User outcry prompts OnePlus to step down its excessive data collection

Earlier this week, it was revealed that independent phone maker OnePlus was collecting all manner of information from phones running its OxygenOS — without telling users, of course. Caught red-handed, the company is backing off from the opt-out data collection program, giving users a choice up front instead of buried in the options.

The offending telemetry was discovered earlier this week, when software engineer Christopher Moore happened to snoop on his phone’s traffic for a hacking challenge. He noticed that the device was phoning home to OnePlus when it crashed — which is expected and benign — but also every time the phone was woken up or put to sleep — which is odd and intrusive.

Looking closer, he found that the device was also repeatedly sending its IMEI, phone number, serial number, Wi-Fi network and MAC address, and numerous other metrics. Having the option to send this information with, say, a bug report would be understandable, but it was sending this information every time an app was launched.

OnePlus said at the time that the data was collected to “fine tune our software according to user behavior” and “provide better after-sales support.” It could be partially turned off in advanced settings, or totally removed with a command line tool.

Of all phone manufacturers, of course, OnePlus probably has the users most likely to go snooping around for this kind of stuff, so it’s strange that such plainly intrusive metrics would be employed. Users were clearly bothered, so yesterday OnePlus provided a more substantial response on its support forums.

After the standard “We take our users – and their data privacy – very seriously” boilerplate and assuring people that this was all a big misunderstanding, OnePlus co-founder Carl Pei explained the practical steps the company was taking:

“By the end of October, all OnePlus phones running OxygenOS will have a prompt in the setup wizard that asks users if they want to join our user experience program. The setup wizard will clearly indicate that the program collects usage analytics. In addition, we will include a terms of service agreement that further explains our analytics collection. We would also like to share we will no longer be collecting telephone numbers, MAC Addresses and WiFi information.”

He also notes that the company never sent this information to any third parties, which is good. But opting out of the “user experience program” doesn’t appear to stop telemetry data from being sent — it just means “your usage analytics will not be tied to your device information.” Users may prefer to know that their data is not being collected at all, but for now that option appears to be limited to the same command-line tools as it was before.

Published at Sun, 15 Oct 2017 15:22:46 +0000