[zibzab]

My thoughts on this. TLDR version: some are probably innocent but some are worse than presented here.

> Key findings from the study:

>

> With the exception of e/OS, all of the handset manufacturers examined collect a list of all the apps installed on a handset. This is potentially sensitive information since it can reveal user interests, e.g., a mental health app, a Muslim prayer app, a gay dating app, a Republican news app. There is no opt out from this data collection.

This happens when looking for updates anyway

> The Xiaomi handset sends details of all the app screens viewed by a user to Xiaomi, including when and how long each app is used. This reveals, for example, the timing and duration of phone calls. The effect is akin to the use of cookies to track people’s activity as they move between web pages. This data appears to be sent outside Europe to Singapore.

Can this be "standard" app analytics. Not saying its okay, but this is the norm these days.

> On the Huawei handset the Swiftkey keyboard sends details of app usage over time to Microsoft. This reveals, for example, when a user is writing a text, using the search bar, searching for contacts.

Your custom wordlist is on the cloud with them, so they can see much more than that.

> Samsung, Xiaomi, Realme and Google collect long-lived device identifiers, e.g., the hardware serial number, alongside user-resettable advertising identifiers. This means that when a user resets an advertising identifier the new identifier value can be trivially re-linked back to the same device, potentially undermining the use of user-resettable advertising identifiers.

This is probably a major GDPR issue.

Edit: could also be for guarantee reasons. The big question is if this is ever used for advertising.

> Third-party system apps, e.g., from Google, Microsoft, LinkedIn and Facebook, are pre-installed on most of the handsets and silently collect data, with no opt out.

This is horrible!! I specifically avoid using any Facebook services and we all know about their shadow profiles for users who don't own a FB account.

(But what kind of data have the apps access to? In theory they are never used and have no privileges?)

> There may exist a data ecosystem where data collected from a handset by different companies is shared/linked. Notably, the privacy focused e/OS variant of Android was observed to transmit essentially no data.

We need more openness here.

[rhn_mk1]

> This happens when looking for updates anyway

But it doesn't have to. My Debian system does not send a list of installed packages in order to get updates. It queries the list of available ones.

[retSava]

> but this is the norm these days

Norm as in normal, but I'd not say norm as in what most people expect and would accept if they knew.

And norms change, let's not accept a "normal" as the de facto "this is how it should be" but instead work towards a better norm.

That's the hard part, the easy part of how to do this is left as an exercise for the reader.

[black3r]

> This happens when looking for updates anyway

I would still expect to have opt out of "looking for updates". Especially since this study suggests that this data is not collected by Play Store (Google) only, but also by the device manufacturer (possibly by their own store app which nobody really uses)

[illwrks]

Wow. As a Xiaomi phone user, and having not read the article yet, does it mention if that level of tracking happens on Global Rom (Android One) versions of their phones?

[gpas]

I loved my phone until I looked at nextdns logs and noticed it's reaching out to Xiaomi owned servers roughly every 30 minutes. It's definitely tracking something. Now nextdns has a dedicated Xiaomi block list so I should be ok, but who knows?

My bad for not checking the lineageos compatibility list before buying an unsupported device.

Global MIUI 12.5.3 on a note 8 pro.