Do Qualcomm chips pass private information to the US government?

Verdict: Misleading
By Shen Ke for Asia Fact Check Lab
2023.11.29
Washington
Do Qualcomm chips pass private information to the US government?
Photo: RFA

Updated Dec. 04, 2023, 10:15 p.m. ET.

Chinese-speaking social media users claimed that phones equipped with Qualcomm chips are “secretly transmitting” users’ personal information to U.S. authorities, citing a report published in May.

But the claim is misleading. The report, written by a German open source security hardware firm, in fact said chips made by Qualcomm can send metadata – information about personal communications – back to the company itself, not the U.S. government. Experts told AFCL that data sent to a U.S.-based server is not automatically accessible to American authorities either in a technical or legal sense.

The claim was shared here on Chinese popular social media platform Weibo on Nov. 7. 

“A German information security firm has released a report claiming that mobile phones using Qaulcomm smart chips transmit personal information to relevant departments in the U.S. without the user’s permission,” the claim reads. The term “relevant departments” is widely used in China’s official context to refer to governmental departments.

Qualcomm is an American company known for designing and manufacturing semiconductors, wireless telecommunications products, and services, primarily known for its Snapdragon series of smartphone processors.

The claim was shared alongside a screenshot of what appears to be a news report. Its headline reads: “Smartphones With Popular Qualcomm Chips Secretly Share Private Information With the US Chip-Maker.”

A keyword search on Google found the report was published by Nitrokey, a Germany-based open source security hardware firm, in May. 

1.png
An influencer on Weibo claimed that phones using U.S. chips are sending data back to “U.S. authorities.” (Screenshot/Weibo) 

Similar claims, citing the same Nitrokey report, were also shared by official Chinese media and other influential users on popular Chinese social media platforms. 

But the claim is misleading. 

Nitrokey report

A close look at the report found that it made no mention of phones equipped with Qualcomm chips secretly transmitting users’ personal information to U.S. authorities.

Instead, the report said chips made by Qualcomm can send metadata – such as the device’s IP address, country code, operating system and installed software associated with its GPS service – back to the company itself, not the U.S. government. Qualcomm’s terms of service also openly state this. 

2.png
The original article on NItrokey only stated that data was being sent back to Qualcomm. It did not suggest that the data was shared with or directly sent to U.S. authorities. (Screenshot/NitroKey) 

3.png
Qualcomm’s terms of service outline both what data its location service collects and when it can share such data. (Screenshot/Qualcomm) 



NitroKey told AFCL that the original article only investigated and found the sharing of metadata had taken place in a phone using a chip designed by Qualcomm, confirming that its team found no evidence of data being sent to U.S. authorities. 

Data sent to a U.S. server is not automatically accessible to U.S. authorities either in a technical or legal sense and companies do not normally just route away all data they collect back to U.S. government intelligence agencies, according to William Budington, a senior staff technologist at the Electronic Frontier Foundation, a nonprofit digital liberties organization.

“It is possible, but not [that’s not] normally how the U.S. government collects information. I’m not aware of any instance where a chip manufacturer automatically siphons information directly to the intelligence community,” said Budington. 

Qualcomm has not responded to AFCL inquiries concerning the claims as of this writing. 

Lack of regulations

Metadata has the potential to reveal personal information about individuals or aid governments in tracking and targeting significant figures, but there is a lack of a broad federal law that safeguards against the collection of personal identifiable information in the United States.

“It’s all too common a practice for device firmware to be sending out all sorts of data to third parties out-of-the-box,” said Budington. “There is no federal data privacy law [in the U.S.].”

In recent years, various states like California, Colorado and Connecticut have enacted data privacy laws. These regulations provide protections for metadata comparable to those for PII, categorizing any data that can be connected or associated with a specific consumer or household, including IP addresses, as personal information.

4.png
California and other U.S. states have defined information that can be linked or associated with a given person as personal information. This includes IP addresses.  (Screenshot/California Legislative Information)

Edited by Taejun Kang and Malcolm Foster.

Updated to clarify the translation of the social media claim.

Asia Fact Check Lab (AFCL) is a branch of RFA established to counter disinformation in today’s complex media environment. Our journalists publish both daily and special reports that aim to sharpen and deepen our readers’ understanding of public issues.

POST A COMMENT

Add your comment by filling out the form below in plain text. Comments are approved by a moderator and can be edited in accordance with RFAs Terms of Use. Comments will not appear in real time. RFA is not responsible for the content of the postings. Please, be respectful of others' point of view and stick to the facts.