sending despite it being unencrypted. buy our phone instead!". I don't know what they did to investigate what was going on in the ROM they used but it clearly wasn't very much as it's something the ROM authors are clearly aware of: https://community.e.foundation/t/connections-to-izatcloud-ne... (this is the first result on google for "e/OS" "izatcloud"). It's annoying because it's pretty unnecessary to add the unsubstantiated claims to actually deliver their core marketing message, they just felt the need to put down the use of open-source ROMs on other hardware.
Agreed. I'm a bit disappointed by Nitrokey, because I would expect a security/privacy-oriented company to be experts. This all seems very shallow (even the explanation of what A-GPS is seems to show that they don't really understand it).
A company that sells trust should know better than posting ads disguised as an approximate technical blog.
> It would be enough to say "hey, did you know that most phones send tracking data to the manufacturer when you download AGPS information?
Someone credible: please write and submit such a blog post to HN so that we can have the discussion from that perspective instead. The current perspective is broken; discussion-wise.
100% this. I was assuming we'd see some Wireshark showing this "personal" data being transferred and some proof that it was the Qualcomm chip doing it. What we ended with was a "trust me bro" explanation and a sales pitch.
According to GrapheneOS: "HTTPS connections are made to fetch PSDS information to assist with satellite based location. These are static files and are downloaded automatically to improve location resolution speed and accuracy. No query or data is sent to these servers".
> how is the chipset getting “List of the software on the device” unless the chipset is aware of the operating system?
The chipset is aware of the operating system, or rather the other way around. Manufacturers use kernel modifications and user space libraries provided by Qualcomm for their chipsets.
Yeah I just mean they blame the chipset, but in reality it’s something in the OS stack.
Qualcomm drivers are blobs, and they’re basically the main game in town for android, so the drivers would be shared by even their own device.
They stopped short of investigating what was causing the pull of the A-GPS data. It could have been something in the distro they used, that the other distro didn’t.
Yea, I'm pretty confused by this write up and a bit skeptical. I would really like to see better information about what they're seeing to conclude that the allegations are credible.
I worked with aGPS a bit when I started my career. As I recall at that time, the chipsets only accessed the aGPS service if something asked the chipset for the current GPS coordinates of the device. The chipset could avoid the long load times of the locations by using the network to assist the GPS and get the current state. And because this is part of the cellular network standards, this would just be another thing the chipset did when working with the network, like receiving an SMS, or registering with the network so it can be notified of an incoming call or packet of data.
I wasn't aware that aGPS could also be done over WIFI, but I suppose it makes sense that it can. That might involve the OS as well, as other comments have pointed out to get to the WIFI network.
So I'm not ready to jump on that Qualcomm chipset is the culprit, or this is nefarious, unless we're sure there is no software process asking the chipset for the GPS coordinates / triggering an aGPS call, and that the identifying information alleged is actually in those messages and this isn't just some generic policy statement. And that this actually always goes over wifi, and when connected to a cellular network, it doesn't use the network operators aGPS. The network operator already knows all the alleged details based on the global standards of how a cellular device communicates with the network.
> For example, how is the chipset getting “List of the software on the device” unless the chipset is aware of the operating system?
This surely isn't "the chip" doing this. It's the driver suite provided by Qualcomm, which is (obviously) required for a functioning device. The open Android distros still need drivers, and are essentially copying these files verbatim without review.
Somewhere Qualcomm has a privileged daemon able to get this info.
Or it's some GPS receiver state visible through the requests that might allow identification of certain apps that leave some form of characteristic fingerprints in the receiver. Could be "why can't Android allow bluetooth without GPS permissions!" all over again.
Idle speculation, idle speculation that picks up just where the compliance handwaving stops: the legal team takes the better safe than sorry approach of listing everything they might perhaps infer from the particulars of aGPS refresh, and the blogger basically continues that line of thought: wow, that would be pretty wild.
The "no packet analysis" is an interesting angle, because it would take all the fun out of complaining about plain http: would we prefer open messages with a known low amount of things to hide, or hidden messages with an unknown amount of secrets?
> They don’t actually do any packet data analysis to see what it includes as far as I can tell, so other than seeing some packets go through, the rest feels like idle speculation.
That's enough under GDPR, which is the point of the article. Even though the GDPR requires active informed consent, there are still so many layers openly sharting on that requirement, and no one holds the big players accountable.
This is all assumptions. Just because izatcloud.net is owned by Qualcomm = they must be exfiltrating personal data? c'mon! Then you go and peddle your own NitroPhone as a "Qualcomm free" alternative? You're just gaslighting your customers to buy. This is a very short-sighted article based on lax assumptions and NO WIRESHARK to back it up. Just because a firmware makes a call home doesn't mean it's sending your personal data. Does it have access to all the hardware? It should, it's a MF'ing driver for a CPU. Name me another CPU that doesn't have access to the hardware via it's user-space blob? The consequences outlined in the article are true for EVERY mobile device, laptop, tablet, consumer electronics w/ wifi.
Wireshark logs or you're just doomsday speculating. Show me the call to izatcloud.net with more than just http header identities every AdTech/MarTech company is already capturing from your web traffic and deanonymizing you.
There isn't actually evidence of that. These connections are actually being done by the OS, which you can control if you are using an open-source ROM. Just because on OS doesn't currently change the defaults from the manufacturer doesn't mean others are the same (in fact, grapheneOS goes to some lengths to strip as much of the identifying information vanilla android sends as they can, proxies this through their own server, and gives you an option of disabling it altogether). The default behaviour of AGPS on android is concerning and a big privacy violation, but this article felt the need to add some extra BS to scare you into buying their hardware specifically.
So it's in Qualcomm's privacy policy. So what? Where did the consumer agree to that? If the phone never went through Google activation, no transaction ever happened which bound the consumer.
This is a bad faith take. If Google's T&Cs said they could record you anytime they like, but they given you a PCAP showing they don't, you would be outraged at their claimed legal right to do so?
This is the same. Quadcomm have the capability, and the claimed legal right. It essentially doesn't matter whether they do, or do not, actually execute on it today.
> If Google's T&Cs said they could record you anytime they like, but they given you a PCAP showing they don't, you would be outraged at their claimed legal right to do so?
I would, yes. There's some reason that they claimed the legal right to do so. That they aren't actually doing it at the moment I check means nothing, because they could start doing it at any time in the future.
> This is a very short-sighted article based on lax assumptions and NO WIRESHARK to back it up. Just because a firmware makes a call home doesn't mean it's sending your personal data.
Which every iPhone and Android phone do all the time. You agreed to it when you agreed to the terms of use and all that legal crap they hide behind. I'm not saying I'm ok with it. I'm saying I know it's been going on since 2009 and no one with the ability to change it, cares.
This is the heart of the political struggle. Most commenters mention the privacy part, which is valid, but the real meat is the war of nations over data. RESTRICT act or whatever it’s called to ban TikTok because all the congressional members’ grandkids are hooked on it and could care less about their grandparents. Data tracking is already taking place. Your personal data is out there already. When you search for butt cream and then go browse Facebook, they know what you searched for. It’s not that they are reading your browser history, instead they are reading your web logs from some 3rd party tracker server.
You can't. Every call you make to a server includes your browser's user-agent/client-hints as well as your IP. Those cookie consent screens are provided by 3rd party but integrated via 1st party. So the company's website you visit doesn't even have to know it's going on, all they have to do is setup the MarTech correctly with the vendor and create a DNS entry. This, while being used to track you, could be used for good - it's not. Some companies are trying to own some of this to prevent nefarious uses of the data but in the end it's been the wild west of data tracking for the last 10 years or so.
Challenge: Open up your favorite website (not HN :D) and watch the XHR's and network calls in your browser's devtools. How many of those are for the same origin? How many of those are ad calls being blocked by your extension (which also has access to your data)? How many of them are calls for a single pixel gif? Some javascript? favicon.ico? Do some spelunking on WHOIS for each of those domains. All it takes is one of them to proxy the headers. Proxy the headers and check if ad was served by looking at logs of both ad request and page request, if no ad request was found, require them to disable adblocker...
Your Android would need to be connected to an external firewall at all times through which you can monitor and control traffic. pfsense / firewalla are some of the popular firewall devices. Don't forget to remove the SIM card (airplane mode isn't enough). May need a wifi / cellular jammer too, to be absolutely sure the device will always connect via home router / firewall.
You could use an on-device firewall app, too; but OEMs / ODMs can always bypass it as they pretty much control not only the software but the hardware, as well.
A quite overblown article from a company pitching their own "secure phone".
They installed a custom OS which apparently includes Qualcomm's indoor positioning service iZat, but is missing the EULA item to allow the user to enable/disable the service.
iZat exists for at least 6 years, and the vendors who implemented it usually have a separate checkbox in their startup wizard to allow it to work.
Do you also trust the Intel Management Engine and AMD Secure Processor? Because I see no reason to. It's almost like all these companies were compelled to implement these features by a caring government. Maybe it's for the children
IME’s a poor analogy for what’s happening here. the article ends with
> Affected users could try blocking the Qualcomm XTRA Service using a DNS-over-TLS cloud-based block service, or re-route this traffic yourself to the proxy server from GrapheneOS […]
if these requests were being made below the OS, akin to IME, you wouldn’t be able to substitute the DNS like that.
unless they mean that you could reroute things upstream of the phone — but most users don’t deploy their own fleet of LTE towers, so i doubt that’s what they meant.
why do you shoot the messenger? yeah they did a bit of advertisement to their phone, who cares. what matters is that now even freaking basic hardware pushes your data wherever they want without asking you. I really wonder if this had been a Chinese company the kind of comments we would have seen here.
Because the part about is being the hardware is false. This behaviour is entirely part of the OS. It's still bad, especially if the OSS ROM is not making users aware of it (though neither really are the manufacturers: burying this shit in a pages-long policy which the user cannot freely decline does not qualify for GDPR consent either). It's very easy to make android look bad from a privacy point of view, you don't need to make things up to do so.
Worth to note that on a manufacturer implementation the consent is not buried in some pages-long policy. It's an explicit, separate item, which contains "sends your location data" and "may operate even when no apps are running" in the first paragraph.
My phone (from Sony) uses this and is making these requests, and I can neither find anything in settings which would allow me to opt out, nor do I remember such an example during set-up (and I always go out of my way to refuse such things).
I don't know which Sony device you have, but the setting is probably in [Settings]-[About Phone]-[Usage info settings].
The question about data-collection is asked during initial setup (iirc depending on Android version it's either on the very first page of the startup wizard labeled "Important Information", or it's shown as a Notification after the Wizard is completed), but I admit Sony has a quite elaborate list of License Agreements and they make it quite "frictionless" to just confirm everything.
Anyway, I can't tell how Sony implemented it across all its models and years, but to stay on-topic, community-OS's are not really a benchmark for End-User License Agreements on privacy-data (which is what that company in this article was benchmarking against its commercial product)
It may have a reasonable explanation of benefits it provides, but so does Intel Management Engine and nearly every privacy-invading feature ever.
I know you didn't personally design it so I'm not asking you these questions, more just thinking through this (although anybody knows the answers I'd appreciate hearing them so I can be more informed).
Why does this need to be built in at such a low level that not even flashing a new OS can see it/stop it? Why can't it be something users can opt in to, or at a minimum opt out of? Whether sinister or not, it's a "call home" mechanism built into to the lowest levels of the hardware, an area where users are powerless, even though they "own" the device.
> Why does this need to be built in at such a low level that not even flashing a new OS can see it/stop it? Why can't it be something users can opt in to, or at a minimum opt out of? Whether sinister or not, it's a "call home" mechanism built into to the lowest levels of the hardware, an area where users are powerless, even though they "own" the device.
