83 comments

[ 3.3 ms ] story [ 174 ms ] thread
I like a lot the LibreM but I don't consider it a viable option for a use in the real world. On the other hand, the /e/ smartphone is doing a great world to keep me out of the Google ecosystem, and I'm very impressed how far they go on this aspect, even removing call to Google server during connectivity checks, replacing Google NTP servers by NTP pool servers. I don't know any other Android custom ROM doing this.
Maybe because the actual privacy benefit for this change is negligible? (Or so I 've been told).
> even removing call to Google server during connectivity checks, replacing Google NTP servers by NTP pool servers.

And audit all android code & third-party apps.

I wish the article was a little more technically competent. It leaves out a lot of other important projects in this space like PinePhone, LineageOS, and even the proprietary alternative of Sailfish.

I also take issue with a lot of articles talking about data collection as the boogeyman without actually explaining how data collection happens and how to minimize it.

You don’t have to actually get rid of Apple or Google, which can massively handicap the usability of your device, to gain some semblance of privacy. There are a lot of simple changes to be made:

- Turning off location history in Google and Apple Maps

- Auditing Google/Apple/social media account privacy settings

- Make sure you’re on a recent/the latest Android version

- Audit and minimize app permissions

- Uninstall apps that you don’t need or have web alternatives

- Installing content blockers on web browsers

- Set up a PiHole

- On Android, you could switch to an alternative App Store like F-Droid

I suggest these sorts of thing only because these projects, while very admirable, are years away from being viable alternatives. Most smartphone users outside the technically inclined would absolutely not make the trade-offs required to live with something like a Librem or even giving up Google Play on LineageOS.

The other issue I take with articles like this is that they fail to understand the value that data collection can provide to consumers as well. A lot of useful features actually depend on using your data. The assumption that the consumer is unhappy about this trade-off is not necessarily correct.

A great example of that concept is how Google and Apple use aggregated location information to determine traffic conditions. This is a highly useful feature to most smartphone owners. It would be impossible to implement without collecting location data.

That’s just one example of many. In many ways the utility of the smartphone outshines the personal computer precisely because it can gather more data from more sensors to be put to use.

Fighting Apple and Google with alternatives is a losing battle if you ask me - privacy will never be protected until strong regulations with real teeth become universal.

In reality, there will never be more than two smartphone operating systems that any significant number of the public use. If you don’t believe me just look to the personal computer world - in 30 years has any operating system gained any more traction than Windows or macOS? Sure, Desktop Linux is more usable and popular than ever, but the fact remains that 95%+ of the general population still doesn’t use it. While me and my technically inclined friends can finally use Linux as a daily driver and even play AAA commercial video games on it, something of a pipe dream 10 years ago, that doesn’t help the 90% of people that are still on Windows. That desktop computing situation is a lot like the future of smartphones - Apple and Google aren’t going anywhere. That’s why I say that regulations and laws are going to be the only way to reign in mass data collection, because getting people to switch to alternatives will never be more than 5% effective.

> I wish the article was a little more technically competent. It leaves out a lot of other important projects in this space like PinePhone, LineageOS, and even the proprietary alternative of Sailfish.

The article, submitted by u/indidea (Gael Duval) [0], sounds like a PR piece for eelo aka https://e.foundation/ which was subject to controversy not long ago [1].

Both https://grapheneos.org/ and https://lineageos.org/ are comparable alternatives, though /e/ really aims to go "full-stack" and comes pre-configured with alternative cloud-services to Google's.

[0] https://www.indidea.org/gael/blog/

[1] https://news.ycombinator.com/item?id=21075675

Thanks for pointing this out!
I really wish /e/ would give more credit to the https://microg.org/ project whose work they're piggybacking on. It's great they're trying to package this stuff and add a layer of consumer-friendly gloss, but it's frankly rude to not acknowledge key FLOSS contributions that make their work possible.
> Turning off location history in Google and Apple Maps

Google dark patterns make this a no-go. I have multiple locations stored on my Google maps. With location history turned off I was fine until a few months ago when maps told me in order to access that data I need to turn location history back on. So google cripples their software unless you turn on tracking.

