
Verizon announces plans to install a download-tracking app on its Android phones - ziszis
https://www.eff.org/deeplinks/2017/03/first-horseman-privacy-apocalypse-has-already-arrived-verizon-announces-plans
======
Taek
Between the Google play store, Android's general insecurity, and now cell
carriers actively pushing spyware, what alternatives exist?

And please don't say iOS. It's closed source, which means we really don't know
what's going on under the hood. We may trust it today, but one secret court
order + an overnight update is all we need to lose everything with iOS. Apple
execs may not even be made aware of such an update if the order was delivered
to the engineers directly.

What are my options such that I'll actually feel comfortable when I sleep at
night? My phone knows everything. All my emails (which can typically be used
to get into everything else), all my contacts, all my calendar events, where I
go every day, and I'm even paranoid that it records all of my conversations.
This isn't schizophrenia, we know that devices record people's conversations
without their knowledge. A phone doing the same is just one step away.

So what can I do? How can I get some sanity and security around my mobile
life?

Would be a great step to have a phone that:

+ Fully open source. (Sorry Android you don't count)
+ Hardware switch for mic
+ Hardware switch for location services

Or at least a phone that is beginning to move in that direction? Should I just
stop using my phone?

~~~
rsync
"Between the Google play store, Android's general insecurity, and now cell
carriers actively pushing spyware, what alternatives exist?"

There are no alternatives until we have an open baseband.

Every objection you state in your comment about android (and iOS) is dwarfed
by the objections you would have if you truly understood the _two other
general purpose computers inside your phone that you have no control over_ -
namely, your baseband processor and your SIM card.

Your carrier _owns you_. Your carrier owns you more deeply than any spyware
author ever dreamed of owning you.

Your carrier can upload and run arbitrary java applets onto your SIM card
without you ever knowing. Your carrier, depending on which SOC you have and
how it is implemented, can access your CPU and memory _directly_. As in, read
the passphrase of your cutesy encrypted chat app _as you key it in_.

We cannot begin to speak of a secure mobile platform or any kind of open
source mobile platform until we have an open baseband and control our own SIM
cards. We are very, very far away from this.

In the meantime, you have two choices:

1. treat your mobile device as fully compromised and behave accordingly. This
is what I do.

2. Buy a non-cellular mobile device (for instance, the old "samsung galaxy
player" devices that have no mobile chipset or SIM card) and insert a cellular
modem into the USB port and segregate that function there, and use VOIP
software. This actually sounds sort-of workable except for one interesting
problem - in addition to handling cellular communications, the baseband _also
handles voice quality_ like noise cancellation and so on that also needs to be
done in real-time and not interrupted by userland events ... and so your
actual voice quality will drop as a result of using VOIP on a handset.

~~~
M_Grey
I just use my cell phone as a phone... just a phone (it's not a smartphone);
the rest I do on a device that isn't networked. The convenience of a
smartphone comes with far too many hooks in my opinion.

~~~
maxerickson
The tower pings are for many users just as damaging as all the paranoid
fantasies people protect themselves from.

Like how many people with legitimate concerns about baseband tampering can
safely carry a dumb phone?

------
cwyers
"UPDATE: We have received additional information from Verizon and based on
that information we are withdrawing this post while we investigate further.
Here is the statement from Kelly Crummey, Director of Corporate Communications
of Verizon: 'As we said earlier this week, we are testing AppFlash to make app
discovery better for consumers. The test is on a single phone – LG K20 V – and
you have to opt-in to use the app. Or, you can easily disable the app. Nobody
is required to use it. Verizon is committed to your privacy. Visit
www.verizon.com/about/privacy to view our Privacy Policy.'"

------
ziszis
Verizon's plan when buying AOL [0] wasn't to become a media company, but to
become a leader in ad tech. The way to lead in ad tech is to control data.
Technology alone is not a moat.

Verizon has made several attempts at unlocking the carrier data including the
short-lived header injection [1]. Phone data is the holy grail of data
(location, voice conversations, web browsing, apps, address, and potentially
purchase history in the future) etc. Let's see if they have a winner this time.

[0] [http://fortune.com/2015/06/24/verizon-gains-aol/](http://fortune.com/2015/06/24/verizon-gains-aol/)

[1] [https://www.eff.org/deeplinks/2014/11/verizon-x-uidh](https://www.eff.org/deeplinks/2014/11/verizon-x-uidh)

