New Post: Snitching on Phones That Snitch on You

I recently read about a study that tracked how much iOS and Android phones phone home. The abstract says it all (emphasis mine):

We investigate what data iOS on an iPhone shares with Apple and what data Google Android on a Pixel phone shares with Google. We find that even when minimally configured and the handset is idle both iOS and Google Android share data with Apple/Google on average every 4.5 mins. The phone IMEI, hardware serial number, SIM serial number and IMSI, handset phone number etc. are shared with Apple and Google. Both iOS and Google Android transmit telemetry, despite the user explicitly opting out of this. When a SIM is inserted both iOS and Google Android send details to Apple/Google. iOS sends the MAC addresses of nearby devices, e.g. other handsets and the home gateway, to Apple together with their GPS location. Users have no opt out from this and currently there are few, if any, realistic options for preventing this data sharing.

I was inspired to write a post about this topic (and the OpenSnitch project), which you can check out in the link below.

18 Likes

"We treat data like uranium, not gold"

Very nice turn of phrase, @Kyle_Rankin! My compliments!

10 Likes

The only connection a Librem 5 makes to Purism servers is to check for software updates and you can change that by pointing to one of our mirrors or you can disable the automatic checks entirely.

Presumably an HTTP proxy (or a VPN) is also an option for keeping the user's IP address out of the Purism logs. There are plenty of guides on the internet for configuring apt to use an HTTP proxy (either temporarily or permanently), e.g. https://kifarunix.com/configure-apt-proxy-on-debian-10-buster/

To be honest, it's not something that I have tested or tried at this stage. My need to trust Purism goes way beyond what they do with my IP address, obviously.

Edit: PS Some users may wish to force IPv6, in order to be able to use the privacy features of IPv6 addressing. repo.pureos.net apparently does not offer IPv6. Hint, Kyle. :slight_smile:

3 Likes

Note in the Ars Technica article, a Google representative states this quote:

On background (meaning Ars isn't permitted to name or quote the spokesperson), the representative said that it's inaccurate to say that a user can opt out of all telemetry data collection by the Google OS. The Android Usage and Diagnostics checkbox doesn't cover telemetry data that Google considers essential for the device to operate normally. Telemetry information collected by the Device Configuration service, for instance, is required for updating and patching the OS.

Their stance is no different from Microsoft's Windows 10, even on Enterprise versions such as LTSC (Long-Term Servicing Channel) or Pro Education. Microsoft still collects telemetry regardless of which Windows 10 version is used, and as a result there has been an active movement in the piracy scene where LTSC is highly regarded as the "best" version, due to reduced telemetry and fewer features. See a relevant article below:

Apple's statement on Ars Technica is below:

An Apple spokesperson also spoke on the condition it be background. The spokesperson said that Apple provides transparency and control for personal information it collects, that the report gets things wrong, that Apple offers privacy protections that prevent Apple from tracking user locations, and that Apple informs users about the collection of location-related data.

Notably, they have neglected to share how one would obtain control over the personal information iOS collects, they have not bothered to specify what or where the report got wrong, or how one would validate their claims, if they had any to begin with. As for privacy protections, again, they did not provide information as to how one can utilize them to protect one's data, and lastly, while informing users about collection of data is an important step, that does not signify that one's data can be opted out of. That point alone is especially missing. Their stance is reflected in @Kyle_Rankin's earlier post about implicitly trusting Apple for security, located below:

The referred study is below:

8 Likes

Thanks for the PDF, reminds me of this study from 2018 that found similar results; glad to see another (and recent) study, especially if it helps gain traction to alternatives given the current level of privacy concern among populations as a whole. On the recent study I like how the listed examples with the highlighted contents, made things easy to spot while reading.

2018 study: https://digitalcontentnext.org/blog/2018/08/21/google-data-collection-research/

2 Likes

I have another question on this article of @Kyle_Rankin
So you write that Firefox is snitching on us. No problem to admit that. But what is the solution? I can not even use firefox-esr because of the need to use Jitsi. So I use Firefox (I think only version >82 works with Jitsi) or Chromium. So my questions come down to this:

What is the correct (privacy-wise) way to browse the web, and how to access Jitsi?

I have been refusing to use Zoom. If I can not access Jitsi during the covid pandemic then there is not a decent solution(?)

1 Like

You can try whereby.com. Here is their privacy policy. I've used it before for a little while, seems decently sufficient to me.

1 Like

Would you care to share your rules list, or would that be too much of a hassle?

1 Like

Try ungoogled-chrome or brave.

1 Like

Thanks. I will try ungoogled-chrome. But Brave … doesn't it belong to another company that will again snitch? Does anyone know if the Electron client of Jitsi is Google dependent?

1 Like

Pretty sure Electron has Chromium code.

1 Like

My goal is to package up a separate package full of reasonable default rules that would exist alongside the opensnitch package, when we get it packaged for PureOS. It would work similar to how firejail does it. There is a base firejail package and an add-on package that adds firejail profiles for common applications.

I wouldn't want to roll my rules into the main opensnitch package because an individual might have a different opinion on how strict or relaxed the rules should be.

7 Likes
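As an added illustration of the "separate package of default rules" idea described above (not Purism's or OpenSnitch's own code), the script below builds a small set of OpenSnitch rule files, validates them against the field names the v1.3.x daemon reads from `/etc/opensnitchd/rules/`, and writes them into a staging directory such as a package build would use. The rule schema, the sample destinations and the directory name are assumptions for the example.

```python
import json
import os
from datetime import datetime, timezone

# Assumed (OpenSnitch 1.3.x) rule vocabulary; each rule is one JSON file.
OPERANDS = {"process.path", "dest.host", "dest.ip", "dest.port", "user.id"}
TYPES = {"simple", "regexp", "list"}
ACTIONS = {"allow", "deny"}
DURATIONS = {"always", "once", "until restart"}


def make_rule(name, operand, data, action="deny", rule_type="simple"):
    """Build one OpenSnitch rule dict (permanent, enabled)."""
    now = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    return {
        "created": now, "updated": now, "name": name, "enabled": True,
        "action": action, "duration": "always",
        "operator": {"type": rule_type, "operand": operand,
                     "sensitive": False, "data": data, "list": []},
    }


def validate_rule(rule):
    """Return a list of problems; empty list means the rule is well-formed."""
    problems = []
    op = rule.get("operator", {})
    if rule.get("action") not in ACTIONS:
        problems.append("bad action: %r" % rule.get("action"))
    if rule.get("duration") not in DURATIONS:
        problems.append("bad duration: %r" % rule.get("duration"))
    if op.get("operand") not in OPERANDS:
        problems.append("bad operand: %r" % op.get("operand"))
    if op.get("type") not in TYPES:
        problems.append("bad type: %r" % op.get("type"))
    if not rule.get("name") or "/" in rule["name"]:
        problems.append("name must be a plain file stem")
    return problems


def write_rules(staging_dir, rules):
    """Write valid rules as <name>.json; return written paths (invalid skipped)."""
    os.makedirs(staging_dir, exist_ok=True)
    written = []
    for rule in rules:
        if validate_rule(rule):
            continue  # a packaged rule set must never ship a malformed file
        path = os.path.join(staging_dir, rule["name"] + ".json")
        with open(path, "w") as fh:
            json.dump(rule, fh, indent=2)
        written.append(path)
    return written


# Constructed sample: a default-deny for a hypothetical telemetry host pattern.
DEFAULT_RULES = [
    make_rule("deny-telemetry-example", "dest.host",
              r".*telemetry\.example\.invalid$", rule_type="regexp"),
    make_rule("allow-apt-mirror", "dest.host", "repo.pureos.net", action="allow"),
]
```

The regexp rule uses an obviously fake host so the sample cannot match real traffic; a packager would substitute the hostnames chosen for the distribution's default set.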

Hey Kyle, thanks for the writing!
I think a lot of us already with the phone would appreciate being able to reproduce your steps and run it in the current possible state. Do you think you could share the steps you followed to run opensnitch? I just tried with the 1.2 arm64 deb packages but it didn't work out.

1 Like

The official releases are back on the evilsocket repository:

I pulled down the 1.3.6 arm64 packages, installed any dependencies they needed, and then installed the debs manually. Note that when you install the opensnitch_ui package, it will build some python libraries by hand (which is for cross-distro compatibility but HEAVILY frowned upon by Debian maintainers). Because when you turn off the screen, the Librem 5 clocks its RAM down drastically, and because building these python libraries is incredibly resource intensive, I highly recommend leaving your screen on throughout the whole process. I've noticed loads up into the 15-20 range when building these libraries. If for some reason things seem to freeze, you can forcefully halt the phone and try again after a reboot and it should complete.

Our goal is to have a version of the UI package that doesn't have this pip install as part of the post-install script.

[Edited to add] This pip install is a one-time thing. After you get through it, those libraries are on the system so any future upgrades of the python UI package will be fast.

4 Likes

That article is not specifying that Firefox is snitching on us; rather, it focuses on OpenSnitch, which acts like a firewall for the desktop user. It monitors outgoing connections to servers.

There is no "correct" way, as one's needs depend on how much privacy one wants, and your threat model.

For example, I use the Tor Browser, and my threat model on the Purism Forums is mass surveillance, so everything I do must be compartmentalized into a persona that follows that.

You can use Jitsi without needing to use the web application every time if you start your own instance. See the URL below:

1 Like

Speaking of the Librem phone… it also helps if your phone doesn't yet have the driver to be able to use the webcam :slight_smile: :laughing:

2 Likes

"Track", tracking, trackers… all very polite terms that whitewash what it is. Tracking follows us from one place to another. Stalking, stalk, stalkers follow us from one place to another with INTENT. If the INTENT is considered 'stalking' by the person, then a charge is laid - - - but only to individuals. Corporations and governments have made certain they are immune to such charges.

SMIRC, is used to Stalk the device, Monitor the devices locations, data exchanges, network and with whom including financial transactions (receipts), and to Inject more stalkers, then Record everything for storage and analysis in order to Control, the person with the device.

If one cannot convince government and/or corporations to do the right thing, then embarrass them into acting responsibly. Call it what it is :warning: SMIRC :warning:!

When we are too afraid to speak the truth, then they have won,

~S~

8 Likes

Yes, they should stop SMIRC'ing at us!

1 Like

Reminds me of "Smert shpionam", but it seems to be the counter program. :laughing:

3 Likes

@prolog
A good movie for its time.
IMHO - unfortunately, this is real life with real thieves in a world full of myopic megalomaniacs taking what they want and pimping out our rights to privacy.
If it keeps up, too many country governments will start, as already implied by the 'Mericans, to rein in the top 3 miscreants; Google, Facebook and Twitter.
If people don't want a voice, refuse to be heard, and want to be led by the nose, they'll let government continue to control what one can and cannot say.

There are alternatives of course, but many of the Facebook and Google wannabes are already censoring anything that possibly might could be seen as a phobia or might possibly perhaps offend even one person.

Hope I haven't offended you or anyone reading this, as it was never my intention, and to be ahead of how the celebrities handle it, I'll apologize in advance, not later (for the headline), for anything I may have said that might deliberately be taken out of context to be used against me in the Courts of Social Media.

Death to spying stalkers and to those who smirk. :wink:

~s~

5 Likes