This. Google maps becomes quite hostile&annoying to use if you deny that data access.
I see it as part of the exchange. You give them your data they give you nice products. If you decide to use it without giving, you get a lower quality product.
AFAIK according to GDPR this (to hold non related features hostage) is specifically not allowed.
"don't store my data" but also "store the data I want you to store for the features I cherry picked" probably doesn't work under gdpr.
Of course it does. Gdpr is about explicit consent. Don't track my movements 24/7 but let me save places on the map is not a hard thing to comply with.
Who says they are unrelated? Providing access to your location data and history can enable a lot of very useful features that aren't possible without it.
Yep. And that would be OK with GDPR again AFAIK.

But in this case it seems clearly wrong.

Maps, thankfully isn't as necessary as it used to be. OSM is getting better, and Maps hasn't. It's less usable and keeps trying to shove businesses in my face.
Use alternative maps -

https://en.mapy.cz/, https://maps.me/ - Google Maps is useless anyway.

> Google Maps is useless anyway

Care to elaborate on that? It seems very useful, considering the amount of people that use it on a daily basis

Here (HereWeGo) maps as well. I use it when I need an offline map.
In one of the older versions of google maps having location turned off meant that the app wouldn't accept any input since a notification 'Turn on your location' kept repeatedly coming up somehow blocking everything. Effectively rendered the app unusable.
> - Turning off location history in Google and Apple Maps

If you want to be a bit more paranoid, on iOS Privacy > Location Services > Off

... not that I would do that, I find it too useful.

To be fair, the PinePhone isn't really trying to compete against Google or Apple, it's just carving a small niche for FOSS enthusiasts. I don't see it as a competitor because:

- they're explicitly not taking a profit, so unlikely to aggressively rev hardware - little to no software development by the parent company - little to no marketing by the parent company

Purism is developing an app store, productivity suite, and revving the software with full time employees. They're pushing the marketing hard even before the product is ready. They're already talking about a new hardware rev (batch Fir). That's pretty much a direct competitor to both Google and Apple. /e/ is essentially an Android fork, so it's a direct competitor to Google.

Sailfish might be a direct competitor, but I just don't see the PinePhone as even being interested in this space. One of the projects that's being ported to the device could become a competitor (e.g. Canonical could take up development of Ubuntu Touch again), but Pine64 just doesn't seem interested. It's a hobbyist device, and I wouldn't be surprised if Android gets ported and Pine64 offers that as a factory installation option.

> - Make sure you’re on a recent/the latest Android version

How can I do that? You do realize it's not exactly easy to update the phone after the support is dropped by OEM. LinageOS lately seems for me to not be a relevant option if you want latest OS for an older phone. I have Nexus 5x and could not find any reliably working ROM for it quite some time ago. Now it may be better, it may be worse.

You have to buy a new phone.

I really mean it. I know that is not what you want to hear, but that’s the reality.

Every version of Android below Android P allows apps to access the camera from the background without consent:

https://www.xda-developers.com/android-p-background-apps-cam...

I don’t like disposable hardware as much as the next person but I’m absolutely not going to go without basic security to die on that hill.

Encouraging people to make settings changes they don't really understand isn't really going to solve anything, especially if another option comes along that has the same problems (e.g. getting people off Facebook, but they just move to Instagram).

We should absolutely encourage awareness of existing privacy solutions, but we also need to point out their weaknesses and build another solution that addresses those weaknesses.

(comment deleted)
If they can come up with a "Play Store" that developers can drop in ungoogled versions of their official apps, that would be killer.
I think you're looking for this: https://f-droid.org/
The store I'm suggesting would contain commercial, non FOSS apps as well. There are some apps I use that will probably never be open source and there's no website version either.

For wider adoption, I think this would be necessary. Otherwise these phones will always remain a niche product.

FlatHub has commercial, proprietary apps in Flatpak sandbox format. It's generally targeted at "desktop" users, but the Flatpak sandbox ought to work just as easily on mobile devices based on mainline Linux, including the Purism phone.
Agree I can install f-droid, but I would still need the play store for most things...
It's been in early development for ages, but MicroG's degoogled Play Store may fit the bill.

https://microg.org/

I could see there being a filter for apps without google dependencies.

That said, I think F-Droid is still the better choice. If the source isn't open, then it'll be hard to prove that the apps aren't degoogled in the first place.

>It's been in early development for ages, but MicroG's degoogled Play Store may fit the bill.

