The single most important, most debated subject of being online - privacy and security.
While security is undisputed, privacy aspect is.
So what exactly is the concern? As normal people in normal professions (which is easily more than 90% of the population), is there a need for worry?
For a long time since I started using smartphones, I had a natural inclination towards remaining anonymous and private online. I would always use incognito browsing for everything I do online, never create an account with a service as much as possible (e.g. I would watch YouTube videos without signing in), etc.
With time, I began realizing that I am actually missing out on so many interesting things that matter to me, and much of the content that would interest me would be made available to me without much effort using machine learning and artificial intelligence, an area where huge investments are being made.
So slowly I started accessing content and using services with my Google account. Over time, everything from Google feed to YouTube videos were showing me content that I am interested in, and sometimes they were so intelligent that I have been amazed with the whole technology that is at works. Surely, you cannot expect a doctor to give you the right prescription without giving him complete details about your problems. You can't talk privacy there. So unless the system learns what you like and what you don't, there is no way it will present stuff (including ads) that will be interesting to you.
With that said, why are are we overemphasizing this aspect of our lives? Is the privacy lobby inflating the privacy problem more than is necessary? Especially since much of what Google learns (according to them) about you is private, and only you can access/ control it, and also because the open-source alternatives are overrated. I say overrated because there are no audit reports (from trustworthy audit entities) available. Their codes may be available for audit, but is there a trustworthy source that is actually auditing them? Are the platforms where they are available being audited? So the issue of privacy and security applies to these platforms too, and more so because they aren't scrutinized as heavily as Google products and services.
As far as more personal info is concerned, like location, age, gender, searches I perform, accounts, mobile number, etc - Google already has all those because I provided them with much of that info when I created my account. Sure, one can always provide fake info for some of them. But if you use 'Find my Device', you are pretty much giving away your location to Google REAL-TIME. While this can potentially be misused, how else is Google supposed to help you if you were to lose your device? Mobile numbers and email addresses are necessarily required to be correct because they are needed when you are locked out of your account. They are the only means to get your account back.
While I am a strong proponent of privacy, I also feel that too much is made out about a lot of stuff that aren't really something to worry about. Those stuff are essential to get the service we expect in return, in other words, putting technology to use.
That said, it is still important not to give anyone a free hand over data, and there has to be several layers of checks and balances, and accountability for safeguarding and using them.
All that said, my current position is this. Make best use of the technology at hand, because if you don't provide the necessary inputs, there cannot be a proper output.
As with some things that we do online which we might want to keep completely private, use a non-google browser (like Firefox Focus or Duck Duck Go) in incognito mode with Duck Duck Go search engine.
For everything else, use GOOGLE (assuming there is accountability and severe penalties for violations).
Reserved for additional info.
@Ultramanoid
We may continue the discussion here.
I have a few specific questions for which I haven't found answers. May be you or others could answer them. I'll compile them and post these later.
Sridhar Ananthanarayanan said:
@Ultramanoid
We may continue the discussion here.
I have a few specific questions for which I haven't found answers. May be you or others could answer them. I'll compile them and post these later.
Click to expand...
Click to collapse
I have a hard time understanding how you can say you're a strong proponent of privacy, while at the same time justifying how you exchange yours for convenient services.
I can't justify that exchange, and yet use, work in, and develop in an IT field. No Google account here. So it'd be difficult to discuss the issue when our basic premises and understanding of the situation are completely opposed.
I want a good mail service, so I PAY for it, with MONEY, and I assure you it beats all the tech prowess and illusions of magic that GMail and its indecent, immoral, and insulting data mining and tracking provide. Same for everything else.
The aberration that is 'service' ( lower quality feature set, no support, security issues, client is the product ) for information, which, as mentioned in MiX's thread, also has the tremendously damaging side effect of reducing to zero the value of good honest developer work. 'Google gives it for free' -- No, it doesn't, and no, it's not free.
Edit : And by the way, giving your data away not only puts you at risk, it puts others at risk as well. Unacceptable.
Ultramanoid said:
I have a hard time understanding how you can say you're a strong proponent of privacy, while at the same time justifying how you exchange yours for convenient services.
