
Go through your family's phone settings and turn on all the privacy features - GordonS
https://twitter.com/matthew_d_green/status/1209500062163832832
======
LeoPanthera
A whole lot of parents are going to be wondering why half their apps don’t
work properly anymore, tomorrow.

~~~
hetspookjee
The Google apps will still probably work but will harass you till you can't
take it anymore and just allow it access. Just now I updated to Android 10 and
Google play prompted me 3 separate times with a pretty serious warning that it
needed access to my SMS to work properly. I turned it down every time and it
still works, though I expect to receive more prompts. I knew there is a
notification settings somewhere to turn these off.

I find it really troublesome that Google is allowed to blatantly lie to their
consumers about the required permission by implying the app is utterly broken
while it actually still works. Next year I'm going for an iPhone but as I can
see it's not the promised land yet.

~~~
izacus
Disabling SMS permission for Play Services will silently break transparent SMS
autofill API for any app on your phone, so the message is more than warranted.
It actually breaks a core component of your phone.

It's not a "blatant lie" if it actually breaks APIs.

~~~
pvorb
What does this SMS autofill API do? I've never heard of it and wonder if it's
needed.

~~~
t0mas88
One use is when you have to verify your phone number for something like
WhatsApp, they send you a text and Google Play will detect receiving it and
skip the step where you enter the code in the app.

So it's a very minor inconvenience that you now have to type a few digits from
an SMS instead of that happening automatically.

~~~
cmroanirgo
But if you think about it, WhatsApp needing your sms is a dark anti pattern
anyway: the only time it needs sms is to uniquely identify you /provide you
with an account. A username/pwd combo does that too. WhatsApp doesn't (or
didn't, last time I used it a few years back) need sms access, let alone your
phone number.

~~~
tripzilch
The alternative is not giving WhatsApp access to SMS, but receiving the SMS
via normal means, and then entering the 5 digit code manually.

My prediction: If people stop allowing this feature becomes even slightly
popular, they're gonna use longer codes "for security".

------
rocky1138
The other day I saw an ad for Barbie on YouTube. I took it as a sign that my
ad blocking methods are working.

~~~
deith
When I go on youtube, my front page is full of the normiest things of my
country. Makes me think... either I'm really good at blocking, or they don't
care enough to actually try harder to track me. Or they do actually track me
hard enough and they are pretending not to by showing me normie stuff, which
gives me false hope about how good I am at hiding my tracks. How far does the
rabbit hole go??

~~~
catalogia
Even when I let youtube track me, I find that they often like to recommend
"normiest" things despite nothing in my view history suggesting I'm into the
things they're advertising. Particularly I mean clips from late night TV
shows, ads for super hero movies, that sort of thing. Very mainstream
corporate content. They know I don't watch that kind of stuff but they keep on
trying.

I don't really get it. I don't think their recommender is that broken, so it
seems to me like they're deliberately injecting those recommendations contrary
to their expectations of what I like. I suspect those videos represent the
content youtube _wants_ me to watch, rather than the content they think I want
to watch. Probably those videos are more profitable for youtube.

~~~
Larrikin
I've had an ad blocker on my computer from day one on my work computer. From
watching exclusively programming conference talks on my work computer their
algorithm has seemed to guess I'm a guy so I get recommendations for
programming videos, action movies, and things featuring large breasted women.
It's pretty annoying for that to constantly show up when I go to the youtube
homepage on my work computer when I've only ever watched conference talks.

~~~
o-__-o
I worked for a content provider who used to market their search as better than
Netflix. Behind the scenes the execs would provide a daily list of what must
be the top X results for specific phrases. Sometimes it was make sure some
title exists as #1 in any relevant searches.

What I’m trying to say is maybe YouTube’s recommendations are very loosely
based off your viewing habits, but they would rather you watch Doug demuro’s
highly monetized channel over randomjoeschmoe’s excellent non-ad enabled
review of a 10 year old car

------
markosaric
This is exactly what I've been doing the last few days. Both phones and laptops.

Switch the default browser to Firefox and change the default search engine
too. Firefox will protect them from all the third-party, cross-site tracking.
It's faster too.

And if this causes an issue for something in the next day or two, you're still
there to help them out plus the previous default browser is still there too.

~~~
Austin_Conlon
Curious, do you switch the default from Safari to Firefox if they're on a Mac?

~~~
johnpowell
My sister has 18 year old twins. They got MacBook Pros as graduation presents.
They both got ones with 128GB drives which has turned into massive
frustration. But we will ignore that for now.

But they both used Chrome. Today I switched them over to Firefox with uBlock
Origin. And with some wankery you can make firefox look like a reasonable
Macintosh application.

[https://i.imgur.com/VaMnux3.png](https://i.imgur.com/VaMnux3.png)

But so far so good. And, as I have commented in the past about the pihole and
when people leave the wifi at home they worried their phones were compromised
because ad people have lost their fucking minds.

So now the twins can have a reasonable internet on their computers.

~~~
rosybox
Will your family members know how to deal with sites that break because of
ublock? I've learned to not "help" people in this fashion, even people I care
about, because unless they understand the software it turns out that this kind
of help just makes using a computer more frustrating for them and they
probably don't even care about these things you're trying to help them with.
I'd ask yourself if you're doing this more for your own sake than for theirs.

~~~
labawi
If some sites or features are broken with tracking blocked, maybe it's a good
thing? Why should malicious sites/services get a free pass siphoning off
and/or infecting devices? This way they are directed towards more respecting
services.

On the other hand, too much frustration is just too much, so you definitely
need to balance.

~~~
rosybox
They could be sites for work, for government business, a school website, or
their doctor's website that is broken when they needed to schedule surgery or
something and they won't have any idea it was ublock that broke it and won't
think to ask you.

Ublock has broken all kinds of sites for me, and I don't know if it's because
these sites used a third party JavaScript library or some video provider or
what, but I know to turn off all the privacy tracking things I have in my
browser when a webpage looks broken, and often that fixes it.

------
drclau
Though, he doesn’t seem to know that literally all settings for a particular
app can be seen in a single place too.

Also, the default behavior is to first ask the user, and with iOS 13 you get
again several notifications from the OS that a particular app used your
location multiple times over the last X days, with a scary map showing where
the app requested the location too, and that’s yet another chance to change
the setting with a single tap. Happened to me with Waze.

Bottom line, his complaints are baseless. And no offense, but if he cares so
much about the privacy of his family, why is he not encouraging them to quit
using FB?

Edit: moved to root, was initially a subcomment by accident.

~~~
hellofunk
I’m using iOS 13 and I’ve never seen what you’re referring to, I wonder how I
can see a history of how location data was used for an app.

~~~
drclau
There’s a screenshot of this feature in action here [0]. It’s about apps using
location in background.

[0]: https://techcrunch.com/2019/09/19/ios-13-security-privacy/

------
yters
Why do so many services request to know my location when it is irrelevant to
the main use case? Also, many times privacy settings screens are opt out instead
of opt in. Why do companies need to know all this stuff about me, when it has
nothing to do with their product that I use? Are they harvesting all this data
to sell to third parties without my knowledge?

~~~
fierarul
> Are they harvesting all this data to sell to third parties without my
> knowledge?

Yes. It's a secondary revenue stream. Even if they don't sell it now, if it
turns out they have a reasonably good dataset they can sell it later on,
especially as the revenue starts dropping.

------
izacus
As an added bonus, visit https://myaccount.google.com/data-and-personalization
with their Google Account and disable data storage there.

Also make sure to enable automatic data deletion under
[https://myactivity.google.com/myactivity](https://myactivity.google.com/myactivity)
and Location History if for some reason you want to keep those on.

~~~
Nextgrid
This is fine if you want to protect against people cracking your Google
account and looking at that data, but it's very naive to think Google
themselves would actually stop collecting the data.

Their business relies on it. They'd still be collecting it and using it as a
signal for ad-targeting among similar nasty things in a plausibly deniable,
not immediately obvious way.

~~~
izacus
This is going into tinfoil hat territory - Google keeping data after promising
deletion would be a massive breach of GDPR and US contract law and would
trivially result in massive fines.

Sure, you don't have to believe what they say; but then again you should also
probably stop using Apple, Microsoft and any other closed software as well.
After all, they collect data too and they could also lie to your face about
what their devices send to the server. It's not a useful way of thinking.

Besides that - explicitly telling Google you don't want data collected is
strictly better (even as a grounds for class action lawsuit) than not telling
them that.

~~~
Nextgrid
Google is already not GDPR compliant, and they've proven they're acting in bad
faith by all the dark patterns they use to get people to surrender their
privacy.

Regarding Apple, Microsoft, etc, their business is based on selling hardware,
software & services. Ads make an insignificant part of their revenue, so
there's less incentive to be malicious and put the rest of the business at
risk for a tiny share of the profits anyway.

Google? Their entire business is based on ads, there is no other way for them
to stay afloat given their current expenses. So there's much more incentive
there to be malicious, and they've got both the lack of morals (cf dark
patterns) _and_ the engineering talent needed to do the bad thing in a covert,
undetectable manner.

~~~
izacus
I think you're vastly oversimplifying the mix of incentives and resulting code
that drives all those corporations. You're letting your bias against Google
blind you against things that Microsoft and even Apple did when they saw
profit. You're also hugely overvaluing the incentive of large corporations to
go directly against the law.

~~~
Nextgrid
> You're also hugely overvaluing the incentive of large corporations to go
> directly against the law.

Google currently is not GDPR compliant. I'm not overvaluing incentives, I'm
just looking at facts.

------
paul7986
At our family gathering for our white elephant gift exchange my present was a
Google Home Hub/picture frame (bought it last year yet no longer want any type
of listening device in my house minus Siri on my phone).

I was sorta surprised that wasn't the most coveted prize of the exchange that
the majority wanted to steal. About half said they didn't want any creepy
listening device in their house.

------
undefined_user6
This link to a recent NYT article about mobile privacy options from the tweet's
comments is also relevant:
https://www.nytimes.com/interactive/2019/12/19/opinion/location-tracking-privacy-tips.html

------
robbrown451
Isn't going through someone else's phone a privacy violation in itself?

~~~
lostlogin
You’re supposed to present them with a 19 page TOS document first, then sell
their data, present them with a completely different TOS and then leave.

------
DavideNL
Quote from the Tweet/thread:

_"And even if you turn off location services for an app, the app may still
get this data by examining the metadata from your photos. (I’m not sure if
iOS13 fixes this.)"_

So is this fixed in iOS13 or not?

~~~
drclau
I cannot answer your question (yet), but I have a question of my own: do
people actually think the location stored in a picture is more important from
the privacy perspective than the content of the picture?

I mean, people upload pictures of themselves, their family members, their
homes, offices, places they visit, to a third party, such as FB. Is really the
location stored in EXIF headers the biggest issue here? Think how much can be
automatically extracted from content these days.

I don’t mean to diminish the importance of the location leak, I just find it
odd what our collective priorities seem to be, even among the tech literate.

------
jijji
There is the wife/husband of your relative who will go and reset those
settings back to enabled for logging/geotracking only because they want to see
where the other is going throughout the day... So even if you disable all this
tracking, sometimes it's beyond their control... Short of changing their
password to block the other person from changing the settings.... One of my
friends switched back to a flip phone because he was sick of arguing about it.

~~~
Cougher
Spouses who mess with their spouses' phone settings, use their spouses' phones
to find out where their spouses have been, and who argue back and forth about
these settings, have fundamental relationship problems that have nothing to do
with phone settings.

~~~
ChrisSD
I'd be very worried about someone that engages in that sort of controlling
behaviour, whatever the state of the relationship may be.

------
eisa01
Making sure their gadgets have the latest software updates is more important.
My mom’s iPhone was stuck on 12.3.1 even though automatic updates was on!

------
dangus
I can see how this whole subject is very difficult for non-technical people. I
think phones should get more of a universal, easy to understand set of privacy
choices that you can simply apply to _all apps_ and only override on a case-
by-case basis temporarily, instead of making it this kind of regular
housekeeping chore.

That said, I'm also surprised a cryptography expert can't figure this all out:

> It’s sort of amazing to me how hard this has gotten, even on iOS, which
> advertises itself as the “privacy” OS.

Let's get this bit out of the way: iOS _is_ the privacy OS. Android apps were
using the _camera_ in the background without user knowledge until Android P:
https://www.theverge.com/2018/3/7/17091104/android-p-prevents-apps-using-mic-camera-idle-background

And what percentage of Android users have Android P or above as we approach
2020? 30%? Less?

In the past, granular permissions _did not exist_ in Android. You were simply
given a list of permissions that any given app would simply use at any time
and you either downloaded the app or you didn't.

Final example: Android lets apps simply write and read to/from the file system
anywhere they want, until very recently (Android 10?). If I'm not mistaken,
that means that any app that's granted permissions to the file system could
just read common storage locations like your Facebook cache directory to
gather personal information.

> My wife asked me how Facebook knew she walked by a particular store
> yesterday, so I dove into the Settings. What a mess.

iOS does not give these permissions away. The answer is obvious: his wife gave
Facebook location access.

> First, there’s this “Privacy” tab in iOS settings, but under it you’ve got
> this ridiculous and ever-growing list of crap. Every app appears multiple
> times, and you have to know where to look.

On the one side of the ring, people ask Apple to make things simpler, and on
the other side of the ring people ask Apple to expose more granular control.
There's no winning here.

And anyway, the organization is quite logical. It's organized by permission
category.

> Browsing the “Location Services” tab alone is a nightmare. There’s no way to
> sort by “Always”, which is usually the particularly bad permission you care
> about. (Although “While Using” is a bit ambiguous too.)

How many apps do you have where sorting is an issue here?

Also, "While Using" is not ambiguous. It means "While Using." The text on the
original dialog was "While Using the App." What else could it mean?

This is an interesting criticism because it's another piece of granular
location control that Android either doesn't have or gained very recently.

> And don’t get me started on this “Bluetooth” tab. Why do any of these apps
> need direct access to my Bluetooth other than crappy tracking?

Both iOS and Android basically gave away Bluetooth access because it was never
assumed that it could be used for anything serious. We all know better now and
Android 10 and iOS 13 _both_ added this piece of granular permission in. I can
tell you that my Sony Headphones app and Apple Music most definitely need
access to Bluetooth.

> And even if you turn off location services for an app, the app may still get
> this data by examining the metadata from your photos. (I’m not sure if iOS13
> fixes this.)

This is not necessarily something "to be fixed," this is simply the fact that
granting access to your Photos grants access to your Photos. If you gave your
photos metadata in the first place, that metadata will be there. I do admit
that I'd love some more fine-grained control over this (although you may
notice that the iOS share sheet _does_ add some control over whether to
include location data in iOS 13 - I wonder if any other popular smartphone
operating systems have this built in and installed on >50% of their install
base?)

~~~
blondin
"while using" IS ambiguous. what does that mean when apps can run in the
background? what is preventing them from accessing the location service then?
i can interact with apps through notifications bubbles, does that count as
using them?

having a set of permissions for each app is not sustainable and annoying.
anything annoying is not going to get done. last time i had to go through all
my apps to make sure they all have the correct permissions for notifications.
i do not want to have to do it again. but i will if i ever factory reset or
get a new phone. why aren't there global sensible options?

some apps won't work if you don't grant access to photos or camera. they claim
to be "camera" or "photo" apps.

are we going to pretend there is nothing to fix here and shift the blame on OP
or his wife? seriously?!

~~~
codeisawesome
Wow, I had no idea that "While Using" meant also that they can access while
running in the background!

~~~
drclau
That’s not what it means. That is what “Always” is for.

~~~
codeisawesome
Ah - glad to hear that - thanks.

------
kareemm
If you give photo album access to eg WhatsApp, can it grab and upload EXIF
data from all of your photos?

~~~
ReverseCold
Yup, that's what the warning is hinting at.

~~~
fretn
Do they have access to your photos when you go to the photo picker when you
want to send a picture or do they have all the time access to your photos once
you gave them permission?

~~~
ReverseCold
There are two ways you can get pictures on iOS.

1. UIImagePickerController - This opens the system image picker and ONLY
returns the user selected image to the application.

2. "Access Camera Roll" Permission - This is what WhatsApp, Facebook, etc.
use so that they can show their own image picker UI. It just gives the app
permanent access to APIs that can retrieve photos.

Both leak EXIF information to the app, but the first one only leaks the
information for a specific picture.
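
An added example, not part of the thread or any poster's code: what "leaking EXIF" means at the byte level, and how a photo can be cleaned before it is handed to an app. The sketch walks a JPEG's segments, reports whether the Exif block carries a GPS directory pointer (tag 0x8825), and drops the Exif segment; the sample bytes are constructed for the test and are not a decodable image.

```python
import struct

EXIF_MAGIC = b"Exif\x00\x00"
GPS_IFD_TAG = 0x8825  # IFD0 tag that points at the GPS sub-directory


def segments(jpeg):
    """Yield (marker, raw_bytes) per JPEG segment; scan data is yielded whole."""
    if jpeg[:2] != b"\xff\xd8":
        raise ValueError("missing SOI marker, not a JPEG")
    pos = 2
    while pos < len(jpeg):
        if pos + 2 > len(jpeg) or jpeg[pos] != 0xFF:
            raise ValueError(f"expected a marker at offset {pos}")
        marker = jpeg[pos + 1]
        if marker in (0xDA, 0xD9):  # SOS or EOI: the rest is image data
            yield marker, jpeg[pos:]
            return
        if pos + 4 > len(jpeg):
            raise ValueError("truncated segment header")
        (length,) = struct.unpack(">H", jpeg[pos + 2:pos + 4])
        end = pos + 2 + length  # length counts its own two bytes
        if length < 2 or end > len(jpeg):
            raise ValueError(f"bad segment length at offset {pos}")
        yield marker, jpeg[pos:end]
        pos = end


def is_exif(marker, raw):
    return marker == 0xE1 and raw[4:10] == EXIF_MAGIC


def gps_ifd_offset(jpeg):
    """Return the GPS IFD offset stored in the Exif block, or None."""
    for marker, raw in segments(jpeg):
        if not is_exif(marker, raw):
            continue
        tiff = raw[10:]
        order = {b"II": "<", b"MM": ">"}.get(tiff[:2])
        if order is None:
            raise ValueError("bad TIFF byte-order mark")
        magic, ifd0 = struct.unpack(order + "HI", tiff[2:8])
        if magic != 42:
            raise ValueError("bad TIFF magic")
        (count,) = struct.unpack(order + "H", tiff[ifd0:ifd0 + 2])
        for i in range(count):
            start = ifd0 + 2 + 12 * i
            tag, _typ, _n, value = struct.unpack(order + "HHII",
                                                 tiff[start:start + 12])
            if tag == GPS_IFD_TAG:
                return value
    return None


def strip_exif(jpeg):
    """Return the JPEG with every Exif APP1 segment removed."""
    kept = [raw for marker, raw in segments(jpeg) if not is_exif(marker, raw)]
    return b"\xff\xd8" + b"".join(kept)


def _segment(marker, payload):
    return bytes([0xFF, marker]) + struct.pack(">H", len(payload) + 2) + payload


def build_sample():
    """Constructed sample: JFIF + Exif (with a GPS IFD) + stub scan data."""
    tiff = (b"II" + struct.pack("<HI", 42, 8)                 # TIFF header
            + struct.pack("<H", 1)                             # IFD0: 1 entry
            + struct.pack("<HHII", GPS_IFD_TAG, 4, 1, 26)      # -> GPS IFD
            + struct.pack("<I", 0)
            + struct.pack("<H", 1)                             # GPS IFD
            + struct.pack("<HHI4s", 1, 2, 2, b"N\x00\x00\x00")  # LatitudeRef
            + struct.pack("<I", 0))
    return (b"\xff\xd8"
            + _segment(0xE0, b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00")
            + _segment(0xE1, EXIF_MAGIC + tiff)
            + _segment(0xDA, b"\x01\x01\x00\x00\x3f\x00") + b"\x12\x34"
            + b"\xff\xd9")


if __name__ == "__main__":
    sample = build_sample()
    print("GPS IFD before:", gps_ifd_offset(sample))
    print("GPS IFD after: ", gps_ifd_offset(strip_exif(sample)))
```

Only Exif APP1 segments are removed; XMP packets, which also travel in APP1 and can carry location fields, are left in place by this sketch.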

------
EastSmith
Mozilla needs to fork Chromium and Android and fix this privacy nightmare.

Or EU should grant a couple of billions to someone to do it.

Privacy should be number one feature for every OS, and every browser.

Either that or we need laws to ban location access and web tracking
altogether.

~~~
Wowfunhappy
Why should they fork Chromium when they already have a highly capable browser
engine?

I'm really glad that Firefox is (barely!) holding back a full-on
Chromium/Webkit monoculture.

~~~
EastSmith
"Mozilla makes browsers, apps, code and tools that put people before profit."
- people are using Chromium, Firefox usage is dropping, so Mozilla should do
the right thing - fork and de-google Chromium and save the web.

Also, I am donating each year real money to Mozilla, without using its
browser. Call it FUD, call it I don't know what, but on desktop I am using
Chrome, with the usual ad-blocking plugins, on Mobile I am using Brave.

------
cdubzzz
The comment about the privacy settings location[0] is a little weird. You can
access the settings by type there or you can just access all the privacy
settings for a single app from the first level of the Settings app by clicking
the app name. Both locations are useful and seem pretty clear and easy to
navigate.

[0]
[https://twitter.com/matthew_d_green/status/12095023270250905...](https://twitter.com/matthew_d_green/status/1209502327025090561)

~~~
spsful
Exactly. And he complains about not being able to search for apps that have
location set to "Always" or "While Using", but it is hardly a bother to scroll
through the list of installed apps and do a once-over to check their location
settings.

He also complains about the "Bluetooth tab" in privacy settings, saying that
companies would only need this permission for "crappy tracking". In essence,
he makes it sound like Apple is in the wrong for having this setting
configurable at all. But has he ever used a phone before? Apps didn't even
need to request permission to use Bluetooth radios in older iOS versions.
Besides, disabling them completely would break functionality for apps that
need to search for bluetooth devices (Smart devices, namely).

~~~
gfxgirl
both Bluetooth and wifi need to be more locked down imo

wifi should require a whitelist of sites an app can access by default. any app
that has WiFi access should not be allowed to scan my network for vulnerable
devices etc.

same for Bluetooth. most apps don't need this at all for anything legit. those
few that do should default to some whitelist of devices they are allowed to
access

Apple/Google/Microsoft should be working to make this happen

~~~
scarface74
Really? That would be a major pain if you had to whitelist sites that an app
could access. Besides, that would be easy to get around. If you only allowed
Foo app to access Foo.com, there is nothing stopping the app maker from
proxying to other sites from the backend.

~~~
gfxgirl
There is something stopping them, cost. I doubt most apps want to pay for me
watching videos that they spawn in an embedded webview so they could spy on my
activity.

What's the pain? Why does every app need access to all of the internet. I know
of no apps I use that need that access except my browsers and I'm fine if
Apple/Google/Microsoft added a new permission

(a) no internet access

(b) access only these sites

(c) full access

I'd only give my browsers full access. You'd be free to give all your apps
full access.

------
namanaggarwal
And while you are at it.. Apply all the security updates as well

~~~
blendo
Also power-cycle everything. Including routers and cable boxes. True, some
systems may not come up cleanly, but at least after patching and rebooting,
they'll fail in the "clean" direction.

~~~
remarkEon
Yep did this with all my dad’s stuff. It’s become something of a Christmas
tradition, which speaks to the completely broken nature of a lot of tech.

------
nesky
This is one way to volunteer yourself to help them with any and all IT needs
on their devices moving forward.

I'm all about helping out on privacy related topics but unless they want to
learn about the how and why you're turning on xyz they won't care in the long
run.

------
DayDollar
I wrote a privacy settings page, that for every turned off option generates a
new privacy setting, making your task truly infinite. Actually, i added a way
to see privacy options as bits, making your turning it off Turing complete.
You can admit defeat at the bottom of the page.

------
bagacrap
I had to do this for my mother's roku powered smart TV.

------
forgotmypw
If Facebook, Instagram, etc. app is installed on the phone, the settings won't
help much.

------
braindongle
A way that we technologists can help people understand the mind-boggling
degree to which Surveillance Capitalism™ [1] is running things is to use code
to pull back the veil. Some are trying to help you to see what's really going
on [2]. Also, I'm thinking of things like automated NLP on terms of
use/service. Phone settings will not fix anything. The genie got out when
Larry and Sergey, in the wake of the bubble burst, said "fuck it, we're an ad
company".

[1]
[https://en.wikipedia.org/wiki/Surveillance_capitalism](https://en.wikipedia.org/wiki/Surveillance_capitalism)

[2]
[https://www.icsi.berkeley.edu/icsi/projects/networking/hayst...](https://www.icsi.berkeley.edu/icsi/projects/networking/haystack)

------
bjornjaja
It’s a shame this has to even happen...

------
finnthehuman
> TL;DR If Apple’s going to advertise itself as the “private” phone, they need
> to do a much better job than this. “At least we’re aren’t Google!” is pretty
> much the best they can say.

It's times like this HN needs to allow the fire emoji.

He's absolutely right and the fact we pretend otherwise is a total fucking lie
that lets everyone feel a bit better about the wretched state of our
industry.

~~~
neotek
For such a wildly ignorant take as "“At least we’re aren’t Google!” is pretty
much the best they can say" I'd suggest the eye roll emoji instead.

------
Scoundreller
OK, but do you have a fake DNA service for me to sign them up for?

------
xcavier
Or maybe get them to install
[https://www.jumboprivacy.com/](https://www.jumboprivacy.com/)

I’ve been impressed with their approach and how they make improving privacy
easier

~~~
codeisawesome
What does Jumbo get out of all this? I couldn't find much info on 2121 Atelier
Inc. (marked as the company I'm agreeing terms with in the ToS). It doesn't
seem like a paid app either... can't trust without this being transparent.

