Pluralistic: Google's new phones can't stop phoning home (08 Oct 2024)

Originally published at: Pluralistic: Google’s new phones can’t stop phoning home (08 Oct 2024) – Pluralistic: Daily links from Cory Doctorow






A photo of a 1950s-era teen girl lying on a pink bed, holding a Princess phone to her head. Her face has been replaced with the glaring red eye of HAL 9000 from Stanley Kubrick's '2001: A Space Odyssey.' The phone's handset, coil and body have been recolored with stripes in Google's four logo colors. Three Android mascot/robots peek out around her body.

Google's new phones can't stop phoning home

One of the most brazen lies of Big Tech is that people like commercial surveillance, a fact you can verify for yourself by simply observing how many people end up using products that spy on them. If they didn't like spying, they wouldn't opt into being spied on.

This lie has spread to the law enforcement and national security agencies, who treasure Big Tech's surveillance as an off-the-books trove of warrantless data that no court would ever permit them to gather on their own. Back in 2017, I found myself at SXSW, debating an FBI agent who was defending the Bureau's gigantic facial recognition database, which, he claimed, contained the faces of virtually every American:

https://www.theguardian.com/culture/2017/mar/11/sxsw-facial-recognition-biometrics-surveillance-panel

The agent insisted that the FBI had acquired all those faces through legitimate means, by accessing public sources of people's faces. In other words, we'd all opted in to FBI facial recognition surveillance. "Sure," I said, "to opt out, just don't have a face."

This pathology is endemic to neoliberal thinking, which insists that all our political matters can be reduced to economic ones, specifically, the kind of economic questions that can be mathematically modeled and empirically tested. It would be great if all our thorniest problems could be solved like mathematical equations.

Unfortunately, there are key elements of these systems that can't be reliably quantified and turned into mathematical operators, especially power. The fact that someone did something tells you nothing about whether they chose to do so – to understand whether someone was coerced or made a free choice, you have to consider the power relationships involved.

Conservatives hate this idea. They want to live in a neat world of "revealed preferences," where the fact that you're working in a job where you're regularly exposed to carcinogens, or that you've stayed with a spouse who beats the shit out of you, or that you're homeless, or that you're addicted to Oxy, is a matter of choice. Monopolies exist because we all love the monopolist's product best, not because they've got monopoly power. Jobs that pay starvation wages exist because people want to work full time for so little money that they need food-stamps just to survive. Intervening in any of these situations is "woke paternalism," where the government thinks it knows better than you and intervenes to take away your right to consume unsafe products, get maimed at work, or have your jaw broken by your husband.

Which is why neoliberals insist that politics should be reduced to economics, and that economics should be carried out as if power didn't exist:

https://pluralistic.net/2024/10/05/farrago/#jeffty-is-five

Nowhere is this stupid trick more visible than in the surveillance fight. For example, Google claims that it tracks your location because you asked it to, by using Google products that make use of your location without clicking an opt out button.

In reality, Google has the power to simply ignore your preferences about location tracking. In 2021, the Arizona Attorney General's privacy case against Google yielded a bunch of internal memos, including memos from Google's senior product manager for location services Jen Chai complaining that she had turned off location tracking in three places and was still being tracked:

https://pluralistic.net/2021/06/01/you-are-here/#goog

Multiple googlers complained about this: they'd gone through dozens of preference screens, hunting for "don't track my location" checkboxes, and still they found that they were being tracked. These were people who worked under Chai on the location services team. If the head of that team, and her subordinates, couldn't figure out how to opt out of location tracking, what chance did you have?

Despite all this, I've found myself continuing to use stock Google Pixel phones running stock Google Android. There were three reasons for this:

First and most importantly: security. While I worry about Google tracking me, I am as worried (or more) about foreign governments, random hackers, and dedicated attackers gaining access to my phone. Google's appetite for my personal data knows no bounds, but at least the company is serious about patching defects in the Pixel line.

Second: coercion. There are a lot of apps that I need to run – to pay for parking, say, or to access my credit union or control my rooftop solar – that either won't run on jailbroken Android phones or require constant tweaking to keep running.

Finally: time. I already have the equivalent of three full time jobs and struggle every day to complete my essential tasks, including managing complex health issues and being there for my family. The time I take out of my schedule to actively manage a de-Googled Android would come at the expense of either my professional or personal life.

And despite Google's enshittificatory impulses, the Pixels are reliably high-quality, robust phones that get the hell out of the way and let me do my job. The Pixels are Google's flagship electronic products, and the company acts like it.

Until now.

A new report from Cybernews reveals just how much data the next generation Pixel 9 phones collect and transmit to Google, without any user intervention, and in defiance of the owner's express preferences to the contrary:

https://cybernews.com/security/google-pixel-9-phone-beams-data-and-awaits-commands/

The Pixel 9 phones home every 15 minutes, even when it's not in use, sharing "location, email address, phone number, network status, and other telemetry." Additionally, every 40 minutes, the new Pixels transmit "firmware version, whether connected to WiFi or using mobile data, the SIM card Carrier, and the user’s email address." Even further, even if you've never opened Google Photos, the phone contacts Google Photos’ Face Grouping API at regular intervals. Another process periodically contacts Google's Voice Search servers, even if you never use Voice Search, transmitting "the number of times the device was restarted, the time elapsed since powering on, and a list of apps installed on the device, including the sideloaded ones."

All of this is without any consent. Or rather, without any consent beyond the "revealed preference" of just buying a phone from Google ("to opt out, don't have a face").

What's more, the Cybernews report probably undercounts the amount of passive surveillance the Pixel 9 undertakes. To monitor their testbench phone, Cybernews had to root it and install Magisk, a monitoring tool. In order to do that, they had to disable the AI features that Google touts as the centerpiece of Pixel 9. AI is, of course, notoriously data-hungry and privacy invasive, and all the above represents the data collection the Pixel 9 undertakes without any of its AI nonsense.

It just gets worse. The Pixel 9 also routinely connects to a "CloudDPC" server run by Google. Normally, this is a server that an enterprise customer would connect its employees' devices to, allowing the company to push updates to employees' phones without any action on their part. But Google has designed the Pixel 9 so that privately owned phones do the same thing with Google, allowing for zero-click, no-notification software changes on devices that you own.

This is the kind of measure that works well, but fails badly. It assumes that the risk of Pixel owners failing to download a patch outweighs the risk of a Google insider pushing out a malicious update. Why would Google do that? Well, perhaps a rogue employee wants to spy on his ex-girlfriend:

https://www.wired.com/2010/09/google-spy/

Or maybe a Google executive wins an internal power struggle and decrees that Google's products should be made shittier so you need to take more steps to solve your problems, which generates more chances to serve ads:

https://pluralistic.net/2024/04/24/naming-names/#prabhakar-raghavan

Or maybe Google capitulates to an authoritarian government who orders them to install a malicious update to facilitate a campaign of oppressive spying and control:

https://en.wikipedia.org/wiki/Dragonfly_(search_engine)

Indeed, merely by installing a feature that can be abused this way, Google encourages bad actors to abuse it. It's a lot harder for a government or an asshole executive to demand a malicious downgrade of a Google product if users have to accept that downgrade before it takes effect. By removing that choice, Google has greased the skids for malicious downgrades, from both internal and external sources.

Google will insist that these anti-features – both the spying and the permissionless updating – are essential, that it's literally impossible to imagine building a phone that doesn't do these things. This is one of Big Tech's stupidest gambits. It's the same ruse that Zuck deploys when he says that it's impossible to chat with a friend or plan a potluck dinner without letting Facebook spy on you. It's Tim Cook's insistence that there's no way to have a safe, easy to use, secure computing environment without giving Apple a veto over what software you can run and who can fix your device – and that this veto must come with a 30% rake from every dollar you spend on your phone.

The thing is, we know it's possible to separate these things, because they used to be separate. Facebook used to sell itself as the privacy-forward alternative to Myspace, where they would never spy on you (not coincidentally, this is also the best period in Facebook's history, from a user perspective):

https://papers.ssrn.com/sol3/papers.cfm?abstract_id=3247362

And we know it's possible to make a Pixel that doesn't do all this nonsense because Google makes other Pixel phones that don't do all this nonsense, like the Pixel 8 that's in my pocket as I type these words.

This doesn't stop Big Tech from gaslighting* us and insisting that demanding a Pixel that doesn't phone home four times an hour is like demanding water that isn't wet.

*pronounced "jass-lighting"

Even before I read this report, I was thinking about what I would do when I broke my current phone (I'm a klutz and I travel a lot, so my gadgets break pretty frequently). Google's latest OS updates have already crammed a bunch of AI bullshit into my Pixel 8 (and Google puts the "invoke AI bullshit" button in the spot where the "do something useful" button used to be, meaning I accidentally pull up the AI bullshit screen several times/day).

