Post AV2nQWEDWcrMPRrpLs by biktorgj@fosstodon.org
(DIR) Post #AV2gIlq8tk8EpfxsQ4 by biktorgj@fosstodon.org
2023-04-26T04:56:25Z
1 likes, 2 repeats
So... With all respect @nitrokey, I'd advise you (mostly your PR department) to fact check your article about Qualcomm's A-GPS data... First because it's a load of trash, but it's also a lie on so many levels that it only makes you look bad.
First: The Qualcomm chipset doesn't send any data. There's a service running in every Qualcomm phone's userspace which downloads the A-GPS provisioning data. 1/4
(DIR) Post #AV2gInt3HteDBHLEES by biktorgj@fosstodon.org
2023-04-26T04:56:51Z
0 likes, 0 repeats
Second: The fact that you don't know about Qualcomm's iZat service only means you don't know your phone. iZat is Qualcomm's all-in-one location solution, and it has existed for almost a decade.
Third: There's no covert operating system. Qualcomm's AMSS firmware is the _center_ of Qcom's business. They even have an SDK, and access to the source code is available for OEMs so they can add whatever they need. 2/4
(DIR) Post #AV2gIpkyKuNAynZnuq by biktorgj@fosstodon.org
2023-04-26T04:59:50Z
1 likes, 0 repeats
The AMSS firmware also controls the sensors, cameras, and plenty of stuff you could know if you looked at even one of Qcom's sales brochures, but you don't know because
Four: Your phone is a rebranded Pixel. Which means that you, unlike Fairphone or Sony, don't actually have access to the baseband source code because you're not the OEM, and depend on Google, of all companies, to provide updated pre-built AMSS, TZ and RPM firmware. 3/4
(DIR) Post #AV2gIrcXPEoYlDe62y by biktorgj@fosstodon.org
2023-04-26T05:00:44Z
0 likes, 0 repeats
So not only does this article prove you don't know your stuff, it also proves you have no idea of what is actually running inside _your_ phone, which, to be honest, doesn't help your case in selling a "secure phone", when other companies can actually audit the code that's running in their phones and you can't.
DISCLAIMER: I don't particularly like Qualcomm, and I don't work for any of the companies involved in the article. But that article was _so full of lies_ that I had to say something.
(DIR) Post #AV2gIthZfU21DQ19Au by biktorgj@fosstodon.org
2023-04-26T05:18:45Z
1 likes, 0 repeats
Oh, and I almost forgot. If anyone wants to stop using the iZat servers to retrieve the almanac (or make some script to download daily and self-host it), you can edit /vendor/etc/gps.conf and add:
XTRA_SERVER_1=[url]
XTRA_SERVER_2=[url]
XTRA_SERVER_3=[url]
(Change URL with your own server)
NTP_SERVER=time.xtracloud.net (set another NTP server)
and /vendor/etc/izat.conf:
GTP_PRIVACY_VERSION_URL for some other URL
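As an added example (not part of the thread or of any vendor's code), a POSIX shell helper that applies exactly those gps.conf and izat.conf edits to copies of the files and lets you verify the result before pushing them back to the device. The mirror URL, NTP host, temp paths and sample file contents are constructed placeholders; only the key names and the time.xtracloud.net value come from the post.

```shell
#!/bin/sh
# Added example (not from the thread): repoint the A-GPS endpoints in the
# gps.conf / izat.conf files the post mentions so almanac and NTP queries go
# to servers you operate. Paths and server names are constructed placeholders.

# set_conf_key FILE KEY VALUE: rewrite the first "KEY=..." line, drop any
# duplicates of it, append the key if it is missing; leave other lines alone.
set_conf_key() {
    file=$1; key=$2; value=$3; found=0; tmp="$file.tmp.$$"
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in
            "$key="*) [ "$found" -eq 0 ] && printf '%s=%s\n' "$key" "$value"; found=1 ;;
            *)        printf '%s\n' "$line" ;;
        esac
    done < "$file" > "$tmp"
    [ "$found" -eq 1 ] || printf '%s=%s\n' "$key" "$value" >> "$tmp"
    mv "$tmp" "$file"
}

# get_conf_key FILE KEY: print the value of KEY (nothing if absent).
get_conf_key() {
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in "$2="*) printf '%s\n' "${line#"$2="}" ;; esac
    done < "$1"
}

# repoint_agps GPS_CONF IZAT_CONF XTRA_URL NTP_SERVER PRIVACY_URL: the edits the
# post describes (three XTRA servers, NTP server, izat.conf privacy-version URL).
repoint_agps() {
    set_conf_key "$1" XTRA_SERVER_1 "$3"
    set_conf_key "$1" XTRA_SERVER_2 "$3"
    set_conf_key "$1" XTRA_SERVER_3 "$3"
    set_conf_key "$1" NTP_SERVER "$4"
    set_conf_key "$2" GTP_PRIVACY_VERSION_URL "$5"
}

# make_sample_confs DIR: constructed stand-ins for /vendor/etc/gps.conf and
# izat.conf (only the NTP_SERVER value is taken from the post; the rest is invented).
make_sample_confs() {
    printf '# constructed gps.conf\nDEBUG_LEVEL=2\nXTRA_SERVER_1=[url]\nXTRA_SERVER_2=[url]\nNTP_SERVER=time.xtracloud.net\n' > "$1/gps.conf"
    printf '# constructed izat.conf\nGTP_PRIVACY_VERSION_URL=[url]\n' > "$1/izat.conf"
}

# Stand-alone run on copies in a temp dir, never on the live /vendor files.
work=$(mktemp -d) && make_sample_confs "$work"
repoint_agps "$work/gps.conf" "$work/izat.conf" \
    "https://agps.example.invalid/xtra" "ntp.example.invalid" \
    "https://agps.example.invalid/privacy/version.html"
cat "$work/gps.conf" "$work/izat.conf"
```

Pull the real files with `adb pull /vendor/etc/gps.conf` (and izat.conf), run repoint_agps on the copies, inspect them with get_conf_key, and only then push them back; the /vendor partition is normally read-only, so that step needs root or a remount.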
(DIR) Post #AV2mabALvE5wfIImv2 by troed@masto.sangberg.se
2023-04-26T12:31:45Z
0 likes, 0 repeats
@biktorgj How did these comments touch upon the fact that a European phone user's PII is sent off to a US company? (The GDPR violation)
(DIR) Post #AV2nQWEDWcrMPRrpLs by biktorgj@fosstodon.org
2023-04-26T12:41:07Z
0 likes, 0 repeats
@troed That depends. The builds I have tested didn't send any PII, other builds may, maybe depending on the version of the lowi service and the features enabled by the OEM (you have basic / premium feature settings), but in any case, I'm not even sure it would count as a GDPR violation, because that data by itself can't be used as PII for a specific "person". They may be able to identify a device from the IMEI/ICCID, but from the collected data they can't tie it to a particular person when 1/2
(DIR) Post #AV2phv0As3pC4fiu80 by biktorgj@fosstodon.org
2023-04-26T12:42:35Z
0 likes, 0 repeats
@troed downloading a provisioning file. When actively using the Assisted GPS, especially with wlan scanning, they could build a profile of the location for that user, but that's the same for Qualcomm, Apple, Mozilla NLP or any other service. They still wouldn't know your name from all that. I am not a lawyer though, so I could be wrong on that :)
(DIR) Post #AV2phvXqqqlNl7TncW by troed@masto.sangberg.se
2023-04-26T13:06:42Z
0 likes, 0 repeats
@biktorgj Yeah, actually they go straight into GDPR PII as soon as they get the IP address. https://gdpr.eu/eu-gdpr-personal-data/
Afaik no European customer is told that Qualcomm collects their PII, and they have no recourse directly toward Qualcomm in having it removed if they ask. Now, tying this into having access to real-time location, and this sounds like a major GDPR violation (Qualcomm being a US company - we're somewhat sensitive in Europe about having our data sent there. See Schrems I & II ;) (1/2)
(DIR) Post #AV2pzCnTxgdUBk1uAy by troed@masto.sangberg.se
2023-04-26T13:09:50Z
0 likes, 0 repeats
@biktorgj Now, with all that said. This is a Sony phone, and Sony might have all this info presented to their customers somehow. This staying behind when flashing with an open OS is thus on the end customer to handle (if they did it). So, I sort of agree with you that this might all be a big nothingburger. It depends on whether European Qualcomm-phone users are presented with the proper information. (2/2)
(DIR) Post #AV2qOvl9vfUysQD4Uq by biktorgj@fosstodon.org
2023-04-26T13:14:27Z
0 likes, 0 repeats
@troed Well, they get the IP address because you connect to their servers, but do we know if they store it? Any company out of Europe would be in violation of the GDPR then if their servers logged the queries, so a little hard to enforce. I don't know Fairphone/Sony specifics, but for sure my OnePlus, when it was running stock, had a privacy policy from Qualcomm available in the about section. I've never read it though, so no idea if it included it :) 1/2
(DIR) Post #AV36x6nSzw1ADjbmgC by kop316@fosstodon.org
2023-04-26T16:19:52Z
0 likes, 0 repeats
@troed @biktorgj I am confused by this. Your post implies that merely making an HTTP request (since it contains the IP) to a US server from the EU can constitute a GDPR violation. I.e. merely by doing "curl https://info.izatcloud.net/privacy/version.html" could trigger this.
(DIR) Post #AV37Hkh0NNP1kMQhJg by kop316@fosstodon.org
2023-04-26T16:23:39Z
0 likes, 0 repeats
@troed @biktorgj I am confused by this. Your post implies that merely making an HTTP request (since it contains the IP) to a US server from the EU can constitute a GDPR violation. I.e. merely by doing "curl https://info.izatcloud.net/privacy/version.html" could trigger this, and it probably does, since many web server logs retain IP addresses by default.
(DIR) Post #AV37kZfiQjAvxqZOu8 by troed@masto.sangberg.se
2023-04-26T16:28:51Z
0 likes, 0 repeats
@kop316 @biktorgj Yes, in many cases. One of the effects the GDPR is intended to have is for companies to stop storing personal data just because they can. https://gdpr.eu/companies-outside-of-europe/
(DIR) Post #AV38k4ygeKy6irltLs by kop316@fosstodon.org
2023-04-26T16:39:58Z
0 likes, 0 repeats
@troed @biktorgj That seems... very, very poorly written. The example is even bad. Unless they have some treaty with Canada allowing it, I am not even convinced the EU could go after that golf site in the cited example even if they wanted to.
(DIR) Post #AV39BMxRuNKqJ0CnKa by troed@masto.sangberg.se
2023-04-26T16:44:56Z
0 likes, 0 repeats
@kop316 @biktorgj "Can go after" is of course always difficult on the Internet. Better examples here: https://www.ashurst.com/en/news-and-insights/legal-updates/territorial-scope-of-the-gdpr---where-does-the-boundary-lie/