Data exploitation by design and by default

Our case study of a single low-cost smartphone shows how data exploitation and poor security are often built into the devices that people rely on as their only means of communication.

We discovered multiple security issues with pre-installed apps that can't be updated or deleted. Since the phone is shipped with an outdated version of Android, it comes with known vulnerabilities that will not be patched and that can be exploited cheaply by anyone, from scammers to government agencies.

More fundamentally, though, our findings raise the question of whether cheap phones are at least partially subsidised by exploitative data practices. Aside from Facebook Lite, the apps we highlighted above are all tied to the manufacturer, MyPhone. Some of them offer paid services, which means there will be extra revenue for MyPhone; others, like Brown Portal, are there to promote MyPhone as a brand and encourage the purchase of other devices. Since these apps make use of vast permissions, they also get access to a lot of user data. The fact that some apps contain religious and patriotic content raises questions as to the potential for political parties to exploit cheap phones in countries with limited democratic accountability.

Privacy: a human right, not a luxury

Privacy is a fundamental right guaranteed under the Universal Declaration of Human Rights, at least in theory. In reality, there are stark contrasts between regions that uphold high standards of data protection, and places where users are at the mercy of what we call the data wild west. In some places, like the Philippines, there might be a legal framework in place to regulate the processing of personal data, but the accountability and enforcement mechanisms remain a challenge.

For those who live in the data wild west and can only afford cheap phones as their sole way to access the internet, we're now also seeing that privacy is becoming a luxury that few can afford. While buying a recent Apple phone will guarantee you a secure Operating System (OS) and good encryption, buying a brand new MyPhone, like we did, will leave you with an OS with vulnerabilities left unpatched for years, and apps like MyPhoneRegistration that share your personal data in plain text. Even downloading apps that offer secure communications proved extremely difficult.

What Google and manufacturers should do

It is time for this double punishment to end. Being economically vulnerable should not mean losing your fundamental rights, and companies have a responsibility to protect their consumers. In particular, it is time for Android to confront its duties and obligations: MyPhone is not a random company that happens to be using the open source Android OS; it's an official Android certified partner.

Android claims that certified partners are "Play Protect certified Android devices [that] are tested for security and performance and pre-loaded with Google apps". The device we looked at is not only insecure, but it's also pre-loaded with apps that cannot be found on the Google Play Store. This, and the fact that the phone comes with an outdated version of Android, raises questions about the criteria Google applies to certify partners.

Ultimately, pre-installed apps undermine the Android brand, especially when certified partners pre-load their phones with insecure apps that scoop up large amounts of user data. It's up to Google to make sure that manufacturers using their trademarks don't sully their brand, and don't take advantage of customers who can only afford cheap phones.

Phone companies themselves, however, should not escape responsibility. While technology needs to be accessible to all, our human rights should not be the price we have to pay for it.

Jam Jacobs of the Foundation for Media Alternatives said the following about Privacy International's research:

