125 comments

[ 4.6 ms ] story [ 209 ms ] thread
I don't really follow android much anymore, so does anyone know how this would compare to iOS's privacy systems?
Whenever Google talks about privacy they are just joking. Don't take it seriously
Essentially, since Google is an ad company, and is supported by selling ads based on user tracking, they will integrate their ad tracking platform directly into Android itself.

Meanwhile, Apple just blocks tracking behaviors.

Every time Google implements a new "privacy" feature, it's because they've figured out how to be mostly unaffected while harming their competitors.
According to analysts, Apple made $5bn in ad revenue in 2021 [0].

[0] Apple’s privacy changes create windfall for its own advertising business. https://www.ft.com/content/074b881f-a931-4986-888e-2ac53e286...

"According to analysts" tells you that you shouldn't take this very seriously. Analysts have a long and storied history of getting pretty much everything wrong about Apple for decades now.
Please, take the first-hand account of the multi-trillion dollar company over the results of independent studies. Next up, you should ignore the UN's accusations of Apple abusing Uighur labor in China because they're primarily comprised of nations that are not the US, which gives them a vested interest in badmouthing a spotless domestic company like Apple.

It all makes so much sense now!

Permissions for third party apps are pretty much identical to iOS now. People are always brigading these HN posts with useless snark because they think that Apple respects them.
I think the main difference is the default. Android is now opt-out, iOS is opt-in. Defaults are significant.
Defaults of what exactly? Permissions default to off on Android as well. Trackers and analytics default to on on Android and on Apple devices (where Apple devices differ only in the fact that they split tracking from apps and OS itself and enable Apples own tracking by default and prevent non-Apple tracking).

Nevertheless, there's a massive amount of tracking going on in Apples ecosystem as well - all big analytics, marketing and mobile data services (like Facebooks's SDKs, Mixpanel, etc.) are iOS first and still provide massive amount of behavioural data on iOS users first and support Android second.

I think guelo is specifically referring to the Advertising ID that allows for apps' cross tracking. In Android, this ID is on by default, while in iOS is off by default.

Regaring the permission managers, I agree that both are currently on par.

Your comment would have been free of useless snark too if not for the last sentence.
Your comment would have been free of useless snark too if not for the last sentence.
(comment deleted)
They're very simillar these days, although Android is still easier to fingerprint just due to the higher amount of devices available out there. There's simply more informational content that can be gathered by the fact that you have a "T-Mobile firmware version of Galaxy S22" despite Google being pretty decent at plugging identifier leaks since Android 10 to new 12.

Both operating systems assume something very basic though - that you trust the manufaturer of hardware and the developer of the OS. That is - Apple on one side and OEM/Google on the other.

This is completely pointless if they don't also fix the (very deliberate) permission problems.

For example, a lot of innocent operations such as connecting to your headphones have been tied to locations services. Google has been abusing this to extreme lengths to extract exact user location for years now.

Connecting to your headphones requires bluetooth. Getting access to bluetooth means you can scan for nearby bluetooth devices. This may leak your location if identifiable bluetooth beacons are nearby. Hence, you need location access.

iOS is similar. But they do not give apps access to the mac address of scanned bluetooth devices which makes the platform borderline unusable for actual bluetooth apps.

The problem is the permissions for bluetooth are lumped in with fine GPS location permissions.
They're lumped together correctly. If you allow bluetooth access, the nearby bluetooth MAC addresses could be used to identify your location with near-GPS precision.
Or greater precision! GPS (at least as used on most phones) has a ~6 foot margin of error.
Fair enough, as long as those nearby devices have very precisely known locations in some database.

But there's also the factor of battery usage, I'd like to be able to allow bluetooth but deny GPS hardware access for those occasional apps that like to trigger the GPS constantly for no good reason.

iOS is more scary. They don’t give apps the permission, but make no such restrictions on their internal services for analytics/competitor research/private APIs

I’ve dug in much detail through what iOS makes available in the data takeout request on the Apple account level and I find it impossible to believe they include everything they have through iOS at the moment.