~~~
teaneedz
Yep. The reason why we are in this mess and attack on Internet privacy is
because of Ad Tech.

We need to get developers to stop supporting ad tech. The stigma of working in
ad tech needs to result in enough stink on one's employment history that it's
not worth the hassle.

~~~
philipov
Stigmatizing one's employment history only impacts people who are trying to
switch from advertising to a different industry. This means it has the effect
of locking employees into staying in advertising.

I understand that the logic goes that people will avoid going into advertising
in the first place if it limits their employment choices, but that assumes
there isn't enough work to stay in advertising. If advertising is already a
profitable career path, switching industries _later_ is not a significant
consideration _now_ , and your proposal actually makes it easier for
advertisers to hold onto talent.

We should be encouraging people to get out of advertising, not stigmatizing
it.

~~~
teaneedz
Perhaps you're right - though Flash developers had to adjust.

Ad tech really needs to go.

------
jaredandrews
Verizon is the only cell company that has coverage in my home town in central
Massachusetts. Thus I have used them all my life.

I recently had my first "positive" customer service experience with
Verizon switching to their unlimited plan. My bill dropped significantly.
($120 base -> $80 but really $200 -> $80 because I always go over on data)

I just noticed that I have a "phone upgrade" waiting as well. I am an Android
dev and typically just buy unlocked phones when I need them and switch SIM
cards. This sort of shit is why. Even as it is, Verizon branded phones are
filled with crapware you can't delete. It sucks knowing that thru my monthly
bill that I am subsidizing a "phone upgrade" program that I am never going to
take advantage of due to the way Verizon molests Android before giving you the
phone.

~~~
moltenbobcat
Surely they are going to be loading it using Carrier Configuration tied to the
sim card... As soon as you put a verizon sim card into your unlocked non
verizon phone it installed a bunch of helper apps.

[https://source.android.com/devices/tech/config/carrier.html](https://source.android.com/devices/tech/config/carrier.html)

~~~
jaredandrews
Very interesting, thanks for pointing out. As far as I can tell nothing was
installed by Verizon on my most recent phone. I was using it as a dev device
before using it as my primary phone, so I was pretty aware of what was
installed on it. This was over a year ago and I think I started with a 5.X
version of Android. Will have to see what happens next time I switch phones...
welp.

~~~
criddell
Because of these kinds of shenanigans, I'm seriously thinking about an iPhone
for my next phone.

If Verizon did all this stuff on an opt-in basis, I'd have no problem with it.
If it were opt-out, I'd be grumpy, but would probably deal with it. When it's
required, I'm going to be looking for alternatives.

------
kylehotchkiss
Not trying to be an Apple fanboy here, but at least apple can generate revenue
without resorting to something this low.

Guess they gotta make sure Mr. McAdam can earn his $18,000,000 check.

~~~
cdurth
What does apple have to do with this?

~~~
matt_wulfeck
They fought hard to create a platform where this type of thing doesn't/can't
happen.

~~~
cdurth
IMO, it is very ignorant to think they are not getting the data from apple.
They just have the ability to openly do it on their own with android.

~~~
_jal
If you can demonstrate that, you could use that knowledge to make a ton of
money in various ways.

If you can't, bluntly, you're blowing smoke.

Which is it?

~~~
matt_wulfeck
The FBI paid $1 million to "get the data from apple", and that was a phone
that was several generations of hardware and software security updates old. If
you have a magical iPhone exploit, there are people who will pay you a _lot_
of money.

