
To emphasize: the article about Qualcomm sending back data is fearmongering to sell their own products. It's unnecessarily alarmist, and phrases things very misleadingly.

Like how "list of software" refers to Qualcomm's baseband processor software, *not* the software you've installed under Android, but they've conveniently phrased it to imply that it's the latter.

I haven't yet settled on whether the information that Qualcomm sends back is actually technically necessary, but Nitrokey's assessment is *definitely* wrong, and seemingly deliberately so. It's marketing, not a legitimate security disclosure.

Also, to my fellow anti-capitalists: please, *please* look critically at these sorts of "evil big company" articles, and who is writing them for what reason.

Just because someone is espousing the aesthetics of anti-capitalism or privacy or whatever, doesn't mean they aren't trying to sell you something.

And if I'm being honest, this one should have been pretty obvious as far as propaganda goes, and y'all should've at least raised some eyebrows about it before boosting it.

@joepie91 damn

well.. it seemed a bit extra but it seemed plausible. i somewhat trusted Nitro and didn't expect them to pull something like this.

i have already been through enough FUD in the Android "google-less" space, and generally Nitro is on the Right Side by selling GrapheneOS phones (imo, ofc.) sucks.

@Nulo I mean, the *core* of it seems to be true, in that Qualcomm chips *are* sending HTTP requests. It's just that the reason is completely different from what the article implies, and so is the scope.

I guess it's another case of ye olde "the most convincing lie is one with a kernel of truth".

@joepie91 what set off flags for me was the fact they didn't even show that it was actually sending the information suggested in the privacy policy.

this is a huge lesson for me, because I knew it was questionable (after all, i have a general idea about the subject) but I trigger-happily retooted because I generally trusted The Brand. glad you and other folks are quick to point out the bullshit

@joepie91 this sort of misinformation is the one that bad actors produce, like the ones that get people doing important work like @DanielMicay at risk.

in this case nitrokey wasn't aiming that way (after all the whole point of the article is to sell their overpriced GrapheneOS-as-a-service) but it's the same kind of stuff that goes around in the Android community.

@Nulo @joepie91 I think xtra-daemon does do this but they seemingly didn't actually check and they seem to think firmware is doing it when it is a Qualcomm system service that does it. They didn't do enough research before making the post and the way they worded it and presented it is problematic.

@Nulo @joepie91 It's not hidden or secret. Qualcomm has clear documentation on it. It does not need to send that information in an HTTP header and their CDN provides the downloads even without sending the information. It is a privacy issue, and it is something that really shouldn't be the way it is, but they got a lot of details wrong.

They presented it as if they discovered a hidden backdoor when they discovered a known service that's very useful and documented as sending unnecessary data.

@joepie91 @Nulo Qualcomm does PSDS via their xtra-daemon service instead of the standard AOSP PSDS service. xtra-daemon does have code and SELinux policy to be able to send serial number, device model, etc.

There is more than a kernel of truth to it, but they presented it in a bad way and got some major things wrong about how it works like saying the firmware does it when xtra-daemon is what does it on all devices that we have seen.

@joepie91 tbh I didn’t feel like they referred to Software installed on android but to the actual Qualcomm processor software and that ur OS has not really a saying in it at all.

@pandora Right, but a lot of people are interpreting it as "software installed under Android", which makes sense when you don't know how baseband processors work, and it seems very much deliberately written to imply that without outright claiming it

@joepie91 They got some things right and other things wrong. I have given them information and asked them to improve the article. I wish they had contacted us first.

@joepie91 I'm frustrated about it. It's also not a good time for it considering people just attempted to get me killed via swatting and harassment has escalated worse than ever before.

We used the GrapheneOS account to post some clarifications but that's being misinterpreted and it really would have been ideal if Nitrokey just let us know before posting that so we could have helped to fix the issues and gotten them to properly confirm things instead of making partly wrong assumptions.