It's done by the ROM, at the OS level, not the chipset. Some custom ROMs will proxy this request to mask your IP.
You have to manually strip the QCOM additions in the vendor side.
It's just a matter of removing files, but I wouldn't expect to do it without some knowledge how the whole thing works in Android, without breaking GPS as a whole.
An odd article. They find traffic from one domain, don't disclose what the traffic is despite being unencrypted, then make speculation that it's extracting a list of things based on a privacy policy Qualcomm provided—when the authors could have just documented what they found to begin with to inform the reader based on evidence.
Then they conspicuously plug their phone, which doesn't have a Qualcomm chip, and linking to its store. I'd like to see more presented before being accepting of such a story.
I wonder why they didn't actually post the data that's being sent over. Especially because it says:
> Investigating this further we can see that the packages are sent via the HTTP protocol and are not encrypted using HTTPS, SSL or TLS.
So why not just post the actual data, instead of:
> To clarify, here a list of the data Qualcomm !!may collect!! from your phone according to their privacy policy:
Also, how does Qualcomm's privacy policy affect me as a user directly? I didn't agree to that. Or do I "accept" it because it gets passed over by manufacturers?
This kind of restates what was discussed here yesterday. Android's constant leaking of data to Google is hardly any news, but Qualcomm's firmware doing the same in plain text to izatcloud.net is newsworthy. Apparently Apple is doing the same. Someone has a nice geolocation database of practically everyone in the world.
Uh... They have 0 transparency and were caught in PRISM handing over data to the government. They have worked with multiple authoritarian regimes to give data on their customers.
Everyone operates an AGPS service these days. Without it, you'd have to wait at least 12.5 minutes from a fully cold start (and likely, if you missed a data packet, double or triple that) until the GPS receiver has all the almanac data [1].
I may actually use gps once or twice a week only, disable geolocalisation when it is possible on all apps I am using.
There is no justifiable reason to say gps is not possible without this. Besides you should be able to decide you don't mind waiting 15 minutes to get full gps service.
Also there's not really any good justification for the amount of data sent with the AGPS request. It can be a super plain HTTPS request with nothing else, instead of sending basically all of the tracking data from the device, including from what I can tell the IMEI which google doesn't even let app developers access anymore.
There is no private data in the request. The request is HTTP and authors could have analyzed them and discovered there is nothing in them. Instead, they published a list of things that Qualcomm privacy policy could include.
Do you have an actual copy of a example request (with all headers) from an manufacturer's ROM? There's a lot of discussion but no-one has actually posted the full HTTP request, but there is a lot of stuff which indicates there might be a lot more information in the request on official ROMs (especially those using qualcomm's daemon). I know grapheneOS keeps it to the bare minimum required.
The response post I was reading (and got posted here) didn't include any details. I can't tell if they actually looked at the response or were depending on someone else. But that is better than the original article that didn't even look.
Why would you expect any private data to be sent when requesting static file? That would slow down both the client and server.
I don't know why they would do it, apart from the obvious that it allows some tracking. Here's some more detail I managed to find on it (from /e/OS development): https://gitlab.e.foundation/e/backlog/-/issues/5765 . At least it seems the IMEI is not included (at least in this specific example), but a serial number and a bunch of other information about the phone is.
I might be wrong; it was merely speculated in the article due to the fact that Qualcomm chips are used also in Apple smartphones. An audit would be needed.
iPhone involves a lot of telemetry which Apple sends it to itself. We don’t know what kind of contract Apple has with Qualcomm but if it involves Apple anonymising and sending the data to Qualcomm for using its chips then it’s likely going to be the same just in a different form. I’m pretty sure Qualcomm would like some kind of telemetry from its partners it sells chips to.
This seems like much bigger news than it's being received as. Sure, other chip makers do sketchy things, but is that really where we're at in 2023? We're so beaten down by proprietary user-disrespecting hardware/software that we just shrug it off?
<rant because I hoped for more outrage on this and am not seeing it>
This makes me mad. I'm so sick of this type of thing. It's a horrible time too because the embedded 5G chips are about to be part of everything, sending telemetry back about where they are and what they're being used for. I think it's utterly ridiculous that if you aren't ok with this type of thing, then you have to go way out of the mainstream to find products, and often there's no viable option. "Ownership" now means nothing.
Imagine if you bought a car from somebody, and they secretly kept a spare key and periodically used your car to run their personal errand. Would you be ok with that so long as they always had it back before you needed it so you never knew they were doing it?
That's what is happening when you "buy" a device and the device maker uses it to run code that serves only themselves (without receiving permission), to the detriment of your privacy. I can only hope RISC-V combined with people willing to care can lead to a return to a time when people actually own stuff and ownership is something we respect.
>Imagine if you bought a car from somebody, and they secretly kept a spare key and periodically used your car to run their personal errand.
It's worse than that. It's like you bought a house from somebody and they secretly left cameras all over the living room, bedroom, bathroom, and kitchen so they can get 'telemetry' ostensibly to improve the next house they build, for 'safety' in case there's an accident, and to 'protect the children'.
I think people are so overwhelmed and anxious that there's no space for fighting back against this kind of over-reach. And even if you did have the time and space and energy, how would you even go about it?
And the laws are written such that replacing the software responsible for sending the camera feeds back to Tesla with a FOSS equivalent is illegal, because you're less trusted than the spying psychopathic corporation.
> the covert operating system (AMSS) has complete control over the hardware, microphone and camera. The Linux kernel and deGoogled /e/OS end-user operating system function as a slave on top of the hidden AMSS operating system
me too, and i also remove the camera[s], and put a dab of urethane over the hole.
if i know there is an accelerometer i cut Voltage, and shunt it to ground
Good for you. There are so many examples of cameras on internet-connected devices being used to blackmail people, and criminals are pretty creative, so they'll keep thinking of other nefarious things to do in the future.
> Drawing from existing literature, we found that accelerometer data alone may be sufficient to obtain information about a device holder's location, activities, health condition, body features, gender, age, personality traits, and emotional state. Acceleration signals can even be used to uniquely identify a person based on biometric movement patterns and to reconstruct sequences of text entered into a device, including passwords.
One I could think of is you could use accelerometer data to know if the phone is moving, and how: is it just being lifted and interacted with, is the user walking or running, are they in a car.
For a high profile target you might also be able to track their approximate location if you know their starting point and their acceleration profile - speed up, slow down, turns, time taken. Enough, at least, to execute an ambush.
With enough data and a high SNR, you don't even need the starting point or the velocity profile. Just the turns and distances are enough in combination with a map to uniquely identify most journeys. The problem with applying that more globally is sensor drift.
Because it can be used to roughly track location through 3D space. It's nowhere near as accurate as practically any other method but for "good enough" a lot of the time it'll do the job.
Sorry, but trying to be optimistic about RISC-V is only going to lead to more pain.
It's just an instruction set architecture and it's still going to be made in large SoC fabs by Qualcomm-class companies that want to save a buck on ARM licensing. There's no way to win here.
You're right RISC-V just existing won't save us. I mentioned in a sibling comment, but my hope is that it leads to more competition so there are at least options. It probably is naive since these days there are tech startups and tech giants, and any startup that starts to gain traction will go for an exit strategy to be acquired, then it will killed. So things are probably not going to get much better.
Perhaps though, with RISC-V options there could be a real solid open source option (aka a Linux phone). It wouldn't have to be nearly as mature and polished as the duopoly, but at least something that allows people to participate in modern society (much like desktop linux is now).
> my hope is that it leads to more competition so there are at least options
There are already lots of options within the ARM instruction set. The problem is that Qualcomm makes the best modems and the best (non-Apple) processors and uses their wireless patents and chip lead to squash competition.
> Perhaps though, with RISC-V options there could be a real solid open source option (aka a Linux phone)
The issue isn't the ARM instruction set. We have Linux smartphones (beyond Android) that you can buy today. You can buy a PinePhone and run Ubuntu Touch, postmarketOS, Mobil, LuneOS, and more. You can buy a Librem or Volla Phone or Fairphone. If you want out of the duopoly of Apple and Google, there are devices you could have shipped to you today!
The problem isn't the ARM instruction set and getting RISC-V processors wouldn't make much of a difference for Linux (or FOSS in general) on smartphones. The ARM instruction set isn't what is keeping the tech giants in power.
“ The ARM instruction set isn't what is keeping the tech giants in power.”
Right, it’s the fact that (I’m assuming) simple stuff like checking my email is a nightmare on any phone that isn’t iPhone or Android. I know I could probably switch email clients, but is that worth it?
And all the other apps that either suck on the web or don’t even exist.
It’s such a chicken and egg problem that even Microsoft couldn’t crack it, despite making a perfectly good OS and hardware. By the time you are two years late to the party it’s already over.
I have the /e/OS Fairphone 4 and the battery life is pretty good. To be fair, I've only owned the smaller versions (Galaxy Mini) and non-flagship phones before, so this one is quite a bit bulkier in comparison. With my low usage, over a year after purchase the battery still lasts for multiple days. My previous phones I used to charge every night, anyway.
What does an ISA really help with, though? Qualcomm doesn't have an advantage because of an ISA, they have an advantage because creating power efficient RF designs that keep up with the latest standards is incredibly hard. Until someone can compete with them on a bandwidth per watt ratio, they will continue to abuse their position.
> The world we live in gets scarier and scarier every year.
One could accurately summarize progress since the Industrial Revolution as asking whether we could (and how), and not whether we should (and why). You can see this expressed in the growing focus on STEM education vs. the liberal arts and results in things like remote-controlled Teslas.
Cave Johnson said, "science isn't about why; it's about why not". The traditional counterbalance of that "why not" -- classical education, religion, etc. -- have all been falling behind.
yes, and instead of gradually retiring superstitious worldviews in favor of cautious, contemplative secularism, far too often we uncritically shift religious faith to technology
Yes to liberal arts, absolutely, but it’s not liberal arts that’s trying to stick its oar in to the place of science in society. It’s made up bullshit ‘social science’ that’s one step away from parapsychology and crystal healing.
Liberal arts is a natural ally and fellow traveller with science and technology. In fact much of early science grew out of liberal arts endeavours. Geometry from sculpture and perspective in art and architecture. Chemistry from developing pigments for painting.
1) AFAIK Teslas cannot be driven remotely. But even if they could Tesla is not using cars for errands, like wtf c’mon. And if they wanted to do that and paid me for it, I might be interested in helping the environment.
2) Tesla is able to remotely unlock a vehicle if they verify the owner. This replaces a call to a locksmith and/or the towing company and is way more convenient. So yes, people are okay with being able to have their car remotely unlocked by a third party who they authorize, we always have been.
On the other hand, Teslas cannot be driven remotely YET. Enabling this functionality is a core goal of the Tesla company. It remains to be seen if it is abused once it actually works. Ford has already applied for patents for cars that will self repossess for example.
Smart summon is a party trick that requires you to keep LOS to the vehicle the entire time. Like Full Self Driving it is not capable enough to be a problem yet.
If there is any good news about this it is that Full Self Driving appears to be a more difficult problem than Elon expected and they are struggling with it.
Replying to both of you, first off which manufacturers let you choose the 3rd party remote access authorized agent? And which won’t machine new keys if you send them a request and your vin or key code. Second, Tesla comms are encrypted.
Anyway, if you don't want to use vehicles which communicate with a server then good for you. Really. But if you’re taking such a stance I hope it’s based on informed data and consistent principles and not cringy FUD.
