I sadly believe we’re fucked
this post was submitted on 07 Jun 2025
61 points (98.4% liked)
Privacy
38567 readers
258 users here now
A place to discuss privacy and freedom in the digital world.
Privacy has become a very important issue in modern society, with companies and governments constantly abusing their power, more and more people are waking up to the importance of digital privacy.
In this community everyone is welcome to post links and discuss topics related to privacy.
Some Rules
- Posting a link to a website containing tracking isn't great, if contents of the website are behind a paywall maybe copy them into the post
- Don't promote proprietary software
- Try to keep things on topic
- If you have a question, please try searching for previous discussions, maybe it has already been answered
- Reposts are fine, but should have at least a couple of weeks in between so that the post can reach a new audience
- Be nice :)
Related communities
much thanks to @gary_host_laptop for the logo design :)
founded 5 years ago
MODERATORS
IMO the only reason tech world can be authoritarian is people's negligence. Otherwise even if all major brands produce unhackable locked down hardware, people could boycott those and buy the one obscure open device (like pine64) and market force will force big names to revert.
Corporations do not have power by themselves. People refusing to think and understand gives them power. Same applies to mainstream politics.
So unless I can convince my mom to install Firefox we're fucked.
...we're fucked.
yes. also your friends, not only mom.
(/s aside, most people of younger generations don't care as well, not only elderly less tech literate folks)
We are soooo fucked.
It's a rat race. You can only win by not playing.
But if you don’t play, your pay with convenience and your time. You lose the freedom of installing a lot of apps. You lose a lot :( - to the point where it would make most people give up
If you can root your phone and use an xposed module, maybe. Or the EU forces them. Otherwise, there's not much option.
Well the idea of having attestation isn't the problem. The problem is that apps requiring attestation (banks, insurance providers, ID-systems) use the most convenient solution. Slapping on Googles prebuild attestation. Graphene for example, provides alternative attestation for their OS and offers docs for anyone to implement a more fitting set of checks.
There are two approaches here: If you're upset that your hacked-to-bits, rooted, unlocked and/or unencrypted device is failing checks: I'd say, tough luck. Until we can create provably untampered app-containers, that level of access genuinely breaks TOS on apps and regulations on handling personal data. Breaking those checks is then breaking those compliances in an unsafe way.
If you believe your setup is actually secure and compliant, just not in a way the allmighty Google intended: Try and get an attestation module for your setup. Fight for these apps to accept non-Google attestation and fight for devices that don't artificially limit what can pass as secure.
If you're upset that your hacked-to-bits, rooted, unlocked and/or unencrypted device is failing checks: I'd say, tough luck. Until we can create provably untampered app-containers, that level of access genuinely breaks TOS on apps and regulations on handling personal data.
Hard disagree. If you own the device, you should be in full control of what's going on. Sure, attestation can give some extra security, but that decision should be up to the user. Everything else is just excuses for user hostile DRM: platforms levaraging technology to secure their own profit margin against the interests of user.
I don't disagree with owning your hardware. I'm saying that a regulatory body can pose rules on where critical software can run. Part of this is data exposure: A banking app running in a tampered environment makes some malwares possible, which is the side you want an "I know what I'm doing"-button for. But it also creates risk for the bank. In letting you look into network-traffic and memory-dumps, you may discover ways to manipulate an unrooted instance or the backend server. This is security through obscurity and I'd much rather have everything open-source, but it's what we're dealing with.
On the other hand, the bank promises to cover damages, whenever they do mess up. You could give them an easy excuse by taking on that responsibility. But regulations don't allow that, much like they don't allow you to do your own high-voltage, high-current electricity. And frown upon you breaking load-bearing walls in a housing complex to have a more open kitchen. There is a line where "let me do what I want" becomes anarchy.
Now bringing DRM into this, misses the point. There is telemetry in these apps. But there is no piracy or copyright infringement to be had. The bank doesn't fear you giving yourself a million dollars by changing your balance in memory. It's all about responsibility in case something goes south. They would love to shift it all onto you, but they're not allowed to do that. Attestation was never about protecting you, it's about protecting them from being blamed.
There is a bunch of parties making guarantees and complying with rulesets. Domino-ing all of them would make you extremely vulnerable. Which is why I opted for "tamper-proof containers running in a unproven host", rather than signing an unlimited waiver.
Yyyyyyupp
"Oh no, this device is rooted! :(" Yes because I know what I am doing, now show me my account balance you stupid piece of ahit banking app.
I switched to a feature phone that has nothing to do with Android for calling (Mocor RTOS) because I'm tired of fighting Android for the moment. I keep an unrooted smartphone at home for online banking. Kinda extreme but that's one way.
Can relate. I have a phone with stock Android and a removable battery for anything won't or I'd rather not have on my primary GrapheneOS phone. I only ever plug in the battery as needed and when I'm settled at the safety of my desk.
I personally don't know how a non-smartphone is better is terms of privacy. Can you explain?
AFAIK, they have the same level of spying, just more restrictions and less features.
Common vulnerabilities: Tracking by carrier, including cell tower triangulation, SMS, and call logs.
Non-smartphone specific vulnerabilities: Lack of security updates. However, the data to be exfiltrated from a non-smartphone is limited. If it's only call logs and text messages, everything's already compromised by virtue of the carrier. So the level of concern will vary with your threat model.
Smartphone-specific vulnerabilities: Tracking by apps, manufacturer, OS vendor, or just about anything that can take advantage of the smartphone's computing power. More data to be exfiltrated if it falls to a security vulnerability.
Smartphone-specific advantages: Can be run Wi-Fi only to avoid tracking by carrier.
Big tech can't win because you can't force the internet to do something.
Depends on what your definition of winning is. If we reach a state where it is literally impossible to run your own software without heavy hardware modification, which would exclude 99.9% of users, that would be like big tech winning in my book. That's why right to repair is important, and we probably also need laws to prevent OEMs from disallowing the use of alternate OS.
They don’t need to make us do anything. They just need to make it too inconvenient not to.
The Net interprets censorship as damage and routes around it.
Gilmore's quote was true then, it is not the current state of play.
If you need to use banking/government/transit apps, you need to play by the rules now
You can hide root/fake play integrity.
They can make it so much harder to do that, to the point where almost everyone just gives up.
i think we are already at this point.
its not necessarily harder, but its so annoying to do and find comprehensive information on the process.