I can't justify that exchange, and yet use, work in, and develop in an IT field. No Google account here. So it'd be difficult to discuss the issue when our basic premises and understanding of the situation are completely opposed.
I want a good mail service, so I PAY for it, with MONEY, and I assure you it beats all the tech prowess and illusions of magic that GMail and its indecent, immoral, and insulting data mining and tracking provide. Same for everything else.
The aberration that is 'service' ( lower quality feature set, no support, security issues, client is the product ) for information, which, as mentioned in MiX's thread, also has the tremendously damaging side effect of reducing to zero the value of good honest developer work. 'Google gives it for free' -- No, it doesn't, and no, it's not free.
Edit : And by the way, giving your data away not only puts you at risk, it puts others at risk as well. Unacceptable.
Click to expand...
Click to collapse
You spoke of making 'reasonable compromises' on the MiX thread.
I have only elaborated the same. How does it matter if Google learns what I like to search on the internet? I am willing to give them that information so that they can provide me with content I am interested in, so that my news feed is mostly content I like to read/ watch, and little garbage. In the process, if they are showing me ads relevant to me, what is wrong with it?
My view is based only on this premise that this is how my data is being used. I have never had a financial security issue (like money being stolen from my account) because of what Google learns about my internet activity.
Also, I am assuming that Google won't learn anything about the searches I may do in incognito mode. They are supposed to respect the privacy. I'm aware they have been sued for not adhering to it strictly.
So assuming that they stick with usage of data as per their declared privacy policies and in accordance with laws, what is the problem?
Sridhar Ananthanarayanan said:
You spoke of making 'reasonable compromises' on the MiX thread.
Click to expand...
Click to collapse
As to security. As long as you rely on someone else's software, some company's cables and infrastructure, there's no other way.
No reasonable compromise on privacy in the "service x information" business model. It needs to die.
Edit : Have a look at this; https://privacytools.io ( "Privacy? I don't have anything to hide." )
my view on this is:
i agree, you should protect privacy as much you're able to, but if you need some services and you need "to give up privacy" for acquiring that service you need, then for me it's legit.
i wouldnt go all crazy on privacy as many go (to completely ditch google, windows, and become open source - privacy - government consipiracy evangelist), but i wouldnt rely on them for my whole life.
yes, i use google calendar and notes and all my data is on google, and if google go down or misuse my data, maybe i will lose that data but still i can easily use on another platform one stop working or is not trustworthy (publicly misuses data)
i love to use custom ROMs not to ditch google or become privacy conscious (using f-droid and living under rock without google services) but to ditch stock ROM from manufacturer as i dont like any manufacturer stock ROM, i want just their hardware, and software i want to be my choise.
for normal people storing something on google, microsoft, apple is not at all bad idea, when you store not that important or sensitive data on google. but i would never upload any top secret, sensitive data on any those services, as they WILL allow governemnt to exctract data (like edward snowden said ), so anyone from governemnt can access it or even misuse it, but if you dont store top secret sensitive info on those services you are fine.
if you want to store top secret sensitive data you would make it and encrypt it and store local copies.
and for google search, same applies, you will be fine with normal use, use firefox and duckgo , and also ingonito dont respect any privacy, it just make to browser not to store history, everything else is visible to them, unless you use firefox and duckgo.
and also many say vpn secure you (ones you buy) , but i wouldnt trust not even them (even if you pay), if you want to have encrypted connection you better MAKE your own VPN server (you can buy remote linux server online and make it as VPN), carrier to whom you pay for server dont care what you store on server (because you pay for it) and if governement comes to there he wont be able to provide anything.
but still even with all said, i dont advocate on trusting government as they dont care about freedom or rights, they care just about power, so protect privacy as much you are able to, but dont go all crazy on it, because best way to be secure on internet is not to use it at all, as at the end of the day dont forget that all intel, arm, amd chips (hardware) are hackable and exploitable to survevilance if they want to
EDIT: and also always remmeber, if you are censored for your rights, you have full right to protect your right, but i didnt got censored for searching for something on google. maybe google censored it to control media, but everyone do it, even media is manipulating you with fake news.
like if i am in china and i cant open news that reveal china government because china censorshiped that source "for greated good", i would use linux, tor and vpn so i can bypass censorship to know what's right. as long you dont face censorship for your rights it still okay to use those services, but if someone censorship for your rights, then its time to act and stand up for yourself, and not accept anyone's "censorship for greater good".
