OnePlus can't catch a break lately. While it's made some legitimate mistakes (eg. the credit card hack), there have also been some incidents where hysteria took precedence over common sense. That was the case with the clipboard story a few weeks back, and now there's another clipboard-related accusation making the rounds. A Twitter post claims OnePlus is identifying and uploading clipboard data like bank account numbers to a Chinese server, but the company says this is incorrect. The file in question specifically stops the OS from monitoring certain types of data, and it's not even active in OxygenOS.
The apparent misunderstanding comes down to a file in the OxygenOS beta called badwords.txt. You can get a rundown of what it contains in the Tweet below. In the resulting Reddit thread, most everyone was happy to hop on the bandwagon and blame OnePlus.
In these words, we can find: Chairman, Vice President, Deputy Director, Associate Professor, Deputy Heads, General, Private Message, shipping, Address, email, ...https://t.co/ePQvD1citn pic.twitter.com/3dCh0joVkH
— Elliot Alderson (@fs0c131y) January 25, 2018
This time, the company is wasting no time issuing a clear explanation of the situation. Here's the official statement.
There’s been a false claim that the Clipboard app has been sending user data to a server. The code is entirely inactive in the open beta for OxygenOS , our global operating system. No user data is being sent to any server without consent in OxygenOS.
In the open beta for HydrogenOS, our operating system for the China market, the identified folder exists in order to filter out what data to not upload. Local data in this folder is skipped over and not sent to any server.
The allegation is that OP uses this file to identify data to upload to a Chinese server. According to OnePlus, badwords.txt is actually a blacklist file—it tells the OS not to monitor matching data for its smart clipboard service. You're probably not familiar with that feature because it's only used in China as part of HydrogenOS. It was originally developed as a way to get around blocking of competitor links in Chinese messaging services like WeChat, and there's no reason to do that in the US. So, the code is inactive in OxygenOS.
So, it sounds like OnePlus' only mistake here was including files from HydrogenOS in the OxygenOS beta. The code is inactive, but it's bound to confuse people. Everyone is watching OP closely right now and ready to believe the worst, but the company didn't do anything shady with your clipboard data. It's also important to remember this is beta software. It's possible the inactive (and harmless) HydrogenOS bits won't even be in the final software. Hopefully, OP can keep these builds separate in the future to reduce confusion.
We should absolutely keep an eye on device makers to ensure nothing untoward happens. After all, we're trusting OEMs with a lot of personal data. At the same time, let's not get carried away and turn this into a witch hunt.