Telemetry, Spyware, list of privacy threats on FP3 Android 9

IMHO not every telemetry activity must be classified as „spying“ on us. If you do not even trust apps from the company that builds the phone that you have chosen, then who do you trust?

Best wishes,
Thomas

I received an initial answer from the support, saying they were unaware of that and will check back to clear that up. I haven’t heard back from them since and am still waiting.

1 Like

Full Ack! No, not every telemetry activity would be classified as “spying”

Spying is by definition secret.
If a telemetry features is known, it’s presence and purpose documented and the user informed before activation with the ability to opt out, then I would definitely not call this spying. An example would be the dialogue in many app or software installations “Do you want to participate in our anonymous quality assurance. The app will then send anonymous usage data and crash reports which help us make this product better (X) Yes ( )No [Submit]” - ideally with a link to more detailed information about which data is collected.

If a telemetry feature is however added during an over the air update, hidden, without any notification to the user, without any information about the purpose, intend or functionality, and this feature is deliberately implemented as a non de-installable and non de-activatable system application, which sends back unknown, undisclosed data behind the users back, then I would indeed call this spying. Regardless of how little data is actually transferred.

This is more a matter of trust, documentation and openness than about the purpose or amount of data.

5 Likes

I now received a more elaborate reply, here is an excerpt of the relevant parts:


The activation service enables Fairphone to know how many devices have been activated and are still in use. This is very useful data for us, as we aim at having our customers use their phones for as long as possible. It also can also help to determine how many users installed which software update.

As this app is integrated with the phone’s operating system, it is indeed not possible to uninstall it.
The main information collected and useful for us is the IMEI, date of activation and build number.
We figured out that the user’s location was not really necessary for our activation service to work, and we are therefore working on removing it.

As you might be aware, we also developed a partnership with e.Foundation, that is developing an OS specifically for privacy-conscious users.

If you wish to install it you can proceed the following way:

Please be aware that we do not provide support for alternative operating systems other than the Fairphone OS. If you require software support after installing /e/ OS, you should contact e.Foundation support directly

First, you will need to unlock your bootloader. This way you can install alternative operating systems.

Then, follow these instructions to install /e/ OS on your Fairphone 3.

I will be unable to provide you further help regarding /e/ OS, but you can find some on the Fairphone community forum or on the e.Foundation community forum dedicated to Fairphone.

If you want or need to return to the original Fairphone OS, please follow this article on how to manually install Fairphone OS on your Fairphone 3.

note: I can’t access the linked articles on support.fairphone.com for some reason. On Firefox at least the login form does not seem to work.

5 Likes

They haven’t said anything about the GDPR either. That disappoints me now very much.

I do not know what to think of it. A goal was set and the software was planned. Including the data to be transferred, the server backend was set up with the database cells. It must be obvious that the LTE cells are completely unnecessary for there goal. Through the sale they know which IMEI belongs to which customer. Completely in the sense of the modern age, first of all all possible data to grab and store. If no one complains, we just keep doing it. Evil tongues would say now, they have tried it and have hoped it does not fall on.

2 Likes

See also that I’ve found the app “Service menu” to be apparently constantly requesting my (GPS) location. Full thread here:

1 Like

I very much doubt this is GDPR compliant. IMEI is PII. There’s no opt-in. Heck, there’s no opt-out.

It’s pretty obvious that this not GDPR compliant.

Well… in such a case don’t hesitate to collect the necessary evidence and report it to the responsible privacy agency. Also make sure to explain in detail why it violates the GDPR.
On my way to find such one I however could only found a Dutch page. Of course, if you are from the EU, you can however, write them in English.

1 Like

@rae What is the state of this process? When are you going to notify your customers about your illegal data collection?

4 Likes

Intreasted in updates :slight_smile:

3 Likes

Hi everyone,

We completely understand your concerns shared in this thread. Thanks, as always for your feedback.

Using the data collected, our goal is to resolve a number of business challenges we face with regards to the production planning of spare parts and software maintenance.

This information allows us to measure whether Fairphone devices are actually used longer, as a proof point for our company’s mission, and it allows us to better plan production, so that we can order the spare parts our customers need. The collection of the software and device information also helps us recognise certain hardware to network issues more quickly and to resolve these issues more efficiently. For example, showing a device issue was tied to a specific network operator, a specific country and/or a specific security update.