You know what's funny, people talking about privacy (intrinsically security also), yet many (and by many I mean the majority) of ROMs released on XDA are released without source code. Devs link to some other sources other than the source to be able to build the project. Here is an example. So while privacy is important, security is highly problematic with this modding model we all follow. Not to mention flashing different unchecked magiks modules.
Ultramanoid said:
As to security. As long as you rely on someone else's software, some company's cables and infrastructure, there's no other way.
No reasonable compromise on privacy in the "service x information" business model. It needs to die.
Edit : Have a look at this; https://privacytools.io ( "Privacy? I don't have anything to hide." )
Click to expand...
Click to collapse
I think the moment you are online, you are presenting yourself to be tracked. No matter what tools you use to safeguard your privacy, a country's intelligence has an upper hand because they have the resources and much more advanced technology that is not commercially available.
They can also set up something like the link you shared as just another means to track you (by misleading you into believing that you are remaining private and anonymous).
I think one can truly stay private only by staying away from technology. Otherwise, you are just opening yourself up for tracking.
atttoush said:
You know what's funny, people talking about privacy (intrinsically security also), yet many (and by many I mean the majority) of ROMs released on XDA are released without source code. Devs link to some other sources other than the source to be able to build the project. Here is an example. So while privacy is important, security is highly problematic with this modding model we all follow. Not to mention flashing different unchecked magiks modules.
Click to expand...
Click to collapse
nope, check here
XDAevDB Information
[ROM][UNOFFICIAL][10.0.0][raphael] LineageOS 17.1, ROM for the Redmi K20 Pro
Source Code: http://bigota.d.miui.com/V11.0.1.0....NGlobal_V11.0.1.0.QFKINXM_5e75bba584_10.0.zip
this is source code for ROM, they are always released somewhere, github, dont matter, but they are released, you just need to look it up
indestructible master said:
nope, check here
XDAevDB Information
[ROM][UNOFFICIAL][10.0.0][raphael] LineageOS 17.1, ROM for the Redmi K20 Pro
Source Code: http://bigota.d.miui.com/V11.0.1.0....NGlobal_V11.0.1.0.QFKINXM_5e75bba584_10.0.zip
this is source code for ROM, they are always released somewhere, github, dont matter, but they are released, you just need to look it up
Click to expand...
Click to collapse
This is not a source code ... Just because it says source code, it doesn't mean it's a source code. That's a zip file containing the OEM firmware from Xiaomi.
indestructible master said:
my view on this is:
i agree, you should protect privacy as much you're able to, but if you need some services and you need "to give up privacy" for acquiring that service you need, then for me it's legit.
i wouldnt go all crazy on privacy as many go (to completely ditch google, windows, and become open source - privacy - government consipiracy evangelist), but i wouldnt rely on them for my whole life.
yes, i use google calendar and notes and all my data is on google, and if google go down or misuse my data, maybe i will lose that data but still i can easily use on another platform one stop working or is not trustworthy (publicly misuses data)
i love to use custom ROMs not to ditch google or become privacy conscious (using f-droid and living under rock without google services) but to ditch stock ROM from manufacturer as i dont like any manufacturer stock ROM, i want just their hardware, and software i want to be my choise.
for normal people storing something on google, microsoft, apple is not at all bad idea, when you store not that important or sensitive data on google. but i would never upload any top secret, sensitive data on any those services, as they WILL allow governemnt to exctract data (like edward snowden said ), so anyone from governemnt can access it or even misuse it, but if you dont store top secret sensitive info on those services you are fine.
if you want to store top secret sensitive data you would make it and encrypt it and store local copies.
and for google search, same applies, you will be fine with normal use, use firefox and duckgo , and also ingonito dont respect any privacy, it just make to browser not to store history, everything else is visible to them, unless you use firefox and duckgo.
