Qualcomm has denied the allegations about collecting the personal data of Android phone users illegally and without acquiring user consent.
The American semiconductor behemoth, which supplies processors to billions of Android smartphones and tablets worldwide, asserts that its data collection methods are fully transparent and adhere to the relevant legal regulations in the nations where its chips operate.
The report that accuses Qualcomm of the above comes from Nitrokey, a German company specializing in open-source hardware for applications that require bolstered security, data encryption, and data privacy.
Nitrokey tested the Snapdragon 630-powered Sony Xperia XA2 running the ‘/e/OS’ system, which lacks Google proprietary services and closed-sourced components, and it found that the device sends a DNS request to “android.clients.google.com” and then contacts an unknown service named “izatcloud.net.”
Upon further investigation, Nitrokey found that Izat Cloud belongs to Qualcomm, and contact with it is made via the XTRA service, which is part of the company’s Assisted GPS (A-GPS) technology.
As Qualcomm explained to Nitrokey when asked about the data collection, the XTRA service helps speed up GPS positioning and enhance accuracy when the device’s signals are obstructed.
Based on XTRA service’s privacy policy, the data that Qualcomm might collect and keep for up to 90 days to improve the A-GPS service on devices include the following:
- Unique ID
- Chipset name
- Chipset serial number
- XTRA software version
- Mobile country code
- Mobile network code (allowing identification of country and wireless operator)
- Type of operating system and version
- Device make and model
- Time since the last boot of the application processor and modem
- List of the software on the device
- IP address
While none of the above is personally identifiable information, and the XTRA service may not collect all of them just because it declares it in the privacy policy, some of the mentioned data types could be used for deanonymization and persistent profiling or even tracking.
Nitrokey also reports that the requests sent by the devices to Izat Cloud are of the unencrypted HTTP type, meaning that if intercepted, they could be used to infer the user’s geographical position and other details.
No matter how sensitive or privacy-risking the data is, the worst part of this data collection is that it happens by a service (XTRA) that runs at a lower level than the user-facing operating system (Android), as it’s part of Qualcomm’s firmware (AMSS).
This practically means that it cannot be disabled, and no matter what OS restrictions or privacy settings are selected by the user, they can all be bypassed. Qualcomm AMSS directly manages real-time communication with cell towers and has full control over the device’s hardware, and is out of the user’s control.
Qualcomm’s Response
When asked by RestorePrivacy about Nitrokey’s report, a Qualcomm spokesperson answered with a comment that reflects their strong feelings about the allegations made in the post, rejecting them all.
“The article is riddled with inaccuracies and appears to be motivated by the author’s desire to sell his product. Qualcomm only collects personal information when permitted by applicable law. As disclosed in our publicly available privacy policy, the relevant Qualcomm technologies use non-personal, anonymized, technical data to enable device manufacturers to provide their customers location-based apps and services that end users expect from today’s smartphones.”Qualcomm
Furthermore, the spokesperson explained that all current Qualcomm chips rely on HTTPS for the communication exchange and that the use of HTTP has been deprecated from 2016 onwards. This means that if you’re using a fairly recent device, the AMSS communications are at least secured from man-in-the-middle attacks.
Nitrokey claims its smartphones, which runs a privacy-enhanced Android distribution named GrapheneOS, aren’t susceptible to XTRA-induced data leaks because the SUPL (Secure User Plane Location) configuration for the A-GPS service stops the exfiltration of IMSI and phone numbers and passes all data through a proxy.
Regarding the legal aspect of obtaining user consent for data collection by the AMSS, RestorePrivacy has requested clarification from Qualcomm about the process and stage at which consent is acquired, and we will update this article once we receive their response.
Update: April 26, 2023 – Qualcomm has provided us with an additional statement on the XTRA service below:
The XTRA service does not collect data that can be used to identify specific individuals. The information used by the XTRA service is non-personal and technical (and also necessary to support the expected functions of the phone). It does not collect any location data of the end user device and since none of the data is personally identifiable, applicable laws don’t require us to collect user’s opt-in consent.
Qualcomm
Denzel
It’s not what you know, it’s what you can prove these days. It’s even difficult to prove water is wet in our current culture if it hasn’t been challenged in the past. In fact, we have some denying water is wet.
User
The key is how to really avoid real-time communication with cell towers.
Harold
In 2024 they continuing feeding “big names” with baseband tracking as usual. #donotbeevil_lol
Arsenio
Perhaps Restore Privacy can conduct a research (assuming you have paid sponsors) and run ads for the research/survey to gauge public interest and concern about mobile phone privacy?
If we look at TikTok and Meta as the major players examples, I’m willing to bet dollars to donuts that most people (with few exceptions) don’t care. They’ve already accepted there’s no privacy while on the internet just like they’ve accepted greed and shrinkflation.