------
ISL
Disclaimer: I own Tucows shares.

Ting, a MVNO and ISP, views customer privacy as an important value.

While Ting may not be able to prevent their upstream mobile providers from
bundling such an app, everything I've seen from the company would lead me to
believe that Ting would fight it as best it can on principle.

[https://ting.com/blog/congress-votes-repeal-broadband-privac...](https://ting.com/blog/congress-votes-repeal-broadband-privacy-rules/)

Also, Ting voice and SMS roam on the Verizon network. Less expensive, too.

------
tabeth
Is this really that different from Verizon phones having Google services
enabled by default (if that's even true -- I don't use Verizon)? Why is
Verizon spying on you any worse, or better than Google or Facebook?

No one should spy on you. Period.

~~~
jaywunder
The reason why I'm okay with Google, but not Verizon spying on me is because I
pay Verizon but I don't pay Google. Verizon shouldn't have to sell my data for
more money because they already charge money for their service. If their
service is too expensive then Verizon can charge more money. However Google
gives me services for free so I expect they'll sell my data to other
companies.

~~~
criddell
I actually feel like I'm getting something in return for letting Google index
my personal data. I also trust Google far, far more than any ISP (wired or
wireless) that I have used.

~~~
Bartweiss
I also have faith that Google won't accidentally expose my data to the entire
internet - or at least, they'll only fall to vulnerabilities that affect
everyone.

Verizon's ethics aside, I have no real trust in their competence to keep data
to themselves. I've dealt with their website, I've read the stories of people
getting their accounts hijacked because Verizon can't handle verification
right, and all the rest. I don't want a side channel to track my downloads,
location, and god knows what else because I expect it'll be compromised _far_
faster.

~~~
criddell
That, and the telcos have a history of being very helpful to the government.
I'm thinking about
[https://en.wikipedia.org/wiki/Room_641A](https://en.wikipedia.org/wiki/Room_641A).

Google seems to do a better job protecting their network and defending user
security.

~~~
Bartweiss
Another good point. Even assuming that Google has lots of government ties and
no real respect for privacy, I still don't expect them to roll over with no
discretion whatsoever. I pretty much expect Verizon to do like AT&T and
surrender all their user data unprompted.

------
exabrial
The link says this is related to the repeal of the FCC ruling, I fail to see
that connection, however. What in the repealed rules prevented them from
installing spyware on your phone? They already seemed to have the ability to
do that.

~~~
Mithaldu
They're just stating correlation, not causation.

~~~
exabrial
Gotcha. I wish at some point we could get to the point where I actually can
uninstall things on the things I buy :(

------
hprotagonist
for now, i am nice and cozy in my iOS walled garden. The advantages of doing
business with hardware companies is that it's much more clear that i'm paying
them scads of money for a handset, instead of any other financial transaction.

~~~
gcb0
surprise surprise. apple also is an advertising company.

[https://support.apple.com/en-us/HT205223](https://support.apple.com/en-us/HT205223)

~~~
ocdtrekkie
Apple has an advertising service, yes. But Apple's revenue primarily comes
from hardware. Apple is ergo, a "hardware company" that has additional
services. Whereas over 90% of Google's revenue comes from ads, Google is an
"advertising company" that also sometimes makes software. (Microsoft, by this
definition, is a "software company".)

This is key because companies are going to make decisions based on what keeps
them in business. Apple would place its hardware sales over its ad business
in a heartbeat, whereas Google would abandon Android before it would give up
on ads, because that's its entire business.

My hope is that companies that don't place advertising as a core part of their
business can be convinced that there is a market in privacy-oriented products,
and that competing on advertising isn't worth it.

~~~
gcb0
the executive driving ad revenue has the same problems and opportunities as
the people driving ad revenue at Google or Facebook.

convince yourself all you want of your fantasy, in the end each business unit
has their own rules. and jobs is not there anymore.

