Google’s Messages and Dialer apps for Android devices have been collecting and sending data to Google without specific notice and consent, and without offering the opportunity to opt out, potentially in violation of Europe’s data protection law.
According to a research paper, “What Data Do The Google Dialer and Messages Apps On Android Send to Google?” [PDF], by Trinity College Dublin computer science professor Douglas Leith, Google Messages (for text messaging) and Google Dialer (for phone calls) have been sending data about user communications to the Google Play Services Clearcut logger service and to Google’s Firebase Analytics service.
“The data sent by Google Messages includes a hash of the message text, allowing linking of sender and receiver in a message exchange,” the paper says. “The data sent by Google Dialer includes the call time and duration, again allowing linking of the two handsets engaged in a phone call. Phone numbers are also sent to Google.”
The timing and duration of other user interactions with these apps have also been transmitted to Google. And Google offers no way to opt out of this data collection.
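The linking described in the paper excerpt above can be shown in a few lines. This is an added example, not code from the paper or from Google: the SHA-256 choice, the record fields, the device names and the 60-second matching window are all assumptions made for illustration, and the events are constructed sample data.

```python
import hashlib
from collections import defaultdict


def message_digest(text: str) -> str:
    # Assumption: SHA-256 over the UTF-8 text; the page only says "a hash of the message text".
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def handset_event(device, direction, text, ts):
    """Telemetry record with no plaintext and no peer identifier (hypothetical fields)."""
    return {"device": device, "direction": direction,
            "msg_hash": message_digest(text), "ts": ts}


def link_handsets(events, max_skew=60):
    """Pair sent/received events from different devices that share a hash
    and fall within max_skew seconds of each other."""
    by_hash = defaultdict(list)
    for event in events:
        by_hash[event["msg_hash"]].append(event)
    links = set()
    for group in by_hash.values():
        senders = [e for e in group if e["direction"] == "sent"]
        receivers = [e for e in group if e["direction"] == "received"]
        for s in senders:
            for r in receivers:
                if s["device"] != r["device"] and 0 <= r["ts"] - s["ts"] <= max_skew:
                    links.add((s["device"], r["device"]))
    return sorted(links)


# Constructed sample: what a collector would see from four handsets.
EVENTS = [
    handset_event("device-A", "sent", "Running late, see you at 7", 1000),
    handset_event("device-B", "received", "Running late, see you at 7", 1003),
    handset_event("device-C", "sent", "ok", 2000),
    handset_event("device-D", "received", "ok", 9000),  # same text, far apart in time
    handset_event("device-B", "sent", "No problem", 1100),
    handset_event("device-A", "received", "No problem", 1101),
]

if __name__ == "__main__":
    for sender, receiver in link_handsets(EVENTS):
        print(f"{sender} -> {receiver}")
```

The collector never sees message text, yet the identical hash on both sides is enough to pair the handsets, which is why hashing content does not by itself anonymize telemetry.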
Am I wrong in feeling like if my phone isn’t completely degoogled, there is not much point in not using Google apps because Google has so much integration into Android when not degoogled? I kinda view Google spying on me as unavoidable until I degoogle.
I switched to Graphene so these make sense. I agree, though, if Google is baked into your OS you’re pissing into the wind trying to stem the flow of data to them.
Prompt after a crash, include verbatim data sent, send only this time or opt in for automatic reporting, IMHO best practice as a user who respects the need for valuable analytics.
It takes years to build a good reputation in OSS, and only one dumb thing (like opt-out of personal data) to ruin it.
(Yes, IPs may be considered personal data in that they can be used to identify individuals, and so subject to the GDPR and, potentially, the very high fines associated with that. Unless you’re evil, don’t collect any personal or identifying data unless you absolutely have to, and be very triple sure the user knows what you’re sending and why.)
There are kinds of analytics that are incompatible with the GPL, as you can’t restrict what users do with GPL software, and that includes asking children not to submit analytics containing information you’re not allowed to know about children under COPPA. The only options are to hope your software is only used by adults, or not implement any kinds of analytics that collect the relevant kinds of personal information.
Many people who deliberately choose open source are also into privacy. I’m not sure what people like. But you’ll definitely face some rejection by people like me. I like to file bug reports myself. I get my apps from F-Droid and they usually strip those telemetry libraries from the source. But for people who use Obtainium or Google Play, it’ll work. I think there is a good share of users who are fine with crash reports. Maybe the majority. You could make the app ask for confirmation before sending the report. Or offer two variants of the app, one normal and one without. Or let people like F-Droid offer the latter.
If it’s more than crash reports, I think it should be opt-in rather than opt-out.
I like the old fashioned way of doing free software. Have a community around the project, a bugtracker and engage people in a discussion about future developments. I’m happy if that’s baked into an app if it’s opt-in and it’s an open backend or something simple, meaning you don’t include the whole Firebase, Crashlytics, … stuff. But it’s up to the developer. If you like it, and your audience isn’t privacy nerds, include it and see if people complain.
Or offer two variants of the app, one normal and one without. Or let people like F-Droid offer the latter.
I like the idea of providing two variants, one normal and another without any analytics whatsoever on F-Droid. Users can create an issue/support ticket on GitHub providing logs themselves. Their app will not even ping back whatsoever.
I will create the app with analytics with a compile switch so the analytics part is not even compiled and completely stripped from the build.
Yeah, the maintainers of F-Droid will probably appreciate you did the work for them.
And I think it’s a sound approach. I mean the Linux ecosystem works the same way. We have upstream developers, and distributions and maintainers who adapt the packages for the user. We can have all the diversity, modern tools and also distributions like Debian that switch everything to privacy per default because their users like that. I think the same approach works for Android and I really appreciate I get to choose between F-Droid, Obtainium and the Google Play store.
I will not use software that has analytics that I have to opt out of if there is an alternative that has analytics off by default with the ability to opt-in.
The psychology surrounding opt-out vs opt-in is very well understood, and choosing to include analytics with an opt-out structure is taking advantage of people to make development potentially easier. Not cool.
Like others suggested, Lemmy communities and some news sites like Hacker News.
But also some YouTube channels like Mental Outlaw, The Linux Experiment and Brodie Robertson (most of them also have Odysee channels if you don’t want to use YouTube). Also Luke Smith (actually he shills a lot of FOSS software).
Slashdot, Hacker News feeds and some communities here. I don’t really try to keep up with commercial tech since most of it is bundled with DRM or spyware with exceptions such as the Steam Deck.
I’m only interested in FOSS stuff myself. I subscribe to some security and privacy communities here in addition to some technology ones. If the news is big enough we’ll hear about it one way or another.
Discoverability happens organically out of need. E.g. search “split pdfs linux” and I’ll get a CLI tool for it.
I thought I would love a power button but after installing my pi4 in a case with one, I found myself setting the jumper to “always on” after every small power outage took my server offline and I had to drag my lazy butt to my pi to turn it back on.