With all that in mind, I’m curious how much of that data does Firebase, aka Google, share with all the rest of its services. Does enabling location tracking suddenly causes Firebase to report location data without our knowledge? Does enabling calendar access suddenly cause Firebase to read the calendar data on its own and report that, too? I’m not at all accusing Firebase of doing anything without knowledge and maybe it may be a “good citizen” with regards to how it manages and accesses (or doesn’t, even if it can) private data but I’m confident that that’s not the case with every third party tracker.
> Does enabling calendar access suddenly cause Firebase to read the calendar data on its own and report that, too?
These are good questions to be thinking about. As for Firebase specifically, I have never seen it automatically collect additional data based on user-granted permissions (at least in iOS apps).
However, there may be a few other SDKs with this sort of issue. It is important for app developers to be careful of this.
For example, when working on similar location tracking research (see: https://guardianapp.com/research/ios-app-location-report-sep...), I noticed that quite a few prominent apps use an SDK from “Braze” (https://www.braze.com/), and if location permission was granted to the “host” app, the SDK automatically sends back the user’s GPS coordinates when communicating with the Braze API. I remember at least one such app developer had no idea Braze was doing that and rushed a fix out soonafter to make it stop sending the GPS information to Braze.
I hope we see more pressure on analytics companies to offer more open source SDKs instead of compiled binaries and headers. This sort of issue would be easier to spot and deal with, instead of being unsure what exactly the SDK was doing.
On the plus side I think more and more developers and users are becoming aware of the dangers and the actual cost to their privacy and/or brand that these 'free' things expose and so it will perhaps get better.
Compared to the budding nightmare I see coming from that direction, merely losing your nudes, while a more acute problem, will have nothing on the chronic changes that's going to bring.
I don't care (that much) about my privacy, I care about everyone's privacy.
But yea, it's going to take a long time. And it's going to be a crazy ride.
I got angry at some things. For instance, ISP app should provide me information about data consumption and means to buy more. However, it decided to do more things behind the scenes, in addition to doing the tasks it was supposed to in a overly complicated manner—requests travelled back and forth over multiple servers over multiple companies before it did anything.
After this exercise, I realized how great it would be if these companies had to provide a clean and well documented API. Users could implement their own apps, liberating themselves from having to trust their private data and resources to companies that would care less if, if allowed.
That's why we don't have those APIs. It's not in the interest of any company to make itself more interoperable. This would allow users to develop ways at getting directly what they want and paying the sticker price, without being exposed to all kinds of garbage. Problem is, this very garbage is an important, and sometimes primary way companies make money.
Put another way: most companies aren't your friends, they're here to abuse you. Hold on tightly to the rare ones that are friendly.
How much would it cost me to have a phone with all trackers turned off? (Or, perhaps, routed through a core application that requires whitelisting?)
If you do not want to root your device:
1. Install NetGuard or No Root Firewall to view what's going on from network perspective.
2. Install ExodusPrivacy to generate a report on apps wrt sdks in use by them.
If you are okay to root the device:
1. Install XposedMod, and then XPrivacyLua module, and work through the options.
If you're okay with flashing a ROM:
1. Consider LineageOS + microG
2. If you are using Pixel, consider ChromeheadOS (edit: CopperheadOS) .
If you're okay with a new device:
1. Consider purchasing puri.sm Librem 5.
For example, did you know that many shopping malls track you with license plate readers? Did you know that your credit card transactions are up for sale? Or that your cell phone provider will give up your location to a third party with a flimsy consent?
Bruce Schneier has written a book on the topic, and you can view him speak on it here: https://youtube.com/watch?v=GkJCI3_jbtg Highly recommend it.
I'm no expert but I do not agree with the 'failing battle' part... still quite a way to go in that regard, I think, specifically because the Math behind crypto hasn't failed us yet (ocassionally, the implementation has) and because the government agencies themselves need tech that helps them stay underground (Tor, for instance, continues to get funding from the US Government).
Is it getting difficult? Yes, absolutely. People still hold the 'nothing to hide' stance and most are okay giving up privacy esp if it means their life becomes a little more secure and things get more convenient (most would support AI powered street surveillance that helps keep tabs on criminals, for instance).
Also: vote with your wallet. If you see a technology that aligns with your ethical goals, pay for it. To that end I will probably buy a Librem 5, even though I don't expect it will actually do much for my privacy.