There is nothing that leads me to believe that a Tesla is a “surveillance platform” despite it being a machine that is capable of becoming one. It’s a car. It gets me from A to B. Thats the agreement I have with the manufacturer. I primarily use my app/phone instead of physical keys. I opt in to sharing diagnostic info with Tesla to improve the experience. It’s all pretty above board.
> which manufacturers let you choose the 3rd party remote access authorized agent?
None that I'm aware of.
> Tesla comms are encrypted.
Which is very good, but still leaves the problem of Tesla getting the data.
> if you’re taking such a stance I hope it’s based on informed data and consistent principles and not cringy FUD.
I'm taking this stance because the history of the tech industry's practices in this area is full of so much abuse that nobody gets the benefit of the doubt anymore.
> Thats the agreement I have with the manufacturer.
I'm glad that you are comfortable with that level of trust with Tesla (or any car company). I am not. Which is, I suppose, why you'll own a Tesla and I won't.
I think we're on the same page about it being totally reasonable and fair for individuals to have their own tolerances and security postures. We need more principled people in the world, keep it up!
Let me put it this way. In this case, specifically, what you're claiming is pretty outrageous and, if true, sounds like something I should take more seriously too. If you can give me examples of Tesla abusing users' trust and operating in a way that is not in accordance with their privacy policy, user consent, and/or general understanding of techno-decency, then please surface the evidence to support your claims so I can consider your argument more seriously. Otherwise what you're claiming does not align with my experience owning a Tesla and my knowledge about how they're designed and engineered.
The pragmatic in me understands that there is always a risk that a future software update will change the behavior of a product in a way that is not in my interests. That is a risk I take by using any software product and something that responsible people keep an eye on, agreed. I'm just not going to categorically avoid software that can be updated out of fear that it could start spying on me. If it starts spying on me without my consent, good bye.
I also understand that we may even have different tolerances for living with connected hardware and software. If you're the type of person that compiles their own firmware and updates their own devices offline after personally vetting the software, I'd buy your concern about trust a little more too. But honestly it just sounds more like you're saying "yuck Tesla, I wouldn't trust them to build a respectful product", while ignoring the fact that you're likely posting this from a smartphone, if you know what I mean.
> In this case, specifically, what you're claiming is pretty outrageous and, if true, sounds like something I should take more seriously too.
I have made no specific claims, I think. If I did, they were unintentional. What I'm claiming is more general: that in the tech industry, data collection on users has been so widely abusive that I am not comfortable trusting any company with data collection by default. Specific companies can earn my trust, of course. No car company has done that, therefore I trust none of them with my data.
Is this the claim you're referring to?
> But honestly it just sounds more like you're saying "yuck Tesla, I wouldn't trust them to build a respectful product"
I do not intend to be singling Tesla out except insofar as Tesla (as I understand it) engages in more data collection than other car manufacturers. That said, I'm a bit more suspicious of Tesla just because of Musk. Not a lot more suspicious, but some.
> while ignoring the fact that you're likely posting this from a smartphone
I'm not. But I also have mentioned here that when my current smartphone dies, I won't be replacing it with another -- specifically because it's become so difficult to render them safe that it absorbs too much of my time and energy. That makes the cost/benefit of a smartphone too unfavorable for my tastes.
But with the smartphone I currently have, I do not use it for very much online stuff -- certainly not for web browsing -- anyway, because of safety concerns.
> Anyway, if you don't want to use vehicles which communicate with a server then good for you. Really. But if you’re taking such a stance I hope it’s based on informed data and consistent principles and not cringy FUD.
Why can't we just hold the opinion that HTTP and operating an automobile are two separate things entirely?
I've been driving for 20 years without web crap and I've never sensed the need to share telemetry with anyone during that process.
"Into perspective" is exactly wrong, because it means accepting all the tenuous assumptions used to justify the design in the first place.
The problem is not that an automaker wanted to have functionality that could legitimately unlock cars for legitimate customers. The problem is that creating this functionality entailed making a much larger backdoor that will invariably be abused by independent attackers, police, the company itself, etc - to do much more than merely unlock the doors.
There have been numerous talks at security conferences and solid research done on the security of Teslas. I don’t think you realize how sophisticated these things are. The infotainment system and the CAM bus are not the same software, for example. And attackers aren’t gaining remote access to them either (Teslas use stronger ssh keys than you do). So I’m not sure how this mega backdoor FUD even plausibly exists. A car isn’t a safe either, if law enforcement has a warrant for my car, or house, they’re going to forcibly break in if needed (heck they’ll even do that for a safe). Seems better to have Tesla legally complying/cooperating with law enforcement than the alternative where people use force.
I’m not saying we should build backdoors into everything for the kids, just to be clear. But I can be a happy consumer/user of a car with remote unlock functionality that’s implemented more responsibly than your npm account without devolving into “zomg Tesla backdoors your life to give you that feature” histrionics. That’s just not true. Like you, I would love to see, just like I argue for phones, the ability for enthusiasts and/or hyper paranoid people to install their own software roots in a supported manner if they don't want another party having access or if they want to delegate to a different 3rd party. And let me turn it on/off, sure. But having a car with remote unlock is not some gateway drug selling your digital soul.
> Over the last few years, Tesla has been investing a lot in cybersecurity and working closely with whitehat hackers. The automaker has been participating in the Pwn2Own hacking competition by offering large prizes and its electric cars for hacking challengers.
Tesla literally paid people 100k to pentest their car so they could fix any bugs/issues found, so that you don't get hacked.
SSH !?! This supports my point - a remote command prompt is much more functionality than what is required to unlock doors. It's not really appropriate to talk about this level of control as if it's merely a necessity for remote door unlocking.
You're the one engaging in histrionics here - sour grapes about the lopsided relationship that was included with functionality you enjoy, as well as strawmanning those concerned with how ownership is being eroded as rare enthusiasts or "hyper paranoid". FWIW it's perfectly consistent to pragmatically trust specific manufacturer(s) today, while still being concerned about the societal effects of centralized control continuing to be normalized.
It's certainly possible to implement the same functionality you're enjoying in ways that put the owner in charge and treat the company as a possible attacker. But it takes more rigorous design and development, and isn't likely to happen on its own as long as people continue to carry water for simplistic centralization.
I'm not sure if you're aware, but SSH is a flexible protocol of which "terminal emulation" is just one use case (you can implement bespoke command/response actions, I've written an SSH server before FWIW). I don't have the specifics on hand, but even assuming they can get a "terminal to your car", the resulting access is only capable of doing what the environment allows it to do. I highly doubt `spyontheuser -vvvvvvv` is one of the available commands. If it is I want to know too and would also be rightfully pissed.
Yeah. I'm not so naive to try and argue `unlock` is the only thing Tesla can do to your car remotely. Like I've said, they can update your car if you agree. If they can update the car then they can do whatever the hell the hardware allows, in theory. This is true for anything (software/firmware/younameit) that can be updated. Are you reading this on a computer with a modern OS?
I never said we shouldn't be critical of centralization and eroded notions of ownership. I am rebutting the sensationalized "Tesla has a persistent backdoor to your car and is using it to spy on you" spin on the issue. At this point in my life I'm becoming more of a tech pragmatist. One thing that has become clear to me over the years is that people don't want to be single points of failure. Putting people in that position yields poor products/user experiences. I believe there's a way to legislate and lay ground rules for ownership and access to consumer hardware that allows custody to be responsibly shared between a company and a consumer. I don't believe we're socially there yet, but making up fake news about how companies are spying on users and can't be trusted doesn't help progress the dialog. (TFA is another example of not advancing the dialog, which is how this all ties in.)
Trust is always an issue and always present. We have to make trust decisions. What I'm advocating for is making decisions based on facts and evidence, not FUD and slippery slope speculation. What I'm arguing is that it's important whether Tesla is acting in a way that is culpably deceitful and has given users reasons to not Trust them. If the evidence shows Tesla is being dishonest and operating in a way that is not in accordance with their privacy policy, then yeah grab the pitch forks I'll be there right next to you. This goes for anybody asking for trust, not just #companieselonmuskhastouched.
Otherwise name an EV that isn't cloud connected, is somehow innately more trustworthy, and that saves me 5k/year on gas.
> SSH is a flexible protocol of which "terminal emulation" is just one use case
I had hoped we weren't going to go down this path. It's not the responsibility of the free world to try to pry the exact details from closed systems to demonstrate their exact insecurities. Based on the functionality they have (remote update) plus the various bits that have been reported about their infrastructure (remember that reddit post about MSWin+bubblegum?) plus the general pattern when any proprietary system says "trust us we're sooper sequre", Tesla (any every other centralized system) really does not deserve any benefit of the doubt that they have done work to actually design a telemetry/privilege minimizing system.
> If the evidence shows Tesla is being dishonest and operating in a way that is not in accordance with their privacy policy
Meh. The penalty for violating privacy policies in the US is zilch, and even if it weren't such policies are generally non-binding and can be retroactively changed at any time. Without a privacy law ala the GDPR, the sensible thing to do is to assume that any piece of information you feed into the surveillance industrial complex will be stored indefinitely and may eventually be used against you.
> What I'm advocating for is making [trust] decisions based on facts and evidence
I feel like we could have some common ground here, but your previous arguments have carved off way too much in defense of lazily-implemented centralized control, based on seeing no evil. If it's possible to architect systems such that they don't backhaul information to their manufacturer or give their manufacturer ongoing control, then we should criticize those that do - regardless of the pragmatism of using them anyway because they are the least worst option and/or beneficial in other aspects.
I myself use many things that compromise my own privacy through suboptimal implementations, but I'm not going to sit here and defend the companies because they haven't been caught doing anything too hostile at the moment. Rather I accept that they're inherently attackers that I've chosen to trust (NSA definition) with some amount visibility into and control over my activities due to other benefits they provide - while remaining generally interested in more secure alternatives.
> It's not the responsibility of the free world to try to pry the exact details from closed systems to demonstrate their exact insecurities.
Actually you're wrong. It is the responsibility of the person making an accusation to back up their accusation with credible evidence and facts. That's how things work in the free world, at least. Presumption of guilt is just too dangerous and detrimental to a free society and so presumption of innocence is ingrained in our entire legal and judicial framework.
I'm not defending Tesla in the face of evidence that they are naive and abusive. There's simply not evidence in the first place that they're naive and abusive (and if there is, you've certainly failed to procure it). There is, in fact, the opposite, as reported by security researchers and as stated in their privacy policy.
> Tesla (any every other centralized system) really does not deserve any benefit of the doubt that they have done work to actually design a telemetry/privilege minimizing system.
It's not the benefit of the doubt. I was literally in the room at Defcon when Kevin Mahaffey and Marc Rodgers gave the talk that kicked off the Tesla bug bounty and security research program in 2015. And they had good things to say. Certainly their impression was not "this shit's dubious IDK if we can trust Tesla's security engineering" which you seem to be implying is your default impression because Tesla is #bigtech.
And the story only grows from there. I maintain that, to my current working knowledge, Tesla takes security and privacy seriously and invests commendable resources into making sure its platform is secure. They invest in and support security researchers. And their data collection and privacy behavior is above board in all places where they sell cars.
Here are some privacy policy excerpts:
> Your Tesla generates vehicle, diagnostic, infotainment system, and Autopilot data. To protect your privacy from the moment you take delivery, Tesla does not associate the vehicle data generated by your driving with your identity or account by default. As a result, no one but you would have knowledge of your activities, location or a history of where you’ve been. Your in-vehicle experiences are also protected. From features such as voice commands, to surfing the web on your touchscreen, your information is kept private and secure, ensuring the infotainment data collected is not linked to your identity or account.