and also many say vpn secure you (ones you buy) , but i wouldnt trust not even them (even if you pay), if you want to have encrypted connection you better MAKE your own VPN server (you can buy remote linux server online and make it as VPN), carrier to whom you pay for server dont care what you store on server (because you pay for it) and if governement comes to there he wont be able to provide anything.
but still even with all said, i dont advocate on trusting government as they dont care about freedom or rights, they care just about power, so protect privacy as much you are able to, but dont go all crazy on it, because best way to be secure on internet is not to use it at all, as at the end of the day dont forget that all intel, arm, amd chips (hardware) are hackable and exploitable to survevilance if they want to
EDIT: and also always remmeber, if you are censored for your rights, you have full right to protect your right, but i didnt got censored for searching for something on google. maybe google censored it to control media, but everyone do it, even media is manipulating you with fake news.
like if i am in china and i cant open news that reveal china government because china censorshiped that source "for greated good", i would use linux, tor and vpn so i can bypass censorship to know what's right. as long you dont face censorship for your rights it still okay to use those services, but if someone censorship for your rights, then its time to act and stand up for yourself, and not accept anyone's "censorship for greater good".
Click to expand...
Click to collapse
As I said, we are overemphasizing on many of the things and linking them to privacy. Much of the seemingly private things have no bearing in real life, even when made public. Because, no matter where you are, you have to adhere to the local laws and your internet activity isn't important (unless one is into prohibited activities).
It is a very niche segment of people (like those working for intelligence, journalists, etc.) that must pay special attention. For most others, there isn't too much to worry about, as long as the companies providing services adhere to data regulations and act with responsibility.
atttoush said:
You know what's funny, people talking about privacy (intrinsically security also), yet many (and by many I mean the majority) of ROMs released on XDA are released without source code. Devs link to some other sources other than the source to be able to build the project. Here is an example. So while privacy is important, security is highly problematic with this modding model we all follow. Not to mention flashing different unchecked magiks modules.
Click to expand...
Click to collapse
Few months back, I made a decision to stop using custom ROMs. This decision is made easier by OEMs promising 3 to 4 years of software/ security updates.
OEM ROMs are largely scrutinized. Custom ROMs are not. You never know what they bake into their codes. There is absolutely no assurance on them respecting your privacy or security.
Sridhar Ananthanarayanan said:
Few months back, I made a decision to stop using custom ROMs. This decision is made easier by OEMs promising 3 to 4 years of software/ security updates.
OEM ROMs are largely scrutinized. Custom ROMs are not. You never know what they bake into their codes. There is absolutely no assurance on them respecting your privacy or security.
Click to expand...
Click to collapse
It's not the case with few established ROMs. Lineage OS comes to mind. As they encourage people to build ROMs from source. But device support is problematic. That's why I turn to custom ROMs. It's a great idea, but I thought XDA ROMs guaranteed security with the GPL and Open source philosophy. But it's being violated all over the place.
Sridhar Ananthanarayanan said:
Few months back, I made a decision to stop using custom ROMs. This decision is made easier by OEMs promising 3 to 4 years of software/ security updates.
OEM ROMs are largely scrutinized. Custom ROMs are not. You never know what they bake into their codes. There is absolutely no assurance on them respecting your privacy or security.
Click to expand...
Click to collapse
Which OEMs are these ? Please mention one and point to where and how their code can be reviewed. Almost none provide support for a device after 2 or 3 years. Almost none are scrutinized because their additions to Android are proprietary and closed source, they barely release kernel changes and those only because they are legally obliged, sometimes even after the device which uses that kernel is not even on sale anymore.
Partial exception for SONY, that provides repositories for AOSP support for many of their devices, and sometimes have released blobs ( not code ) for their drivers and cameras. This is the rare exception, not the rule.
Almost no OEMs provide timely security updates incorporating Google's monthly patches for critical vulnerabilities. Some pile them up in batches, leaving devices vulnerable for months and even years. Stagefright, bluetooth, Qualcomm ... They don't give a crap.
Get the facts straight.