The issue with Android is broad permissions.

This is how dictator works; make a broad rule and harm everyone. We should abhor such malpractices. They should have just made separate permission for bluetooth.

This the apology I usually hear, and it is no longer true!

Google has with every android release pushed this a bit further. In Android 12 it demands (1) background (2) precise positioning and (3) a GPS position lock.

Note also that "Bluetooth may leak your location" is actually due to this very type of data gathering.

"Bluetooth may leak your location" is not a result of this. It's the result of the increasingly widespread prevalence of bluetooth location devices. That is, bluetooth modules whose sole purpose it to be location beacons that can be looked up ( eg https://www.inpixon.com/technology/standards/bluetooth-low-e... ). See also the massive amount of bluetooth tags these days from Tile, AirTags, etc...

Android didn't used to require precise location to access bluetooth. This permission got "coarser" over time as the result of people using bluetooth specifically for location.

And you'll note that Google / Pixel don't make any bluetooth tracking beacons. They didn't make this mess, they just reacted to it. The reality is letting an app scan for bluetooth means it can probably get your precise location in a non-trivial amount of places. Same as letting an app scan for wifi.

> Google has with every android release pushed this a bit further. In Android 12 it demands (1) background (2) precise positioning and (3) a GPS position lock.

This is not true. At all.

>For example, a lot of innocent operations such as connecting to your headphones have been tied to locations services

This is a non-issue for me. The last time I had to do that (to get a bluetooth headphone companion app to work), I disabled wifi and location, enabled bluetooth, opened the app, granted it location permissions, and connected to the bluetooth headset. Afterwards I revoked location permissions and reenabled location/wifi, but the app still worked.

Imagine the masses of average users having to put up with that.
As of Android 11, Google actually made this flow easy. Right next to the allow option is an "Only this time" option.
1. How does that make it any better? You didn't want to provide your location, you were strong armed into doing it once and that's okay?

2. If you are using an app for device management (e.g. Google Home, Samsung Wear) it will be started next time you connect and then it's permission-madness all over again.

> 1. How does that make it any better? You didn't want to provide your location, you were strong armed into doing it once and that's okay?

As other commenters have mentioned, allowing bluetooth access also potentially leaks your location. The alternative of not asking for permission isn't exactly better either. Therefore it's hard to characterize this as some sort of nefarious attempt by google to coax location information from you.

>2. If you are using an app for device management (e.g. Google Home, Samsung Wear) it will be started next time you connect and then it's permission-madness all over again.

I'm not sure how other apps work, but for the companion app I was using it continued to work afterwards, even with location permission denied. This persists across app closes and device restarts.

I tried doing that for screencasting. It failed.

It also requested I signed a EULA (xiaomi). Apparently streaming video over wifi requires GPS. Who knew.

I heard that argument a lot, but I still don't quite get it. If you have (stock) Android, then Google has root on your phone. They don't need to hide loopholes for themselves inside the permission system, because they are not bound by it anyway. Or did I miss something?

I think you are still right that the permissions are way too coarse-grained or have weird associations. But it seems to me, they at least partially improved the situation by switching to an ask-on-first-use model.

Of course it might still be that Google is keeping the permissions deliberately coarse to secretly help third parties with data mining. That would be sort of the same spirit as the whole "privacy sandbox" stuff.

As a user, you can decide to never enable GPS.

This scheme forces you to enable it for reasons completely unrelated to your usage.

This is true - but my point was that this doesn't influece Google's ability to track your location in the slightest. Google could design the most privacy-conscious, user friendly permission system, make it super easy to disable location without any side effects - and still have the OS or Google Play Services or whatever else completely ignore the setting and track you anyway.
> As a user, you can decide to never enable GPS.

