Google lobbied against the FTC rule change that blocked this under Obama, so I think it's far past time we believe them to be acting benevolently on our behalf. It's sad how things have evolved and how many smart, talented people have been swept up in this. But we have to organize and act outside the context of corporate appeals if we want to resist this kind of stuff.
Google has less power than you might imagine here...
Only "desirable" phones can set rules about what the carrier can and cannot do. Today, that's the iPhone only.
Unless customers will leave the network if it does not stock a particular model of phone, then the network can insist the phone manufacturer install crapware, and until the manufacturer agrees, that model won't be sold.
Aren't there protections in place for advertising and children? Parents buy phones for their children, so will parents be able to turn this off for them? Verizon has NO business tracking children.
They will fix it just like everyone else. See Facebook. Just add a "must be 18" to the EULA nobody ever read, and then blame the parents if you did track kids.
Verizon's plan when buying AOL [0] wasn't to become a media company, but to become a leader in ad tech. The way to lead in ad tech is to control data. Technology alone is not a moat.
Verizon has made several attempts at unlocking the carrier data including the short-lived header injection [1]. Phone data is the holy grail of data (location, voice conversations, web browsing, apps, address, and potentially purchase history in the future) etc. Let's see if they have a winner this time.
Yep. The reason why we are in this mess and attack on Internet privacy is because of Ad Tech.
We need to get developers to stop supporting ad tech. The stigma of working in ad tech needs to result in enough stink on one's employment history that it's not worth the hassle.
Stigmatizing one's employment history only impacts people who are trying to switch from advertising to a different industry. This means it has the effect of locking employees into staying in advertising.
I understand that the logic goes that people will avoid going into advertising in the first place if it limits their employment choices, but that assumes there isn't enough work to stay in advertising. If advertising is already a profitable career path, switching industries later is not a significant consideration now, and your proposal actually makes it easier for advertisers to hold onto talent.
We should be encouraging people to get out of advertising, not stigmatizing it.
Ironically, this is mainly happening because Android is so "open" (to carriers and OEMs). Android's openness was never intended to be for users (if we're talking licenses and such, not feature-wise, which is just a design decision Google makes, like whether or not to have more advanced camera menus, and so on).
It's hard to say whether Google would sell everyone's Android data anyway, if it had 100% control over Android, but I imagine it wouldn't let carriers or OEMs add whatever tracking apps they wanted on the devices.
For now, I am nice and cozy in my iOS walled garden. The advantage of doing business with hardware companies is that it's much more clear that I'm paying them scads of money for a handset, instead of any other financial transaction.
Apple has an advertising service, yes. But Apple's revenue primarily comes from hardware. Apple is ergo, a "hardware company" that has additional services. Whereas over 90% of Google's revenue comes from ads, Google is an "advertising company" that also sometimes makes software. (Microsoft, by this definition, is a "software company".)
This is key because companies are going to make decisions based on what keeps them in business. Apple would place its hardware sales over its ad business in a heartbeat, whereas Google would abandon Android before it would give up on ads, because that's its entire business.
My hope is that companies that don't place advertising as a core part of their business can be convinced that there is a market in privacy-oriented products, and that competing on advertising isn't worth it.
Verizon is the only cell company that has coverage in my home town in central Massachusetts. Thus I have used them all my life.
I recently had my first "positive" customer service experience with Verizon switching to their unlimited plan. My bill dropped significantly. ($120 base -> $80 but really $200 -> $80 because I always go over on data)
I just noticed that I have a "phone upgrade" waiting as well. I am an Android dev and typically just buy unlocked phones when I need them and switch SIM cards. This sort of shit is why. Even as it is, Verizon branded phones are filled with crapware you can't delete. It sucks knowing that thru my monthly bill that I am subsidizing a "phone upgrade" program that I am never going to take advantage of due to the way Verizon molests Android before giving you the phone.
