"Smartphones With Popular Qualcomm Chip Secretly Share Private Information With US Chip-Maker"

Sure, that can be done.

For reference, could you create an issue and assign it to me? I shall get this done as soon as possible.

Thanks for pointing it out and letting me know.

3 Likes

Thanks, this topic summarizes well what I also think about the blog post:
it’s an alarmist article that took some alarming grains of (not really new) truth and mixed them with partly unproven and even partly wrong information to make it even more alarming. And this was only done to market their own product.

6 Likes

Even if Qualcomm is technically responsible for such data transfer.
The manufacturer of the smartphone we bought is Fairphone. Fairphone brought the chips and firmware into the EU market. Someone (best would be a Dutch customer) should sue them to the officials responsible for EU Data Protection Act (“Datenschutz Grundverordnung”) in the Netherlands.

1 Like

Sorry, @jochen0
That doesn’t make much sense. You should at least phrase it like “someone should sue any manufacturer of devices (not only mobile ones) that include Qualcomm chips which got such a ‘feature’ and that are imported/introduced into the European Market”

Otherwise it just sounds like shallow bickering against Fairphone …

4 Likes

And what if an AVV or similar exists? I doubt it’s all that black and white with GDPR. So before going against FP, what about reading the data protection policy and asking them what data are being sent to whom?
It’s a bit like the discussion we once had about the Google Data Policy that one needs to accept before being able to install another system.

As far as I have understood, much ado about nothing: Yes, this feature discloses personal information, but IMHO it doesn’t violate GDPR because it falls under the “necessary” category, and it isn’t really dangerous because if someone would like to track you, there are way more simple and efficient means.
If you don’t want anybody to know where you are, the first and foremost thing is to not have any mobile phone, no matter the OS: As soon as it connects to a cell tower, your provider and the government (obligatory logs for law enforcement purposes) know exactly where you are and have been…

Now I do not condone tracking people, and I’m pretty much privacy-conscious, but having a smartphone (with Google, of all companies!) in my pocket, I can’t reasonably say I’m horrified that Qualcomm gets my IP and location. Google even knows what I had for lunch. :frowning_face:

12 Likes

No. I can only sue someone for something he did with my data. And if a Fairphone is the only device with Qualcomm chips I use, I have to make the manufacturer of that device responsible.

Maybe. I never accepted any such agreement before switching my Fairphone 4 on.

1 Like

You are right. My postings were in reaction to those earlier in this thread.

Still doesn’t make sense :wink:

In that last post above you wrote

… and now you’re replying with

You’re mixing “I have an issue with Fairphone” with “someone (else) should sue them”.

This simply doesn’t make sense.

Do it or don’t do it.
That’s up to you.
But please refrain from inciting anyone else here.
Thanks

1 Like

Yes, to sue you will have to show a specific loss, so Fairphone would be the defendant.
However, if the breach of legislation is criminal, you only have to make a case to the authorities and they will do all the work.

Not that I’m suggesting you do either, I’m sure you have other things to do :slight_smile:

1 Like

Learn to distinguish between advice, what someone can do, and the reaction (…)
Anyway, I don’t take the time to answer to partly quoted text taken out of context. Let’s end it now.

1 Like

Language: UK English born

I didn’t see any incitement which is a general term.
As far as advice goes which is more personal, I didn’t see that either.

So what I did see was the presentation of an idea of assumed responsibility that Fairphone may have and a possible way to check that.

Opinions, although not advice, can still be challenged, else why voice them? All very innocuous and the QC data transfer may be.

3 Likes

Yes, it’s blown up, but there is some merit, too.

Why does Qualcomm need the serial of the smartphone, and why is A-GPS not handled by the OS instead of baseband? It is in the interest of the user to want the baseband and other proprietary blobs to do as little as possible. Besides, there’s no choice here. Under GDPR, anything that can lead to you is PII. Your smartphone serial number or IMEI or IP address are each clear examples of that. And nobody here gave Qualcomm conscious consent to collect it. Nor do we have a choice to opt out.

Nor can we audit the software. And there’s a shitload of vulnerabilities found in RF binary blobs, see SEEMOO lab. It’s quite easy to set such up for BT and WiFi and RFID, but for mobile networking protocols it’s a bit more complex. For example, I have a HackRF, but it’s only half duplex, and a good full duplex SDR is expensive.

3 Likes

I’m not sure about those items.

Especially IP address and IMEI. Both or either are used to communicate between devices.

Any website accessed must know who’s calling to be able to respond, it’s not like there is a solid wire connection.

An issue may be whether that info is encrypted and who has a legitimate need for it; it’s a hazy regulation.

@JeroenH

> Why does Qualcomm need the serial of the smartphone, and why is A-GPS not handled by the OS instead of baseband?

Qualcomm is getting the serial via the PSDS request which is NOT A-GPS.
This above PSDS request is invoked via the userspace xtra-daemon, NOT in firmware.
Actual A-GPS control plane is by the baseband, userplane (SUPL) can however be disabled/configured via userspace.

> Nor can we audit the software

I literally sent a picture above of the function that collected serial, that code is actually not even proprietary but Apache-2.0.

Please see my writeup: https://divestos.org/misc/gnss.txt

5 Likes

Now you’re wondering why the world isn’t an ideal place of peace and happiness… :laughing:

Why? Because most OSes are a cobbled-together hodgepodge of unfitting pieces, summarily patched together so they won’t collapse (too often).
Most of the infrastructure has grown organically, as people shoehorned in additional and unplanned features. It’s usually the worst (i.e. fastest, cheapest) way to do it which has been chosen…

Yes, the users’ interest is to keep things simple and open, the industry’s interest is to keep things cheap and proprietary. Guess who decides… :smiling_imp:


(As for opting out, GDPR specifically states that there is no need to ask for permission when collection of PI is required for normal operation (phone doesn’t need to ask your permission to record your voice, for instance). Qualcomm’s use is very likely to fall under that exemption. Keep in mind GDPR is not a silver bullet. It’s a precious tool, but it has limits.)

2 Likes

The phone not; however, the Phone App would most likely have to, and therefore you can’t record easily (even the Google Phone app does not allow it).

My question to this is: what exactly are the motives of Nitrokey to spread such news? For me this seems either very incompetent or consciously misleading. And the question in the second case is: What for?

Selling their phones, Pixel7 with Graphene OS for around 1500€…

3 Likes