As a user you can decide this if you never use programms which need access to location, navigation programs, for example. If you look a bit further you will notice that there are a lot of google programs which have access to location like Google play games or google play music or messages etc. There are also some "system" programs for which you cannot disable location access.

A loophole is useful in the scenario that Google wants the good PR of being seen as as privacy-focused by restricting location tracking, even to itself, but still wants to collect as much location data as it can.

That said, I don't believe this is what's happening for the headphone pairing case. It's easier and likely more fruitful to limit functionality of popular apps unless fine grained location and is enabled and you are logged in to your Google account, which is what I believe they do with Maps.

Well ok, from a psychological standpoint it could make sense: Google can shape the available choices in such a way that requesting has immediate negative effects on your user experience with the device - and then Google can claim that users actually don't want any privacy.
One of the features of this proposal is to sandbox advertising SDKs into separate binaries submitted to the app store, which run in a separate process (one instance per app without app-to-app communication allowed) with its own permissions, storage space, and which is only allowed to execute code from the apk. So that would help.
Sounds nice. I’m hoping android becomes a reasonable option once my old SE finally dies. The new SE phones are huge and iPhone Minis are in constant rumors of getting cancelled. Android likely has more options for small size phones.
> Android likely has more options for small size phones.

I wish. The only phones you can get that are of a similar or smaller size to an iPhone Mini are unsupported Chinese gimmick phones or quite old. The smallest Android that still gets support is the Pixel 4a (NOT the Pixel 4a 5g, which is much larger), and that is approaching the end of its support window.

This was fixed with Android 12 and now has a separate permission.

(Although, that permission will also allow everyone to see your location due to how Bluetooth works, but apparently being notified of this fact annoyed you people so much that it's fine to ignore on both iOS and Android. But there's nothing "innocent" at allowing bluetooth scans - it DOES expose your location like the permission said before.)

But the Google Play service will still get data on everything, right?
Seems like a lot of words that don’t say anything.
I'm so confused after reading this. What exactly are they doing?
If you’re familiar with the mobile advertising landscape, on device identifiers are either OS-provided and deterministic or are computed through a “signature” or “fingerprint” based on unique signals the app has access to.

This move is one where either of those will be removed/made universal so there is no way to identify uniquely, one user from another when they perform actions outside your app or for many scenarios within it as well (such as clicking on an ad that takes them to the app)

Lots of advertising companies (predominantly Facebook) have made an industry standard out of selling ads based on THEIR interpretations of users actions across apps and time leading to a conversion. For example, a 7day “click through conversion” means , if your ad is shown to a user through Facebook on any of their apps or partner apps with the Facebook ad network sdk, and a subsequent conversion occurs in the next 7 day window, that user is counted as 100% credit to Facebook.

Is this logical? Nope.

Advertisers pay for the nice looking metrics they can stick in a PowerPoint and be done with it.

Now, Facebook can’t use their “eye of Sauron” to put out numbers such as these and need to compete with companies such as google and Pinterest and Reddit and snap for where users are looking for things, not just “snipe” the attribution at the last minute when they know the user is about to pull the trigger and buy.

Looks like they are trying to create a distinct set of APIs for third-party advertising (and I think everything else) SDK libraries. Those libraries are submitted to Google independently from the app. The apps now have to declare they are using library X version Y and Google will deploy that library to the end user's device when the app installs.
There are a few links which seem to describe what its all about.

https://developer.android.com/design-for-safety/ads/sdk-runt...

https://developer.android.com/design-for-safety/ads/topics

https://developer.android.com/design-for-safety/ads/fledge

https://developer.android.com/design-for-safety/ads/attribut...

The SDK Runtime sounds like a major step in the right direction (separating advertising SDKs into its own process with distinct permissions, separate from a hosting app and with no app-to-app communication).

Also the ability to custom audiences from apps (in the fledge article) and control topics both sound good.

These things dont appear to have any current plans to be required, but in the future I hope they do.