> Tesla enables you to control what you share. Within your vehicle’s touchscreen you may enable or disable the collection of certain vehicle data (Software > Data Sharing), including Autopilot Analytics & Improvements and Road Segment Data Analytics. If you choose to enabled data sharing, your vehicle may collect the data and make it available to Tesla for analysis. This analysis helps Tesla improve its products, features, and diagnose problems quicker. The collected information is not linked to your account or VIN and does not identify you personally.
Do you have evidence that Tesla is not honoring its privacy policy? If you want to change my mind, show me the data on how Tesla's systems are insecure/naive/user-hostile and I'm happy to continue the conversation.
PS
Consider this: you can buy a Tesla in the EU, no? You think Tesla has code like `if user.country == "USA" && user.state != "CA" { user.abuse() }`? I think it's actually more likely that, since Tesla is a global company, that they have a better security and privacy story than most strictly-USA focused companies. I actually trust small US startups far less than mature multinational corporations with my data. I've been at both and large companies have swaths of lawyers making sure people are in compliance with the law where small startups have trendy founders that prefer to ask forgiveness rather than ask permission.
> It is the responsibility of the person making an accusation to back up their accusation with credible evidence and facts.
This isn't tenable for security, especially in light of computational complexity. Rather it is up to the party claiming "trust me" to show that they are trustworthy. One major way of doing this is to publish source code that is easier to audit than having to reverse engineer. There is a long history of proprietary companies claiming to be secure while actually being an absolute mess internally. In the face of that dynamic, it is reasonable to be suspect of proprietary systems a priori.
> Do you have evidence that Tesla is not honoring its privacy policy? If you want to change my mind, show me the data on how Tesla's systems are insecure/naive/user-hostile and I'm happy to continue the conversation.
The argument isn't that Tesla is not honoring its "privacy policy" or is currently abusing its backdoors today. Rather it's that the systems they have shipped can be easily abused tomorrow. I've used the words "insecure" and "naive" about the security of Tesla's cars versus Tesla as the attacker - a threat model that bug bounties generally don't address. I do agree that currently, Tesla is (seemingly) not doing much attacking of their customers. The point is that can change tomorrow and the software has been seemingly designed so there will be little the owners of cars can do to protect themselves.
I looked through your comment history to see where you're coming from. Surely as a Linux user you can appreciate that there is a stark difference between software that is widely expected to respect your own interests as the user (and has been decently scrutinized for this quality), and mostly opaque software that has been created by a company to chiefly serve that company's interests? Especially software that has Internet access, so that its behavior can change when the company's interests change?
> And if they wanted to do that and paid me for it, I might be interested in helping the environment.
Let me put it into perspective: making your Tesla (a heavy vehicle probably driving 1 person) drive more is not helping the environment.
If you want to help the environment, don't drive a Tesla, find something that burns less energy (like a smaller car, or public transports, or an electric bike).
Don’t be a nitwit. Ride/time-sharing a car is better than the alternative where gas vehicles are performing the same miles on the road. If timeshared vehicles reduce the number of cars needed per person, then we are winning. Also if they displace ICE miles we are also winning. My family only uses 1 car, which is 100% less than tue average American household. Kindly check your bitching.
> If timeshared vehicles reduce the number of cars needed per person, then we are winning.
Well you are winning on the fix cost of building the vehicle (obviously). But you are still moving people in a vehicle that weighs 2 tons. The fact that it is an EV does not mean that you use less energy to move that weight, does it?
So yeah, if someone decides not to buy a Tesla or equivalent because they can use your shared one, you are winning. Now if someone uses your Tesla instead of any lighter vehicle that would use less energy during its life than the Tesla (which represents a lot of vehicles, not only bikes and public transports), then you are losing.
So let me repeat this: if you buy a Tesla because you think it's a "green" move, then save your money. You should buy a Tesla because you want a cool, expensive, heavy sport vehicle. That's bad for the environment, but I guess that's the cost of being cool.
100% agree. WTF. I'm losing a bit of faith recently in HN, a significant number of people seem to have gone full tinfoil hat.
Edit: downvote all you want, nutters, but this entire discussion is mostly people ranting about things we don't even know to be true, with the justification "well if they aren't for sure doing it now, they will!"
You seem to be assuming that the only reason someone would downvote you is because they are tin foil hatters, or "nutters". I did not downvote you, but I could understand someone doing so for either or all of these reasons:
1. Your comment was kind of a "me too" comment that added nothing (or little) of substance to the conversation. On HN these types of comments are typically downvoted, regardless of topic or whether the voter is wearing a tinfoil hat.
2. You complained about the downvoting, and in addition added a personal insult to the downvoters. Personal insults are typically downvoted on HN as well.
3. You dismissed and strawmanned the "entire discussion" as "mostly people ranting about things we don't even know to be true." This type of thing is also frequently downvoted as it doesn't add anything substantive.
I mean no disrespect, but with nearly 20K "karma" points on HN, I know the rules, and when I'm flouting them a bit. I rarely do, and not the more serious ones. But this whole discussion is such a shit show, filled with so much "of course they're all bad" nonsense that I sacrificed some of that pointless karma to agree with someone in that regard.
I recognize your username from this thread, you were one of the accounts that came to mind as a big bandwagon offender of the "it's all bad and there can be no nuance" rhetoric :).
Have a good day! And I mean that quite sincerely. It's a beautiful spring day here and I'm just visiting my desk momentarily after spending the last hour waking up the swimming pool and preparing it for this weekend. Time to go back outside and forget about the Internet for a while.
Other than this reply, I've ceased posting in this discussion and hidden it to avoid the temptation.
I’m trying to discern your point. If it’s about cars having a data connection then my point makes no sense, obviously. But your comment was in response to someone complaining about “remote control” which is just “remote unlock” (that’s all Tesla does remotely in the context of GGP). So that’s how I interpreted your response.
I see a huge difference between the ability to physically break into a car and having a datastream to a company that can be used to unlock the car. The latter is much more problematic -- especially if I can't choose who does or does not have that ability.
This is all a subset of the problem that modern cars are surveillance platforms.
It seems you're being deliberately obtuse. There is a clear and obvious difference between "well someone can break that" and "someone has built a backdoor into this thing you purchased, for their own use".
No, there is just no foundation to the claim that there is a backdoor in Teslas for their own use. There’s remote unlock and remote software updates, both features that are for my benefit and use. And they don’t come with some naïve backdoor that attackers can exploit. They’re cryptographically secure and don’t expose me to vulnerabilities.
There’s a difference between the government legislating obscure and weak backdoors into all microchips so the NSA can spy on you, and a car company providing features consumers want, agree to, and pay for, in a secure way. One is a surveillance platform, the other is a good product. It’s silly to equivocate the two. Thats what I’m responding to.
> just no foundation to the claim that there is a backdoor in Teslas for their own use.
If it's not for their own use, whose use is it for? It's literally just for their use. They may promise that they won't use that backdoor for purposes that aren't for your benefit, but that's just their promise. And how do they define "for your benefit"?
How secure from other attackers that back door is is only one aspect. It's important (and important to remember the truism that "if there's a way to access it legally, there's a way to access it illegally"), but not the only issue. Even if we assume that hackers really can't get in that way, the backdoor and the data collection are still unacceptable to me.
I don't know if we’re arguing semantics or what at this point but it’s not a backdoor if it’s advertised as part of the product that consumers pay for. It’s just a product feature that needs to be secure like any other—frontdoor. If you’re not comfortable with that feature then don’t buy the car. But don’t go spewing certifiable nonsense about how Tesla backdoors your car and steals your personal data for profit. There is nothing in their terms or privacy policy that indicates this is happening, and data collection that could expose PII is opt in. Like research the product before making crazy claims…
It would help me understand your concern if you pointed to the data collection and use thereof that you consider unacceptable.
The way I see it, you’re essentially uncomfortable with Tesla being able to update the software on your system (which is also opt in BTW). Do you feel this way about all products that auto-update?
> If you’re not comfortable with that feature then don’t buy the car.
This was the only point I was actually making, yes.
> But don’t go spewing certifiable nonsense about how Tesla backdoors your car and steals your personal data for profit.
Aside from niggles about what constitutes a "back door", I was not doing that.
> There is nothing in their terms or privacy policy that indicates this is happening, and data collection that could expose PII is opt in.
None of that is actually reassuring, but the reason why is a whole other, very large, discussion.
> The way I see it, you’re essentially uncomfortable with Tesla being able to update the software on your system (which is also opt in BTW).
No, I'm uncomfortable with the data connection to Tesla. I'm uncomfortable with their data collection, and I'm uncomfortable with them having any sort of control over the car.
> Do you feel this way about all products that auto-update?
Yes. I consider auto-updating to be harmful. But the reasons why are another long, separate, conversation.
Again, I have no idea what you mean by "their data collection". What data are they collecting and how specifically is it being used in an untrustworthy, and harmful way? Our interests are aligned to get to the bottom of how Tesla handles data, because I don't want to own a car that is spying on me and you want a world where the internet doesn't exist (only half tongue in cheek).
EDIT: Also just so you're aware, did you know the car part of a Tesla works entirely offline at 100% capacity? Did you know the infotainment system, hud, etc. software can crash and you remain in complete control and full operation of the vehicle while it restarts. If you went in an disconnected the LTE antenna you'd have a connection-less Tesla. The fact that Tesla has designed the car this way speaks just a little to the quality of their engineering. The car is more like a plane than you'd think.
As I understand it, they are collecting data about the operation of the cars.
> and how specifically is it being used in an untrustworthy, and harmful way?
I didn't claim that it was. I was expressing my objection at it being collected. I have the same objection to similar data collection by software, electronics, etc.
Allowing data collection is an act of trust. Tesla (like most companies) has not earned that trust, and speaking generally, this trust has been so commonly abused that I give nobody the benefit of the doubt.
> you want a world where the internet doesn't exist
Your tongue may only be half in your cheek, but this statement literally could not be more wrong.
> did you know the car part of a Tesla works entirely offline at 100% capacity?
I would certainly hope so! If it didn't, I'd be saying that Tesla's design was inherently broken. I'm not saying that.
Since you are claiming I have opinions that I do not have, I clearly have done a terrible job explaining what my opinion is. It's pretty simple: the collection of usage data has been widely abused for a long time. Because of that, I have zero trust in almost any company that they won't abuse any data they get about me or my use of my machines. I think that's been well-earned. Teslas (as well as other cars) collect a great deal of data. I object to that.
It isn't because "Tesla sucks" or anything specific to Tesla. It's because Tesla (and not only Tesla) is engaging in a practice that historically has been abused.
> As I understand it, they are collecting data about the operation of the cars.
You're missing the part where it's not inherently linked to your PII without your consent (for example during a troubleshooting session).
> Since you are claiming I have opinions that I do not have, I clearly have done a terrible job explaining what my opinion is.
/eyeroll. I said I was playing.
Okay. I understand what you're saying. Removing all other noise, you just don't want data collected and Tesla hasn't done anything to earn your trust.
My response is simply that I think this is a blanket assessment that comes from an uninformed position about how Tesla's product actually works vs other car manufacturers vs tech companies in general, and that you're unfairly lumping Tesla in with #abusivebigtech. There's a lot of security research and evidence that supports the conclusion that Tesla does give a shit about both the security of their platform and the privacy of their users. In the absence of evidence suggesting Tesla abuses user trust, I do not presume guilt because that's a pretty harmful MO. Since your argument is essentially "but they're big tech", I can't help drawing the conclusion that your position on this topic boils down to that of a HN curmudgeon.