------
JustSomeNobody
Aren't there protections in place for advertising and children? Parents buy
phones for their children, so will parents be able to turn this off for them?
Verizon has NO business tracking children.

~~~
gcb0
they will fix it just like everyone else. see Facebook. just add a "must be
18" to the eula nobody ever read. and then blame the parents if you did track
kids.

------
rhino369
Spyware on my google phone! Why I never!

------
tbrock
Googlers of hacker news: stop allowing this.

~~~
alphonsegaston
Google lobbied against the FTC rule change that blocked this under Obama, so I
think it's far past time we believe them to be acting benevolently on our
behalf. It's sad how things have evolved and how many smart, talented people
have been swept up in this. But we have to organize and act outside the
context of corporate appeals if we want to resist this kind of stuff.

------
swiley
When people say it's no big deal that Android is hard for the user to compile,
control, and modify, remember this.

~~~
mtgx
Ironically, this is mainly happening because Android is so "open" (to carriers
and OEMs). Android's openness was never intended to be for _users_ (if we're
talking licenses and such, not feature-wise, which is just a design decision
Google makes, like whether or not to have more advanced camera menus, and so
on).

It's hard to say whether Google would sell everyone's Android data anyway,
if it had 100% control over Android, but I imagine it wouldn't let carriers or
OEMs add whatever tracking apps they wanted on the devices.

------
devnullmonkey
I rang up Verizon Wireless this morning and asked to speak with a supervisor.
I use a Google Pixel. I told the woman that came on the line my fear of
AppFlash not only ruining the security of my mobile phone, but molesting the
beauty that is pure Google Android.

At first the lady was perturbed that I called, but after calmly explaining to
her what was at stake, she actually seemed to agree with me it was a problem.
I pray she gets to keep her job, considering she agreed with me on a recorded
line.

The takeaway from her is that Verizon does not plan on soiling Google Pixel
devices due to their deal with Google to keep the ecosystem clean and allow
Google alone to push software updates to the Pixel line. I'm praying this is
the real story and I won't come to learn my phone has been infected with
spyware.

------
noxToken
Is this truly just an app or is it functionality tied to base OS
configuration? If it's the former, I should be able to uninstall via root like
all the other bloatware crap, correct?

~~~
bichiliad
If it is the former, don't forget that having a rooted phone likely puts you
in the minority. Most people don't have the patience or confidence in their
technical abilities to root their phones.

~~~
chrisper
There is also the fact that the Verizon version of the Pixel is not rootable
as they locked down the bootloader.

~~~
i_cant_speel
Same with the Galaxy S7.

------
danepowell
Can anyone speculate what will happen if I'm using an unlocked Google device
(Nexus 5X) on Verizon? Will the new app be force-installed somehow? And can it
be removed?

~~~
Paul-ish
Someone else said elsewhere*

>Surely they are going to be loading it using Carrier Configuration tied to
>the sim card... As soon as you put a verizon sim card into your unlocked non
>verizon phone it installed a bunch of helper apps.

>[https://source.android.com/devices/tech/config/carrier.html](https://source.android.com/devices/tech/config/carrier.html)

[1]
[https://news.ycombinator.com/item?id=14004304](https://news.ycombinator.com/item?id=14004304)

------
exabrial
UPDATED:

[http://www.msn.com/en-us/news/technology/eff-withdraws-veriz...](http://www.msn.com/en-us/news/technology/eff-withdraws-verizon-spyware-claims/ar-BBz7Qmh)

------
zelos
Increasingly in the U.K. I've noticed it's significantly cheaper to buy an
unlocked phone and get a SIM only plan. Surely it's a bad idea for networks to
make their own phone even less attractive?

------
ourmandave
Well at least they're up front about it instead of hiding it behind a terms of
service or whatever. Doesn't make it right though.

------
dboreham
They probably won't now ;)

------
zpr
Can you hear me now? - Yes.