Both iOS and Android desperately need a "Network" permission (as is found on GrapheneOS.) I'd say at least half my apps don't need internet connectivity.
This is available in iOS - but for whatever reason, on devices outside of China, you are only allowed to disable use of cellular data (not WiFi).

This is also available in some Android skins (OxygenOS is one, for example) - but it is not in AOSP.

The fun part is that android.permission.INTERNET is something you have to declare in your app's manifest, otherwise any and all networking for your app will be blocked by the system. It has existed since the very first Android version. This permission is automatically granted by the system upon app installation. So the only thing missing is this permission being a runtime permission that the app has to request and user has to grant.
There are controls to disable internet access on a per-app basis. Seen them in devices from at least two different vendors, one of them being Pixel - thus I believe this is a stock feature on at least Android 10+.
Clarification: looks like I misremembered things; apparently those controls are not present on Pixel.
Absolutely. Currently I'm using solutions like Blokada for that.
I see a lot of comments here reduce the argument to “Ads are bad” . . . Well, Remember that ad-supported business models have underwritten the vast majority of technology R&D and improvements over the past two decades. Yes, including Apple. Hardware devices would never have the utility they do at present without large scale, low margin, high throughput ad models that benefit developers building insanely complex systems around said hardware.

The whole advancement in AI we’re seeing today would never have been accelerated the way it has been this past decade without the monetization models of the present internet.

It is a fine balance to strike where we don’t want to kill off the model that works so well, for fear of parts of it.

The alternative monetization models are things that many people here would despise much more: - More closed-source , paid services , apps, devices that are more expensive without the scale of ad supported models - Smaller (and arguably harder to oversee) spin offs of major ad supported services. - etc

Looked at the Android part of it. Seems Google is trying it make it such that third party will lose access to these data but Google will still have it and now Google can say this is now privacy.

This sounds like a corporate/PR joke.

> Today, we’re announcing a multi-year initiative to build the Privacy Sandbox on Android, with the goal of introducing new, more private advertising solutions.

Translation from corporate-speak:

"Today, we’re announcing a multi-year initiative to build a sandbox on Android that makes complete unrestricted access to your data available only to Google, with the goal of introducing new advertising solutions that keep all those pesky third parties, like Facebook and TikTok, outside of Google's garden."

Calling it the "Privacy Sandbox" is... unintentionally Orwellian.

Yeah, just like Apple did.
And Aol, and Skype, and YouTube and Facebook and Yahoo and Microsoft[0]. The domestic surveillance nightmare never ends! We on HN laugh about this stuff and love to make noise about E2EE and whatnot, but the battle was lost decades ago. There's nothing left, privacy is a myth from a different era of the internet.

[0] https://en.wikipedia.org/wiki/PRISM_(surveillance_program)#/...

> There's nothing left, privacy is a myth from a different era of the internet.

GNU/Linux phones (Librem 5 and Pinephone) are here to help.

Well they would be if anyone actually owned them.
Apple isn't an ad company.

Yes they have access to your data if it's not E2EE, but you don't have to worry about their core revenue stream conflicting with your privacy.

But Apple does have an ad-network, and they do sell access to it. It might not be Google/Facebook-level yet, but nothing stops them from continuing that path as a means to generate more revenue in the future.

https://www.forbes.com/sites/johnkoetsier/2021/10/19/apples-... https://searchads.apple.com/

There was a time when Apple wasn't an iTunes company, and then that started making them obscene profits.

There was a time when Apple wasn't an App Store company, and then that started making them obscene profits.

So yes, there is a time now when Apple isn't an ad company. We'll see how that goes.

People always seem to ignore the obvious. In addition to advertising, Apple partners with third parties to sell stuff "directly" (with Apple as the middleman) to the computer owner after the sale of the computer is complete. Apple takes a cut. Music, e-books, software, etc. Apple wants credit card numbers for future use; most purchasers comply.

Buy stuff using an Apple computer and Apple makes money.