Surely they are going to be loading it using Carrier Configuration tied to the SIM card... As soon as you put a Verizon SIM card into your unlocked non-Verizon phone it installed a bunch of helper apps.
Very interesting, thanks for pointing out. As far as I can tell nothing was installed by Verizon on my most recent phone. I was using it as a dev device before using it as my primary phone, so I was pretty aware of what was installed on it. This was over a year ago and I think I started with a 5.X version of Android. Will have to see what happens next time I switch phones... welp.
Because of these kinds of shenanigans, I'm seriously thinking about an iPhone for my next phone.
If Verizon did all this stuff on an opt-in basis, I'd have no problem with it. If it were opt-out, I'd be grumpy, but would probably deal with it. When it's required, I'm going to be looking for alternatives.
Verizon is very big in my town, but I pay $35/month for less-than-wonderful Virgin Mobile. Can't get a signal in the office but it's not worth +$85/month more to me.
Perhaps you can convince your employer to cover/expense your cell phone, as it is necessary for you to perform your job. If they disagree, completely stop using a personal cell phone, and then watch how fast they provide you with one.
I use Page Plus Cellular on a Moto G4. Uses the Verizon network and I have no Verizon bloat at all. I never had to root the phone either. The Motorola/Lenovo bloat is quite minimal. I pay under 30 dollars a month, but don't need much data.
This sort of shit is why I only get phones I can root (except for my current iPhone, which was Buy One, Get One).
Root gives you access to tools that can disable/backup/uninstall stuff you otherwise couldn't - as well as access to more powerful adblockers and other goodies.
You have to be careful to try and get "trusted" apps (I don't download "cracked" ZOMG!FREE! games... anymore cough) but it's not like you control what's on your phone 100% anyways...
Is this really that different from Verizon phones having Google services enabled by default (if that's even true -- I don't use Verizon)? Why is Verizon spying on you any worse, or better than Google or Facebook?
By using Google's free services you agree to giving them data - that's not how customers want to use an ISP.
Google is a company that relies on trust. If I can't trust them with my data their business will seriously suffer. Verizon in no way cares about users trusting them, it's not in their business model.
It needs to be a choice what companies I trust with my data.
This is false. A lack of trust will not hurt Google one bit since there is no meaningful competition for their search engine and the vast majority of their revenue comes from search ads.
Edit: This may be an unpopular conclusion but it is based on facts.
It's very unlikely that Verizon's business will suffer, given their membership in the internet oligopoly [1]. Also, in regards to your other point -- what's stopping Verizon from just changing their business model? The fact Google offers free services is irrelevant.
Verizon could do this and "offer" faster internet, claiming this tracking is what enables everyone to have faster internet for "free." There's a cost to everything -- including giving away your information. If there was no cost, then Google and company wouldn't want it. The fact that they're able to make money from it implies there's value, and if you're giving away value, it must be costing you. It's just not dollars.
I still think you shouldn't let anyone spy on you, free or not. What Verizon is doing is just the same as them raising the price of their service, except worse, because once they have your data the returns on it will only compound.
The reason why I'm okay with Google, but not Verizon spying on me is because I pay Verizon but I don't pay Google. Verizon shouldn't have to sell my data for more money because they already charge money for their service. If their service is too expensive then Verizon can charge more money. However Google gives me services for free so I expect they'll sell my data to other companies.
Exactly. Your data is a currency. I cannot stress this enough. I(!) should be allowed to spend that currency however I choose. If I am already paying you for a service, you shouldn't get to have my data, too!
I actually feel like I'm getting something in return for letting Google index my personal data. I also trust Google far, far more than any ISP (wired or wireless) that I have used.
I also have faith that Google won't accidentally expose my data to the entire internet - or at least, they'll only fall to vulnerabilities that affect everyone.
Verizon's ethics aside, I have no real trust in their competence to keep data to themselves. I've dealt with their website, I've read the stories of people getting their accounts hijacked because Verizon can't handle verification right, and all the rest. I don't want a side channel to track my downloads, location, and god knows what else because I expect it'll be compromised far faster.
