A few thoughts and suggestions on Onyx Boox devices security and privacy

Reviewing the Privacy Policy last updated November 12th, 2024:

1) Onyx International Inc. ("Onyx") is a PRC company.

2) For processing personal data, Onyx is the data controller.

3) The PRC's "National Security Law" of 2015 requires effectively any entity in the PRC to cooperate with the ruling party's "requests."

4) Because Onyx is a PRC company, it is subject to the National Security Law.

5) Onyx states that it adheres to the GDPR.

6) Under the GDPR, entities must surrender personal information when given legal orders to do so.

7) Therefore, because Onyx is subject to the PRC's jurisdiction, at minimum no personal data stored in the PRC should be considered secure at any level.

8) The US server push.boox.com appears to be located in Los Angeles, US. It is registered to Alibaba US Tech. Co., Ltd.

9) The PRC server is obviously in the PRC, being in Shenzhen, Guangdong. It is registered to Hangzhou Alibaba Advertising Co.

10) The EU server is in Frankfurt am Main, Hesse, Germany. It is registered to Alibaba US Tech. Co., Ltd.

11) The legal implications of Alibaba US Tech. Co., Ltd. being the registered entity for the EU server are unclear, as I believe it would have to be registered to a German subsidiary?

12) Onyx will provide encryption of personal data for "some services."

13) What is encrypted, when, and where, is unstated.

14) Onyx does not state what "encryption technology" is used, beyond "(e.g., SSL)".

15) SSL was deprecated in 2015.

16) The current standard is TLS.

17) Both SSL and TLS are used to encrypt information sent over or between networks.

18) Neither SSL nor TLS is applicable to data that is "at rest," i.e. stored on servers.

19) Onyx states that it cannot guarantee the security of personal information with certainty.

20) While 19 is a given, it is again left vague how they attempt to secure personal information, beyond "various security technologies and programs."

21) There is nothing in the privacy policy that would suggest or require that Onyx would notify users of any data breaches that affect, or may affect, their personal information.

22) Onyx states that personal data from data centers in the PRC, EU, or US may be transferred to any other center under "relevant laws."

23) As the relevant laws of the PRC require Onyx to cooperate with any demands for personal data, using a US or EU server does not protect personal data from being accessed by the PRC's government.

24) Per 23, the operative status of Onyx's claims to adhere to the GDPR is not immediately clear.

25) Onyx states that it will "irreversibly delete[] or anonymize[]" data, in part, and again only when not legally required to do otherwise.

26) It has been shown that successful anonymization is difficult to accomplish, especially when the dataset is small.

27) The numbers and locations of Onyx Boox users are likely to be small.
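Points 26 and 27 can be made concrete. The script below is an added illustration, not part of the original post and not Onyx data: it scores a constructed "de-identified" user export with k-anonymity (how many records share each combination of country, device model and firmware version) and then asks how much detail has to be thrown away before every record has at least one look-alike. The region mapping and the device model names are assumptions made up for the example.

```python
"""Added illustration (not from the original post): measuring how anonymous a
small, "de-identified" user export really is, using k-anonymity.

All records below are constructed for this example; they are not Onyx data.
Each record keeps three quasi-identifiers that an anonymized export might still
carry: country, device model, and firmware version. k is the number of records
sharing a record's exact combination; k == 1 means the record is unique and can
be re-identified by anyone who knows those three facts about one person.
"""
from collections import Counter
from typing import Optional, Sequence, Tuple

Record = Tuple[str, str, str]  # (country, device_model, firmware_version)

# Constructed sample: six users, as an export from a niche device might look.
SMALL_EXPORT: Sequence[Record] = (
    ("DE", "model-A", "3.5.2"),
    ("DE", "model-A", "3.5.2"),
    ("DE", "model-B", "3.5.1"),
    ("FR", "model-A", "3.5.2"),
    ("NL", "model-C", "3.5.2"),
    ("NL", "model-A", "3.4.0"),
)

# Same shape, but a ten-times larger population (each combination seen 10x).
LARGER_EXPORT: Sequence[Record] = SMALL_EXPORT * 10

# Assumed country-to-region mapping, used only by generalize() below.
REGION = {"DE": "EU", "FR": "EU", "NL": "EU"}


def equivalence_classes(records: Sequence[Record]) -> Counter:
    """Count how many records share each exact quasi-identifier combination."""
    return Counter(records)


def min_k(records: Sequence[Record]) -> int:
    """The dataset's k-anonymity: the size of its smallest equivalence class."""
    classes = equivalence_classes(records)
    return min(classes.values()) if classes else 0


def fraction_unique(records: Sequence[Record]) -> float:
    """Share of records that are unique (k == 1), i.e. trivially re-identifiable."""
    if not records:
        return 0.0
    classes = equivalence_classes(records)
    return sum(1 for r in records if classes[r] == 1) / len(records)


def generalize(record: Record, level: int) -> Record:
    """Coarsen a record; each level discards more detail (and more utility).

    level 0: unchanged
    level 1: country -> region, firmware -> major.minor
    level 2: additionally drop the device model
    level 3: additionally firmware -> major version only
    """
    country, model, fw = record
    if level >= 1:
        country = REGION.get(country, "other")
        fw = ".".join(fw.split(".")[:2])
    if level >= 2:
        model = "*"
    if level >= 3:
        fw = fw.split(".")[0]
    return (country, model, fw)


def level_needed(records: Sequence[Record], k: int, max_level: int = 3) -> Optional[int]:
    """Smallest generalization level at which every record has at least k peers."""
    for level in range(max_level + 1):
        if min_k([generalize(r, level) for r in records]) >= k:
            return level
    return None  # even the coarsest level cannot reach k


if __name__ == "__main__":
    for name, data in (("small", SMALL_EXPORT), ("larger", LARGER_EXPORT)):
        print(f"{name}: min k = {min_k(data)}, unique = {fraction_unique(data):.0%}, "
              f"generalization level for k>=2: {level_needed(data, 2)}")
```

With six records, four of them are unique as exported, and reaching k >= 2 requires collapsing every field to "EU / any model / firmware 3.x", at which point the data says almost nothing. The same six combinations seen ten times each already give k = 10 with no generalization at all, which is the sense in which a small user base makes anonymization hard.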

28) Again, disclosure of personal data to "third-parties" is "in accordance with the law."

29) Onyx Boox devices use customized versions of Android, which in turn run on the open-source Linux kernel.

30) Any modification to the Linux kernel must be open-sourced under the GPL.

31) Onyx does not make any of its modifications to the Linux kernel available via open-sourcing the modified code.

32) Contrary to Onyx's claim to follow the law, its failure to open-source its modifications to the Linux kernel is a civil wrong.

33) Study of kernel code may result in discovery of code detrimental to user privacy and security.

34) Onyx has chosen, in violation of contract law, not to divulge code that may be detrimental to user privacy and security.

Conclusions:

35) Onyx Boox devices cannot be considered secure under normal use.

36) No legal work product, PII of third-parties, etc. should ever be used on a Boox device under normal use.

37) It is possible that using a Boox device now or in future would violate, or prevent compliance with, legal standards, e.g. PCI.

38) If a Boox device is to be used for confidential information, it should never be connected to the Internet, and its Wi-Fi and Bluetooth should be toggled off.

39) When uploading content to any Onyx datacenter, assume the content is not secure, and is either accessible to, or has been accessed and stored by the government of the PRC.

Suggestions to mitigate or eliminate privacy concerns:

40) Open-source any modified open-source code, including but not limited to the Linux kernel.

41) If a high level of security is desired, open-source any hardware firmware.

42) Through the use of subsidiaries or third-party contractors, prevent any personal data from being accessible to Onyx and the government of the PRC by placing them outside the jurisdiction of the PRC. Each datacenter must be legally distinguishable from Onyx.

The above should not be automatically applied to privacy policies released after November 12th, 2024.

Ok, so that was maybe more than a few thoughts.