Wow, thanks for going that far this did clear some things up.
I wonder who is at fault here. If you purchase a software license (for example for windows) and accept the EULA, you accepted a contract with that party. The party then has the rights and obligations under DSGVO and e-Privacy-Directive towards you as a contracted party.
But if you purchase a phone, are you ever agreeing to such a contract? Who is the contract partner and legally responsible? Is it Fairphone for selling the phone? Is it Google for making you click on “I accept” on first power on (if so)? Is it Qualcomm?
If it is Qualcomm, based on what contract? I don’t want any services from Qualcomm, I’d happily stop using their stuff and uninstall all their “Qualcomm Mobile Security” software. I wouldn’t even install that myself, the phone came with it as part of the drivers. It was already running when I unpacked it.
I don’t want to file too many complaints without knowing more at this point in time. We should first make sure Fairphone isn’t the one legally responsible for Qualcomm’s wrongdoings.
Can anyone who has recently factory-reset the FP3 tell if there is any notification and/or information about the Qualcomm software that is preinstalled, any contract or software license that one implicitly or explicitly agrees by turning the thing on? Any EULA , end user agreement or privacy information file mentioning ANY of the Qualcomm features? I can’t remember, but I don’t want to factory reset the phone now just to figure that out.
Fairphone seems to be really busy right now with hardware manufacture and delivery hell and a million support requests because stuff isn’t working as it should (hint: microphone )
I don’t think it would be fair to give them even more of a headache by filing legal complaints because of Qualcomm’s potential spyware now, if the issue might be addressed soon by an option to root the phone and get rid of the crap and/or a ROM that doesn’t have this stuff. Then again, it might be Qualcomm’s proprietary drivers which could be the main hold-back from releasing the kernel source so far.
Fairphone might be trapped between the fire and a hot place, by being legally responsible for the effects on end-user-privacy of shipping phones with Qualcomm’s spyware, while at the same time being contractually bound to them (without Qualcomm drivers, the phone would not boot) the only short-term possible solution might be to stop shipping Fairphones, and that’s not something I would want to have enforced before all cards and options are on the table.
We might should contact someone @Fairphone regarding this, before bringing it to the attention of authorities (even though we probably could)
So going forward:
-
A 2nd pcap would be helpful. Can anyone with a Fairphone 3 make a traffic log of the gps daemon calling “home” and record the “User-Agent” identifier. If this identifier is unique to each phone, it allows tracking each device. If it’s not and only identifies the phone as a Fairphone (and maybe the software version) this would be a whole lot less problematic.
-
Who could we best contact at Fairphone to tell us what the contractual base is for software use of Qualcomm products on the Phone by the end-user, how an end user can withdraw from any such contract and uninstall the qualcomm software products, if and what alternatives are /will be/ available and when, etc.
At the intersection of “highly technical” and “legally relevant” this isn’t something the typical support clerk is ready or capable of answering, and it would be better to have a good answer than a quick one.