EBGAP: Error Between Google and Privacy


#1

Originally published at: https://boingboing.net/2018/08/14/goober.html

The year is 2031, and I’m going to see Avengers 7 in 8K-vision. I hop in my Goober self-driving car and notice something strange – my location is displayed on the Goober Dashboard, even though I opted out of Google AlwaysTrack™! There’s a complete disconnect between what the user interface is telling me and what actually happens without my knowledge or consent.


#2

That… feels like it calls for more explanation?

You can’t jailbreak an iOS device, and as such you have no DIY remedy if Apple turns out to be harvesting or leaking your private data. I guess you could make the fundamentalist argument that this theoretical vulnerability is exactly the same as Android’s abundant actual vulnerabilities.

Still, Apple currently doesn’t do this stuff (not because they’re nice, but because they are specifically trying to get your money by not doing it), and that seems not irrelevant if you’re talking about privacy. It’s easy to manage apps’ access to your data, and Apple’s horrible closedness means they can largely guarantee that control no matter what you do to your phone (unless it’s jailbroken). The default browser supports ad blocking, the default messaging app and cloud services use end-to-end encryption, etc.

It’s possible to be against Apple’s heavy-handed restrictions (and price, and whatever else) while also acknowledging that the average iPhone-using middle-aged housewife currently gets better overall privacy support than the average bleeding-edge Linux-nerd Android user.


#3

Closed ecosystems that thrive on secrecy have a terrible history in regard to respecting the privacy of end-users. At Yale Privacy Lab, we have a strong dedication to Free and Open-Source Software as a security principle: freely-available, auditable software is not a guarantee you’ll be safe, but it’s a prerequisite.

Beyond that, we dug deep into the world of tracker SDKs in Android applications. We know that the iOS app store is polluted with the same trackers we found on Android because the tracking companies advertise it and publish documentation. In fact, the de facto tracking beacon protocol is an iDevice “feature” called iBeacon, which allows for bluetooth and ultrasonic/near-ultrasonic tracking via microphone, to accomplish something that advertisers call geofencing or proximity tracking.

It’s fair to say that iOS has a more vigilant steward in Apple than Android does in Google. However, just because iOS is better at keeping malware out doesn’t mean that it respects the privacy of users.


#4

apologies for the double-reply, but I want to head off any confusion about my perspective, if possible.

Apple and Google do have fundamentally-different business models, though there is some crossover. Apple has focused on selling consumer devices that lock you into the iDevice world, and controlling their supply chain for the iPhone etc. to fulfill that strategy. They keep a tight grip on their proprietary versions of Unix, the Apple-developed apps on top of it, and the UI/UX. The iOS app store is part of this strategy as well, and Apple is notorious for restrictions there, not even allowing Web browsers to compete with Mobile Safari until recently.

In regard to Android, Google is the flip side of this coin. They gained hegemony worldwide on mobile phones by shipping a FOSS operating system with the GPL-license Linux kernel at its core. Google used the fact that vendors and carriers can heavily modify Android as a selling point, to get as many players on board as possible, to become the de facto mobile OS, and to attract as many developers as possible to what’s now called Google Play. If Google had failed in the Android business, they could have abandoned it and moved onto other projects, with the ever-looming cash pile of their search / Web app business behind them.

One of the reasons we can investigate Android and audit it for privacy and security is that we’re (generally) not legally barred from doing so. In the case of iOS, there are usually legal barriers to this (especially in the U.S.). For that reason, and because there is a much smaller modding community behind iOS, there are no generally-available tools to do the types of things we did to identify SDK trackers in Android apps. Jailbreakers have been hounded and are constantly playing a cat-and-mouse game with Apple’s required updates, so installing auditable Free Software via Cydia etc. is often not a long-term solution to get more trusted software in userspace.

Your analysis of Apple is far too kind and very close to the recent marketing literature, which is even being laughed at in mainstream business press: https://www.bloomberg.com/news/articles/2018-08-08/is-apple-really-your-privacy-hero

If Apple respected your privacy in the way they claim, their app store ecosystem would dry up rather quickly. Surveillance via smart sensors on mobile devices is the currency behind these stores, especially with individual purchases of apps being a “race to the bottom” (as it turns out, people don’t want to pay very much for bitstreams, if they pay anything, and will often favor gratis alternatives even if they have spyware and advertising baked in).

Your assertion that Apple is not in the surveillance capitalism game is completely unsupported. Sure, they’re not the world’s largest ad broker, but they’re not a mom-and-pop shop either.

As far as your analogy of “iPhone housewives” and “Android Linux-nerds”, it’s probably not worth replying to but I will. Android is the world’s most popular operating system, and growing, and will likely remain so for a long time. iPhones have a larger marketshare in the U.S. than elsewhere in the world (where they float at, charitably, 10-12% of the worldwide mobiile market). As we found out from the Wikileaks Vault 7/8 disclosures in the past two years, iPhones are disproportionately targeted by CIA surveillance, when compared to Android. Guesses are that this has to do with the class status of Apple buyers, as well as their cache within upper-class social circles, academia, and government.


closed #5

This topic was automatically closed after 5 days. New replies are no longer allowed.