There once was a time when Apple computers were just computers, not an intended means for capturing further revenue after purchase by partnering with media companies and other sellers. There was no mandatory data collection after purchase. No submission of credit card numbers. I still have one of those Apple computers. The company changed. Whether that was in response to what other companies were doing, e.g., Google, "changes in the industry", etc., is left as a question for the reader.

A patent application from Apple some years ago described advertising embedded into the operating ssystem. (Imagine the computer refusing to boot until the user has viewed an ad.) Perhaps we could tell ourselves Steve Jobs was trying to protect computer owners from advertising by filing for claims to the most annoying advertising tactics imaginable, with the intent to never practice these inventions and to sue alleged infringers. No doubt online commenters will have more cogent explanations of what this application represents.

http://appft.uspto.gov/netacgi/nph-Parser?Sect1=PTO1&Sect2=H...

(comment deleted)
People always seem to ignore the obvious. In addition to advertising, Apple partners with third parties to sell stuff "directly" (with Apple as the middleman) to the computer owner after the sale of the computer is complete. Apple takes a cut. Music, e-books, software, etc. Apple wants credit card numbers for future use; most purchasers comply.

Buy stuff using an Apple computer and Apple makes money.

There once was a time when Apple computers were just computers, not an intended means for capturing further revenue after purchase by partnering with media companies and other sellers. There was no mandatory data collection after purchase. No submission of credit card numbers. I still have one of those Apple computers. The company changed. Whether that was in response to what other companies were doing, e.g., Google, "changes in the industry", etc., is left as a question for the reader.

There was a patent application from Apple some years ago regarding advertising embedded into the operating ssystem. (Imagine the computer refusing to boot until the user has viewed an ad.) Perhaps we could tell ourselves Steve Jobs was trying to protect us by filing for claims to the most annoying advertising tactics imaginable, with the intent to never practice these inventions and to sue anyone who does. No doubt online commenters will have more cogent explanations of what this application represents.

http://appft.uspto.gov/netacgi/nph-Parser?Sect1=PTO1&Sect2=H...

They are absolutely an ad company [1]. And they absolutely track stuff about you [2].

[1] https://pocketnow.com/apples-ad-business-5-billion-growth-ap...

[2] https://www.theregister.com/2021/04/01/android_ios_location/

"..According to Leith, Android and iOS handsets share data about their salient characteristics with their makers every 4.5 minutes on average."

According to https://searchads.apple.com/privacy, the only user information used when showing ads is:

* details provided in your Apple ID profile (location, email, etc.)

* history of App Store downloads and in-app purchases

* contextual information like "device type, iOS version, time of day, device location, and search query."

In other words, while there are some privacy concerns here (really just device location, I guess), it seems like Apple is just using data from the App Store itself to serve App Store ads. In other words, no different than if Facebook only used information about how you use the Facebook app/site, rather than tracking your behavior across the entire internet.

I'm curious why you think this is comparable to what Google/Facebook does.

You have the answer in your comment:

* history of App Store downloads AND ^^in-app purchases^^

So there is no difference in my opinion. Only PR jargon to make it sound better.

From the announcement:

> We’re also committed to working closely with regulators. We’ve offered public commitments for our Privacy Sandbox efforts on the web, including ensuring that we don’t give preferential treatment to Google's ads products or sites. We'll apply these principles to our Android work as well, and continue working with the U.K. Competition and Markets Authority, and others.

That's an insightful take, but to be fair, it's still a massive improvement as far as the end users are concerned.

It's kind of like suggesting that "reducing the number of people peeing in the pool to ONE" isn't a good thing. It is (unless you're a former pool pee-er).

If there's an accurate third-party source, we can change to that. Corporate press releases don't make the best HN submissions (this is a kind of exception to HN's original source rule).

https://hn.algolia.com/?dateRange=all&page=0&prefix=true&sor...

> Corporate press releases don't make the best HN submissions

They do if they come from Apple though and it's quite funny especially with this news.