Another good point. Even assuming that Google has lots of government ties and no real respect for privacy, I still don't expect them to roll over with no discretion whatsoever. I pretty much expect Verizon to do like AT&T and surrender all their user data unprompted.
Corporate ethics aside, this scares me because I don't trust its security. Android has vulnerabilities, but they're regularly discovered and patched. A Verizon-made side channel gathering all the same stuff? That sounds like it'll bleed data to anyone and everyone and not get patched on anything like a responsible schedule.
It seems it just provides regular configuration stuff required for certain things. I guess they made this so that people get a good OOB experience when replacing SIM cards etc.
While we're getting a bit into "flame war" territory, it's hard to argue that the current iteration of Android is an "open platform"; practically speaking, most of the useful features of the OS are hidden in the (closed) Google Play Services. Yes, you can go for a custom ROM, but not on all devices and most people don't want to deal with the effort/UX downgrade.
What makes you think they're getting the data from Apple? The entire OS is sandboxed and siloed out the proverbial wazoo, and Apple is demonstrably a very pro-privacy company that doesn't allow most forms of carrier fuckery.
Apple has the power here. Verizon needs the iPhone on their network more than Apple needs to support Verizon as a carrier.
The FBI paid $1 million to "get the data from Apple", and that was a phone that was several generations of hardware and software security updates old. If you have a magical iPhone exploit, there are people who will pay you a lot of money.
This has nothing to do with Apple vs. Google. It has more to do with Android being Open Source. So they modify Android + put the Google stuff on it (which Verizon is paying a fee for).
But it does. Follow the money - the consequences flow directly from the differing business models.
Verizon can't poison Apple's phones, because Apple profits by not selling out their customers.
Google benefits from surveilling their customers, so their OS is surveillance-friendly. By piggybacking on Google's purpose-built surveillance-friendly OS, Verizon's commonality of interest with Google benefits them.
The app store is Apple's way of selling out access to their customers, it just happens to be to developers instead of advertisers.
I use Android and iOS so I don't have a horse in the race, but it's disingenuous to claim that Apple's business model makes it any more your device than Apple's.
Can anyone speculate what will happen if I'm using an unlocked Google device (Nexus 5X) on Verizon? Will the new app be force-installed somehow? And can it be removed?
Not sure, but I do know for sure that the firmware to the radio is a proprietary blob that we, as users, have 'no rights' to.
Meaning, they could already be doing this without notifying anyone, and we have no way to confirm beyond packet capture and analysis or reverse engineering.
I find it hard to believe there is no market for an open-firmware phone.
> Surely they are going to be loading it using Carrier Configuration tied to the SIM card... As soon as you put a Verizon SIM card into your unlocked non-Verizon phone it installed a bunch of helper apps.
Is this truly just an app or is it functionality tied to base OS configuration? If it's the former, I should be able to uninstall via root like all the other bloatware crap, correct?
If it is the former, don't forget that having a rooted phone likely puts you in the minority. Most people don't have the patience or confidence in their technical abilities to root their phones.
Between the Google Play Store, Android's general insecurity, and now cell carriers actively pushing spyware, what alternatives exist?
And please don't say iOS. It's closed source, which means we really don't know what's going on under the hood. We may trust it today, but one secret court order + an overnight update is all we need to lose everything with iOS. Apple execs may not even be made aware of such an update if the order was delivered to the engineers directly.
What are my options such that I'll actually feel comfortable when I sleep at night? My phone knows everything. All my emails (which can typically be used to get into everything else), all my contacts, all my calendar events, where I go every day, and I'm even paranoid that it records all of my conversations. This isn't schizophrenia, we know that devices record people's conversations without their knowledge. A phone doing the same is just one step away.
So what can I do? How can I get some sanity and security around my mobile life?
Would be a great step to have a phone that:
+ Fully open source. (Sorry Android you don't count)
+ Hardware switch for mic
+ Hardware switch for location services
Or at least a phone that is beginning to move in that direction? Should I just stop using my phone?
