Ask HN: How much is Google collecting and keeping on Android if not signed in?
source link: https://news.ycombinator.com/item?id=28419727
Go to the source link to view the article. You can view the picture content, updated content and better typesetting reading experience. If the link is broken, please click the button below to view the snapshot at that time.
Thinking about picking up a 5a but CalyxOS isn’t ready for it yet.
It also as a 'traffic log' feature which, when turned on, shows live which app is talking to which tracker.
Note that, especially if you turn on blocking services marked as essential in the setup, you will need to unblock a lot of CDNs and tracking services for many apps to work including Spotify, your browser, etc. Of course you can also just whitelist apps completely, or temporarily turn all blocking off altogether. But by default it will block trackers, since that's kind of its point. This has the side effect of blocking virtually all advertisements.
If anyone else is interested, the app's website is https://trackercontrol.org
I am privacy conscious so I though I would give a try at Graphene OS, it was brutal. It was overall stable and the stock android R was refreshing. The app selection available through F-droid was very limiting and the quality of apps was a struggle compared to those in the app store.
I wish there was some incentive for the better apps to open source and publish on F-droid. I donate to many apps on Patreon, should I just message to the devs and ask them to go open source and publish on f-droid?
Definitely! In addition, offering your time to set up the F-Droid build pipeline would go a long way
The easiest and most approachable one is: install Aurora Store from F-Droid. It gives you access to Google Play + App Updates without logging you into Google. This almost feels identical to Google Play itself.
Next: think about install the Experimental GMS Support that GrapheneOS offers. If you e.g. absolutely need an App that has troubles working without Google SDKs embedded, this might be an option. This is documented in the Usage Guide of the Website.
However, just dont forget that you wanted a Google-FREE Phone. So dont overdo installing proprietär stuff.
Oh and stay as far away from MicroG as possible, it seriouly cripples the security of GrapheneOS by a lot.
Do you mind sharing some details on this? I did not hear strong statements like this one before.
But that is really crippling, because apps can now spoof other apps signatures, essentially apps can pretend to be other apps. That opens a lot of opportunities for an attacker.
Doesn't this severely limit which apps you can install?
That's funny because I would say the exact opposite. On the Play store it's extremely easy to accidentally install apps that have nothing to do with what you were looking for, never mind the absolute garbage it helpfully suggests on the start screen.
First thing I tell people around me is to get Fdroid and look there first. Seems much safer to me.
> I donate to many apps on Patreon, should I just message to
> the devs and ask them to go open source and publish on f-droid?
Yes, you should. This is actually a very effective measure.
Edit: Here you go https://gitlab.com/CalyxOS/calyxos/-/issues/642
https://news.ycombinator.com/item?id=18064537 ("Chrome 69 will keep Google Cookies when you tell it to delete all cookies")
https://news.ycombinator.com/item?id=24817304 ("Chrome exempts Google sites from user site data settings")
https://news.ycombinator.com/item?id=20044430 ("Google to restrict modern ad blocking Chrome extensions to enterprise users")
https://news.ycombinator.com/item?id=17942252 ("Tell HN: Using Gmail? You will be force logged into Chrome")
I believe that webviews and such use Google Safe Browsing.
AOSP doesn't have Google Play Services at all. There's a trivial amount to "de-google".
I'd recommend looking into GrapheneOS too once it gets 5a support.
Protections from spying on emails, texts, right to be forgotten, geofencing warrant grab all’s.
Do you mean your email inbox ? If so, if you're not signed in, there's nothing here for Google to know. If you're using gmail, obviously when you access your gmail from your phone, Google would know. Either you're using gmail or not. Obviously, emails you send to other gmail users, Google has access to them through other's inboxes, but that is completely independent from your device choice. So I'm not sure what exactly you're worried w.r.t. your device setup.
> texts
If you're not signed in, but using Google backed RCS as SMS/text, then Google won't have access to your message if using end-to-end (for non-group messages). If you're using group messages, they are not end-to-end encrypted.
> right to be forgotten
I'm not sure what you mean, w.r.t. phone device. Care to elaborate ?
> geofencing warrant grab all’s
If you're doing Google searches, they would be subject to geofencing warrant, albeit Google won't know who you are, just that a particular type of device with a particular ip address issued a particular query (and if you shared your location with Google, they would know more fine-grained location but obvious assumption here is you wouldn't do that), but that's no different from any device you use.
You are going to have to go pull the SIM and service, and keep your phone in a faraday bag as well. All the network providers do these, along with real time location tracking.
https://www.wired.com/story/google-location-tracking-turn-of...
Full disclosure I work at Google but nothing related to that.
I would be more concerned about vendor packages. For example stock weather widget uses GPS and pinks servers, even when not in use...
Oh, BTW I use pihole at home so tracking is minimized even more
It might help anonymize your device.
If you sign into a network regularly that you use with devices you sign into google with, or a network google associates you.with, they might correlate you with the device.
If you follow your normal routine of locations, browsing or other behaviour google is aware of, google may associate the device with what it knows about you.
It's kind of hard to say though, Google's data collection is somewhat opaque in regards to things it collects to associate you to other things.
I have noticed a few occasions where google has given me suggestions or ads based on searches i've made or on devices that I'm not signed into or associated me with data available only from such devices, other times not.
This is just anecdotal though so make of it what you will.
One of the most common mistakes people make when discussing the data collected by someone like Google is only considering the data in isolation. In reality, data is often combined with other databases.
[1] The minimum number of data points might can be very small: handful of timestamped locations at your home and job is probably unique, matching browser fingerprints if you used the same browser for logged-in and not-logged-in activity, or - as this is Google and their OS - maybe even simply a single even: hearing a MAC address known to be om your home wifi over the radio.
Even technical people really don't seem to understand how far data aggregation can go. Multiple small information points are collated into profiles, you need to be Jason Bourne -levels of vigilant to not create a trackable fingerprint online.
The amazing game "Papers, Please" demonstrated that a game based around an educational ludonarrative is not only possible, but can also be be relatively popular. Unfortunately, just like drawing, video game design is difficult.
> you need to be Jason Bourne -levels of vigilant to not create a trackable fingerprint online.
As Zoz said, "Don't Fuck It Up!"[1]. Any type of OPSEC has become extremely difficult. Even technically knowledgeable people that risk consequences of failure far worse than being tracked by Google screw up their OPSEC.
Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact
Search:
Recommend
About Joyk
Aggregate valuable and interesting links.
Joyk means Joy of geeK