Or, fetching the ads from the same hostname as also used by the app itself to provide whichever service the app provides, which means that hostname can't be blocked even by a firewall because the app itself will stop working.
So i agree, the only proper solution is laws to stop the privacy abuse.
The internet isn't a "US" thing. It's not a "EU" thing. It's not even a "China" thing (GFoC aside).
The internet's a worldwide thing. And that means, sure your puny law may say you can't do X (ad tracking). Ok. I'll just make a shell company in shithole country, pay some protection money, and run tracking or whatever. And that data I generate will be sold to anyone who wants to buy. I'll make it so everybody has to buy to compete - even if against the law.
And it too is a failing battle in the US. Experian, Equifax, and Transunion... If what happened regarding Equifax didn't bring the corporate death penalty either by fines or dissolution of their corporate charter, nothing will.
When (for example) Toyota is paying a bunch of money to target customers in France, they're playing with the same rules as Ford is when targeting the same customers. They don't have to do things against the law to compete in advertising, and they'll even be eager to identify competitors breaking advertising law to screw them over; there has been lots of legal action taken as a result of such industry self-policing to ensure that competitors aren't able to benefit from misleading advertising.
Sure, there are lots of businesses who would by "under the table" data and apply it illegally, and it is a huge advertising market - but it's absolutely dwarfed by the much, much, much larger advertising market funded by the major international public companies. The advertising money flowing from a single company such as Procter&Gamble or Nestle is larger than all the total advertising turnover from whole smallish industries. If you cut off the tracking-adtech companies from the legal market, it's like restricting oxygen for them - they'll still have some customers, but they'll get an order of magnitude less money to do their things.
1. spying apps
2. the saudi arabian woman-tracking/permission app
3. chinese social credit app
As well as cell-phone tracking to analyse footfall around the shopping mall (i.e., high-traffic areas, low-traffic areas).
I even remember having to short two pins in the motherboard of my mobile to recover from a particularly bad brick. And it worked fine.
But a complete brick, as in you have to throw away your mobile? Impossible, I'd say.
IMHO the best option for a secure phone is pure Android without Google blobs. That is, AOSP on a Pixel phone. Plus an F-Droid userland.
If a Pixel is too expensive, you can always try to get an AOSP device-independent image on a new phone that supports Treble. For example, the super cheap Nokia 1 seems to work well .
I don't have a supported device so I can't comment.
I want to but I can't even if I "own" it.
> 1. Consider LineageOS + microG
Probably should avoid microG if you care about privacy...
They most definitely do not remove such apps.
Use an app like Charles Proxy or Burp Suite to inspect the traffic of your phone when running the “Perfect365” app. It is really remarkable, and Apple is aware of what they are doing.
One interesting side effect of GDPR is the surprising amount of PC games - games for which I paid price that's presumably profitable to the authors - that started throwing up consent forms.
The closest you could get would be to buy burner phones with cash.
It wasn't a large enough amount (by far) to take it to court, though, so I can't know for sure, but lying about not having the data and keeping it secret when hundreds of employees are in the know (if they are indeed selling it, or at least a handful of employees if it's just storage for billing) sounds rather conspiratorial. A little like dieselgate, so I'm not ruling it out as possible, it just seems very unlikely.
Never buy a phone you don't have root access to.
When speaking to friends and coworkers about these issues, the result is mostly people calling me paranoid.
Developers mostly don't care as long as they get money.
Users mostly don't care as long as they get cheap apps.
As a developer who does not use third party SDKs that track users (other than the OS) because I value my user's privacy and realize that many of my users are in places where data is expensive and scarce, I sometimes feel like I an engaging in a futile and unwanted effort.
I’m not saying this is an ideal situation by any means. However, it’s just two small examples that are ignored by this article.
Further, an Android phone with no 3rd party apps is already sending an enormous amount of tracking data to Google, where it can be purchased by 3rd parties. None of this requires an Advertising ID.
If you read through here, you'll get a sense for the various different IDs and tracking methods that Google is using. It's more than just the Advertising ID.
You'll also get a sense for the collection Google does about your environment. (nearby wifi, GPS position, etc.) And more troublingly, the fact that these services still collect data even when the user sets them to "off." A couple excerpts:
"It’s hard for an Android mobile user to “opt out” of location tracking. For example, on an Android device, even if a user turns off the Wi-Fi, the device’s location is still tracked via its Wi-Fi signal. To prevent such tracking,Wi-Fi scanning must be explicitly disabled in a separate user action, as shown in Figure 4."
