Comment by steelframe
2 years ago
> So what are the alternatives here?
You have to be willing to live with something less feature-rich than what you can get on the latest iPhone 27 Max Pro(TM). And you have to be gutsy enough to click an "Install some other OS" button in your web browser with your phone plugged into a USB port.
Then to extend to services, a lot of it depends on your ability to deploy your own stuff. This can involve a lot of time reading how-to guides after you've installed Linux on a machine in your house. Given how much documentation is readily available online most people with a high school diploma can probably figure it all out, but you have to be motivated enough to refuse to be helpless.
Today you can purchase a Pixel 7[|a|Pro] and flash GrapheneOS on it. There's a lot you can get from F-Droid, but if you really want Google Play Store apps, GrapheneOS does a reasonable job sandboxing it. Create a new Google account just for that installation of Google Play Store.
Never sign into anything Google, Microsoft, Apple, Facebook, Twitter/X, LinkedIn, or whatever from your phone. Or at least if you absolutely have to, use a trusted web browser in Incognito or Private Browsing Mode.
Keep location tracking disabled for everything but your favorite maps app. Put your phone in Airplane Mode when you're traveling if you don't want cell towers to capture your location info. GPS reception still works.
WG Tunnel can get you to your server when you're not on your home network. Some people swear by Tailscale, but you have to trust them with your node info.
Syncthing works for backup for a lot of people.
For private maps I've been using Organic Maps with some success. Searching for places isn't necessarily trivial, but the navigation feature has always worked well for me.
For private comms you really need it to go both ways (you and the recipient). The weak point is likely to be the recipient's environment, but at least something like Signal gives you a chance.
Something like Fastmail works for email and calendar, since they're probably not building a profile on you and selling that to advertisers. DAVx5 is free from F-Droid for calendar sync.
Kagi works really well for search. Also, they probably haven't sold out to advertisers. DuckDuckGo is another option with another set of trade-offs.
For music you can serve FLAC files via minidlnad to VLC. minidlnad was a 3-minute tweak to a config file after I apt-got it. There are tons of options here.
Explore F-Droid for stuff that might do better for privacy, like Spotube, FreeOTP, Podverse, Librera FD, Cheogram, etc. I'm not claiming that the F-Droid apps will all give you perfect privacy, but in general they're probably better than a lot of the stuff that's pushed in the Play store.
Check out e-books and audiobooks from your local library. Or copy them to your device via Syncthing after feeding your e-books through Calibre's DeDRM extension. The idea is to keep from having to contact license servers from your phone.
Give up on Apple or Google Pay, credit cards, and loyalty programs if you don't want your eReceipts collected and added to your consumer profile by companies that do that sort of thing.
None of this is a surefire way to give yourself perfect privacy, but it can greatly reduce the amount of your personal information that your government and/or corporations collect on you via your mobile device.
> You have to be willing to live with something less feature-rich than what you can get on the latest iPhone 27 Max Pro(TM). And you have to be gutsy enough to click an "Install some other OS" button in your web browser with your phone plugged into a USB port.
I agree with all of this, but realistically it's not just a simple matter of being willing to live with fewer features - this is a significant amount of work to investigate, implement, and upkeep for someone who is techy, let alone a less technically-inclined person.
I can barely get my family to use Signal, let alone install F-Droid or learn how to configure Syncthing.
Ultimately, this does indeed come down to "if you use a big product, you're likely being spied on", but this shouldn't be the individual consumer's fault.
This is an excellent reference. It is worth emphasising though, this does not make the device secure.
No matter what OS you put on, there's still a proprietary baseband blob with execution permissions underneath. All of these devices are built compromised.
Absolutely! I was focusing on moving toward a generally more privacy-centric way of using a mobile device. Of course an insecure device can be made to neutralize any privacy-protecting measures I've described. However just because a device has a vulnerability doesn't necessarily mean that it will be compromised. In fact I'd be surprised if there is more than, say, a 1% chance that any given random Pixel 7 phone is actually compromised via the baseband code.
Also, that said, if you are personally targeted by your government for surveillance, all bets are off. I don't know how to defend against that, but a potential start would be to eliminate all electronic devices from your person and your house and then to set off a powerful EMP every time you walk through your door when coming back home.
It's refreshing that Google, the same company that makes Android, has recently called out baseband blobs for their poor security.
https://googleprojectzero.blogspot.com/2023/03/multiple-inte...
Here's some discussion on the GrapheneOS forum:
https://discuss.grapheneos.org/d/3942-baseband-vulnerabiliti...
While I'm not convinced it's causing widespread exploitation, baseband blobs are definitely a problem, and hopefully some of the advocacy that Google's Android org puts on phone vendors can get us to a better place. And maybe efforts from organizations like Librem can push us toward modems with fully OSS firmware.
> And maybe efforts from organizations like Librem can push us toward modems with fully OSS firmware.
Also Pinephone: https://news.ycombinator.com/item?id=36659544
Yes, the baseband blobs are still underappreciated.
We are headed in a direction where you will need the Google Play store or Apple's store to do groceries, read messages from the government, use two-factor authentication, pay, show your ID, order food, and much more. Web sites are being phased out and so are physical / legacy alternatives.
> We are headed in a direction
I feel that way too. Which is why I feel it's important to push back by at least asking every business whether they accept cash, and always using cash when they do. If they don't accept cash, I always make it a point to mention that they're paying processing fees for that transaction that they could have avoided if they accepted my cash instead. Simply raising the issue in a non-confrontational and casual way keeps them thinking about it, which can lead to some of them acting on those thoughts after it happens often enough.
Simply acquiescing without any mention of cash makes one complicit in the pernicious slide toward a surveillance-infused market.
You have to do both unfortunately, otherwise the lack of a trackable identity in itself will make you a huge target for surveillance.