In a recently published report, computer scientists at the University of Edinburgh and Trinity College Dublin said that this personally identifiable information (PII) is kicked back to various entities. This could be phone vendors, mobile networks, or even providers like Baidu, the company widely referred to as the “Google of China” with close government ties. Such personal data could be used to track individual users and determine their identities. China recently adopted a GDPR-style privacy regulation called the Personal Information Protection Law. However, the study found that, as things stand, the country’s phone vendors may be flouting the privacy regulation. “We find that these devices come bundled with a number of third-party applications, some of which are granted dangerous runtime permissions by default without user consent, and transmit traffic containing a broad range of geolocation, user-profile and social relationships PII to both phone vendors and third-party domains, without notifying the user or offering the choice to opt-out,” the study states. Researchers added that they found this PII sharing only with the Chinese firmware, and not the global version.
Scientists Conducted Traffic Analysis on Chinese Android Smartphones
The scientists conducted a traffic analysis on the Android OS variants of OnePlus, Oppo Realme, and Xiaomi. It looked at how much private information the smartphones leaked through pre-installed applications. The researchers set the baseline privacy settings to those of a “privacy-aware but busy” user. This means they opted out of analytics and personalization, did not use any cloud storage service, and did not opt for other optional third-party services. They focused their study on four categories of data, including device-specific information, location-specific data, information from the user profile and information on social relationships. Researchers honed in on whether or not the devices leaked this information. Despite having these restrictive settings, the researchers found the devices sent “a worrying amount” of personal data to the phone vendor and Chinese mobile network operators. In fact, they noted that the device sent PII to Chinese mobile network operators even when they did not insert a SIM card or used a SIM with a different operator. They found the devices grant “dangerous privileges” to a large number of preinstalled system, vendor and third-party apps. These apps gained access to information such as persistent identifiers, GPS coordinates, phone numbers, app usage data, call/SMS history, and contact lists.
Devices Pose Serious Risks of Deanonymization and Tracking
The study noted that the information from the devices, when combined, could pose serious risks of uncovering user identity and enabling extensive tracking. Furthermore, the data transmission continues even when the device and its user moves outside China and into a different data protection jurisdiction. “Phone vendors and some third-parties are still able to track business travelers and students studying abroad, including the foreign contacts they make on their visits,” the study added. If this article piqued your interest, we recommend reading up more about spyware and smartphone privacy. Oppo, Xiaomi, and OnePlus have yet to respond to the study. In the meantime, if you’re concerned about privacy, we recommend avoiding the Chinese versions of their smartphones. For Android users from all over the world, we’ve put together this complete guide to optimizing your Android privacy and security settings.