We have a legitimate interest to collect this data but even so, after internal review, we found that in the design of the application certain functionalities were not clearly communicated. Our software developers are currently fixing this to include a toggle for opt-out in the settings.

That said, please note that this information is not shared with third parties, it is only used internally for statistical purposes and you may at any time object to the processing by following the process described in the Fairphone Privacy Policy. To optimize this process and offer a better customer experience, we plan to make this process more user-friendly and transparent in the coming months too.

We’ll keep you updated here as these improvements are implemented.

10 Likes

Thx once more for listening to complaints - and acting (or at least promising to … :stuck_out_tongue_winking_eye: ).
Communication is key!

2 Likes

Hello Rae,

and thanks for the update and the promise to remove data collection. I do not, however, consider this a “legitimate interest” (as long as you don’t tell me). And all the promises to not sell my data are not worth a lot when companies are merged and acquired (see Facebook + Whatsapp).

Looking at Turkey and how dangerous it is nowadays to have a phone call history to somebody who once was best friend to the current president, does not let me sleep well with a company statement that “this information is not shared” - if this data is on some servers, it can be hacked and acquired, so Fairphone cannot reliably make this claim.

So my expectation is clearly that Fairphone implements such a procedure (if they deem it necessary to track issues), deploys it deactivated, offers user to activate upon first boot, and in the event of issues to fix, again asks users to activate the service (to fix the issue and then to turn it off again).

Thanks for the currently best effort in the industry, though!

Danke & Grüße von
nobi

2 Likes

@rae Thanks for your answer.

Please answer the question. When do you plan to tell your customers about the data collection?

Regarding “opt-out” the GDPR legislation provides for an opt-in procedure. Why don’t you want to be privacy compliant?

Hi @Dosenheini

Maybe you would like to share the details of the alleged illegal data gathering so others can respond. Your statement is a very general accusation and could be viewed, from other less worried people, as paranoid or uptight.

Criticism is great but being confrontational, in a none evidential manner, doesn’t give people confidence that there is something to consider.

Adendum By the way this topic is aimed at Android 9 but I imagine you’re questioning Fairphone and hence Android 10 etc

2 Likes

Fairphone has not, to my knowledge, said that they constantly record and store the phone’s location, for example. That happens with the LTE radio cells. The IEMI is linked to the customer data when the order is placed.

The people at Fairphone must have had something in mind where they planned and built the feature. Whether they thought it was ok to store everything we can get, I don’t know. Maybe they intended to make it anonymous, but they didn’t. I think that’s extremely unfortunate. I think Fairphone itself is an extremely great idea and company. Such things disappoint me very much, when after half a year such an answer with a link to the “Fairphone Privacy Policy” comes where nothing of it is in it, but maybe I just do not find it.

Disclaimer: I must say that I do not use Fairphone OS.

Well, I guess, the one thing, that this policy is stating for every data collecting instance is:

When do we delete Your Data and how can you request Your Data to be deleted?

You can request to have Your Data removed by sending an e-mail to privacy@fairphone.com. You might be requested to send us a proof of identity before we proceed with the deletion process.

So that’s obviously the way to proceed to object data processing.
Even though, the privacy policy that @rae has linked to, does not mention data collecting by using the phone with FOS.
But since point 6 “Privacy” of the Fairphone OS End User License Agreement is meant to be linking to the same privacy policy (the link is not available), I would consider that to be good enough an explanation on how to object.

That’s no statement regarding the data-collection in the first place. It’s just about how to object.

@rae confirmed that fairphone collects data directly from the phone if you use the provided OS.

Users not being aware of it, not making it opt in, not being transparent about it violates the Data Protection Directive - Wikipedia , #1 #3 and #6

The linked Privacy Policy violates GDPR because it has to be readable

  • In a concise, transparent, intelligible, and easily accessible form

Mashing everything in one block including b2b rules and event photos with no subheadings and structure, just to cover everything, is not helpful

I see no evidence of ‘illegal data gathering’

Your link provides

" Scope

Personal data are defined as “any information relating to an identified or identifiable natural person (“data subject”); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity;” (art. 2 a).

This definition is meant to be very broad. Data are “personal data” when someone is able to link the information to a person, even if the person holding the data cannot make this link. Some examples of “personal data” are: address, credit card number, bank statements, criminal record, etc."

And whereas it may be that Fairphone does collect data as described by your reference I have seen no evidence of that.