Should we be concerned about Privacy with low-level Chinese smartphone firmwares?

Since I started eelo.io at the end of 2017, I have had many discussions about the privacy of Chinese smartphone firmwares. Many people told me: if it’s technically possible to put some anti-privacy features into the firmware, they do it.

What would be the benefit of running eelo on such smartphones if their proprietary firmware drivers leak some personal data to corporates or to the Chinese government?

I agree that this is the limit of our project – regarding Chinese hardware of course – and that’s the reason why it would be great for eelo to eventually have their own brand of smartphones: this would mean we could access low-level driver code and make sure it’s Privacy-compliant.

Today I’m feeling better on this topic: the news has circulated that Xiaomi, one of the new big smartphone makers, has updated their Privacy Policy terms.

This will take effect on May 25th, and before you read them, please sit down!

Quick excerpts:

“We may collect the following types of information (which may or may not be personal information):

(…)all personal information you provide to us, like your name, mobile phone number, email address, delivery address, ID card, driver license, passport details, Mi Account details (e.g. your security related information, name, birthday, gender), order, invoicing details, materials or data you may sync through Mi Cloud or other apps (e.g. photos, contact lists)(…)

Financial information: information related to completing purchases. For example, bank account number, account holder name, credit card number etc.(…)

Social information: information related to your social activities. For example, current employer, current job title, education background, professional training background etc.(…)

Location information…(…)”

What does it mean? In short: they collect mostly everything, any piece of your personal data.

Why am I feeling better for eelo about this topic? They obviously think that sucking and processing personal data massively is a normal situation. Which is coherent with recent announcements that the Chinese government was putting in place a general social scoring system for Chinese people.

But, why would they add data-leaking features to their low-level firmwares? It’s totally useless and costly when it’s already present at operating-system level, and this is going to be everywhere in the Xiaomi MIUI system, in our case. So why would they care for a bunch of 0.00001% users who will replace MIUI by another ROM?

Probably we need to confirm this by auditing network activities of those mobile phones, but as eelo is going to replace the full OS when people flash their device, we will remove all the “features” that damage our Privacy, and it’s likely we’ll get “clean” smartphones.

–Gaël

 

5 Replies to “Should we be concerned about Privacy with low-level Chinese smartphone firmwares?”

  1. Chinese, Russian..
    more say I am not, so, don’t do this, don’t use Chinese firmware,
    this have us show in the past what’s all possible and was done
    over the whole lands on the east behind the Russian borders !
    Also the not alternative energy concerns like Oil and Gas factories
    and we (Germany) become the Stream over Ukraine and Russian and Germany it is now bound to Russian, it’s a big deal and the and Chancellor Schröder before Merkel has it been a/that crime.
    So, it’s a huge Politic and commercial with spy and informations becoming because alone this, make it a bit more safe to hold it in /keep it within reach, or hold the firmware in GitHub to be sure
    to be all clean …. to always have an insight and to receive /to have in the software, because, firmware it is also a software and can also store on GitHub.. so, for have certitude, have a hand on it and let the others also looking in. Hold it in Open Source ..
    The compiling and binary, hold it in 100% surveillance/supervision and build by self the firmware patches and give it on https-server outside . For again patchable the Hardware for 101% safety of the informations from the peoples and security of the Hardware.
    What do you think why Linus Benedict work on his own Kernel today also, he overview/overwatch it to nothing let go wrong or insecure go, this is my supposition why he do it today too.. to hold all safety and secure.. 😉 because this is his baby how it was Bill Gates Windows Baby was .. and eelo it’s a life’s work/live-task
    and it is your baby in the future.. if you make it right.. 😉

    So, don’t give out your hand what you don’t want to change.

    And keep it in Europe, but give it as a finished product outside Europe.. for give the Chinese and American Citizen privacy..
    If you do this in this direction, want 1000% sure to comes different facilities with concerns to you *giggle* because they want have looking in and backdoors .. and this can I bet with you :)) so, the only really safety and security, really open source and the hand on it and hold it ever in the public and give every information of change / variation / mutation of the software, Hardware and informations like Letters, writings and so to the public, also a letter from Microfist

    (did you try install the newest Win10? I did on a test hard disk.. Privacy = 0 because at first try it to have a Microsoft-Konto/account, the 2nd step is to make a Local WinNT account and this only if you try penetrant to make a local account as Computer Owner .. holy shit !! Reactos.org have to come !!!!!!!!!!!!!!!!!!! and it is a really issue and must have to save and secure the peoples… !!!!!!!!!!!! holy shit !! ),

    American facilities, Europe facilities and Russian/Chinese facilities on your Blog if something is sending per post to you.. or make it with Whistleblower if they facilities try something .. or both way, Whistleblow and Blog ..

    this from me ..

    best regards
    Blacky

    blackysgate.de

  2. >> But, why would they add data-leaking features to their low-level firmwares? <<

    To protect a paranoid one party government from citizens who try to flash their phones to get around the mass monitoring – identifying and locating these individuals will almost certainly be a high priority there.

    Don't fool yourself Gael, just to get the project across the initial goal is one thing (stick with the plan and these base phones or something in production). But beyond that please shift over to images for hardware that should be clean to begin with, Google's phones probably (seems the least likely to have firmware issues – short of Apple). JMHO…

  3. Thinking about this some more – for the most part this discussion may be an academic exercise. Was looking at LineageOS’s image selection…they don’t even have the Pixel, Pixel 2, Essential, s7, s8 or recent Motorola phones available (saw the Z Play which was nice, but the Z3 Play will be released next month for example).

    Probably whatever is cheap and sold in numbers will be what gets a maintained image on LineageOS. Which for the most part is going to be Chinese Smartphone Vendors trying to drive the other vendors out of the world marketplace with low prices. A bit depressing but you can already see it on their image selection list. On with the Chinese vendor phones….Just spent $100 to get a new Le2 on eBay. 😉

  4. The same for Samsung, Sony, and the others.
    I’ve heard a tech talk where it was all about hiding stuff in microchip directly, it would be worse. But really, who cares? All people are already sharing all their data to Facebook and you want to bam the Chinese? lol.
