Of course, if you buy an iPhone in Europe, and you want to use it any significant manner, you're getting spied on by US agencies as well:

- GPS: the wifi and celltower db queries that optimize the service are transferred into a foreign country.

- use Siri: uploads your whole address book to US servers before use

- use iCloud tabs: every URL you visit it uploaded to Apple's US servers

- turn on the only cloud backup solution available on the device, and all your data, including every SMS, every call and all your most private notes and photos are also transferred into the foreign country of the US, with a chance of it being analyzed by certain agencies.

In other words, this might qualify as getting spied on as well.

- GSM/CDMA: location and communications peers can be tracked neatly, over time, forever, in a manner that can be used to easily determine social interactions even based on proximity. Data very frequently extracted from your carrier for 'outsourced billing' purposes to Mossad/NSA via http://amdocs.com/

- use Safari: everything you type in the address field gets sent to a US company.

Same with Chrome.

You can disable suggestions. It's either in privacy or safari settings.

This is even more true for Android phones.

These are cases of making trade-offs for capability, not outright malware. And why limit it to the iPhone? Do you honestly believe Google is capturing less information?

The article already singled out Android. So far as I can tell, "Generic Star N9500" phone in question is an Android phone: http://www.amazon.com/Generic-Star-N9500-Android-MTK6589/dp/...

What is speculation about this?

- wifi and celltower db query servers are indeed hosted outside EU

- Siri indeed uploads your whole address book - it even tells you about that beforehand!

- iCloud tabs must upload every URL to a central server, it would not work otherwise

- the mud puddle test* proves that iCloud backup is extractable from Apple servers by third parties.

*http://www.magnir.com/2012/08/how-secure-is-your-cloud-take-...

The speculation is about whether it's accessible to US agencies.

NSLs exist, and is there any reason to believe they're not enforceable for non-US data?

I think the unresolved issue is if a normal warrant/subpoena can force a US company to hand over data from a EU subsidiary for a EU end user.

> NSLs exist, and is there any reason to believe they're not enforceable for non-US data?

Given the pains the NSA took (no matter how tortured the logic got), to keep trying to claim they weren't spying on Americans [except when they talked to non-Americans, or talked to someone when outside the US, or when an otherwise American communication got routed outside the US, or they accidentally included American data in a sweep "targeted" at non-American data, etc.]... I think we have plenty of evidence that the opposite is true.

Assuming the data is available in the US (so no other country can get in the way), it's easier to demand non-US data than it is to demand US data. Don't forget: part of the detestable legal rationalizations behind this surveillance is that non-US people have no Fourth Amendment rights - eliminating many classes of potential or actual legal barriers.

No, we know the data is being examined by Google.

I wouldn't try to minimize this issue - it's terrible that the Chinese are trying to fit spyware into unbranded phones like this. Perhaps the bright side here is that when the Chinese do try to commit electronic espionage, they're pretty clumsy about it.

BUT...

Given the way smartphones everywhere are made - China and elsewhere - it's impossible for even technical users to know that their phones aren't spying on them. While most of the software running on your smartphone's application processor is now open-source (if you're in the Android majority), the software running on the baseband processor is 100% closed source and secret. We don't know anything about the horrible agreements that have been made between shady government agencies and the baseband manufacturers like Qualcom.

False. The software running on your Android phone's application processor is not open source.

A significant fraction of it is based on a closed source fork of AOSP. The rest (both the Google Mobile Services layer, and the manufacturers customizations) are all closed source and have never been open.

On top of that, there are baseband firmware which runs a realtime OS, which is completely closed source.

Oh heavens. I did say 'most', didn't I?

Almost none of it is open source.

>Is that as good as "open source all the way down"? Of course not. But it is a hell of a lot better than the "opaque binary blobs all the way down" offered by most of the alternatives.

I fail to see how. It's not like a partial binary blob is better than a full on binary blob. The opaque part might do anything too...

>Where was Carrier IQ found first? Why?

The link doesn't say. And if anything it was not because there was an open-source part of the phone OS.

For one, on active, sold, phones, the device code is compiled anyway.

I'm not skipping anything, and at least you are agreeing that shipping Android phones are not using open source software.

I do not dispute that having a related system that is open-source can aid in reverse engineering.

However the source of commercial Android phones is not open source, and does not have the benefits that open source would imply.

Am I the only one to find this article really thin ? Where is the disassembled code ? To whom the public key that signed the software belongs too ? Which server it sends the info to exactly ?

If you start to get as paranoid as the entire forum is at the moment accusing blindly Apple, Google, Qualcomm etc. Why nobody asks for a simple piece of evidence for anything ? This could really be a cheap manipulation ...

Edit: grammar

Um, why is there a running assumption that this is the Chinese government?

A Chinese manufacturer has even more incentive to steal information and sell it given the razor thin margins on making these phones.

More info here, this has been known for some time already:

http://forum.xda-developers.com/showthread.php?p=53391745

http://forum.xda-developers.com/showthread.php?t=2395007

Fortunately the solution is pretty simple, as these generic MTK devices are all easy to root and reflash with new firmware.

The entire american telecom infrastructure is rife with spyware. Why should chinese telecom be any different?

There's a ton of these generic MTK-processor-based phones available online; I bought and played with a few a year or two ago. They range from "really crappy" to "pretty nice", but in most all cases you're stuck with the version of Android that they ship with, as there's no ongoing support, no upgrades from the vendor, etc.

To the surprise of no one.

How are we doing for FOSS cell phones again?

I think that there may be ONE option. RMS probably has it...

It really depends on how FLOSS you want to go?

On the software side of things the closest you can get is a phone running OsmocomBB. That only runs on some dumphones and is not useful from a user perspective, it is only for research. For smartphone software, the closest you can get is a phone running Replicant. That still has all the embedded proprietary software; baseband OS, bootloader, wifi/bluetooth/camera firmware etc.

On the hardware side of things, we have no ASICs with libre designs. I think there have been some cases with libre designs but none manufactured in large quantities. There are myriad patents covering various hardware processes, instruction sets, CPU stuff etc. See bunnie's talk about layers of openness and the Novena laptop for more on this.

RMS uses other people's phones, he doesn't have one himself, mainly due to the network side of things though.

Wow, I guess that there aren't really any "fully open" phones in that case.

For the truly paranoid (with or without reason), I guess that they would have to go the RMS route -- or find a payphone that isn't within sight of a security camera.

I'm currently using an offbrand Chinese Android phone, so this news has made me very very nervous.

Why you think this is true?

Well, I just don't know. I don't have the same phone this but it's made me wonder.

The NSA deliberately weakened crypto keys/code. How is that any different?

Even if it were the same, it would still be news.

Agreed. But my question is still valid (and not deserving of the down votes) given that so many Americans do not react to their government's privacy and anti-democratic intrusions with the same disdain they have toward China's.