To emphasize: the article about Qualcomm sending back data is fearmongering to sell their own products. It's unnecessarily alarmist, and phrases things very misleadingly.
Like how "list of software" refers to Qualcomm's baseband processor software, *not* the software you've installed under Android, but they've conveniently phrased it to imply that it's the latter.
I haven't yet settled on whether the information that Qualcomm sends back is actually technically necessary, but Nitrokey's assessment is *definitely* wrong, and seemingly deliberately so. It's marketing, not a legitimate security disclosure.
Also, to my fellow anti-capitalists: please, *please* look critically at these sorts of "evil big company" articles, and who is writing them for what reason.
Just because someone is espousing the aesthetics of anti-capitalism or privacy or whatever, doesn't mean they aren't trying to sell you something.
And if I'm being honest, this one should have been pretty obvious as far as propaganda goes, and y'all should've at least raised some eyebrows about it before boosting it.
@Nulo I mean, the *core* of it seems to be true, in that Qualcomm chips *are* sending HTTP requests. It's just that the reason is completely different from what the article implies, and so is the scope.
I guess it's another case of ye olde "the most convincing lie is one with a kernel of truth".
@joepie91 this sort of misinformation is the one that bad actors produce, like the ones that put people doing important work like @DanielMicay at risk.
in this case Nitrokey wasn't aiming that way (after all the whole point of the article is to sell their overpriced GrapheneOS-as-a-service) but it's the same kind of stuff that goes around in the Android community.
@Nulo @joepie91 It's not hidden or secret. Qualcomm has clear documentation on it. It does not need to send that information in an HTTP header and their CDN provides the downloads even without sending the information. It is a privacy issue, and it is something that really shouldn't be the way it is, but they got a lot of details wrong.
They presented it as if they discovered a hidden backdoor when they discovered a known service that's very useful and documented as sending unnecessary data.
@joepie91 @Nulo Qualcomm does PSDS via their xtra-daemon service instead of the standard AOSP PSDS service. xtra-daemon does have code and SELinux policy to be able to send serial number, device model, etc.
There is more than a kernel of truth to it, but they presented it in a bad way and got some major things wrong about how it works, like saying the firmware does it when xtra-daemon is what does it on all devices that we have seen.
@joepie91 what set off flags for me was the fact they didn't even show that it was actually sending the information suggested in the privacy policy.
this is a huge lesson for me, because I knew it was questionable (after all, I have a general idea about the subject) but I trigger-happily retooted because I generally trusted The Brand. glad you and other folks are quick to point out the bullshit