Recent searches
Search options
So... With all respect @nitrokey , I'd advise you (mostly your PR department) to fact check your article about Qualcomm's A-GPS data... First because it's a load of trash, but it's also a lie in some many levels that only makes you look bad.
First: The qualcomm chipset doesn't send any data. There's a service running in every qualcomm phone's userspace which downloads the A-GPS provisioning data.
1/4
Second: The fact that you don't know about Qualcomm's iZat service only means you don't know your phone. iZat is Qualcomm's all in one location solution, and it exists for almost a decade.
Third: There's no covert operating system. Qualcomm's AMSS firmware is the _center_ of Qcom's business. They even have an SDK and access to the source code is available for OEMs so they can add whatever they need.
2/4
The AMSS firmware also controls the sensors, cameras, and plenty of stuff you could know if you looked at even one of Qcom's sales brochures but you don't know because
Four: Your phone is a rebranded pixel. Which means that, you, unlike Fairphone or Sony, don't actually have access to the baseband source code because you're not the OEM, and depend of Google, from all companies, to provide updated pre-built AMSS, TZ and RPM firmware.
3/4
So not only this article proves you don't know your stuff, it also proves you have no idea of what is actually running inside _your_ phone, which, to be honest, doesn't help your case in selling a "secure phone", when other companies can actually audit the code that's running in their phones and you can't.
DISCLAIMER: I don't particularly like Qualcomm, and I don't work for any of the companies involved in the article. But that article was _so full of lies_ that I had to say something.
Oh, and I almost forgot. If anyone wants to stop using the izat servers to retrieve the almanac (or make some script to download daily and self-host it), you can edit:
/vendor/etc/gps.conf and add:
XTRA_SERVER_1=[url]
XTRA_SERVER_2=[url]
XTRA_SERVER_3=[url]
(Change URL with your own server)
NTP_SERVER=time.xtracloud.net (set another ntp server)
and /vendor/etc/izat.conf:
GTP_PRIVACY_VERSION_URL for some other URL
@biktorgj How did these comments touch upon the fact that a European phone user's PII is sent off to a US company? (The GDPR violation)
@troed That depends.The builds I have tested didn't send any PII, other builds may, maybe depending on the version of the lowi service and the features enabled by the OEM (You have basic / premium feature settings), but in any case, I'm not even sure it would count as a GDPR violation, because that data by itself can't be used as PII for a specific "person".They may be able to identify a device from the imei/iccid, but from the collected data they can't tie it to a particular person when 1/2
@troed downloading a provisioning file. When actively using the Assisted GPS, especially with wlan scanning, they could build a profile of the location for that user, but that's the same for Qualcomm, Apple, Mozilla NLP or any other service. They still wouldn't know your name from all that. I am not a lawyer though, so I could be wrong on that :)
@biktorgj Yeah actually they go straight into GDPR PII as soon as they get the IP address.
https://gdpr.eu/eu-gdpr-personal-data/
Afaik no European customer is told that Qualcomm collects their PII and they have no recourse directly toward Qualcomm in having it removed if they ask.
Now, tying this into having access to realtime location and this sounds like a major GDPR violation (Qualcomm being a US company - we're somewhat sensitive in Europe having our data sent there. See Schrems I & II ;)
(1/2)
@biktorgj Now, with all that said. This is a Sony phone, and Sony might have all this info presented to their customers somehow. This staying behind when flashing with an open OS is thus on the end customer to handle (if they did it).
So, I sort of agree with you that this might all be a big nothingburger. It depends on whether European Qualcomm-phone users are presented with the proper information.
(2/2)
@troed Well, they get the IP address because you connect to their servers, but do we know if they store it? Any company out of Europe would be in violation of the GDPR then if their servers logged the queries, so a little hard to enforce. I don't know fairphone/sony specifics, but for sure my Oneplus, when it was running stock, had a privacy policy from Qualcomm available in the about section. I've never read it though, so no idea if it included it :)
1/2
@troed The service does have a setting that retrieves the current privacy policy version from here: https://info.izatcloud.net/privacy/version.html and by default it does so every 24h
If that triggers something, or if the policy has changed much in the last years, I have no idea
2/2
I am confused by this. Your post implies that merely making an HTTP request (since it contains the IP) to a US server from the EU can constitute a GPDR violation.
i.e. merely by doing " curl https://info.izatcloud.net/privacy/version.html " could trigger this, and it probably does, since many web server logs retain IP addresses by default.
@kop316 @biktorgj "Can go after" is of course always difficult on the Internet.
Better examples here: https://www.ashurst.com/en/news-and-insights/legal-updates/territorial-scope-of-the-gdpr---where-does-the-boundary-lie/