Report on Qualcomm data collection suggests risk of misuse


Editor's note: Bradley Blankenship is a Prague-based American journalist, political analyst and freelance reporter. The article reflects the author's opinions and not necessarily the views of CGTN.

It was recently reported by German security company Nitrokey that U.S. chip giant Qualcomm transmits user information, such as IP address, unique ID, mobile country code and other data sets back to the chipmaker's servers. This is estimated to affect about 30 percent of all mobile phones globally, regardless of the operating system, model or whether it has a SIM card.  

The report by the German company said that the data packages were "sent via the HTTP protocol and are not encrypted using HTTPS, SSL or TLS," which makes them vulnerable to attacks as anyone with access to the network "can easily spy on us by collecting this data, store them, and establish a record history using the phone's unique ID and serial number Qualcomm is sending over to their mysteriously called Izat Cloud." 

It also says that this data sharing is not mentioned in the terms of service from Sony, Android or /e/OS, which is in violation of the European Union's General Data Protection Regulation (GDPR). The firm did not state that this is any kind of "back door" and, in fact, outright denied it was such on a Reddit post. The British tech site "The Register" claims this is "basically a way to make GPS more precise and reliable while reducing the use of energy-intensive radio hardware."

At any rate, even if this is not a back door per se, it still reveals a few things. Number one, this is clearly a violation of many countries' data regulations, such as the EU bloc and China, and could potentially be used by American intelligence for digital forensics. While the U.S. government is not allowed to outright seize data from private firms technically, the government, however, has the right to purchase private data sold by data brokers, who in turn sell data collected by tech firms and various apps.  

The case of Carpenter vs. United States held that the government needs a warrant to compel companies to hand over sensitive location data. However, this does not apply to voluntary data forfeiture, such as selling data on the free market. Government agencies have interpreted Carpenter to mean that they can freely purchase location data for storage and usage in future cases or investigations – whether part of an ongoing investigation or not.  

The Capitol building in Washington, D.C., the United States, March 28, 2022. /Xinhua
The Capitol building in Washington, D.C., the United States, March 28, 2022. /Xinhua

The Capitol building in Washington, D.C., the United States, March 28, 2022. /Xinhua

So far the Courts have not challenged this interpretation, which clearly suspends the Fourth Amendment of the U.S. Constitution that protects against unreasonable searches and seizures. And since legislation from Congress has not kept up to date with technology, and it's unlikely that the current Congress would ever pass legislation restricting Big Tech companies, the Fourth Amendment essentially does not apply anymore. 

The government, and companies themselves, also can't access encrypted data. But since this data is unencrypted, it's essentially fair game for government agencies to purchase on the free market. I think the most important question following the report by Nitrokey is, has Qualcomm been selling this customer data to data brokers? And, if so, who bought it from there on? 

This is actually a major problem in the U.S., with companies selling data that they either collect for legitimate reasons or simply because they can. Facebook, a major social media site owned by Meta, is right now the subject of a class-action $725 million lawsuit impacting hundreds of millions of users who were active in the United States from May 2007 to December 2022. Facebook is accused of making users' data available to third parties without their permission. 

In the case of Qualcomm, one major reason that people might find the company liable to sell or even voluntarily give its data to the U.S. government is that the company actually started out as a contract research and development center for government and security projects. And the company, to this day, is a major U.S. government contractor and, for example, in "to establish an innovative pilot program for the Defense Information Systems Agency (DISA)." 

To be sure, almost every large tech firm in the U.S. has, at one point or another, won or bid for a contract with the defense sector. It is extraordinarily lucrative and any sensible business would jump at the opportunity. Still, when western media consistently accuses, for example, Chinese firms who work with the Chinese military of being intrinsically linked to the Chinese military-industrial complex, doesn't that same logic apply in the United States?  

I think it does. But again, Qualcomm aside, the issue of misuse of customer data and direct or indirect collusion with U.S. intelligence by U.S. tech firms is a deeply systemic issue. And that's why I think that folks around the world ought to be very careful about how they use U.S. technology because of the extraordinarily well-documented risks.  

(If you want to contribute and have specific expertise, please contact us at Follow @thouse_opinions on Twitter to discover the latest commentaries in the CGTN Opinion Section.)

Search Trends