With all that in mind, I’m curious how much of that data does Firebase, aka Google, share with all the rest of its services. Does enabling location tracking suddenly cause Firebase to report location data without our knowledge? Does enabling calendar access suddenly cause Firebase to read the calendar data on its own and report that, too? I’m not at all accusing Firebase of doing anything without knowledge and maybe it may be a “good citizen” with regards to how it manages and accesses (or doesn’t, even if it can) private data but I’m confident that that’s not the case with every third party tracker.
> Does enabling calendar access suddenly cause Firebase to read the calendar data on its own and report that, too?
These are good questions to be thinking about. As for Firebase specifically, I have never seen it automatically collect additional data based on user-granted permissions (at least in iOS apps).
However, there may be a few other SDKs with this sort of issue. It is important for app developers to be careful of this.
For example, when working on similar location tracking research (see: https://guardianapp.com/research/ios-app-location-report-sep...), I noticed that quite a few prominent apps use an SDK from “Braze” (https://www.braze.com/), and if location permission was granted to the “host” app, the SDK automatically sends back the user’s GPS coordinates when communicating with the Braze API. I remember at least one such app developer had no idea Braze was doing that and rushed a fix out soon after to make it stop sending the GPS information to Braze.
I hope we see more pressure on analytics companies to offer more open source SDKs instead of compiled binaries and headers. This sort of issue would be easier to spot and deal with, instead of being unsure what exactly the SDK was doing.
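An added example, not part of the comment above and not code from any SDK vendor: one way an app developer could audit traffic captured from their own app for the behaviour described, by scanning the JSON bodies of requests to third-party hosts for latitude/longitude pairs. The host names, key names and sample requests are constructed assumptions.

```python
import json

# Key names that commonly carry coordinates (assumed list, not taken from any SDK).
LAT_KEYS = {"lat", "latitude"}
LON_KEYS = {"lon", "lng", "long", "longitude"}


def _is_coord(value, limit):
    # bool is a subclass of int, so exclude it explicitly.
    return (isinstance(value, (int, float)) and not isinstance(value, bool)
            and -limit <= value <= limit)


def find_coordinates(node, path="$"):
    """Return (json_path, lat, lon) for every object holding a plausible lat/lon pair."""
    hits = []
    if isinstance(node, dict):
        lowered = {str(k).lower(): v for k, v in node.items()}
        lat = next((lowered[k] for k in LAT_KEYS if k in lowered), None)
        lon = next((lowered[k] for k in LON_KEYS if k in lowered), None)
        if _is_coord(lat, 90) and _is_coord(lon, 180):
            hits.append((path, lat, lon))
        for key, value in node.items():
            hits.extend(find_coordinates(value, f"{path}.{key}"))
    elif isinstance(node, list):
        for i, value in enumerate(node):
            hits.extend(find_coordinates(value, f"{path}[{i}]"))
    return hits


def audit_requests(requests, first_party_hosts):
    """Flag requests to non-first-party hosts whose JSON body contains coordinates."""
    findings = []
    for req in requests:
        if req["host"] in first_party_hosts:
            continue
        try:
            body = json.loads(req["body"])
        except (ValueError, TypeError):
            continue  # not JSON; a fuller audit would also check form and query data
        for path, lat, lon in find_coordinates(body):
            findings.append((req["host"], path, lat, lon))
    return findings


# Constructed sample traffic, in the shape a local intercepting proxy might export.
SAMPLE = [
    {"host": "api.example-app.test", "body": '{"lat": 37.33, "lng": -122.03}'},
    {"host": "sdk.analytics.example", "body": '{"events": [{"name": "open", "data": {"latitude": 37.33, "longitude": -122.03}}]}'},
    {"host": "sdk.analytics.example", "body": '{"events": [{"name": "tap", "data": {"x": 10}}]}'},
    {"host": "cdn.example", "body": "not json"},
]
```

Running `audit_requests(SAMPLE, {"api.example-app.test"})` reports only the second request, with the JSON path of the object that carries the coordinates.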
On the plus side I think more and more developers and users are becoming aware of the dangers and the actual cost to their privacy and/or brand that these 'free' things expose and so it will perhaps get better.
Compared to the budding nightmare I see coming from that direction, merely losing your nudes, while a more acute problem, will have nothing on the chronic changes that's going to bring.
I don't care (that much) about my privacy, I care about everyone's privacy.
But yea, it's going to take a long time. And it's going to be a crazy ride.
I got angry at some things. For instance, ISP app should provide me information about data consumption and means to buy more. However, it decided to do more things behind the scenes, in addition to doing the tasks it was supposed to in an overly complicated manner—requests travelled back and forth over multiple servers over multiple companies before it did anything.
After this exercise, I realized how great it would be if these companies had to provide a clean and well documented API. Users could implement their own apps, liberating themselves from having to trust their private data and resources to companies that would care less, if allowed.
That's why we don't have those APIs. It's not in the interest of any company to make itself more interoperable. This would allow users to develop ways at getting directly what they want and paying the sticker price, without being exposed to all kinds of garbage. Problem is, this very garbage is an important, and sometimes primary way companies make money.
Put another way: most companies aren't your friends, they're here to abuse you. Hold on tightly to the rare ones that are friendly.
How much would it cost me to have a phone with all trackers turned off? (Or, perhaps, routed through a core application that requires whitelisting?)
If you do not want to root your device:
1. Install NetGuard or No Root Firewall to view what's going on from network perspective.
2. Install ExodusPrivacy to generate a report on apps wrt sdks in use by them.
---
If you are okay to root the device:
1. Install XposedMod, and then XPrivacyLua module, and work through the options.
---
If you're okay with flashing a ROM:
1. Consider LineageOS + microG
2. If you are using Pixel, consider ChromeheadOS (edit: CopperheadOS) [3].
---
If you're okay with a new device:
1. Consider purchasing puri.sm Librem 5.
---
[0] https://news.ycombinator.com/item?id=18788410
[1] https://guardianproject.info/apps/orbot/
For example, did you know that many shopping malls track you with license plate readers? Did you know that your credit card transactions are up for sale? Or that your cell phone provider will give up your location to a third party with a flimsy consent?
I want to but I can't even if I "own" it.
> 1. Consider LineageOS + microG
Probably should avoid microG if you care about privacy...
The closest you could get would be to buy burner phones with cash.
Never buy a phone you don't have root access to.
When speaking to friends and coworkers about these issues, the result is mostly people calling me paranoid.
Developers mostly don't care as long as they get money.
Users mostly don't care as long as they get cheap apps.
As a developer who does not use third party SDKs that track users (other than the OS) because I value my users' privacy and realize that many of my users are in places where data is expensive and scarce, I sometimes feel like I am engaging in a futile and unwanted effort.
I’m not saying this is an ideal situation by any means. However, it’s just two small examples that are ignored by this article.
Further, an Android phone with no 3rd party apps is already sending an enormous amount of tracking data to Google, where it can be purchased by 3rd parties. None of this requires an Advertising ID.
Not cool.
[1] https://techcrunch.com/2019/03/03/facebook-phone-number-look...
By installing their app, you can see the trackers for each app that you have installed. If you use Yalp store (an open source front-end for the Play Store), there is also a button to view trackers for each app.
Edit: just saw that you're on iOS. This is probably not allowed by Apple, so I guess there will be no alternative.
Some of them are designed to be compiled into the (encrypted) main app binary.
It's easy enough to have eg two phones - a main one with FDroid only, and a secondary off-most-of-the-time one with YALP store convenience apps. Tablets you can diversify even harder because you don't have to carry them in your pocket.
Separate devices draw a line in the sand, rather than just accepting amorphous insecurity as inevitable. And then you can work on slowly moving your usage patterns away from the surveillance-foregone devices.
It's quite refreshing and works well, out of the box it runs js though unless you turn it off, a neat little reminder to use simpler sites and not support the popup/overlay hell that is the current web.
> The Librem 5 represents the opportunity for you to take back control and protect your private information, your digital life through free and open source software, open governance, and transparency
> As a social purpose company, Purism believes building the Librem 5 is just one step on the road to launching a digital rights movement, where we—the people—stand up for our digital rights, where you place the control of your data and your family’s data back where it belongs: in your own hands. Let’s declare, “We will no longer allow unfettered access to our photos, videos, email, text messages and application and usage data without our permission.”
you can set it to 'connect on demand', ie always on mode, at the cost of a bit of battery (not enough for me to be bothered). it acts as a vpn but only for your dns queries. afaik this is the best single step privacy option on ios at the moment.
[1] https://itunes.apple.com/us/app/dnscloak-secure-dns-client/i...
Nope. Safari is by far the most popular browser on iOS.
On desktop I use extensions to limit tracking, but it's harder on iOS.
(not the grandparent, but that user is not alone)
“Physical retail stores and loyalty programs have trackers you know nothing about.”
Am I doing this right?
I feel like a deeper point needs to be made to justify these headlines. The conversation needs to evolve and get more nuanced.