Lineage, in contrast, is developed in plain sight by hundreds of developers revising the code every single day, include Google's vulnerability patches religiously every month and have provided fixes time and again for things Google and OEMs don't bother to fix. They also support devices securely years after OEMs have completely abandoned them.
LineageOS
A free and open-source operating system for various devices, based on the Android mobile platform. This is a mirror of https://review.lineageos.org/ - LineageOS
github.com
Edit : Remember that this is a developers' forum, by developers for developers. Checking and editing code daily is what we do.
Edit 2 : Can't comment as to other 'custom ROMs', from which it may very well be better to stay away.
Ultramanoid said:
Which OEMs are these ? Please mention one and point to where and how their code can be reviewed. Almost none provide support for a device after 2 or 3 years. Almost none are scrutinized because their additions to Android are proprietary and closed source, they barely release kernel changes and those only because they are legally obliged, sometimes even after the device which uses that kernel is not even on sale anymore.
Partial exception for SONY, that provides repositories for AOSP support for many of their devices, and sometimes have released blobs ( not code ) for their drivers and cameras. This is the rare exception, not the rule.
Almost no OEMs provide timely security updates incorporating Google's monthly patches for critical vulnerabilities. Some pile them up in batches, leaving devices vulnerable for months and even years. Stagefright, bluetooth, Qualcomm ... They don't give a crap.
Get the facts straight.
Lineage, in contrast, is developed in plain sight by hundreds of developers revising the code every single day, include Google's vulnerability patches religiously every month and have provided fixes time and again for things Google and OEMs don't bother to fix. They also support devices securely years after OEMs have completely abandoned them.
LineageOS
A free and open-source operating system for various devices, based on the Android mobile platform. This is a mirror of https://review.lineageos.org/ - LineageOS
github.com
Edit : Remember that this is a developers' forum, by developers for developers. Checking and editing code daily is what we do.
Edit 2 : Can't comment as to other 'custom ROMs', from which it may very well be better to stay away.
Click to expand...
Click to collapse
I didn't say that OEMs make their source codes available. I said they are scrutinized. Scrutinized by security researchers around the world, who may or may not be funded by competition. There is lot of benefits by doing so because OEMs can use this as an opportunity to push sales of their own devices. Example is the clipboard scandal of OnePlus, as well as others.
Compare that to custom ROMs. There are so many custom ROMs available for popular devices. Official builds, unofficial builds, nightlies, etc. etc. The ROMs are available for free. Who cares to audit/ scrutinize these? No one cares because there is nothing to gain. This is also because a very minute % of Android users actually install custom ROMs. So no one cares.
Just like root, the need for custom ROMs is decreasing by the day. OEMs are now promising upto 3 years of Android upgrades and 4 years of security updates, atleast for their flagship devices. And now the Google-Qualcomm partnership that is making these upgrades easier and faster. Unlike in the past, OEMs are much faster in releasing security updates today.
Lineage official builds, in my experience, isn't feature rich like some other custom ROMs or unofficial forks of Lineage. People may opt for Lineage official builds primarily for two reasons:
1. Debloat their OEM software like those from Xiaomi, Huawei, even Samsung.
2. OEM has stopped providing official support (this is now changing because 3 to 4 years of official support is synonymous to life of the device because a large % of people usually buy a new device every 3 or 4 years).
Some of the developers of custom ROMs are arrogant arses. That's another reason to tell them to eff-off.
Sridhar Ananthanarayanan said:
I said they are scrutinized. Scrutinized by security researchers around the world, who may or may not be funded by competition.
OEMs are now promising upto 3 years of Android upgrades and 4 years of security updates, atleast for their flagship devices.
Click to expand...
Click to collapse
1. Which security experts ? We have some in XDA whose daily job is precisely that, have you spoken to them ? I don't know of a single audit of any OEM's version of Android. Please mention or link at least one if you think they exist.
2. Which OEMs ? I don't know of a single OEM providing support of any kind for any of their devices ( maybe OnePlus barely reaches 3 for some of theirs, again, a very rare exception ) beyond 3 years, much less 4.