>https://microg.org/

I think you meant https://f-droid.org/en/packages/com.aurora.store/ ? microg hasn't worked with play store for a while now.

No, I meant microg's Phonesky. Aurora Store is probably why Phonesky's development has been nonexistent; Aurora already seems to do what Phonesky was hoping to accomplish.
As someone who spent some time in the mobile industry the telecom operators are the greatest barrier to overcome in these situations. They're quite inflexible.

When I was involved in a phone project we were provided a firmware blob for the baseband and it had DMA to the main processor. We did quite a bit of RF fuzzing and well, the results are what you would expect.

What I would expect is some snooping by the baseband - I’m curious, could you expand further on your techniques or findings?
Ars Technica recently tested the current version of the Purism Libre: https://arstechnica.com/gadgets/2020/01/librem-5-phone-hands...

It seems that it's still more a prototype than a functioning phone, where even basic functionality like replying to a SMS is not implemented yet. That's not really surprising or discouraging though, it's simply a lot of software that you have to reimplement, so even attaining feature parity with current phones seems quite difficult with this approach.

I think we need a political/organizational solution to the privacy problem, fighting back with technology will not work.

Taking aside the usability issues I think these initiatives are fantastic though and while I don't think they will replace current smartphones they might find unexpected markets that can benefit from the open approach. For example, I think an affordable, fully open mobile computing device could become as successful as the Raspberry Pi and provide a great platform for many innovative, data-driven mobile applications.

> think we need a political/organizational solution to the privacy problem

I agree, and I'd add that that's because there isn't much money in privacy at the moment, and there's a lot of money in violating privacy. And, that's probably because there's too many people who don't understand privacy in technology, or don't consider it a priority. I think that regulation can't come soon enough. Anyone who helps privacy and tech politics move faster is a hero.

Yes, I think there's a trend (maybe fake, I hope real) that people become more savvy in respect to privacy. As the article says, 70 % of people say they learned more about privacy last year. We can already see the first large corporations that use this for their marketing (though with mixed real committments I'd say), and I think more will follow. Also, there are so many privacy legislations now and more are coming, not only in the EU but also in other parts of the world.

It's a real problem and it will get more prevalent the more data we collect. I think we're only at the beginning of the data-driven economy and there's still so much potential for harnessing data to improve things, but we have to ensure the security of the data and the privacy of the persons that it belongs to.

> I think we need a political/organizational solution to the privacy problem

I think Privacy as a right comes when we get rid of politicians beholden to corporate interests. Luckily there's a lot of interest in that right now.

Once we start to remove Corporate interests from the loop then legislation enshrining privacy can allow startups like Purism to really shine, and force Apple and others to step up their game.

It is really hard to beat apple and Google due to their app stores. Windows phone wasn't bad but it lost the market badly because of lack of apps. Any new phone OS is going to lack the apps which people are used to and won't sell. Devs won't make apps for a platform until it has users. It's a classic chicken and egg problem which is very hard to solve.
I'd argue that Windows Phone was poorly executed on Microsoft's part due to redoing the OS 3 times in its short lifecycle. Every redoing forced developers to rewrite their apps in the new platform. Then Microsoft couldn't get cell phone makers to commit to updates leaving a splattering of versions that supported only subsets of features all over the place.

Initially the phone had a following and if Microsoft built that following up, developers would have jumped on board.

This is the killer moat. It's hard enough to build a competent app for 2 app stores and make any money, that developers have no time/energy to build for a third one.

Microsoft screwed up badly while they still had the chance by changing paradigms rapidly. They (correctly) tried to pay developers to build apps for them, since you don't really need a million apps, you just need the top 30 to work. The problem was that Google owns many of these top 30 and they weren't interested in helping Microsoft obviously. You can't have a winning mobile platform without YouTube, Maps, and for many, Photos/Gmail/Translate.

Except a handful of them, most of the apps in the Play store are barely more than spyware disguised as applications. I can see not having them as a feature.

On the other hand the Librem 5 can apparently install the 60000 packages Debian supports, all of them respecting the user out of the box.