Not sure what you mean, but we don't care which corporate a press release comes from.
Those participating seem to though or how would you explain the overly overblown popularity of posts from apple compared to this one for example?
After so many years people love apple products much more than they love google products.
It's possible that Apple does a better job of making press releases appealing, but I think the more likely explanation is that this perception is just an illusion. Everyone thinks that the stuff they dislike gets more attention and more favorable treatment. This is the driving dynamic behind perceptions of ideological bias, too. I wrote a bunch about this yesterday:

https://news.ycombinator.com/item?id=30351677

https://news.ycombinator.com/item?id=30346954

and there is a large quantity of past explanations here:

https://hn.algolia.com/?dateRange=all&page=0&prefix=true&que...

There's a ton of details on: https://developer.android.com/design-for-safety/ads

If you feel like revising your hot take based on the provided designs instead of pulling a single sentence out of a PR snippet that's just announcing a dozen-page design proposal.

Thank you. I do think the people behind this are making a sincere effort to reconcile profit-driven targeted advertising with the human right to privacy -- which may not be possible, at least not without sacrificing a lot of revenues.

The thing is, I doubt a corporation like Google will ever be willing to sacrifice revenue for the sake of privacy, and at the end of the day, the corporation controls the underlying software infrastructure on all Android-branded devices.

(comment deleted)
Founder of @Neeva here. In my experience, this is mostly PR that will go nowhere -- these are efforts that are not structurally set up to succeed given the internal constraints at Google. The Chrome sandbox efforts have been going on for 3-4 years with no progress.

The mobile app ads businesses (UAC campaigns) at Google are just too profitable, and depend too much on IDFA/ADID tracking for the Android team to be able to do anything meaningful here. So we all know the stakes here, and to put this abstract "tracking" into "real world" perspective, a big use case of ADID/IDFA tracking is gaming advertisers identifying "whales" (kids/adults who spend a shit ton of money on their games) and accurately targeting them across all their usage on the phone. If your kids are being tricked into spending hundreds of dollars by these ads, this is why.

> Founder of @Neeva here. In my experience, this is mostly PR that will go nowhere

Let's be honest here, this post is clearly your own PR for Neeva.

For sure, there's a bit of that. You would still agree w/ the point I'm making?
Thanks for providing your insights. It is a pretty strong comment against your former employer and presumably former colleagues. Were you not a part of the same spiel, building these very systems for years including those tricking kids into spending hundreds of dollars with ads, presumably with the same passion as you have now?

Working at a corporation as big as Google and at a high position as you had must have left a mark. I am curious what changed for you and how do you look at your friends and colleagues that are still working in Google today?

> The Chrome sandbox efforts have been going on for 3-4 years with no progress.

There has been progress: many APIs have been implemented in Chrome, with several origin trials for testing them and iterating. Ex: FLoC started an origin trial, people raised issues, Chrome proposed a replacement (Topics) which looks like it will be in origin trials soon (https://privacysandbox.com/open-web/#the-privacy-sandbox-tim...).

(Disclosure: I work on ads at Google, speaking only for myself)

Do you think there's any plans for this to replace the current API/advertising ID system?
Apple and Google are doing their best to redefine the term privacy to mean "information choices you make within the confines of our total surveillance."

Prisoners are free to move about in their own cells.

I do not see the prospect of an alternative without a government codifying it into law and funding R&D for alternative devices.
So... you're saying it's possible!
I think that's an open question; FOSS Android ROMs and the assorted non-Android mobile Linux options are somewhat niche, but they're not nothing.
There are alternative devices.
(comment deleted)
So, Google, how about giving me the option to completely delete my advertising id? It would be nice to completely opt out of your advertising empire, at least as far as personal tracking is concerned.
It would mean removing any and all anonymous user identity, right?
You can delete the data that google currently has and reset your advertising id.
Sure, and then they start tracking me with that id. I just want to opt out of the entire experience. I'm fine paying the price by not having any personalized ads sent my way. I'd actually really really like that, in fact.
I think there's a privacy focused firefox browser on the play store which is good for that.

