A quite overblown article from a company pitching their own "secure phone".
They installed a custom OS which apparently includes Qualcomm's indoor positioning service iZat, but is missing the EULA item to allow the user to enable/disable the service.
iZat exists for at least 6 years, and the vendors who implemented it usually have a separate checkbox in their startup wizard to allow it to work.
Do you also trust the Intel Management Engine and AMD Secure Processor? Because I see no reason to. It's almost like all these companies were compelled to implement these features by a caring government. Maybe it's for the children
IME’s a poor analogy for what’s happening here. the article ends with
> Affected users could try blocking the Qualcomm XTRA Service using a DNS-over-TLS cloud-based block service, or re-route this traffic yourself to the proxy server from GrapheneOS […]
if these requests were being made below the OS, akin to IME, you wouldn’t be able to substitute the DNS like that.
unless they mean that you could reroute things upstream of the phone — but most users don’t deploy their own fleet of LTE towers, so i doubt that’s what they meant.
why do you shoot the messenger? yeah they did a bit of advertisement to their phone, who cares. what matters is that now even freaking basic hardware pushes your data wherever they want without asking you. I really wonder if this had been a Chinese company the kind of comments we would have seen here.
Because the part about is being the hardware is false. This behaviour is entirely part of the OS. It's still bad, especially if the OSS ROM is not making users aware of it (though neither really are the manufacturers: burying this shit in a pages-long policy which the user cannot freely decline does not qualify for GDPR consent either). It's very easy to make android look bad from a privacy point of view, you don't need to make things up to do so.
Worth to note that on a manufacturer implementation the consent is not buried in some pages-long policy. It's an explicit, separate item, which contains "sends your location data" and "may operate even when no apps are running" in the first paragraph.
My phone (from Sony) uses this and is making these requests, and I can neither find anything in settings which would allow me to opt out, nor do I remember such an example during set-up (and I always go out of my way to refuse such things).
I don't know which Sony device you have, but the setting is probably in [Settings]-[About Phone]-[Usage info settings].
The question about data-collection is asked during initial setup (iirc depending on Android version it's either on the very first page of the startup wizard labeled "Important Information", or it's shown as a Notification after the Wizard is completed), but I admit Sony has a quite elaborate list of License Agreements and they make it quite "frictionless" to just confirm everything.
Anyway, I can't tell how Sony implemented it across all its models and years, but to stay on-topic, community-OS's are not really a benchmark for End-User License Agreements on privacy-data (which is what that company in this article was benchmarking against its commercial product)
They installed a custom OS which apparently includes Qualcomm's indoor positioning service iZat, but is missing the EULA item to allow the user to enable/disable the service.
iZat exists for at least 6 years, and the vendors who implemented it usually have a separate checkbox in their startup wizard to allow it to work.
Example screenshot after a quick google search: https://lgk20.com/wp-content/uploads/2021/09/57-60.jpg