---
Anyway... car manufacturers aside, I'm also really struggling to understand what your proposed solution is where service providers don't have any data about users. (Let's not even get into in-product functionality like needing to uniquely key a user's account or send them communications.) Serious question: have you ever built a product? Not having any data whatsoever is great (I've tried it, trust me I used to think very much like you do)... for about 30 seconds until one of your users has a problem. They write in and oh shit now you've got their email. Let's sweep that under the rug for a second, you read their request for support and what do you do? You have absolutely no way to help them so your response is limited to "we don't collect software telemetry in any way sorry frustrated user, you're SOL". That's generally understood to be a wholly unacceptable response from a company the user is paying for a working product, so what privacy conscious companies with good product experiences do is [ask the user if they can] collect anonymous diagnostic and usage information. This gets you a little further, but you still can't do anything to help that user who wrote in because you can't find their telemetry since it's all totally anonymous. So you realize the lesser of two evils is to collect anonymized telemetry. This data doesn't contain the user's PII, but if the user consents, they can share the necessary identifier with the company when they submit the support request, and voila you can investigate and solve the user's issue, leaving the user happy.
The point is that you can't just unilaterally obliterate all data collection and remote connections and end up in a perfect world. You have to have a conversation with users about what data is collected and whether it's okay for it to be collected. I think this idea that the "good" state for software products is zero data and anything more than that is abusive is in fact harmful. It's harmful to product user experiences and it's harmful to protocols and standards when they weirdly hyper focus on specifying things in ways where access to unique identifiers is either nonexistent or controlled (rather than just designing for user permission). It gives incredible power to central authorities when you tell everyone they can't know anything about anyone, unless they're a blessed platform. Anyway I'm rambling at this point, but I'm really just curious how your vision for software actually works in practice. I don't see it without some radical shift where everyone refers to each other by the mnemonic version of their public keys or something incredibly foreign.
> You're missing the part where it's not inherently linked to your PII without your consent (for example during a troubleshooting session).
No, I'm not missing that. It's just not a significant point to me, in large part because I think that the definition of "PII" is too narrow. For instance, I consider the identity of the specific car I drive as being PII.
> you just don't want data collected and Tesla hasn't done anything to earn your trust.
Yes, exactly. And that's not a special stance about Tesla. It's my stance with most companies.
> I think this is a blanket assessment that comes from an uninformed position about how Tesla's product actually works
I'm sure that's true. But, honestly, I have no motivation to spend the time and energy to inform myself about how Tesla handles this stuff. To do so in any meaningful way is a moderate research project that I'd have to have some real reason to engage in. I don't think it's unreasonable to follow a larger heuristic until there's some reason to pay attention to a particular product or company.
> I can't help drawing the conclusion that your position on this topic boils down to that of a HN curmudgeon.
Draw whatever conclusion you wish. I haven't arrived at my attitude arbitrarily or through some sort of "big tech bad" mentality. It's due to years of actual experience.
> Serious question: have you ever built a product?
Not that it matters, but yes, many. Several rather successful ones. The odds are reasonable that you're even using one or two of them.
> You have absolutely no way to help them so your response is limited to "we don't collect software telemetry in any way sorry frustrated user, you're SOL".
This just isn't true at all. I've never had to say anything like that. Blanket telemetry is not necessary to help customers with malfunctions -- if it were, then all the software that I (and everyone else) sold and supported before telemetry was even possible would have been impossible to support.
That said, I have occasionally gathered telemetry as part of the support process. But it's on a case-by-case basis with the full cooperation of the customer, not a blanket thing the I subject all customers to.
And, to be clear, I'm not opposed to telemetry in general. I'm opposed to forcing it on people, or engaging in it without their informed consent.
> I think this idea that the "good" state for software products is zero data and anything more than that is abusive is in fact harmful.
My position is certainly not that all data collection is abusive. My position is that our industry has been widely abusive in terms of data collection.
> For instance, I consider the identity of the specific car I drive as being PII.
So VIN (vehicle identifier) is not included in the data collection, and, though Tesla collects the anonymized data by default in the US (this is not true in countries with stricter laws requiring any data collection to be opt in instead of opt out), you opt in to sharing anything that de-anonymizes it as needed. You also generally opt in to the collection of larger or more sensitive data (even in the US), on a use-case bases. I can go into settings and enable/disable road segment data, for instance. The Tesla privacy policy is a 5 min read and deliberately accessibly worded.
I know you're acting in good faith, but I see this theme reappear on HN (and generally) where people cry out for change, society responds, and then the people who asked for change are too jaded to believe that it's possible that somebody listened. Or it's "too big of a research project" to care. That's the reason I'm even arguing the point here. If we were talking about Facebook I wouldn't give it the time of day because there just isn't anything redeemable about their past actions or current product. But you're talking about how you are compelled to go buy an old used gas guzzler as your next car because there isn't a car company today that is possibly trustworthy. As a person who cares about privacy and security, and as a Tesla owner, I'm simply challenging you to maybe check your gut heuristic on Tesla, because they make a really good product, have been positively received in the security community, and have a privacy policy that reads like they care about treating your data with respect. I could be wrong in the future and you get to say I told you so. But if not, they might be a solution to your problem once you're in the market.
Most new cars do have a constant data connection though, including directly to the main CAN bus, where it has been proven that people can steal your car without a key or even disable it remotely. You shouldn't buy any of those cars either...
Indeed so. And I've said clearly several times that I wouldn't. I'm not actually singling Tesla out (especially not commenting on a story that is about Qualcomm, not Tesla). But Tesla's also not some sort of special exception.
Perhaps, but by the time this happens, I'll probably have died of old age. And if it happens sooner, then I expect that there will be electric cars that, either as designed or through aftermarket modifications, won't phone home.
And if that doesn't happen, then I guess I won't be using a car. Which is probably the best idea in terms of environmental impact, anyway.
Just snip the LTE antenna in a Tesla and you have an offline car. I can't claim to know if Tesla has built in any actively hostile features like the car going into a maintenance required mode if it's been too long since a ping home, but I do know that the car is fully operational without connectivity (not including features that required connectivity, like navigation data, of course). There are even physical RFID keys.
Not banned, but gas will become too expensive to operate them except in special circumstances. Once we start factoring in the cost to recapture the carbon emitted from combustion engines they will be instantly uneconomical.
Piss of Elon and in the morning your car could be parked some couple of miles away OR FSD buggs out on the highway OR someone reports you for something and they disable your car to aprehend you.
> This seems like much bigger news than it's being received as.
This has been widely known for more than a decade (Sorry I can't provide with a source. I was expecting Google search-in-the-past feature to work, but it doesn't).
As to whether the privacy policy has been declared properly or not, it depends on the OEM: See for instance https://www.bsr.at/mediafiles/Handbuch/CipherLab/User_Guide_... which shows Qualcomm's IZat default integration (This documentation shows an Android 7, but that screen has existed since at least Android 4.4)
> Sure, other chip makers do sketchy things, but is that really where we're at in 2023?
Literally all chip makers literally do that exact thing (except maybe the Unique ID part), just because that's how you're supposed to do A-GPS. For A-GPS you need at some point an oracle that is capable to give you an approximate location. There are some privacy-compatible ways to do that, but I'm not aware of anyone who even looked at it. (Looks like GrapheneOS skims that feature altogether, that's a way that works)
> It's a horrible time too because the embedded 5G chips are about to be part of everything, sending telemetry back
Even though Qualcomm can make things worse, the vast majority of IoS already do just that, and don't require 5G.
Of course I overall agree with you on lost ownership of modern electronic devices (and as you point out, everything became electronic devices), I'm just saying that it's nothing new. I think you need to get back at least a decade to see the unstoppable start of it (though DRMs are much older than that)
> I can only hope the RISC-V combined with people willing to care can lead to a return to a time when people actually own stuff and ownership is something we respect.
What does the ISA change in that regards? I would guess that the currently most deployed RISC-V device are nVidia graphic cards. And you're probably very aware that you don't fully own nVidia graphic cards. I'm also aware of other RISC-V devices in the field that are even more locked down.
> > This seems like much bigger news than it's being received as.
> This has been widely known for more than a decade (Sorry I can't provide with a source. I was expecting Google search-in-the-past feature to work, but it doesn't).
Yep. Nitrokey's post was disappointing but understandable from a marketing perspective.
The thing that needs more discussion is the closed source stuff Android OEMs / ODMs run at higher ARM privileges rendering all of Google's grand ceremony around Android security moot (other than on Pixels may be).
> The thing that needs more discussion is the closed source stuff Android OEMs / ODMs run at higher ARM privileges rendering all of Google's grand ceremony around Android security moot (other than on Pixels).
You're mentioning security, which is interesting, because here it's not a question of security (don't get me wrong, izat did have security flaws in the past, and I wouldn't bet that modern devices are all properly corrected), but only to who you are sending your private data to.
It's also fun that you mention Google doing security around Android... because the vast majority of people do send their private data to Google!
My personal take is that if we want to control who we send our data to, we need to start from the easy steps: I personally use a modified Android to send the least amount of data to Google. Disabling gps xtra is pretty easy. I think I already have it disabled, but I'll check.
> You're mentioning security, which is interesting, because here it's not a question of security
I mention security because, by running blobs (sometimes entire OSes) in TrustZone EL3 / Hypervisor EL2 rings, OEMs / ODMs can pretty much do anything they want, including connecting to WiFi / LTE networks to phone home, analyse contents of the RAM, scan UFS / eMMC, track inputs / keys, and what-not; all without Android (Kernel EL1 + Userspace EL0) ever knowing anything about it.
> It's also fun that you mention Google doing security around Android... because the vast majority of people do send their private data to Google!
Agree. One good thing about Google tightening up Android APIs (and CCD certifications) in the name of security (and compatibility) is it only leaves Google with the keys to snoop on users. Careful "De-googling" of the ROM can take one a long way, indeed.
> My personal take is that if we want to control who we send our data to, we need to start from the easy steps: ...
And install the Rethink Firewall (network monitor) while you're at it, phh (:
It seems like much smaller news than what they pretend it is. If you open up the suspicious domain in a web browser, it does explain what it is, who it belongs to. It’s a download location for a GPS almanac, used in assisted GPS. See http://izatcloud.net/
The shocking news is that modern smartphones connect to a huge list of locations for various purposes. A large laundry list of providers can collect your ip addresses. But there’s little way around that. Every phone with a GPS chip will download that almanac from somewhere. Qualcomm uses Qualcomm. Broadcom will likely use Broadcom.
This article just has little to no information in it, at least not enough to get all up in arms about. Supposedly this nefarious information is sent in the clear but no analysis was done to see what it actually happening? They're just guessing?
The whole article is "Qualcomm privacy policy says they can do xyz" and then extrapolating from there.
Every time there’s some giant violation of privacy, the rejoinder is “well, it was in the privacy policy, you all agreed to it.” The moral of the story is that we have “to extrapolate from there.”
And they have clever lawyers to write their privacy policies. We don’t, so we have to “round up” in a sense unless we want to be blamed for agreeing to things.
The Qualcomms of the world created this situation, we just have to deal with it.
Also, where in hell is anyone even expected to find the privacy policy of a part of their product? In the box manuals before turning on? By then it's too late. It's not possible to agree to something you're not made aware of.
Agreed, the article is lacking. In some other threads it's come out that this is a GPS sync feature to speed up the time it takes for GPS to get locks. A useful feature to be sure, but IMHO not one that has to be implemented in such a user disrespecting way. It should be a toggleable switch, preferably opt-in. It wouldn't be hard to throw up a dialog on first GPS access that lets the user opt in. As implemented where the user is utterly powerless to stop it, it's an egregious privacy violation.
This angers me as well. At the same time, this sort of thing is so very common. It's hard, and unhealthy, to be in a perpetual state of outrage.