Maybe its possible to also create a service which resets your advertising ID daily or something?

I can delete my advertising ID in Android 12
I guess I need a new phone. I'm on Android 9.
Google is an advertising company. It's not interested in any real privacy because that would negatively affect its revenue.

I'm a very anti-advertising kind of guy. I block ads on all my devices. I wish all forms of cross-app tracking identifiers were simply abolished, and any API that could be used to pass data between apps like this would require explicit user consent. Anything lesser is a pathetic half-measure.

> I wish all forms of cross-app tracking identifiers were simply abolished, and any API that could be used to pass data between apps like this would require explicit user consent.

Real question: how would you try to abolish fingerprinting? Processing identifying info on your device can mostly be done server-side and requires no device permissions, accounts or APIs, just some basic identifiers like screen resolution, storage capacity, software/library versioning, battery health... anything is fair game.

Fingerprinting is "analog" by its nature and thus never 100% reliable.

Besides, here's another idea: not only make internet access a runtime permission like I suggest in another comment here, but also make it per-domain. If you don't trust an app, run it in a "paranoid mode" where you have to explicitly allow it to access every domain it tries to access. Advertisers always use their own infrastructure to prevent fraud among other reasons.

And another one: a docker-style fully isolated container for you to run apps you don't trust. The container simply lies to apps with hardcoded or random values for anything that could possibly be used for fingerprinting.

One possibility is to use Tor (or Whonix on Qubes, which I use).
I'm very anti-advertising as well. I use ublock and youtube vanced, and have a pihole on my home network.

While privacy is certainly a bonus, the main reason is that ads interrupt what I want to look at, consume power, are ugly, intrusive and a vector for malware. I know many content creators consider me to be stealing their content, I wouldn't exactly disagree. But so be it. Some sites block me from visiting them, I think that's completely fair, and I don't put up much effort in circumventing such blocks.

This Privacy Sandbox initiative appears to not at all address the problems I have with advertisements.

I think it could help with being vectors for malware. The proposal wants advertising sdks to be uploaded to the play store as separate apks, and run in a separate process with limited permissions with no remote code execution allowed. Perhaps that might help you install apps without the SDKs as well.

But the sandbox does appear to be computationally costly since the spec says it may not be enabled on starter android 13 phones. Also I doubt it will help regarding aesthetics.

Of course the documents have all this as optional features rather than compulsory ones. But it sounds nice.

> I wish all forms of cross-app tracking identifiers were simply abolished

Interestingly, I noticed today my Android/Pixel phone lets me delete the advertising ID instead of just resetting it to a new one.

I heard on an interview somewhere a security advocate mention that android phones "phones home" basically everything you do every so often (GPS location, app data, even voices recordings). But I couldn't find that anywhere apart from a few "malfunctioning" google nest devices.

Is there any resource about what exactly is communicated to google while using android phones? Everything I read is either conspiracy theories or corporate speak.

[edit] The interview in which the claims were made was with Dr Robert Epstein if that makes any difference

https://open.spotify.com/episode/4q0cNkAHQQMBTu4NmeNW7E

I think one of the problems is "what is google" and "what is phoning home". So many of these services make simple requests that wouldn't be considered "phoning home" but absolutely fall into that category. Additionally, the number of google products and the number of calls being made is vast.
I don't expect apps to be collecting data when not in the app. I think I get a permission warning like "this device uses GPS - allow when in app, allow in background, etc"

But with android, I just want to know if there is a log of every place I go for instance and does this get sent to Google periodically. This is outside of the map app.

Also, I definitely want to know if it's recording data any time apart for when the microphone indicator is on. This is on an OS level.

I know there's some nuances, but I think what I am asking for is pretty basic.