It's dumb to target the same market, everybody. This ship has sailed. It doesn't mean that there isn't subset of a market for privacy/security enthusiasts (purism), or for productivity people and digital minimalists who could do with one app like Notion and maybe email.
Even those niche markets are still too small to hit the economies of scale necessary for per unit costs to be remotely affordable. These variable costs are magnitudes higher than just launching some privacy-first service like protonmail.
On the other hand, I'm encountering more and more normal people who refuse to install any additional apps on their phones at all because they don't trust any of them. If that becomes a more common attitude, then there isn't any inherent advantage to having a large app store.
I would argue that it is not that hard to compete with those app stores if you find something important they lack (e.g. freedom/reliability). F-Droid is very popular considering it is not preinstalled.
That's where privacy comes in. That's one area where Google cannot compete, due to its business model. Apple is already capitalizing on that, but the high prices and closed ecosystem can be a turn off, and Apple will never let go of that.

Privacy is an wonderful opportunity. Your system can be worse in pretty much every aspect, but simply by blocking stuff and even better, not doing things, you turn that into an advantage. It may stay a niche thing, but there is a market left open by the tech giants.

I would argue that Windows phone lost the market because it joined late and didn't add anything of value that was not already available through Android or iPhone. But a privacy-focused smartphone already has unique value to me.

That said, my own skepticism with this article comes from the fact that from reading this, I didn't take away anything about their privacy stance except "We don't share your data with Google or Apple" so I can't tell if they're actually pro-privacy or just anti-Google/Apple

These boutique type phones are cute, but they really only serve as a bell-weather on how much consumers are interested in privacy-enabled or unGoogled mobile devices. Between either having to wait 6 months, or pay $2k USD you're I find it unlikely that Librem/Purism will make turn the consumer market toward privacy/security.
Is choose the privacy/security focused phone if they were as good as a mid range android. They're not even close to that but hopefully they'll catch up soon. Can't see Librem or Purism being the ones to do it though tbh
It's hard to imagine that even a smartphone platform dedicated to privacy will be able to out perform the resources of Google, Apple who have entire groups working on solely that problem.

Unless the point is to lock down the phone so strictly that no info can leak or be taken off the phone. That's simple. But that would make a phone that's practically useless for everyday personal use except if you're a paranoid spy.

I guess the need to have privacy and security while offering users some level of reasonable usability through 3rd party apps is why Google and Apple are succeeding in the face of such privacy focused startups.

Google will at best deliver you privacy against everyone but Google.
Which is not at all considering their business model is to prostitute your data to the highest bidder.
If anything, I would expect just the opposite. Keeping hardware the same, a degoogled AOSP rom handily outperforms the stock OS wrt. battery life and general performance/resource use, in a way that actually matters to average users. Of course it's harder to make such claims about Apple devices, since they're limited to running iOS.
> Unless the point is to lock down the phone so strictly that no info can leak or be taken off the phone. That's simple. But that would make a phone that's practically useless for everyday personal use except if you're a paranoid spy.

Agree! In the end, people want to use their phones to socialize online, share pics, use maps, check weather, sync files and photos to the cloud. When you remove too much, and make the entry barrier too high, people will just ignore it.

Honestly, the killers are Google Photos and Google Maps.

Google Photos lets me back up photos from my phone AND copy them to my PC. I haven't found any other way to copy photos from an iPhone into a laptop (unless you use macOS). Since they already handle my photos, I might as well use it for backups.

And Google Maps is pretty uncontested when it comes to moving around. Apple Maps doesn't even have a "biking" option (in a country where > 90% of the population bike everywhere, that's a killer).

Sorry stupid question: how do you copy the photos from G-Photos to your PC? Through Google Drive?
https://photos.google.com/apps - they have a utility for Mac and Windows called Backup and Sync.
What about Linux? The draw for many of these Linux phones is that they run Linux, so tools work the same between them.

I've used third party utilities for mounting GDrive locally, but they're kind of a pain to use and aren't official by any stretch of the imagination. All of my personal computers run Linux exclusively, and only my wife's desktop runs Windows in our house, so Google Photos doesn't mean much to me.

> I haven't found any other way to copy photos from an iPhone into a laptop

Both SyncThing and Resilio Sync work well for this, but require your "server"/laptop to be on in order to sync.

You can also just plug in the device, and it should mount as USB storage on both Windows and Linux.

(I have no financial interest in either pieces of software, other than regularly needing to recommend them to my PhotoStructure users).

So, you have to keep a computer on to sync files. And then, what about automatically tagging people, suggesting fixes (rotation, lights), searching by location name, sharing albums, etc?
That's what I want PhotoStructure to do.