Assuming no catastrophic phone disasters, I've got a little while before my next phone, but I reckon when it's time to upgrade, I'll be switching to a phone from the @calyxinstitute@mastodon.social. Calyx is an incredible, privacy-focused nonprofit whose founder, Nicholas Merrill, was the first person to successfully resist one of the Patriot Act's "sneak-and-peek" warrants, spending 11 years defending his users' privacy from secret – and, ultimately, unconstitutional – surveillance:

https://www.eff.org/deeplinks/2013/03/depth-judge-illstons-remarkable-order-striking-down-nsl-statute

Merrill and Calyx have tapped into various obscure corners of US wireless spectrum licenses that require major carriers to give ultra-cheap access to nonprofits, allowing them to offer unlimited, surveillance-free, Net Neutrality respecting wireless data packages:

https://memex.craphound.com/2016/09/22/i-have-found-a-secret-tunnel-that-runs-underneath-the-phone-companies-and-emerges-in-paradise/

I've been a very happy Calyx user in years gone by, but ultimately, I slipped into the default of using stock Pixel handsets with Google's Fi service.

But even as I've grown increasingly uncomfortable with the direction of Google's Android and Pixel programs, I've grown increasingly impressed with Calyx's offerings. The company has graduated from selling mobile hotspots with unlimited data SIMs to selling jailbroken, de-Googled Pixel phones that have all the hardware reliability of a Pixel, coupled with an alternative app suite and your choice of a Calyx SIM and/or a Calyx hotspot:

https://calyxinstitute.org/

Every time I see what Calyx is up to, I think, dammit, it's really time to de-Google my phone. With the Pixel 9 descending to new depths of enshittification, that decision just got a lot easier. When my current phone croaks, I'll be talking to Calyx.

(Image: Cryteria, CC BY 3.0, modified)



This day in history

#20yrsago HOWTO censor the net with a Hotmail account https://web.archive.org/web/20041023150004/http://www.bof.nl/docs/researchpaperSANE.pdf

#20yrsago Pratchett’s “Going Postal”: Graft, hackers, and a semaphore Internet https://memex.craphound.com/2004/10/09/pratchetts-going-postal-graft-hackers-and-a-semaphore-internet/

#20yrsago Both Presidential candidates arrested while serving papers on CPD https://web.archive.org/web/20041009213011/https://badnarik.org/supporters/blog/2004/10/08/michael-badnarik-arrested/

#15yrsago Marc Laidlaw’s “Sleepy Joe” — sf story comic podcast about war, cable access and human bombs https://escapepod.org/2009/10/08/ep219-sleepy-joe/

#15yrsago Junky Styling: a manual for thrift-shop clothes-remixers https://memex.craphound.com/2009/10/09/junky-styling-a-manual-for-thrift-shop-clothes-remixers/

#10yrsago Kids who sext more likely to be comfortable with their sexuality https://publications.aap.org/pediatrics/article-abstract/47/Supplement_1/229/78000/The-Relationships-Between-Adrenal-Cortical?redirectedFrom=PDF

#10yrsago SWAT team murders burglary victim because burglar claimed he found meth https://www.techdirt.com/2014/10/08/swat-team-raids-house-kills-homeowner-because-criminal-who-burglarized-house-told-them-to/

#10yrsago Malware needs to know if it’s in the Matrix https://web.archive.org/web/20141009164227/http://thestack.com/mimicry-in-malware-giovanni-vigna-081014

#5yrsago After banning working cryptography and raiding whistleblowers, Australia’s spies ban speakers from national infosec conference https://www.theguardian.com/technology/2019/oct/09/melbourne-cyber-conference-organisers-pressured-speaker-to-edit-biased-talk

#5yrsago SQL Murder Mystery: teaching SQL concepts with a mystery game https://github.com/NUKnightLab/sql-mysteries

#5yrsago Washington establishment freaks out as Modern Monetary Theory gains currency https://www.bloomberg.com/news/articles/2019-10-07/economists-worry-that-mmt-is-winning-the-argument-in-washington

#5yrsago Hunter Biden’s Ukraine gig was corrupt, just not in the way Republican conspiracists claim it was https://theintercept.com/2019/10/09/joe-hunter-biden-family-money/

#5yrsago Gamers propose punishing Blizzard for its anti-Hong Kong partisanship by flooding it with GDPR requests https://www.reddit.com/r/hearthstone/comments/df0zx5/upset_about_blizzards_hk_ruling_heres_what_to_do/