This sort of thing is exactly why I won't be replacing my smartphone when it dies. The only way to avoid being abused by tech companies is to avoid using their products as much as possible. This is where I'm at.
I don't see any other solution in the near term. Tech has been weaponized against us.
Your enemies want you to think eternal outrage is unhealthy. That's how they eventually win; They can play this game longer than you're willing to play it.
I am not willing to live in a state of eternal outrage. It's an incredibly unpleasant place to be and what's the point? My outrage changes nothing, and I don't need to be outraged to do whatever is in my power to change things.
This article finally pushed me over to thinking that we need to start pushing for some laws to limit this sort of thing. It's just pervasive, and "not giving [them] money" is completely ineffective. And for some companies, like Google or Facebook, it's pretty hard for a consumer to actually give them money in the first place, nor is practical [0] to not use their products.
The main reason why I'm eliminating these kinds of things from my life is self-protection rather than trying to get companies to change their behavior. As you say, getting them to change outside of effective legislation is impossible.
> for some companies, like Google or Facebook, it's pretty hard for a consumer to actually give them money in the first place, nor is practical [0] to not use their products.
Well, the only Facebook product I use is WhatsApp, and that's to talk with one person in Europe who only uses WhatsApp. The only Google product I use is YouTube, and I only use that with an account that is not used for any other purpose, and on a tablet that is not used for any other purpose.
So my experience is that avoiding these companies is entirely practical. All you give up is a small amount of convenience.
You also must consider that your family and community need protection as well, and they rely on those who have expertise in these highly complex topics.
A rather late place to draw the line, given the sheer exploitive nature the industry has shown itself capable of stooping to these last couple decades.
I've been fighting this stuff for years. At some point, the best way to fight is just to stop giving them money.
The cost/benefit ratio of having a smartphone is no longer favorable, so I won't have one. That seems like a reasonable stance. I don't know what's unwise about it -- whether or not I own a smartphone will not affect the world in any way.
> whether or not I own a smartphone will not affect the world in any way
But it will: in addition to not giving money to Qualcomm and co, I am giving money to the alternatives and constantly reminding all banks and organizations that alternative systems exist apart from the duopoly (whenever they offer me their apps).
I figure that to the extent anybody is paying attention, I am reminding everyone that there is at least some business being lost because of their abusive practices.
I don't need to go to all the hassle of trying to validate what phones and apps are safe or not to make the point.
The reason some of us have given up on these things may be due to reaching one conclusion or another regarding true motivations & capabilities involved. We all have a finite amount of time to struggle on this planet and picking battles is an important part of living.
For me, this is much broader than some specific technology device. This is about an epic struggle between the "consumer" class and some elite technocratic class.
To quote Ron White:
"And then they squared off with me in the parking lot, and I backed down from the fight, cause I don't know how many of them it would have taken to whip my ass, but I knew how many they were going to use. That's a handy little piece of information, right there."
It might be, but we haven't seen the packet captures yet. I'm not trusting this shallow analysis (from a source I don't have any particular reason to trust) without seeing more details or corroboration.
As mentioned, it's now 2023 and the Snowden revelations were in... 2013, right? There have been at least a hundred similar news events since. The "healthy skepticism" bit on the subject is misdirected at this point. Backwards, really.
It is upsetting, but I am not sure how it can be countered. I am genuinely asking what is the alternative here. We go back to the lack of trust. You basically have to assume everything is trying to communicate with mothership. You mention RISC-V, but was it ever really tested against the same proposition?
I miss the dumb everything days, where the manufacturer simply could not spare compute power on additional features like telemetry.
> You mention RISC-V, but was it ever really tested against the same proposition?
Good point, there's no reason a manufacturer couldn't build it in. My thought was more along the lines of lower barrier of entry that would enable more competition (Qualcomm is near monopoly and has pretty anti-competitive practices that make it super hard to compete with them), and hopefully there will be more transparent options out there. As a user of GPS I'd like the option of enabling something like this because the old days of taking forever to sync with the satellites did suck. But I want to be able to decide for myself, not have the decision forced upon me by the chip's firmware.
> I miss the dumb everything days, where the manufacturer simply could not spare compute power on additional features like telemetry.
Oh man, me too. The nostalgia for this burns like a fire in my soul.
> I miss the dumb everything days, where the manufacturer simply could not spare compute power on additional features like telemetry.
Indeed. The only "smart" things that I'm willing to have anymore are those that I've built myself. Apparently, very nearly no commercial manufacturers can be trusted anymore.
The alternative is to drop the purposeful error in GPS positioning systems.
GPS has a built-in error for the civilian use, and a higher-accuracy system for military use. The concerns when it was deployed included unwanted parties using GPS as a guidance system component for missile / drone attacks, etc.
This led to the early GPS enabled phones needing an enhancement to their positioning system. The early releases (think car navigation systems) would be tuned to un-do the GPS offsets, but as that was rarely a 100% solution, they would "smart match" to the nearest viable alternative. This is why in many older car systems, you are sometimes registered as being on the feeder road (or a parallel road) until the system can no longer resolve your travel with your map position.
For smart phones, the error was deemed to great to have decent customer satisfaction, so enhancements to GPS came into being. The phones would listen for nearby markers (typically wifi stations) and report them back to a data warehouse, effectively building a dynamic map of all the wifi points. Then one could anchor that map based on non-moving items (like cell phone towers) and obtain fine-grained positioning information by running relative strength matches to the nearest 3 or 5 wifi access points.
The system updates eventually for broadcasters that change ids, are powered off, are relocated, etc. It has error checking built-in to reduce confusion around one or two new / missing / relocated markers.
All of this was driven by customer demand, and the data collection necessary was mentioned in the past. As the maps are unlikely to ever be placed inside of phone devices, and would require intensive storage to duplicate into each phone, as well as intensive bandwidth to update each phone, odds are that the calls to the manufacturers (which are selling "enhanced GPS" positioning systems) will continue for a very long time.
The solution? Pressure the government to release accurate GPS positioning, so industry will see the running of an independent positioning system as redundant and not-cost effective. Then, when you get a position with GPS, you get an accurate position, and you need not send a signal to correlate nearby signals with your true position.
Does it suck? Yes. Is the current system subject to abuse? Yes. Is the current system abused? (I'm a skeptic of human nature, so) Yes, but its abuse patterns seem to be nearly identical to its use patterns, with the difference being that the companies providing this service can use it to help people find their way to the grocery or to help other people find their way to a specific customer.
Qualcom and others have a very vested interest in not abusing the system, as they would lose their competitive edge should the government decide to take action against them. That said, many people worry about the government being the party abusing the system.
> As the maps are unlikely to ever be placed inside of phone devices ...
Could you clarify what you mean? Here Maps allows you to download maps into your device and use it to navigate offline (without internet connection in devices with built-in GPS). I've been using this for (I think) more than a decade now and it works great. They also release maps updates frequently to download and update your maps. I believe Google maps has also begin offering similar offline map features.
You have a nice green field in your little town. There is this one guy that notices a gopher every so often and starts panicking and trying to get support to bring some professional to push them out.
Most people don’t walk in the field and have never seen or been bothered about the gopher or his little hole.
So everybody brushes this guy off as paranoid and his fears as exaggerated.
Then one day in your small walk you stumble upon the hole and start panicking yourself and trying to raise the problem.
You are wondering why isn’t everyone outraged by the gophers. Even that guy that used to warn everyone daily about the seems to not care anymore.
Well, it’s not that he doesn’t care. He is tired and defeated.
Trust hasn't mattered for a while. Growth and profit are the pope and king. The "whole model" runs on these companies. They have civilization by the balls, and we have to live with it unless we throw almost every computer advancement from this millenium out.
> That's what is happening when you "buy" a device and the device maker uses it to run code that serves only themselves (without receiving permission), to the detriment of your privacy. I can only hope RISC-V combined with people willing to care can lead to a return to a time when people actually own stuff and ownership is something we respect.
You putting quotes around words such as "buy" and "ownership" push people away from your view, and any view like it, unless they have already adopted it that view or a similar one.
if you want this to change, stop ranting, stop scare-quoting normal English words because you disagree with the way they are used, and approach the problem logically. asking rhetorical questions and being angry is not how you get people thinking about this.
state your case, (we know it, but state it anyway) without emotion of any kind, and without unanswered questions. start by verifying what this article is claiming using your own device. the entire article could be BS designed to enrage people and to see how far it spreads before it is fact-checked.
it is very difficult to listen to someone who is ranting and who is speaking from a point of emotion unless you are emotionally invested yourself. it is much easier to ask someone to think about facts than it is to ask them to feel about emotions if you want them to think about what you are trying to say.
I think you guys are ALL missing the point. Imagine if you bought a brand new car but later found out it had a stolen engine? This is probably why Qualcomm is collecting data from its chipsets. Qualcomm gets a 5% royalty (5% of the cost of the entire handset) payment from each vendor.
Qualcomm needs to know if a vendor is lying about the number of chipsets it has used. They need to know if the vendor claims 10M cheapo handsets and 1M expensive handsets - they need to know if the numbers are actually reversed!
This backdoor can get them the evidence they need to invalidate a license with a vendor - cut of chipsets shipments - and start a new negotiation. Remember, Chinese vendors will cheat like bananas. Chinese vendors asked for a HUGE discount on domestic phones - and they go it - but at the cost of a higher-than-normal royalty for exports. They are probably cheating, it's what they do.
How do you cheat with a physical object like that? Isn’t Qualcomm selling them the chips? It’s not a windows install, it’s a physical item they buy. Don’t they just pay by the unit?
They might pay more for a unit that goes in an expensive phone than in a cheap phone, even if it's the same unit
There are all kinds of licensing agreements that go along with physical products. For example a book or videotape that is licensed to be used in a library costs more than a book or videotape for personal consumption
Outrage is not going to bring about a solution. Either “the gov’mint” has to step in and regulate or consumers have to vote with their wallets. Many of us own iPhones because we choose to trust Apple’s ecosystem over Google’s.
This news will only appeal to very technically minded individuals, like the HN audience. Have you seen the average persons smart phone home screens or social media feeds? They don't care about privacy one bit. Its all about comfort and convenience.
Did I miss something in the article? They see the connections were made, it was plain http, but they didn't actually show any of the real payload/data? Instead they quoted the list of what Qualcomms policy says could be collected? Seems like low hanging fruit...
Disclaimer: work at Qualcomm but have nothing to do with any of this
Yeah, I'd be interested to see what's _inside_ the request, not just that it was made.
Was it a connectivity self-test or empty GET request? That's not ideal, but fairly benign.
Or was it a "phone home" reporting the device's ID, SN, IMEI, etc? That's a lot worse.
Or, did it truly contain PII or geolocation data? that's really bad. It matters a LOT what's inside the request, and it seems a little dishonest to not include it in the report.
Interesting research. I have booted up Pixels using Qualcomm chips and have not seen the elusive izaticloud.
The one issue with using GrapheneOS's connectivity check is that you're broadcasting to the network that you're someone of interest. An Android phone connecting to Google isn't great for privacy but it is normal. An Android phone connecting to a GrapheneOS domain isn't.
> The one issue with using GrapheneOS's connectivity check is that you're broadcasting to the network that you're someone of interest. An Android phone connecting to Google isn't great for privacy but it is normal. An Android phone connecting to a GrapheneOS domain isn't.
Thanks that's an interesting thought.
I had similar thoughts, but going the other way around. I was wondering whether you gave more entropy be not using Google's generate_204, than by using it (= do more IPs do generate_204 calls). But after trying to compute some estimates, I ended up thinking that not sending generate_204 was still better than sending it.
But yes, as you point out, the entropy provided by pinging /another/ generate_204 is much much higher. At this point, it depends if you want to lower the information you send to Google, or your carrier.
