> Another tracker which cannot be removed once created is the Google Android ID, a device identifier that's linked to a user's Google account and created after the first connection made to the device by Google Play Services.
Yes, the ID is unique per-app+user BUT the ID would then be useless for tracking you across apps. It is no different from the app itself creating a random ID and saving it.
It's stored on a per-user basis. Note "user" refers to the operating system user, not the logged in google account.
>In versions of the platform lower than Android 8.0 (API level 26), a 64-bit number (expressed as a hexadecimal string) that is randomly generated when the user first sets up the device and should remain constant for the lifetime of the user's device. On devices that have multiple users, each user appears as a completely separate device, so the ANDROID_ID value is unique to each user.
If it takes research by a leading academic to uncover this device behavior then what hope is there for us mere mortals who don't want their identity to be tracked and traded?
Is it impossible to use a smart phone with strict privacy, or just very difficult?
It takes more effort, but far less than you're thinking I wager. I protect myself from Google - and a few others - as much as is practical for me through firewalling. On both my previous and current device I have never signed into a Google account, all of Google's apps are disabled (except the gallery, as disabling it breaks a key integration), and Rethink DNS manages all outgoing network connections at the app level. I use Aurora to access the Play Store (and also F-Droid and Obtainium), FairMail for email, and a variety of other alternatives.
It takes a bit to get it all configured initially, but once done it's sufficiently smooth sailing with occasional tweaks. The only thing that annoys me sometimes is that notifications no longer work properly for many apps, as the majority use Google's notifications service. Accessing OS updates may also become problematic, depending on the device OEM.
It's not hard for you mere mortals to figure out that all software from the company that tracks you is going to track you. If your privacy requirements are so strict that you can't permit any information to flow back to Google, consider GrapheneOS or any other de-Googled ROM. This isn't a hard thing to do.
For what it's worth, I disagree with a number of the most important conclusions the author makes in the paper.
It's not really about my privacy requirements, but about living in a society where someone can investigate and organize against the powerful, without their own computers/phones/cars immediately ratting them out, and without needing a team of security experts.
Though the line for when lack of privacy starts to hurt us is much lower than people think, like Doordash stealing tips from their workers, that in a privacy-respecting society Doordash wouldn't even know about: https://news.ycombinator.com/item?id=43040984
Doesn't GrapheneOS only support Google Phones? Do we know everything that's running on a Pixel? At a minimum there's an unknown Qualcomm RTOS running the baseband.
>and you think the Qualcomm RTOS can do what exactly?
Well that's the point, it's a black box so there's no telling what it can and can't do. There's what Qualcomm says it can do, and then there's what it can do.
Then that's a really weak point. There's a lot of things we know it can't do. It can't break the encryption between software and remote servers.
It also can't cause the phone to levitate. It also can't recharge my battery.
As a rule, I don't worry about unlikely hypotheticals, because doing so is a needless denial of service on my brain. Saying it's a black box is true, but that doesn't mean you get to invent random things to worry about, without direct evidence it's connected to the specific device we're discussing.
But I do think I should at least try to meet you half way, so maybe I can preempt a few things that used to be true or possible. The baseband also can't install software into my Android OS. It also can't directly read memory from my phone. It can't directly control my phone's bootup.
These are things poorly designed phones used to be able to do, that aren't possible on the Pixel line of hardware because it was designed to prevent them. That's why GrapheneOS targets the Pixel line: its hardware is designed in a way to enable a secure device.
> Saying it's a black box is true, but that doesn't mean you get to invent random things to worry about, without direct evidence it's connected to the specific device we're discussing.
True, but the corollary is that you also can't say it's not doing certain things. Just because you currently don't have evidence of something happening does not rule out the possibility, but I must admit I am ignorant about the specifics of how the Pixel's RTOS is implemented.
So I'm genuinely inquiring: Could it be sending your GPS ___location to some entity without notifying the GPOS?
> So I'm genuinely inquiring: Could it be sending your GPS ___location to some entity without notifying the GPOS?
With very low confidence, I believe for chips that put GPS on the baseband, yes it can because that's required for E911. (I don't know what the pixel line does) Can it then transmit that ___location using the baseband without you being able to tell? I would assume so, and that's a case where it's safe to assume it can.
Unfortunately, that doesn't matter much. Your ___location is also trivially known by your ISP by triangulating connection strength. Often this can be more accurate than GPS in many real cases. The threat/risk that's able to compromise the baseband SoC, is more easily able to compromise your ISP. And thus the phone simply existing is a risk to ___location privacy, given a perfectly secure ideal baseband SoC.
Can that be used to uniquely identify you, and correlate it with your other actions? That's not really a question I'm prepared to answer in a HN comment (because I have to draw that line somewhere for my own limited sanity), so... specifically yes, but generally, no. That is to say, it is possible given sufficient resources. But it's non-trivial to do in bulk. And there are many many easier and cheaper ways, so https://xkcd.com/538/ applies here too.
The RTOS could be used to leak your ___location, the fact that you're using a VPN, any non-VPN traffic, and call traffic. FWIW, I was mistaken and Google uses Samsung radios rather than Qualcomm.
GrapheneOS runs in the Normal Zone on an ARM SoC while running Trusty OS in the TEE. In order for an app, or GrapheneOS, to interact with certain hardware it must use the Trusty Lib and Trusty Driver APIs into the TEE. The entire composition and operation of the Trusty OS operates in the "Trust me bro" space, and Google's entire business model is built around spying on users.
So forgive me if I'm a little skeptical that GrapheneOS.
Google's business model is selling ads; all the data collection is so they can charge more for the ads they sell. The more you trust the platform, the more info you'll willingly give to Google, the more they can charge for ads. The more you trust your phone, the more you'll use your phone, the more chances Google has to collect information. They don't need to directly "spy" on you using means outside the normal data collection where you give them data. Thus, while I agree the "just trust me bro" attitude is borderline incompetence when it comes to security, I'm unconvinced that Google would take the risk of attempting to spy on anyone out of band.
> The RTOS could be used to leak your ___location, the fact that you're using a VPN, any non-VPN traffic, and call traffic.
Yes, it could... so can the default software on android, and so can your ISP (DPI is shockingly powerful). But, what's the risk there? How does knowing the ratio of traffic I send and receive being VPN, or TLS encrypted expose me to additional risk?
> So forgive me if I'm a little skeptical that GrapheneOS.
Even when you carry a dumb phone, your cellular carrier tracks your ___location via cell tower triangulation.
It's less accurate than GPS, but constant.
> The FCC said it found the carriers each sold access to its customers’ ___location information to ‘aggregators,’ who then resold access to the information to third-party ___location-based service providers.
Yes, except they only have your ___location, and that may not be acceptable to some. Google on the other hand has much more than just your ___location: everything you look at, everything you buy, every email/text conversation.
Your cellular carrier also has your identity and your billing address.
Companies that have chosen a surveillance capitalism business model have way more personal data, but they claim that they aren't selling that data to anyone willing to cut them a check the way that the carriers and app developers do.
However, data hoards stored by Google/Facebook/etc. are still subject to warrants, so how much do you trust that warrants will not be abused?
It might be that our only choice is something like the Librem 5 phone.
Disclaimer: I have a Librem 5 but don't use it. I use GrapheneOS on a Pixel.
GrapheneOS isn't supposed to be for privacy though, as they focus on security instead. I don't think it would be too much to ask for a little help on the privacy front, but that might be ignorant of me.
Smartphone isn't really even a device category, it's a legal category. I barely ever use my phone as a phone; I don't talk on it, I type on it and tap on it; it's just a computer and an access point to networks.
But it's a special kind of computer where all the laws are different, I have different rights when I'm near it or using it, and I am in constant battle with the companies that sold the phone to me to 1) try to keep my life as private as I can and 2) not pay them a commission on things I buy.
But what can I say about my phone that I couldn't now say about my TV, or my car?
This will never become less dangerous, this will become increasingly more dangerous.
It's also a surveillance device in its design. The mechanism of it is to connect to one or more third-party-owned towers to bidirectionally transpond data. By the nature of the machine, calculating roughly where the machine is every time it transponds is very straightforward.
"I want to send and receive messages from you but you're not allowed to know anything about me" is, at first pass, a tall order. We can sort of get that from the postal system and very little else in terms of communications technologies (and even then, if you screw with the network the postal service in the US is empowered federally to hunt you down).
What makes you believe it is pushed by government (and which government?) and why do you think that government wants to collect private info of everybody without letting them know and is there any evidence for it?
Sorry for all these questions, but without them answered your claim sounds like a conspiracy theory.
In my country there are plenty of critical services you basically can't access without mobile apps, e.g., interacting with medical services, and the official personal ID app.
It is a conspiracy theory. My theory is that big tech and government collaborate to surveil us all, sometimes willingly, sometimes openly.
All governments at all levels. Ever see a government service, office, or bureau talk of an app or show a QR code? That is a carrot for those who already use and stick for those who don't. Sometimes there is a paper form you can get and sometimes not. Do you recall all those covid apps?
Why? Because the government desires to know, for a variety of reasons. The US so they can watch your small payments. Europe so they can watch your speech and carbon footprint. Used to be so they could track you if you had a 1% deadly disease.
[EDIT] Evidence? Snowden's leaks and what I mentioned already
One project strongly resembling this was called NSTIC, the National Strategy for Trusted Identities in Cyberspace, detailed in a 2011 O'Reilly Radar piece by Alex Howard, now only available via archive:
"A Manhattan Project for online identity: A look at the White House's National Strategy for Trusted Identities in Cyberspace"
The NSTIC proposes the creation of an "identity ecosystem" online, "where individuals and organizations will be able to trust each other because they follow agreed upon standards to obtain and authenticate their digital identities." The strategy puts government in the role of a convener, verifying and certifying identity providers in a trust framework.
I'd learned about this in 2018/19 as Google+ was shutting down, through a Search Engine Journal piece (leveraging Howard's earlier article heavily), similarly only available as an archive, with the original article substituted in place with another at the same URL. This one by Kristine Schachinger:
"In Memoriam: The Rise, Fall & Death of Google Plus"
...Google was only going to be one of many identity service providers for a program run by the Federal Government called the NSTIC, or National Strategy for Trusted Identities in Cyberspace....
I'll note that neither article makes a direct link to mobile phones / smartphones, but clearly as those became widespread and individually identified with a single person for the most part, use of phone numbers as unique identifiers became widespread. Indeed, on Google+, over four billion accounts were eventually compiled, those being automatically granted to every registered Android device through about 2016 (the practice stopped about then). Google increasingly required phone numbers for account registration and recovery, "bribing" G+ members with "vanity" account names if they'd supply same.[1] The use of phone numbers as account validation tokens on numerous other services is now widespread.
________________________________
Notes:
1. I resisted the bait. Ironically, the vanity names couldn't be mapped back to the 20-ish digit UUID that otherwise identified accounts, and those who did make use of the nonnumeric IDs were largely excluded from archival efforts to save G+ content when the service shut down in 2019. I managed to create at least two backups of my own (non-vain) content, for what that's worth.
Switching to an alternative on Android, like GrapheneOS or CalyxOS, can help you regain some of the privacy you've lost. If you are an Apple user, good luck.
There's a significant amount of guesswork in this Register article. PCC[0] is an example of on-device compute being done in a way to ensure Google (and others) don't see certain kinds of data.
I'm ready for a third operating system, not tied to an advertising company, where you have root access to inspect the system, and revenue is generated through OS refreshes and SDK licensure.
To this day, I can't believe that an _operating system_ has provisions in it for advertising.
Linux? You won't have all your apps (unless you get Waydroid working, but that itself relies on an Android image), but it does work well enough that some people daily-drive it.
I think a lot of non-technical users really don't understand the distinction between how the OS vs. how any given app can spy on you. Even in technical circles, this issue gets confused. Is Android or iOS better for privacy? Well, modern Android (arguably) gives you better privacy controls for apps; however, Android OS itself performs an order of magnitude more spying than iOS does.
This[1] is a paper that shows what each operating system tracks and what security model they use. Android generally tracks more and has less effective sandboxing.
The paper you linked is absolutely trash. The actual "meat" of the article is only two pages, and contains nothing of substance, presumably because the authors themselves admit it's "secondary research where we have collected the data from IEEE Xplore and Wikipedia". It also contains some hilariously bad takes like that Android "is not fully stable because as android is free ware". As for the claim that it has less effective sandboxing, that's just a claim taken at face value from an article from 2014 and is no way indicative of how secure iOS or Android is today.
I wonder why you are being downvoted. The abstract of that paper alone doesn't make me confident that the authors know what they are talking about:
> Abstract - Mobile operating system is a light weight operating which is used in mobile device. Some operating systems have additional features like sensor embedding and also OTG. In this paper we are going to compare between android and iPhone Operating System (iOS) mobile operating systems that available in the market which is more specific various issues. The issues which we are going to discuss in this paper is not only concern to mobile customers but also concern to software developers. The security requirements for MOS are Memory Randomization, Encryption, Data Storage Format and Built-in Antivirus. Memory randomization ensures that the memory regions of mobile application as well as system shared libraries are all randomized at device and application start-up. In this paper we want compare and analyse the operating system of the Android and iOS.
Can anyone ELI5 what the situation with the Android ID is when no Google account has ever been created, and all app installs are through an alternative store interface, whether a front-end to Google Play (e.g., Aurora) or a freestanding store (e.g., FDroid)?
It's generated by the operating system itself, not Google Play Services. So being logged into a Google account or not doesn't affect the value. There's also a GSF ID which is generated by Google Play Services, but that's generated regardless of whether you're signed in or not.
Recently, I thought Maps was the app that tracks me everywhere I go.
I put Maps in Incognito mode just as an attempt to disable it, but guess what?
It still tracked me all the time. The only difference Incognito made was not remembering my search history.
Yes, "Incognito" largely only removes local activity history, doing little if anything to disable remote tracking. Though there's some (very slight) advantage in having cookies and the like be made temporary. Access to other identifiers, including Google's ad identity and device-specific identifiers is probably still available. (I'm hazy on this and the situation changes, though at a ground level capacity-to-track largely remains intact over time).
One could contrast, say, the etiquette and tech of the Fediverse.
... even then, I question if the rhetoric matches the reality. Many users of Mastodon, for instance, will decry the harvesting of data or creation of search engines, then run what is essentially an open relay of every post their users create to any other node that purports to be a legit Mastodon instance. The organic growth goal conflicts with the data-control goal.
When your technology's operation doesn't match the rhetoric, which is it?
No. Silicon Valley as a whole. There are no good guy tech companies because if they were they would be out of business. If there are, let me know because I want to work for them.
The Android ID isn't actually unique anymore. Every app you install will see a different Android ID. https://android-developers.googleblog.com/2017/04/changes-to...
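The scoping change this comment and the earlier "unique per-app+user" reply describe, as a small Python model added here (it is not platform code from the thread or from AOSP). The HMAC derivation is an assumed stand-in for Android's undocumented internal one; the model reproduces only the documented rule that before API 26 one per-OS-user value was visible to every app, and from API 26 the value is scoped by device, OS user and app signing key, so two apps can only join their profiles of a user through ANDROID_ID when they share a signing key.

```python
import hashlib
import hmac
import secrets

# Constructed model of how ANDROID_ID is *scoped*; the real derivation inside
# the platform is not public, only the scoping rules below are documented:
#   API < 26 : one random 64-bit value per OS user, identical for every app.
#   API >= 26: one value per (device, OS user, app signing key) triple.
# A "signing key" here is simply the bytes of an app's signing certificate.

API_OREO = 26


class ModelDevice:
    def __init__(self, api_level: int) -> None:
        self.api_level = api_level
        self.factory_reset()

    def factory_reset(self) -> None:
        # A reset discards every per-user secret, so all derived IDs change.
        self._user_secret = {}

    def _secret_for(self, user: int) -> bytes:
        # Created lazily at first use, like the value set up on first boot.
        return self._user_secret.setdefault(user, secrets.token_bytes(32))

    def android_id(self, user: int, signing_key: bytes) -> str:
        secret = self._secret_for(user)
        if self.api_level < API_OREO:
            # Pre-Oreo: the per-user value itself, shared by all apps.
            digest = secret
        else:
            # Oreo+: bound to the caller's signing key as well, so apps
            # signed with different keys see unrelated values. (Assumed
            # construction; only the scoping matches the platform.)
            digest = hmac.new(secret, signing_key, hashlib.sha256).digest()
        return digest[:8].hex()  # 64-bit value as a 16-char hex string


def cross_app_linkable(device: ModelDevice, user: int,
                       key_a: bytes, key_b: bytes) -> bool:
    """True when two apps (identified by signing key) on the same OS user
    read the same ANDROID_ID, i.e. the ID alone lets them join profiles."""
    return device.android_id(user, key_a) == device.android_id(user, key_b)


if __name__ == "__main__":
    key_a, key_b = b"cert-of-app-A", b"cert-of-app-B"   # constructed
    for api in (25, 26):
        dev = ModelDevice(api)
        print(f"API {api}: A={dev.android_id(0, key_a)} "
              f"B={dev.android_id(0, key_b)} "
              f"linkable={cross_app_linkable(dev, 0, key_a, key_b)}")
```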