#1yrago How Google's trial secrecy lets it control the coverage https://pluralistic.net/2023/10/09/working-the-refs/#but-id-have-to-kill-you



Upcoming books

  • Picks and Shovels: a sequel to "Red Team Blues," about the heroic era of the PC, Tor Books, February 2025
  • Unauthorized Bread: a middle-grades graphic novel adapted from my novella about refugees, toasters and DRM, FirstSecond, 2025



Colophon


Currently writing:

  • Enshittification: a nonfiction book about platform decay for Farrar, Straus, Giroux. Today's progress: 752 words (60068 words total).
  • A Little Brother short story about DIY insulin PLANNING

  • Picks and Shovels, a Martin Hench noir thriller about the heroic era of the PC. FORTHCOMING TOR BOOKS FEB 2025

Latest podcast: Spill, part one (a Little Brother story) https://craphound.com/littlebrother/2024/10/06/spill-part-one-a-little-brother-story/


This work – excluding any serialized fiction – is licensed under a Creative Commons Attribution 4.0 license. That means you can use it any way you like, including commercially, provided that you attribute it to me, Cory Doctorow, and include a link to pluralistic.net.

https://creativecommons.org/licenses/by/4.0/

Quotations and images are not included in this license; they are included either under a limitation or exception to copyright, or on the basis of a separate license. Please exercise caution.



"When life gives you SARS, you make sarsaparilla" -Joey "Accordion Guy" DeVilla

Despite all this, I’ve found myself continuing to use stock Google Pixel phones running stock Google Android.

Stock Android != Google Android. Google takes Android and makes it not-stock, for example on Pixels. Pixels run Google Android, which isn’t stock Android.

Run GrapheneOS on Pixels, because Pixels get regular security updates, as you correctly pointed out. Then, your OS won’t “phone home” except when you tell it to, and you’ll be secure with extremely regular security updates.

Second: coercion. There are a lot of apps that I need to run – to pay for parking, say, or to access my credit union or control my rooftop solar – that either won’t run on jailbroken Android phones or require constant tweaking to keep running.

Every app that I need works on GrapheneOS, except MyQ, the Chamberlain/Liftmaster enshittified piece of garbage. So I stopped needing it.

Finally: time.

It takes a bit of time to set up, but substantially less time to manage in an ongoing way.

I do recommend you keep a Google account, and turn on advanced protection for it. Ironically, a team at EFF or another site where I get privacy-focused operating system information went back to Google account with advanced protection. But, they needed it for publishing to youtube (I don’t think you need this), as well as journalistic purposes (you may or may not need the same features).

*pronounced “jass-lighting”

:heart_eyes:

Just use Apple, jesus… it’s specifically made to be in opposition to Google

I don’t remember last time I used any Google service and don’t need to boggle my life with jailbroken Pixel phone.

iPhone seems crafted specifically for your needs too with focus on security updates. Why strain yourself with this Pixel and Google garbage?

This is just utter nonsense, the Pixel 8 is in no way more private than the Pixel 9, never was. Both are, with Pixel OS installed, horrible for privacy. The invasive telemetry is achieved through the deeply integrated Google Play Services, which essentially have root access. This is even worse on other manufacturers’ Android handsets, as they additionally add their own invasive telemetry next to Google’s.

Sadly Cory fell for a highly inaccurate and misleading article. I do find it quite insane that he uses a stock Pixel when there is GrapheneOS. Also its omission is quite telling, it being the de facto gold standard in the cyber security & privacy community. Also it is neither rooted, nor jailbroken or a flimsy custom ROM. Google Pixels officially support installing alternative operating systems (so no jailbreak needed). GrapheneOS also locks the bootloader, so there is NO rooting.

TLDR:
Pixel with GrapheneOS > iPhone > Pixel with Pixel OS (8 or 9 makes no difference) > random Android handset (the worst)

Apple spies on mobile users…and lies about it:

https://pluralistic.net/2022/11/14/luxury-surveillance/#liar-liar

There are trade-offs.

You essentially have two choices: Apple vs Google if you want to remain in the very convenient and comfy situation with all the bells and whistles, payments etc.

I can’t say exactly what they collect of course but it is for sure a small percentage of stuff you are milked in Google ecosystem.

Even by not using Gmail and Google account you already cut it substantially and that of course is super problematic when running Android phone.

However you pay for this relative luxury a higher markup but it is still a good middle ground imo