PS: Just in case, Android's connectivity check pings a "generate_204" endpoints that as mentioned literally just responds with a 204
This is old news. Smartphones have been using A-GPS for many years. The izatcloud.net domain was registered in 2012. The gpsonextra.net domain was registered in 2006.
One could just as easily download these A-GPS files ("GPS almanacs") oneself instead of letting Google Play Services or GrapheneOS or whatever do it. There's no need to send any data to any server. Just send a minimal HTTP request.
GET /xtra3grc.bin HTTP/1.1
Host: xtrapath2.izatcloud.net
Connection: close
It's really easy to block A-GPS when using Location. NetGuard can certainly do it. Not using A-GPS might mean GPS is slower to start up in some instances. But it's not very long IME.
In those instances, I use an app from F-Droid called GPSTest to let me know when GPS is ready.
It would be nice if we compiled our smartphone OS ourselves, then we could edit configuration files, like the one that enables A-GPS, and/or remove code we do not like. XDA seems to be the closest to that ideal.
If the data is as they say sent via http then surely they can show a sample request with what data is _actually_ sent from the device instead of the list of what Qualcomm says might be sent (which was probably drafted by CYA lawyers instead of engineering)?
Right? That would be much more interesting, and I wonder why they didn't show packet data. They already went through the work of setting up wireshark, might as well peek into the packet data to see what's going on.
This caught my attention as well. They go out of their way to mention that the requests are HTTP, not HTTPS, which allows spying by all sorts of nefarious types. And then... they don't show the requests. It leads me to believe they are exaggerating all of this.
I think it would be meaningful to introspect that data since clearly it's not encrypted using https - this would be trivial with a MITM proxy on the gateway.
All of this to push your own platform without any data backing it up aside from an http connection and privacy policy. Pretty alarmist. Not that anyone is advocating for unauthorized connections to the manufacturer of your hardware, but the author should at minimum capture what is being sent (if anything) and what is being received in return. From what I can see this is a preseed for GPS data that speeds up GPS acquisition time by sharing the latest constellation data so the phone doesn't have to sit there for 5-30 seconds listening for enough satellite beacons to determine the position. It should not require any input data to provide it's function - that request should be a simple GET to an endpoint that has no extra query params or headers.
If you want to be concerned about something, be concerned about the very likely fact there is nation-state level backdoors sitting in that very same firmware (or hardware itself) that isn't using observable channels to operate. The plethora of "chatter" on the cellular network just to receive phone calls is orders of magnitude more than this request, and much of it is handled in the radio firmware invisibly which also has root-level access to much of the system.
I agree; it was quite a bad article promoting their own "secure" phone. As for your last paragraph, it is hardly a secret that smartphones cannot be trusted in general. It is already a common practice to leave phones out when attending some meetings. I am not sure whether even diplomats and such truly trust the hardened phones their governments give them when located in certain countries. Fortunately, I do not have to worry about such things myself.
The situation is likely far less scary. The article seems to intentionally overblow the accusations without going into any depth in order to push the advertisement for their phone.
Talking about /e/os /their competitor/ in the beginning to make them seem less-competent:
>Surprisingly, the deGoogled phone's first connection is to google.com.
>This makes us wonder. /e/OS did replace Google’s connectivity check, but did they somehow miss out to replace the Google Play Store URL?
/e/os has microG so I'd guess it's on by default and this is "google device registration" that is necessary for safetynet.
Then in the main part they talk about AGPS. Instead of showing the unencrypted traffic that supposedly contains the private information, they just quote qualcomms privacy policy. They make a big deal about the phone requesting agps data even when the location is turned off (unlike theirs amazing one that only requests the agps data when you turn the location on.) My phone also requests agps data only when I turn the location on and it sucks because If I don't have internet access, without fresh agps data the phone can take a really long time to get GPS fix (Especially in bad conditions like snowy forest where I wanted o check if I was still on the right trail but couldn't get fix at all.). It's an oversight on /e/os side not to proxy the agps requests but it can be done. Many service providers do it which seems worse and if you want, you can easily tell android to use a different server, just follow this reddit post: https://old.reddit.com/r/privacy/comments/cldrym/how_to_dego...
I'd love to see more competition in mobile cpu space but fearmongering about qualcomm being evil without any substance is not the right thing to do. What is far more worrying is that both qualcomm and exinos chipsets have terrible track record when it comes to vulnerabilities.
> In spite of its reputation for bolstering users' privacy, all Fairphone models contain a Qualcomm chip probably loaded with the AMSS blobware. The Fairphone has therefor the same issue with sharing of personal data with the Qualcomm XTRA Service.
When calling out a specific brand like that, I was surprised by the "probably".
Why not first confirm it, such as by testing, or by getting a statement from the brand or Qualcomm?
AFAICT from the article, the A-GPS download request may (they didn't show any payload analysis of an unencrypted payload...) include:
- Unique ID
- Chipset name
- Chipset serial number
- XTRA software version
- Mobile country code
- Mobile network code (allowing identification of country and wireless operator)
- Type of operating system and version
- Device make and model
- Time since the last boot of the application processor and modem
- List of the software on the device
- IP address
The A-GPS system downloads current satellite orbits (Ephemeris) from Qualcomm instead of waiting for all relevant satellites to transmit all of them on their own. This reduces the time it takes to fix the position.
I would've preferred that they show the actual data transferred, instead of what the policy says they may transfer.
Contrary to mediatek chips who openly send it to China or apple chips who also openly send it to Apple, and of course let's not forget the intel management engine ;)
Reading the article thinking of GrapheneOS on my Pixel 7 with tensor G2, then they say NitroPhone not based on Qualcomm and equipped with GrapheneOS, getting confused
then see what they sell is just a pre-flashed Pixel. A price of $1299 for P7 pro doesn't even contain desoldered microphone, and that's a $400 addition. That sounds salty and shady.
Also, the test sounds and reads shallow.
I wish to point out this alternative: Let's increase transparency instead.
Require all data sent and received to be in a common well-documented format (XML.)
Require the following be documented in the XML (1) The program sending it, (2) the program receiving it, (3) what it means, and (4) what it is used for.
There should be a single place to go to see all data coming and going so the administrative user of the device can review all data coming and going.
A lot less shenanigan's would happen online if every value sent and received had to be well documented with
Because that a new Windows install sends and receives so much complicated garbage that that networking people can not understand what is going on, this would require rewriting everything. I'm willing to do it.
Can't even avoid spyware web services at the hardware level now.
This is really gross.
Edit: I've long since sink-holed `izatcloud.net`, and have seen countless look up to this subdomain for the duration of ownership of a Pixel 4a (running GrapheneOs).
Question about people in the industry: Is this like "yeah it was a team of 50 programers and then 200 testers involved in making the chip that new about this". Or is it like "fucking brown-nose Dylan who got a bonus to stfu and implement it".
Why all the handwringing on this exactly? This data is necessary for product improvements. Seeing it in aggregate improves troubleshooting and tuning to specific operator's networks as well as end-to-end performance analysis.
If the list of data in this article wasn't exposed by Qualcomm, then it's exposed in other ways like via SS7 in certain scenarios or to the OS and apps. Granted, app permissions are at least a user choice but we all know how that works these days. At least Qualcomm's using it to improve their product and not just harvesting for advertisers.
Also, like others have said, this is a shallow blogspam article trying to sell a "secure" phone. Ick.
"The smartphone is a device we entrust with practically all of our secrets."
That is the main problem to me. Manufacturers building spyware into their products is just the consequence resulting from those products being closed paired with being connected, and the manufacturers' ability to get away with it. Putting aside conspiracies, spying people still is a lucrative business, therefore I don't expect any manufacturer to resist that opportunity.
It's up to people to educate themselves about the dangers when trusting a device that is closed and goes online.
Sooo what this is nothing new.. What you wanna live in a MediaTek world? No thanks... If you truly know how to manipulate the SoC you can mitigate this as well but people are lazy inherently so, carry on! For a bit of color, the technical manual for the Snapdragon Cortex line is 8,767 pages long, you expect some chinese engineer who hates his life and hates you cause the PLA force him to design a certain way is going to read this manual?
Learn how to mitigate security cause you are not going to win the battle head on, simple truth that is hard to swallow.
1) laws that enshrine the right of owners/users to circumvent bullshit like this (a right to digital self defense) and that prevent corporations from making it unreasonably difficult to do so.
2) a healthy community of hackers building the kind of contraception we need to protect ourselves from bullshit like this. I don't know what that is when it comes to an SoC, but we need it.
We can't rely on the companies not to do these thing (in fact you can set your watch by it), so we should just focus on protecting the right to route around it.
I have been aware of this since at least 2019 and the izatcloud.net domain is on my personal dns blocklist that I maintain. I also edit the gps.conf file on my unlocked devices to remove this url.
On the other hand, you never know what the proprietary HW + blobs are capable of.
It's likely to keep track of how many black market chips tsmc is producing, and how many times Qualcomm is not getting royalties ...
If one particular vendor has 25% Black market Qualcomm chips inside for which Qualcomm never gets a royalty then I think they would definitely be getting a phone call from Qualcomm pretty soon...
the NitroPhone's GrapheneOS contacts and downloads the A-GPS files from google.psds.grapheneos.org, a proxy server supplied by GrapheneOS to protect users’ privacy. Whew that's okay then. No possibility of any problems there at all.
How is any of this legal if it wasn’t overtly spelled out in a TOS or user agreement to use the chipset? I hope some legal privacy advocates are ready to take this to court if it’s as bad as everyone is saying it is. Thoughts?
Good luck though. Even the PinePhone has a Qualcomm, and it is probably one of the most promising devices for privacy.
(that said, I'm not sure this particular service is used, especially if you use a custom firmware which provides an open source replacement to many of the original firmware components. GPS does not work very well until the userspace itself sends an xtra A-GPS file to the modem)
Wow, that's a lot of buzzwords and very flashy designs but very few details for a 3k$+ Android phone from 2 years ago running... on a Qualcomm chip. With no source code (the absolute bare minimum for privacy) in sight.
No thanks. What's better about it than a regular Android phone with one of those privacy-oriented OS, privacy-wise?
Also, two comments on HN, both about this phone?
Do you have anything constructive to say about the PinePhone? "Absolute trash" does not really cut it.
Something like this should result in an automatic ban being applied on the manufacturer and phones using their chipset.. but here we are and there is absolutely no noise about this. Shameful
this news was a direct ban of chinese made phones but because it is qualcomm it is fine. we can safely assume there are backdoors into every american-made electronics
and another large Wi-Fi Wireless chipmaker secretly sends data to their mothership + shares with ISPs. What can do you? very little, since the code is binary and it is buried in their FW. Even with Opensource SW, it is hard to get rid of the binary blob.
Intel runs Minix on their CPU's in their "management engine" to deal with boot security and other things which means it is able to override the host OS and even parts of the CPU itself and access the network, storage and memory independently.
If they are really compliant with the GDPR they must answer an information request. I just found the policy[1] . I guess I will write my first letter to Korea.. Also I guess I would need my unique id or chipset serial id: does anyone know how to get them? Then i would be all set to request which Qualcomm actually collected on me. Btw, using unencrypted connections allone probably is an easy gdpr violation. Qualcomm seems to have European offices, so I also wonder which national/regional data protection authority would be the right one for a complaint.
I love a lot of the work of Nitrokey, but I cannot get behind the Nitrophone.