It will work; right now it only supports a few phones (Nexus 9 WiFi, Nexus 5X, Nexus 6P) with the Pixel and Pixel XL on the way. I don't have a supported phone currently so I haven't been able to test it out, but any phone that is capable of connecting to Verizon's network hardware-wise should be able to connect using any OS that implements the necessary protocols. The Pixel and Pixel XL use nano SIM cards to connect to a carrier.
If CopperheadOS is installed the only attack vector Verizon could use is the SIM Card, but CopperheadOS implements a lot of security features that could help mitigate the risk:
* Full verified boot, covering all firmware and OS partitions.
* Baseline app isolation via unique uid/gid pairs for each app.
* App permission model including the ability to revoke permissions and supply fake data.
Carriers cannot install software on phones connected to the network. Assuming they installed a Carrier configuration application or anything else using the SIM Card you could revoke its permissions or supply fake data, or even create firewall rules to disallow the traffic manually.
I am not sure but I don't think so, I am sure they would be bragging about it if they did. There may be some attempt to lessen the risks but I haven't taken a deep look into what they have done in hardening the OS.
I don't think we will ever solve that problem without more support for projects like CopperheadOS and ReplicantOS. They are struggling to even maintain and improve just a couple devices.
Purism are working on a phone that should meet most of these requirements. Honestly, with such strict expectations, no smartphone will ever satisfy your needs.
"And please don't say iOS. It's closed source, which means we really don't know what's going on under the hood. We may trust it today, but one secret court order + an overnight update is all we need to lose everything with iOS. Apple execs may not even be made aware of such an update if the order was delivered to the engineers directly."
So Android is "open source" even though most of what makes Android Android to most users -- Google Play Services and all of the Google apps and third party OEM apps are closed.
But iOS is closed source even though parts of it are also open source?
I asked people not to suggest iOS because I thought it likely that they would. I did not think it likely that people would suggest Android is acceptably secure, and indeed they did not.
iOS has the high ground between the two, but neither is anywhere close to acceptable.
> Would be a great step to have a phone that: Fully open source.
Two problems remaining why this won't happen:
a) Baseband (which in some cases has direct access to the microphone, or worse, DMA link to the CPU, or even worse, integrated into the SoC) firmware
b) Linux kernel. So many manufacturers either blatantly ignore the GPL by not releasing kernel source code, and nearly all of them, instead of cooperating with upstream, fork the kernels and add literal crap on their trees. The horrors I have seen, especially in leaked Mediatek source trees... unimaginable. I can certainly understand why Mediatek does not want to release kernel sources.
Also this is the biggest threat to the Android ecosystem. Either some kernel contributor sues Mediatek and other shoddy OEM/ODMs for enough money that they go down (unlikely), or the kernel forks by manufacturers will go so hard out of sync that new userlands of Android will simply not work with fossilized kernels. Same as in the embedded-Linux world...
I believe a lot of manufacturers operate by "let's either not release code at all or code so shoddy no one else wants to release anything based on it", and thus holding privacy, security and competition hostage. Especially as competition is stuff like cyanogenmod which removes all the nasty tracking/adware whose data sales the OEMs intend to monetize...
"Between the Google play store, Android's general insecurity, and now cell carriers actively pushing spyware, what alternatives exist?"
There are no alternatives until we have an open baseband.
Every objection you state in your comment about android (and iOS) is dwarfed by the objections you would have if you truly understood the two other general purpose computers inside your phone that you have no control over - namely, your baseband processor and your SIM card.
Your carrier owns you. Your carrier owns you more deeply than any spyware author ever dreamed of owning you.
Your carrier can upload and run arbitrary Java applets onto your SIM card without you ever knowing. Your carrier, depending on which SOC you have and how it is implemented, can access your CPU and memory directly. As in, read the passphrase of your cutesy encrypted chat app as you key it in.
