OnePlus has been caught harvesting personally identifiable information from users’ devices

Just when it seems like the dust around the controversial compromises that went into the OnePlus 5 has had a chance to settle, another controversy pops up. A report by a software engineer reveals that the Chinese company has apparently been collecting personally identifiable data from devices running OxygenOS.

Representative Image

Representational Image

The collected data, according to OnePlus, only comprises of “usage analytics” that are used to “fine tune our software” and “provide better after-sales support.” That’s all fine and dandy, but when the company gets caught collecting phone numbers, IMEI numbers and detailed app usage statistics, one must wonder why it needs that much personally identifiable information. “Fine tuning software” and “better after-sales” do not require phone numbers and IMEI numbers. This collected data also includes MAC addresses, names of mobile networks, Wi-Fi connection information and even IMSI prefix codes.

This information can be used to precisely identify a device and its location. User habits and schedules can also be determined from this data.

Other collected data includes timestamped device wake up and shutdown times, data on abnormal reboots (among the few bits of legitimate data that can be collected), screen on/off times and more.

Worse still, the data is encrypted with your device’ serial number, killing any semblance of anonymity, reports Christopher Moore, the software engineer who first discovered the issue.

The company makes no attempt to inform users that such data is being collected, and neither does it give users an option to opt-in or out of this data collection regime.

Moore tried to contact OnePlus support via Twitter, but got no help. He then later checked out OnePlus forums to find a solution to the issue.

 

OnePlus, in a statement to Android Police revealed that much of this data collection can be prevented by going to ‘Settings>Advanced>Join user experience program’ and disabling that toggle.

Android Police also suggests that you use ADB to remove the OnePlus Device Manager, which is responsible for collecting and transmitting the data to OnePlus’ servers. Doing this could cause problems, however. If you’re still interested in disabling the “feature”, instructions are available at this link.

While it might seem like we’re singling out OnePlus here, it bears mentioning that device manufacturers routinely capture usage data from devices with or without a user’s consent. OnePlus was simply unfortunate enough to have been caught at it.

It’s perfectly alright for manufacturers to collect some usage analytics, with permission, but collecting personally identifiable information without consent is simply not done.

We have reached out to OnePlus India for a response on the matter, and will update the story when we hear from them.


Updated Date: Oct 11, 2017 10:55 AM