Provide real data points or stop speculating on vague promises and supposed security experts somewhere. When I say LineageOS is available, you can see it is. You can also build SONY's AOSP from their code. ( Edit : https://developer.sony.com/develop/open-devices/ )
One thing is to express an opinion, another to give facts.
Ultramanoid said:
1. Which security experts ? We have some in XDA whose daily job is precisely that, have you spoken to them ? I don't know of a single audit of any OEM's version of Android. Please mention or link at least one if you think they exist.
2. Which OEMs ? I don't know of a single OEM providing support of any kind for any of their devices ( maybe OnePlus barely reaches 3 for some of theirs, again, a very rare exception ) beyond 3 years, much less 4.
Provide real data points or stop speculating on vague promises and supposed security experts somewhere. When I say LineageOS is available, you can see it is. You can also build SONY's AOSP from their code. ( Edit : https://developer.sony.com/develop/open-devices/ )
Click to expand...
Click to collapse
Fact 1: OnePlus is collecting your private data without permission
Fact 2: Engineer Mode
Fact 3: Clipboard Scandal
Fact 4: Shot on OnePlus
Fact 5: MiUI stealthily sending user data back to China
Fact 6: Xiaomi Recording Millions Of People’s ‘Private’ Web And Phone Use
...
Thats just some of them. If you search, you will find more.
In most of these cases, it is some security researcher somewhere in the world who found a questionable activity that goes against acceptable privacy and security standards. In other cases, it was some random user who found a vulnerability or some unacceptable practice.
The point? Number of users of stock ROMs are way way higher than those that use custom ROMs, and as a result someone somewhere might find something either accidentally, or as part of security research work (paid by competition or otherwise).
OEMs will be careful when they make their ROMs. They are not only under scrutiny, but also need to ensure they stick with doing the right things because they have a business to run. The same isn't true for custom ROMs that some nobody will make and act like trash when questioned. Thats also because the product is free (or may not be depending on what is baked into the codes) and so the developer may think he isn't answerable.
Ultramanoid said:
One thing is to express an opinion, another to give facts.
Click to expand...
Click to collapse
Now you may point out the opinions. All the above are actually facts, that support my previous comment.
Sridhar Ananthanarayanan said:
Fact 1: OnePlus is collecting your private data without permission
Fact 2: Engineer Mode
Fact 3: Clipboard Scandal
Fact 4: Shot on OnePlus
Fact 5: MiUI stealthily sending user data back to China
Fact 6: Xiaomi Recording Millions Of People’s ‘Private’ Web And Phone Use
...
Thats just some of them. If you search, you will find more.
In most of these cases, it is some security researcher somewhere in the world who found a questionable activity that goes against acceptable privacy and security standards. In other cases, it was some random user who found a vulnerability or some unacceptable practice.
The point? Number of users of stock ROMs are way way higher than those that use custom ROMs, and as a result someone somewhere might find something either accidentally, or as part of security research work (paid by competition or otherwise).
OEMs will be careful when they make their ROMs. They are not only under scrutiny, but also need to ensure they stick with doing the right things because they have a business to run. The same isn't true for custom ROMs that some nobody will make and act like trash when questioned. Thats also because the product is free (or may not be depending on what is baked into the codes) and so the developer may think he isn't answerable.
Now you may point out the opinions. All the above are actually facts, that support my previous comment.
Click to expand...
Click to collapse
What all that proves is that OEMs are pure solid garbage, thank you for agreeing. Rest the case already. ^_^
Sorry to hear you still prefer to stand by out of date systems, unsecured protocols, and shady immoral companies. It is useless to discuss when you keep insisting on sustaining your biased opinion against hard evidence -- that YOU yourself provided.
Cheers !
Ultramanoid said:
What all that proves is that OEMs are pure solid garbage, thank you for agreeing. Rest the case already. ^_^
Sorry to hear you still prefer to stand by out of date systems, unsecured protocols, and shady immoral companies. It is useless to discuss when you keep insisting on sustaining your biased opinion against hard evidence -- that YOU yourself provided.
Cheers !
Click to expand...
Click to collapse
You are simply exaggerating it.
Like the saying goes, better to trust the known devil than the unknown angel.
Cheers!