Firstly, the Nitrophone is just a Pixel 4A which contains a Qualcomm Snapdragon 765G CPU. I am confused at how the author claims it is free of Qualcomm control. They are unquestionably an active participant in mass surveillance efforts and there are much more covert ways of doing that when you control a CPU, like making your random number generator not actually that random, potentially compromising -all- TLS, or only activating firmware location tracking features when particular domains or traffic is observed. There are countless ways to hardware backdoor a device that are not as crude and obvious as the ones this article observed.
Secondly, the sole signing key for phone software is under the exclusive control of Daniel Micay who is an undeniably brilliant engineer, but I suggest looking into how they communicate online and comments by anyone who has ever worked with them before. Supply chain integrity for GrapheneOS stops and ends with one person, who has rejected all attempts by me and others to pursue reproducible builds etc for accountability.
Third, GrapheneOS still contains many proprietary blobs with full control over various portions of the hardware. The GrapheneOS team has no choice, because the supported hardware components have not been reverse engineered yet and cannot function without them. The only blob-free Android is Replicant OS but it only runs on reverse engineered but sadly ancient devices long out of production and ancient builds of Android missing many years of security patches. The state of open and private mobile computing is truly a shit show.
Fourth, even if you had a fully trusted hardware and software stack, a device that connects to cell towers, even a dumb phone, will be pinged by three or more towers at a time. All of them collude to log the location of every single phone connected. The only way out is living on Wifi only with airplane mode full time.
Fifth, even if you open source hardware and software you -still- have to worry about state sponsored supply chain attacks at the factories.
The only way forward is to essentially go back in time to decisions we made back in the 90s and start over again, which is what the Precursor project seeks to do.
That is the only hope I have for a high trust messaging device in my pocket any time soon. There is an alpha matrix client, so fingers crossed.
Regarding the first point: Their current offerings are based on more current Pixel devices (6a, 7, 7 Pro), which use Google's chips, which in turn IIRC are mostly Samsung Exynos with a sprinkle of Google. That way they are only shooting their first product into the foot.
The initial HTTP request that they mention to Google is not related to Qualcomm at all but rather a part of the Google Play Services implementation in microG which /e/OS uses [1]. MicroG, as many might be aware, is an open-source implementation of Google Play Services that tries to avoid leaking sensitive user data amongst other things.
The request to android.clients.google.com though is required in order to checkin the device and receive a device ID and security token [2], which is needed for Firebase Cloud Messaging and push notifications [3]. The checkin include hardware details such as available features (GPS, WIFI, Microphone, EGL version) [4] but sensitive details such as HW MAC address, serial numbers and SIM operator ID are spoofed. [5, 6]
Basically if you're running deGoogled and still rely on Google Services, there _will_ be a few calls to Google owned servers. MicroG avoids sending sensitive HW and user data though, more can be read in this thread: https://github.com/microg/GmsCore/issues/1508
It's entertaining that this article clumsily lumps Apple in with Google regarding this stealth data collection, but without offering a single shred of evidence that Apple is doing this at all, let alone doing it secretly.
That's why you install a firewall on your phone and disallow all outgoing traffic by default - possible with Android, impossible with iOS as far as I know - and keep those drivers away from the 'net. Yes, the device works, you just see loads of 'connection errors' in logcat but those just tell me things work as intended by me by not working as intended by the likes of Qualcomm.
As to aGPS being necessary this depends on how often you use GPS. Without aGPS it takes a while for the device to lock after a total cold start but once it has locked it should be able to reacquire lock within a short timeframe. As long as you do not move more than 100 km from the position you were when you last switched off GPS, the clock is within 20 seconds and you're not breaking any speed limits you'll get a fix within a few minutes assuming the receiver can see some satellites. In other words, GPS works fine without aGPS.
The firmware on the SOC does not connect directly to the 'net, it interfaces with Android to do so. Android uses the Linux kernel and the Linux IP stack. That IP stack uses Netfilter [1] for filtering and packet mangling. The firewall uses iptables to define Netfilter rulesets which control which data gets sent where, which application is allowed to send data - this includes the kernel (and modules) itself. Block all outgoing traffic - which I do by default - and no data goes out. Try it if you don't believe this, you'll find out it is how things work.
So yes, Android - or rather the Linux kernel on which Android is built - is going to "save me" in that I am in control over which application (including whatever Qualcomm uses) gets to send data. Apple users are out of luck since iOS does not allow this type of filtering but Android does.
> The firmware on the SOC does not connect directly to the 'net, it interfaces with Android to do so.
Do you have any documentation on this? Even firmware such as Intel ME or UEFI implementations connect directly to the Internet itself. So I have a hard time believing the firmware on a Qualcomm SOC does not directly connect to the Internet itself.
No, I do not have any documentation on this nor do I expect any documentation from the likes of Qualcomm where they claim not to exfiltrate data without prior agreement to be all that convincing. What I do have is experience in using firewalls on Android devices for as long as I've used those (about 12 years). I regularly use packet sniffers to see what these devices send to the 'net both to check whether my own stuff is working OK and to check for unwanted traffic. Setting the firewall to block outgoing traffic before enabling network connectivity has always been effective, this includes devices using Qualcomm modems. I use WiFi for these tests just like described in the article as testing for unwanted traffic going over the 3/4/5G connection is only possible if you have a private 4/5G network which I do not (yet) have. I tend not to use 3/4/5G data though - I only have a single device on which I have data enabled and paid for, the rest goes through life using only WiFi. If Qualcomm has made a deal with all mobile operators to push their telemetry through 3/4/5G even on accounts which have data disabled (as in 'not paid for' as well as 'function disabled in Android') they're in for a world of hurt when that news is brought to the light. I assume they have no such agreements as it would not make any sense seeing how easy it is to just use Android and iOS to push that data back to the mothership - which seems to be what they are doing. They are far from the only ones doing this, it is actually the main reason why I block outgoing traffic by default. Just give it a try sometimes, take a device and hook it up to the network through WiFi. Use a packet sniffer on the router to intercept everything coming from that device and feed the result to something like Wireshark. Do the same with that device with a firewall filtering all outgoing traffic and compare the results.
It's a privileged app ( a service in Android lang ) that once fetched sends the data to the modem, where GPS is actively implemented, and augmented by such extra data.
Pray tell, how does the hardware chip send data to Qualcomm? That data goes over the 'net, right? How does that hardware chip interface with the 'net? The answer here is 'through the OS' since that is how network connections are made on these devices. Even if the hardware chip contained an IP stack it would still need a network connection to get the data back to Qualcomm. That network connection goes either over the wireless interface (3/4/5G), via WiFi, Bluetooth, NFC or any of the other interfaces the device has - all of which are controlled through the OS.
Android, being built on top of Linux which contains Netfilter as I explained elsewhere [1] which allows you to block network access no matter whether the data originates from some hardware chip or somewhere else. The only way data could make its way off the device is if the radio firmware made a covert connection to Qualcomm which could be used to totally bypass the Linux kernel. That connection would not use the system IP stack and it could work even if the user does not have data active. It would need cooperation from network operators (all over the world) to get the data out of the carrier's network to Qualcomm. This is not what this article is about, it is quite possible that the likes of the NSA are up to this type of shenanigans since they may be able to force carriers to do their bidding [2] but Qualcomm is just another corporation looking to 'get to know their customers'. Read the article and you'll see that the data is exfiltrated through Android. A default block for outgoing data - like I use - blocks this just as well as it blocks other similar attempts.
Addendum: To the people downvoting, the article is clear:
> During operation, the covert operating system (AMSS) has complete control over the hardware, microphone and camera. The Linux kernel and deGoogled /e/OS end-user operating system function as a slave on top of the hidden AMSS operating system.
The firmware may have the capability of doing this (it varies from device to device how much it can do compared to the OS), but the article is 100% incorrect about the source of these requests specifically, they are managed by android itself, they just "couldn't find an explanation", which strikes me as odd when an explanation from 3 years ago is literally the top google result for the OS and the domain name in question.
Yes, it claims AMSS can control hardware. It also claims data is exfiltrated. Read carefully and you'll see it does not claim the data is exfiltrated through AMSS - they're using WiFi for their experiment which has nothing to do with AMSS, the mobile radio firmware.
Correlation does not equate causation but they want you to think it does so you run to their web shop to buy a rebranded Google Pixel 7 (with Samsung's Exynos 5300 radio modem and accompanying firmware which has just as much control over the hardware as Qualcomm's AMSS has...).
The AMSS has control of the hardware, but there's different components, each implementing different functionality, they may be able to talk with each other using various IPC mechanism, and they do, but mostly using Android as a middleman ( Linux )
WiFi ( known as cnss on QCOM ) is implemented in a different block than GPS, they don't have direct communication in place. It's routed via the Linux kernel ( and userspace processes )
Complete control over the hardware, microphone and camera may allow more data to be gathered by e.g. turning on the microphone and recording everything it detects but the data still needs to get off the device somehow. The hidden AMSS operating system could theoretically be used to open a covert channel through 3/4/5G independent of the user's mobile subscription but that is not what this article is about - read it again if you missed it:
> We also didn't place a SIM-card in the phone either so it could only send and receive data over the WIFI network which we are monitoring with Wireshark. Wireshark is a professional software tool which allows us to monitor and analyze all traffic being sent over the network.
If the claims of Qualcomm using its hidden AMSS operating system for data exfiltration were true it would not matter whether the device has a SIM card installed or not. Even without a SIM card the thing is still able to reach cell towers, it still has an IMEI, it can still be used to call emergency services (112 or 911 etc), it just won't have an IMSI. Mobile operators are by law mandated to enable connectivity to emergency services to all devices so those connections are passed to their destination. Without an IMSI they do not know who to bill for connectivity so they do not pass any other traffic for such devices. Even with a SIM and thus an IMSI there is no guarantee the subscriber has paid for data so again the operator will only provide connectivity when there is some account to bill it to.
> After we provided our WiFi password in the setup wizard, the router assigned our /e/OS de-Googled phone a local IP address and it started generating traffic.
The data is exfiltrated through WiFi - which goes through the Linux kernel, using the Linux driver for the WiFi hardware. A default block for outgoing traffic puts an end to this just as surely as removing the battery does bar any covert manipulations of the device.
Realise that those who wrote this article are trying to sell you something, hence this rather poor article which tries to insinuate Qualcomm has somehow managed to get mobile operators to cooperate in a scheme to send private customer data through a covert channel. Realise also that they claim their 'Nitrokey' device does not contain a Qualcomm modem. That is quite possible... but it does contain a radio modem and the accompanying RT OS to control it - radio firmware delivered as a blob to be installed on that Nitrophone which is nothing more than a rebranded Google Pixel - using a Samsung Exynos 5300 modem - with GrapheneOS installed.
On the one hand it wouldn't surprise me if the Qualcomm modem accesses the network on it's own - it very much wants to be a black box - on the other hand I doubt this story for two reasons:
- WiFi is implemented on the Android side. In all Android implementations I've seen, the WiFi module is part of the SoC or a separate chip, and Android runs the regular wpa_supplicant and so on. The chip cannot see the contents of packages, it only passes the bytes to the MAC (not sure if it is called that with WiFi).
(Now, of course in the case of a SoC the chip could, with driver support, peel back the encryption and inject it's own traffic, just like some IPMIs can share an ethernet connection with the OS. I just have not seen this yet.)
- In Android, it is usually the responsibility of the OS to fetch the AGPS data / almanach. You have a HAL consisting of a proprietary library (.so) that you get from the GPS vendor, some glue code, and a gps.conf. The gps.conf file lists the URLs to get the AGPS data. I'm not sure if the download is performed in the .so or in Java code, but anyway it is totally in the OS and not in the modem, at least in the cases I know. When a custom ROM, even a "degoogled" one, is made, you include a customized kernel and custom drivers, and the AGPS URLs are part of this "driver".