> But with android, I just want to know if there is a log of every place I go for instance and does this get sent to Google periodically. This is outside of the map app.

There's two ways this can happen:

- There's a feature called "Location History" which does exactly what it says - reports your location periodically to Google. You can disable it under Location settings on Android.

- Your location may leak via IP requests in background - the most common way would be via persistent connection to FCM servers (servers that provide push messages, analogous to Apples Push notification services) or when the phone background syncs. Similarlly, you can leak your location to websites by simply browsing with your phone.

> Also, I definitely want to know if it's recording data any time apart for when the microphone indicator is on. This is on an OS level.

As far as I know there new microphone switches and notifications are implemented deep enough in AOSP code that a piece of software can't easily open the microphones without triggering that notification.

What about IP geolocation "leaks" to time.android.com and time.apple.com

It can be periodic. No way to turn it off.

About the same thing - same for internet connectivity checks which go to Apple/Google as well.
Android & iOS both phone home your GPS location combined with things like wifi points that were visible in that area. And on iOS also things like nearby bluetooth devices - this is how eg. AirTags work. Apple re-purposed their entire userbase to be GPS & bluetooth phone-home minions to power that network, and nobody was asked if they were OK with that. For both Android & iOS there's an "off" setting buried somewhere to disable this phone-home tracking.

As for "phones home" app data... I mean, that's what cloud sync & backups are. It doesn't necessarily mean that Google or Apple have access to that data, the device could encrypt it with your user passphrase before sending it. In theory. In practice they probably both do because otherwise password recovery systems kinda don't really work. If you can do a password reset and still access your data, then so could the company hosting that data.

But for both of those this is that awkward spot where very useful features necessarily require something that can sound very malicious depending on how it's described (and could actually be very malicious depending on how it's actually used)

Google basically has tracked the crap out of everybody without caring one bit about it, and now under regulatory pressure finds itself caring about privacy.

They're going for this "reasonable middle-ground" approach but this is an issue where a compromise is not possible.

This Sandbox idea basically means that instead of every 3rd party tracking the crap out of you, it's now exclusively in Google's hands. Where they may track "a little". There's even a privacy budget, where it is decided what "a little" means. Guess who controls this budget?

Tracking should be opt-in. And not the Apple way either, where you "ask" the tracker to stop tracking whilst it happily continues. It should block tracking at a technical level.

Apps can give intelligent options:

  - Enable tracking: app is free, some personalized ads.
  - Disable tracking: app is free, but more ads, that are not personalized.
  - Disable tracking: pay $ for non-tracked non-ad experience.
This is real user choice. A privacy sandbox is no choice, you can't opt-out of it.

To remind myself of how creepy tracking is, I often visualize the physical analogy. You're at home and somebody stands behind you, making notes of every webpage you visit, and when. You take a drive, and a car is following you all day, making notes of where you went. As you arrive at your friends' house, the follower makes photos of your friends and tries to find out their names, the connection is logged and they make a note to follow that person too. The creep following you has plugged a cable in your camera so that when you make a photo or video, they get a direct copy, along with all metadata. You want to send a postcard to your parents but the follower snags it from your hands, opens it, makes a copy and scans it for clues. You put some of your valuables in a storage box but the follower has a spare key and regularly inspects it.

Not a single of the above interactions would be acceptable in the physical world, but it's the norm in the digital world. And to finish the analogy, the output of all of this is junk mail in the mail box which you immediately throw in the paper garbage department.

Also, any of the above can be shared at will with institutions. Which seems totally reasonable, until it's not. Governments can turn against their citizens, it's common, also today.

I don't mean to escalate this to unintended proportions but I can't help but share this powerful example: During WW2, Germany occupied the Netherlands and the one thing that helped them to find Jewish people was a single data field in the population registry: religion.

Would you have ever guessed or anticipated that such a single unimportant piece of data would have led to the ultimate consequence?

That's why privacy is a human right. Stand for it with everything you got.