It already has best-of-class deduping, "variant" clustering support, and metadata inference, as well as a UI that makes browsing very large libraries feel serendipitous. I release roughly every month, and it's free (in exchange for feedback) during the closed beta. Here's what's coming soon: https://photostructure.com/about/release-notes/

Do you know how to get SyncThing on an iPhone? This is the last piece in the synchronize-the-whole-family's-media-so-that-it's-easy-to-share-and-backup project! Last time I checked there was no iOS client.
I don't know for iPhones, but Dropbox for Android does this too. Now I've switched to my own NextCloud, and it also syncs photos to your personal cloud (and your PC/Mac).
I think if someone could find a way to make an iOS compatible operating system (e.g. Current iOS applications could be built & run on the system with little modification), then it would be a huge hit. Not sure of the legal implications, for de facto reverse engineering, but it would at least put out another option.
It's legal, but binary blobs are not compatible with privacy first approach. And it's a lot of work to reverse engineer and build such compatibility.
This sounds a bit like what osmeta was doing–although it was ironically acquired by Facebook…
I dont think this is a good idea, because it would need a lot of cash and man-hours to burn just to have a mediocre finished mockup at the end.

Microsoft had a better approach once, still expensive/buggy, but at least more doable, which was adapting the various iOS kits and calling back window primitives in the backend.

And yet, they abandoned because its also a bad move in the sense that nobody will care about your platform if they just need to target iOS.

You will be doomed and have to chase and implement everything they do in iOS, even if it doesnt make sense, and nobody will care about your platform.

You will also end with more bugs and application crashes, so your platform will be seing as something inferior to Apple (emphasizing the "nobody cares about you" effect)

By the way, Blackberry took that route by implementing Android and we can see how nobody cares about Blackberry as an app platform, because in the end you know they will have to follow Android.

For me the only way to get out of this trap, is to have a distinct platform, that for some reason, people want to develop for it.

I mean, the web did this trick once, Linux is also doing this. Its doable, but its a lot of hard work and community effort based a lot in other goals other than cash.

Another way to do this trick, is to create a consortium, and to create some base API, inspired by iOS, Android and the Web, and to have a lot of industry leaders onboard.

They would need to finance the prototype or the reference implementation on top of something like Linux.

It was tried with Tizen, but given it was more of a Samsumg project without community to drive it forward it failed. Also, i dont think it can compete with Android and iOS in platform quality.. so this probably was also one of the reasons they have failed.

Exciting times to live in with multiple privacy focused smartphones in development: we have /e/, purisms librem, and The pinephone. If just one of them succeeds enough to get to gen 3 or 4, the whole industry will be dramatically better
> Rankin warned that tech giants were now "redefining the word "privacy" in their own marketing." While they may claim to protect it, what they really want is to protect privacy from their competitors, he added. "They add security measures to their software and services so only they can capture, view and sell all of your data and others can't."

I've been making this case for over a year now, and I'm very pleased to see someone else making it too. It's an incredibly important point that not enough people are bringing up.

The tech giants redefined the word "privacy" years ago. How did they get away with it? Quite simply because the tech community let them get away with it.

When it comes to privacy, the tech community is full of contradictions and double-standards. Too many people in the field view privacy solely through the lens of security i.e. if your data is securely held and never leaked that is good enough - no matter how much data is captured. This suits the tech giants very well. In fact, it appears to be how many of these tech giants view privacy themselves.

Of course, you can't have privacy without security. But security simply by itself does not equal privacy. Questions about how much data is held about users, or how relentless is the level of tracking are rarely raised. (Until some of that user data gets leaked and we get a glimpse of the sheer volume of data held.)

Another example: the language around tracking users. It's purposefully worded to sound benign or neutral: telemetry, analytics, web beacons, logging. We don't challenge the use of this language - we gladly use it ourselves.

I agree (obviously, I suppose).

> Of course, you can't have privacy without security. But security simply by itself does not equal privacy.

Privacy is not the same as security, and I agree that you can't have privacy without security. I also think that you can't have security without privacy.

This is part of why the argument that some companies make about how securely they're holding our data is a nonstarter for me. That form of security only comes into play after the first form of security: preventing the unauthorized data collection. If the companies don't have my data, then their security practices around how they protect my data don't matter.