Comment by craftkiller
21 days ago
> very explicit action already, and then you need to allow the application to do harm.
So the email they get which tells them about the 3 viruses also contains a phone number where a "nice tech support person" will walk them through the steps of side-loading the "anti-virus app". You'd be surprised at what warnings/permission boxes people will blindly accept when they think they're talking to someone from Microsoft or Google's tech support.
> You are taking away people's agency.
Agency they don't want and never use. It's taking away agency from people like us but for the average user, Google is taking away nothing they've ever cared about.
> Either you get to control your bank account risking that you get scammed, or someone will control it for you.
I was just saying a couple of days ago that we need a service for old people where any transaction above a certain configurable threshold (for example, $500 in a day) has to be approved by an employee of this service who serves as a neutral 3rd party whose sole function is to try to prevent scams. That way the old folks would still have their agency so they can go out and buy all the hot-rods and transistor radios they want but if they're about to wire money to "Microsoft" then the anti-scam-company would step in and prevent that transaction (or at least require the old person have a discussion about why it's an obvious scam first before eventually allowing the transaction through depending on the client).
Whether this change actually takes control away from us remains to be seen. For example, I don't see anything in the article that suggests we wouldn't be able to install a custom ROM with the signature check removed. Personally, I already run GrapheneOS so I expect I actually won't be impacted by this at all.
> You'd be surprised at what warnings/permission boxes people will blindly accept when they think they're talking to someone from Microsoft or Google's tech support.
But I know they do, I've seen this first hand. It's lack of education (except for extreme cases of people who cannot take care of themselves, but that's not the majority).
> Agency they don't want and never use. It's taking away agency from people like us but for the average user, Google is taking away nothing they've ever cared about.
It's agency they don't know they want, until it suddenly becomes useful. I'm not expecting everyone to use side-loaded, unapproved apps every day, it's about keeping OS vendors in check, about limiting their power over devices they don't own. If they act against users, there should be a way to circumvent them. Such ideas take that away.
> I was just saying a couple of days ago that we need a service for old people where any transaction above a certain configurable threshold (for example, $500 in a day) has to be approved by an employee of this service who serves as a neutral 3rd party whose sole function is to try to prevent scams.
Enabling such a service is a choice they would have to make. The default is control. The situation with all side loading restrictions is opposite - you don't get to choose.
Unless you are suggesting that such a service should be forced on people that match some vague "old" criteria. Our disagreement goes far beyond technology in that case.
> It's lack of education
Saying "the users need to be educated" doesn't solve anything. Google could start an education campaign tomorrow and it would be ignored by most of the people that need it. If they were interested in learning then we wouldn't have this problem.
> If they act against users, there should be a way to circumvent them
Then install a custom ROM. All the power you want is already available, just no longer on the official Android builds. Seems silly to demand Google screw over the majority of their customers because you don't want to install a custom ROM.
> The situation with all side loading restrictions is opposite - you don't get to choose.
On the contrary, you choose when you purchase your phone. If you don't like it, purchase a phone that caters to users like us. There's the Librem 5 which I sadly own but that phone is a joke (but tolerable if the Android landscape starts looking too much like Apple). I've heard good things about the PinePhone but personally I'm never touching anything that comes out of Pine64 again after the disastrous Pinebook Pro. I love the idea behind the Fairphone but the security on that device is a joke. I'm hoping the GrapheneOS people launch a decent phone.
> Saying "the users need to be educated" doesn't solve anything. Google could start an education campaign tomorrow (...)
Of course just saying it doesn't fix anything.
I don't want Google or Apple or any other vendor to do any education campaigns (and they clearly don't even want to try), part of my point is that the issue is too deep to be solved by such technological measures. For example, not skipping such warnings (includes invalid/expired certificates in HTTPS) and basic cyber hygiene should be taught in schools. There should be more public campaigns about these issues.
So I'm not even sure if Google should be fixing that particular problem (although I can guess why they are really eager to "solve" it this particular way). I would rather they focused even more on a stronger sandbox, making sure system software on licensed phones has no vulnerabilities and making sure the users understand what power they give to an application, than pretend that this fixes much. Sideloading restrictions only barely (because it's not like they are actually going to verify the applications, nothing about that in the post) plug one way to scam people remotely, over many, many other more severe ways. The banks in many countries don't even properly verify the identity of people they give loans to, why not focus on that instead? (Yes, Google won't fix this, I'm not asking them to, they shouldn't try.)
We lose more than we gain.
> Then install a custom ROM. All the power you want is already available
On most phones it's not, but that's beside my point.
> Seems silly to demand Google screw over the majority of their customers because you don't want to install a custom rom.
I'm not demanding that Google screw over anyone, and the current "sideloading" situation does not screw over anyone. I just believe that the vendors should not have the sole power to decide what applications can be installed on devices they don't own. Maybe let's have multiple certification authorities besides Google, like with TLS, as a start/compromise? I see the point of actually having an expert verify if an application is legitimate, and this isn't even it.
> On the contrary, you choose when you purchase your phone.
That choice should not be made when the phone is purchased.
And also I'm not talking about what I want to do with my phone, I'm talking about what I believe people should be able to do with their phones - for example they should be able to opt out of such protections if they don't want them (and leave them on if they want them), or choose who verifies their applications. Only possible if they know what the protections do and what the risks are, going back to what I wrote about education.