"Google can ascertain with a high degree of confidence whether a user is still, walking, running, bicycling, or riding on a train or a car. It achieves this by tracking an Android mobile user’s location coordinates at frequent time intervals in combination with the data from onboard sensors (such as an accelerometer)on mobile phones.Figure 5 shows an example of such data communicated with the Google servers while the user was walking."
"Google records the time and GPS coordinates for every photo taken."
Anyhow, the fact is that much of this data is collected whether the user is accessing the phone, or not.
It's a bit complicated, and disabling the Advertising ID may limit some tracking in a few cases, but despite this extraordinarily prolific tracking is still occurring. There's a lot more detail in the document and frankly, it feels a lot like Facebook's privacy invasion in that:
- It's possible to mitigate some of the tracking, although this is intentionally made unintuitive the user.
- Conversely, the user will never be able to prevent a large portion of the tracking, and will have no intuitive sense of what is being collected by google at any different time, and;
- The default values and the data tracked will change over time, and the user will have to try to stay educated with every update about what has changed.
Another decent resource:
"An AP investigation found that Google saves your location history even if you’ve paused “Location History” on mobile devices. This map shows where Princeton privacy researcher Gunes Acar travelled over several days, from data saved to his Google account despite “Location History” being off."
I'm not very informed here, but I suspect those purchase arrangements are made by very large companies, and that by the time small companies or individuals are purchasing data it's been resold and transformed.
Oh, how I wish WhatsApp was an independent company. I am sure Jan Koum and Brian Acton think so too , despite making billions off its sale.
Oh they definitely are and they keep reminding/proving this every chance they get.
> everyone else is amazing
Trackers and advertisers have built a cancerous nexus that we cannot shake. We have every right to think they are the scum of the earth, and if they want to prove that they are not, they should give OUR data back to us. But they don't. Scum of the earth. No words will change this, only actions. I am happy with GDPR because those scums are finally paying the price for their actions. I am not in favor of companies closing and people losing their jobs. I am also not in favor for scums to ab-use MY data.
By installing their app, you can see the trackers for each app that you have installed. If you use Yalp store (an open source front-end for the Play Store), there is also a button to view trackers for each app.
Edit: just saw that you're on iOS. This is probably not allowed by Apple, so I guess there will be no alternative.
This is very welcome news, please do a "Show HN" or post a link to the announcement when it's ready.
For now, before I install an iOS app I run the Exodus Privacy tool on the Android version and must assume the same trackers are present on both platforms. What is worse, Apple fail to label which apps contain ads in the store so I can't even tell which ones are adware before installing (apps with ads are clearly disclosed in Google Play).
Some of them are designed to be compiled into the (encrypted) main app binary.
It's easy enough to have eg two phones - a main one with FDroid only, and a secondary off-most-of-the-time one with YALP store convenience apps. Tablets you can diversify even harder because you don't have to carry them in your pocket.
Separate devices draw a line in the sand, rather than just accepting amorphous insecurity as inevitable. And then you can work on slowly moving your usage patterns away from the surveillance-foregone devices.
It's quite refreshing and works well, out of the box it runs js though unless you turn it off, a neat little reminder to use simpler sites and not support the popup/overlay hell that is the current web.
> The Librem 5 represents the opportunity for you to take back control and protect your private information, your digital life through free and open source software, open governance, and transparency
> As a social purpose company, Purism believes building the Librem 5 is just one step on the road to launching a digital rights movement, where we—the people—stand up for our digital rights, where you place the control of your data and your family’s data back where it belongs: in your own hands. Let’s declare, “We will no longer allow unfettered access to our photos, videos, email, text messages and application and usage data without our permission.”
you can set it to 'connect on demand', ie always on mode, at the cost of a bit of battery (not enough for me to be bothered). it acts as a vpn but only for your dns queries. afaik this is the best single step privacy option on ios at the moment.
Nope. Safari is by far the most popular browser on iOS.
On desktop I use extensions to limit tracking, but it's harder on iOS.
(not the grandparent, but that user is not alone)
“Physical retail stores and loyalty programs have trackers you know nothing about.”
Am I doing this right?
I feel like a deeper point needs to be made to justify these headlines. The conversation needs to evolve and get more nuanced.