We cannot begin to speak of a secure mobile platform or any kind of open source mobile platform until we have an open baseband and control our own SIM cards. We are very, very far away from this.
In the meantime, you have two choices:
1. Treat your mobile device as fully compromised and behave accordingly. This is what I do.
2. Buy a non-cellular mobile device (for instance, the old "Samsung Galaxy Player" devices that have no mobile chipset or SIM card) and insert a cellular modem into the USB port and segregate that function there, and use VOIP software. This actually sounds sort-of workable except for one interesting problem - in addition to handling cellular communications, the baseband also handles voice quality like noise cancellation and so on that also needs to be done in real-time and not interrupted by userland events ... and so your actual voice quality will drop as a result of using VOIP on a handset.
How do iOS and the iPhone handle this SIM card/baseband processor issue? Is there an article that details the exact threat model and defenses in place?
iOS uses Qualcomm and Intel chipsets for basebands.
For Qualcomm at least, they share a lot of code with Android, and nearly all the code is fully closed source, even to Apple engineers building the phone above.
Note that code does everything from camera autofocus to doing NAT for tethering, to audio decoding while the CPU is sleeping, to setting up the GPU, to handling supercomplex GSM protocols, to determining USB charging current and serial debug interfaces. It is probably more complex than the whole of the rest of the OS.
Looking at the quality of open source code from Qualcomm, I have nearly zero confidence in the security of that baseband. I'm confident you could find an "accidentally" open debug interface within a few days of looking.
I just use my cell phone as a phone... just a phone (it's not a smartphone); the rest I do on a device that isn't networked. The convenience of a smartphone comes with far too many hooks in my opinion.
You could build your own. I'm sure you've seen the Arduino DIY phone?
Take something like that - but use a RasPi Zero W - add on a better touchscreen (plenty of options there).
The Arduino version used a 3G module - but if you are willing to fork out the money, you can find 4G modules out there (they aren't cheap, though).
Then all you have to do is the code magic, a 3d printed case, etc...
You'll still need a cell service provider, of course - no real way to get around that, unless you wanted to set up some kind of wifi auto-hacking system to scrounge off of insecure (and other free) wifi nodes (coverage would be spotty, of course).
Ting, an MVNO and ISP, views customer privacy as an important value.
While Ting may not be able to prevent their upstream mobile providers from bundling such an app, everything I've seen from the company would lead me to believe that Ting would fight it as best it can on principle.
The link says this is related to the repeal of the FCC ruling; I fail to see that connection, however. What in the repealed rules prevented them from installing spyware on your phone? They already seemed to have the ability to do that.
Increasingly in the U.K. I've noticed it's significantly cheaper to buy an unlocked phone and get a SIM only plan. Surely it's a bad idea for networks to make their own phone even less attractive?
"UPDATE: We have received additional information from Verizon and based on that information we are withdrawing this post while we investigate further. Here is the statement from Kelly Crummey, Director of Corporate Communications of Verizon: 'As we said earlier this week, we are testing AppFlash to make app discovery better for consumers. The test is on a single phone – LG K20 V – and you have to opt-in to use the app. Or, you can easily disable the app. Nobody is required to use it. Verizon is committed to your privacy. Visit www.verizon.com/about/privacy to view our Privacy Policy.'"
I rang up Verizon Wireless this morning and asked to speak with a supervisor. I use a Google Pixel. I told the woman that came on the line my fear of AppFlash not only ruining the security of my mobile phone, but molesting the beauty that is pure Google Android.
At first the lady was perturbed that I called, but after calmly explaining to her what was at stake, she actually seemed to agree with me it was a problem. I pray she gets to keep her job, considering she agreed with me on a recorded line.
The takeaway from her is that Verizon does not plan on soiling Google Pixel devices due to their deal with Google to keep the ecosystem clean and allow Google alone to push software updates to the Pixel line. I'm praying this is the real story and I won't come to learn my phone has been infected with spyware.