I think this study is quite good but it does come with one important caveat:
From page 5, "This is before the introduction of Apple's new opt-in mechanism for tracking in 2021. Our dataset therefore reflects privacy in the app ecosystem shortly before this policy change."
Personally, I would prefer to see the difference between apps monetized by customers paying directly and apps monetized by advertising. I take for granted advertiser will track, and I assume paid apps track less but I wonder if that's actually true in practice. It very well might not be.
It should be assumed that any app that won't allow public review and independent builds of their source code can and will take actions for profit you may not approve of at any time, be it intentionally or out of negligence.
Letting a third party run code on your system that they don't permit you or someone you trust to see is a bit like being asked to adopt a legal contract that has some amount of power over you that you are not permitted to read.
If you want apps willing to prove you can trust them to respect your privacy and freedom, the reasonably strict process for apps in the F-Droid store is what you are likely looking for.
There is an accountable and privacy preserving alternative for almost everything.
Thanks for pointing me to that. It's hard not to agree with the Transparency Matters conclusion but the 13% drop in Tracking Attempts is worth calling out so I'm glad the Oxford researchers did it.
This is not my field but one thing that I don't get when looking over the Transparency Matters report [1] is why do some apps have 9 trackers and others have 300 requests? Are they really so different? And are they able to get information that Starbucks didn't with only 3 trackers and 21 requests?
I guess in the end the magnitudes aren't so important but I found the large differences pretty amazing. If nothing else I would think they might want to reduce the amount of data they need to retain, reducing their costs. It seems like there has to be diminishing returns there.
It also shows how much data Google has as they show up on 8 of the 10 apps tracker lists and one can only assume they keep a copy of all that as well.
So perhaps the iOS/Android comparison is meaningless anyway as Google knows all about you either way.
This article shows a fundamental misunderstanding of the functionality of "App Tracking Transparency", and I will admit the text "ask app not to track" is confusing.
ATT, when a user selects "no", blocks the app from accessing your device ID. This makes it so that even though the app can still track what you do in their app, they can't connect that to the data collected from other apps through your device ID, and therefore build a profile of you as a person.
I analysed[0] this early in 2021 based on the self-reported “nutrition labels” that Apple started requiring. There’s definitely a strong correlation between and collects significant data.
It's tough to diff the privacy between Android and iOS, as an OS.
However, as an app ecosystem, it's not tough at all. For example, there is not a single open source email app on iOS which supports GPG email. In the iOS app ecosystem, privacy and FLOSS are an afterthought, since iOS users are more likely to pay for proprietary software. On Android, there are a lot more options, including things like F-Droid which are full of FLOSS apps which are graded based on their patterns and anti-patterns.
If you're talking just about FOSS software availability, sure, but that's not grading the privacy of the app ecosystem nor does it grade the privacy posture of a typical user/the userbase on average.
I think the point here is that Play Store and the App Store have no requirements for public source code accountability so there is simply no way to know if a given app binary is safe or not.
Even an open source app on these stores can't be provably correlated to published source code and could have undocumented deviations at any time.
Put simply, there is no reasonably accountable privacy story on stock iOS or Android. You mostly just have to take each publisher's biased word for it and that the permission system alone covers every potential way an app can abuse your trust.
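The check the comment above is asking for, "does the binary in the store correspond to the published source", is what a reproducible-build comparison does: build the app yourself from the tagged source, then compare the store APK and your APK entry by entry, ignoring only the JAR signature files that necessarily differ because the developer's signing key is not yours. The script below is an added example, not code from the study, the commenter or any store; the three APKs it inspects are constructed in-memory zip archives (real APKs are zip files, so the same functions apply to files read from disk), and the "tampered" one stands in for a store build that silently ships a different classes.dex plus an extra native library.

```python
import hashlib
import io
import zipfile

# JAR-signature entries inside META-INF/ that legitimately differ between a
# developer-signed store APK and a locally built APK signed with a different
# key (or not signed at all). Other META-INF/ files (e.g. Kotlin module
# metadata) are part of the build output and are still compared.
SIGNATURE_SUFFIXES = (".RSA", ".DSA", ".EC", ".SF", "MANIFEST.MF")


def is_signature_entry(name):
    """True for v1 (JAR) signature files; v2/v3 signing blocks live outside
    the zip entries and are never read by ZipFile, so they need no handling."""
    return name.startswith("META-INF/") and name.upper().endswith(SIGNATURE_SUFFIXES)


def content_digests(apk_bytes):
    """Map every non-signature zip entry to the SHA-256 of its uncompressed
    content. Comparing digests rather than raw bytes makes the check
    independent of entry order, compression level and zip timestamps."""
    digests = {}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir() or is_signature_entry(info.filename):
                continue
            digests[info.filename] = hashlib.sha256(zf.read(info)).hexdigest()
    return digests


def compare_apks(store_apk, local_apk):
    """Return the entries that differ between the store APK and a local
    build: present only on one side, or present on both with other content."""
    store = content_digests(store_apk)
    local = content_digests(local_apk)
    return {
        "missing_in_store": sorted(set(local) - set(store)),
        "missing_in_local": sorted(set(store) - set(local)),
        "changed": sorted(n for n in set(store) & set(local) if store[n] != local[n]),
    }


def reproducible(store_apk, local_apk):
    """True only when nothing but the signature differs."""
    return not any(compare_apks(store_apk, local_apk).values())


def build_fake_apk(entries):
    """Constructed test input: pack the given name->bytes entries as a zip."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


# Constructed sample APKs (hypothetical contents, not real app binaries).
_BUILD_OUTPUT = {
    "AndroidManifest.xml": b"<manifest package=\"example.app\"/>",
    "classes.dex": b"dex\n035\x00" + b"\x00" * 16,
    "resources.arsc": b"\x02\x00\x0c\x00",
}
LOCAL_APK = build_fake_apk(_BUILD_OUTPUT)          # your own unsigned build
STORE_APK = build_fake_apk({                        # same build, developer-signed
    **_BUILD_OUTPUT,
    "META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\n",
    "META-INF/CERT.SF": b"Signature-Version: 1.0\n",
    "META-INF/CERT.RSA": b"\x30\x82\x01\x00",
})
TAMPERED_APK = build_fake_apk({                     # code swapped, library added
    **_BUILD_OUTPUT,
    "classes.dex": b"dex\n035\x00" + b"\xff" * 16,
    "lib/arm64-v8a/libtracker.so": b"\x7fELF\x02\x01\x01",
    "META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\n",
    "META-INF/CERT.SF": b"Signature-Version: 1.0\n",
    "META-INF/CERT.RSA": b"\x30\x82\x01\x00",
})

if __name__ == "__main__":
    print("store vs local reproducible:", reproducible(STORE_APK, LOCAL_APK))
    print("tampered vs local:", compare_apks(TAMPERED_APK, LOCAL_APK))
```

For a real app replace the constructed archives with the bytes of the APK pulled from the device (`adb pull`) and of your own build from the tagged source; a non-empty `changed` or `missing_in_local` list is exactly the "undocumented deviation" the comment describes, and a clean run is only meaningful if the build itself is reproducible (pinned toolchain, no embedded timestamps), which is the part most projects have never set up.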
They are different but I think FOSS apps incline to be privacy friendly, and if there are some issues we can always fork it and remove the code that phones home?
But I agree Android being in the hands of an ads company has really no incentive to be privacy friendly. Apple, mostly selling hardware, generally has an incentive to be more privacy friendly.
While it would be nice to be able to ensure that the source is what's exactly on the app store, protonmail does have their iOS app open sourced. Not quite the same as a generic email client, but is probably the next closest thing.
Nice, but that doesn't really address the plethora of other privacy/security concerns that Protonmail has server-side (like their IP logging which they claim never happened).
The IP logging they were legally obliged to set up, so the IP of a specific account would be stored upon the next successful login? Where’s the problem with that?
Please don't pollute the debate with incendiary inaccuracies. They said "by default, we do not keep any IP logs which can be linked to your anonymous email account." It's always been clear that if they were compelled to do so by law, they would have to comply and that's what happened.
They shouldn't give themselves the faculties to even do that. Mullvad refuses to implement anything that could identify their clients. I guess it was my fault, since I considered Protonmail to be among them as "one of the best".
As an iOS user, I would love to have something like F-Droid for iOS. That might also increase the amount of open-source iOS apps since it would be easier to publish them. (I expect that the mandatory developer account holds people in the open source community back when it comes to iOS.)
I'm not going to debate the conclusion of this paper, but keep in mind if you pick Android, it's still very important to pick the brand correctly. When you open the Clock app on Xiaomi phones, the first thing you see is a privacy policy you need to accept (!). Samsung might be better on this. I saw quite a few people on other websites (not HN) who said they switched to Android after Apple's CSAM thing, but put little thought into brand choice beyond price and features, just assuming all Androids are the same.
You might say that people who really care about privacy would just get GrapheneOS, but the mainstream info available to help make these decisions is really poor as of now. Just seems like a Wild West.
This. On privacy and even moreso on security, Android can be very good or it can be terrible and the first, and perhaps most important, determinant of this is your choice of brand.
Privacy is terrible on all stock Android phones, even first party from Google.
All ship with piles of binary blobs mandated by Google, SoC vendors, and carriers that have god access to your device, as well as any entities they sell that access to, and this sort of power abuse has been caught publicly many times.
Apple has been caught doing similar in the past but it is much harder to regularly audit closed platforms.
Unless you run something best effort like CalyxOS or GrapheneOS you should not have any reasonable expectation of privacy on a handset.
Flash Lineage OS without GApps, use microG if necessary. That will be miles better than either stock Android or iOS. Sure, that isn't really general user-accessible, but I'd expect it to be pretty easy for the general HN reader.
Or use Pinephone if you want "actual" privacy. Librem 5 is an alternative as well, albeit an overpriced one.
One thing you have to consider when debating iOS versus Android in the context of privacy is: you can have the best of both worlds and own an Android phone and an iOS device (if you can afford that, and I'm aware many citizens in third world countries don't have the luxury of owning two phones). It's like the old Chrome versus Firefox debates that happen every other month now on Hackernews & Reddit.
I own a Chromebook where I leverage the Google ecosystem and do Googley stuff all day, then a Thinkpad with Qubes+Whonix when I want privacy & security & sometimes anonymity.
You don't have to be faithful to a single company/OS/provider/whatever. You can leverage all the things and compartmentalize.
I don’t do this and it seems like a hassle but it is an interesting question: would this be more or less private than a single device?
One thing I can think of is most tracking algorithms probably assume each user has a single cell phone (either explicitly or the ML data is biased in that direction). So splitting your time across two devices probably messes with whatever user-behavior buckets they place you in. They might think you’re two people in the same household, for example.
It's actually more in-line with how real world threat models work. You always operate under the assumption that all of your hardware is compromised, then build layers of trust around that to determine which device should be used when. Not super practical for an end-user, but it's definitely better than having a single device that you always second-guess.
Maybe with different VPN endpoints on each device it could work. But it would require a strict discipline. Google is very good at finding the same person in 2 very different devices.
iOS is short form for iPhone OS. The i in iPhone doesn't really stand for something (it's derived from iPod, which was derived from iMac). According to Wikipedia, Jobs said the "i" stood for "internet, individual, instruct, inform, and inspire".
Given that the abbreviation isn't literal, "internet OS" is not colloquial and you will confuse others.
Security of desktop Linux is unfortunately in the laughable category for the most part, with very few distros enforcing even the basics of SELinux/AppArmor.
Even then, every program runs under your user account with no more fine-grained permissions, meaning any program has the ability to send your browser cache/ssh files/photos whatever to wherever it wants, or just simply encrypt them.
You are not wrong, but the security of Linux relies on FLOSS and community verification, which generally work better than the security of app stores, which are full of malware.
And that is indeed effective in that malicious programs are almost nonexistent, but I think it oftentimes does give a false sense of security, as attacks not only happen through a malicious program, but through buggy ones that have to handle some potentially malicious data. E.g. a PDF reader, browser, etc., while being written completely in good faith, can easily compromise a system through a memory leak that a clever hacker exploits. And with the overabundance of C programs in userspace for no sane reason in Linux land, it is not a far-fetched idea how someone could hijack a process with a simple bug.
> you can have the best of both worlds and own an Android phone and an iOS device
This is something I’ve been wanting to do!
I’d love to own an iPhone and Android so I can get the best of both worlds.
Does anyone have any suggestions going this route? Ideally I’d like to keep a single number that can be used on both devices and I can just decide myself what device I want to drive for the day.
I recently got a pixel 3a for $83 on Amazon and loaded up CalyxOS. I swap sims back and forth and (re)register Signal on the device I’m using at the time. I also use MySudo on each for my burner numbers. Works well and I get to try out Android. I’ve had an iPhone since the 3g one I think, and was an active iOS developer since iOS 4. I can really say I like both systems.
I found an iPhone and a cheaper Android tablet is a cost effective way of experiencing both. I don't get the benefits of the tablet being connected to my phone number, but it lets me play with both OSes at a nominal upcharge to just an iPhone (You can get a good android tablet for <$100)
Note that this study and the other one from earlier this year predate iOS 14.5, which introduced the “ask not to track” prompt that disables the operating system-provided unique identifier.
What they want to do and what they actually can do are two different things. Facebook is one of the biggest trackers in the world. But when even FB was dealt a huge blow after iOS 14.5, I don’t think other apps could fare much better.
https://www.bloomberg.com/news/articles/2021-07-14/facebook-...
It seems like privacy isn't popular enough to enable a third player in the market. I wonder if "cheap" would be popular enough to make a dent. Like someone churning out de-googled AOSP phones cheap enough to attract market share.
How do you undercut competitors that are doing what you do, but also have a revenue stream from compromising customer privacy, and are skimping on investment in securing their products?
I don’t think that it’s popularity that’s the issue. Let’s say a lot of people wanted it, where would it come from?
Invading privacy and using that pays. If your hi is to make lots of money while maximizing profit you’re going to invade privacy. If you don’t and you’re public shareholders might complain about leaving money on the table.
Then there are those who often focus on privacy tools. They often don’t end up building rolls with a user experience for the every person.
A third player would have to create an ecosystem as well, and companies barely want to write apps for two platforms, let alone one with zero users/money.
It either has to be able to run one platform’s apps, or have some alternative support. The latter can be the open source world, but then why depart from Android, when its core is FOSS?
I can imagine almost everyone targeted by your marketing are also interested in benefiting from the immensely valuable, free* services provided by Google.
*: obviously paid with privacy, but that does mean less money leaves the user's bank account
You'd likely attract the ire of some 3-letter-agencies long before you found your market. Even low-volume devices like the Pinephone and Librem have come under fire for potentially including hardware backdoors in newer models. It's a game of cat-and-mouse, where the cat has unlimited resources.
I'm not fully clued-in to the situation (why I included the word "potentially"), but I've been hearing that the latest Pinephone shipping delay was in part due to the fact that the board schematic changed slightly. Details on this seem very sparse, but I'm sure you could get the full story if you poke someone in the right IRC channel.
It's a poor proxy measure of mobile OS privacy comparing thousands of apps of the default app stores. It totally ignores the effect of Android device brand on privacy, and choice of ROM and non-default app stores being used.
If this was more conservatively titled "who has the worst default app store" that'd be far more accurate.
>In this paper, we present a study of 24k Android and iOS apps from 2020 along several dimensions relating to user privacy.
>We find that third-party tracking and the sharing of unique user identifiers was widespread in apps from both ecosystems, even in apps aimed at children. In the children's category, iOS apps used much fewer advertising-related tracking than their Android counterparts, but could more often access children's location (by a factor of 7).
>Overall, we find that neither platform is clearly better than the other for privacy across the dimensions we studied.
Well, here's a novel idea: don't get children their own smartphones, uninstall/disable all apps bar the essentials, and keep your own usage to the bare minimum.
This is like saying the solution to widespread obesity is to tell people to eat better. Kids use phones / tablets for many reasons and most of them are real (e.g. keep in touch with parents, travel using services like Uber, communications and other school apps, etc.) — the platform needs to protect people because it’s unrealistic to expect individual choices to hold up against a massive industry.
I don't think it's reasonable to expect people to adopt a bunker mentality on this. iPhones, Pixels, Samsung flagships, etc are fantastic devices that offer incredibly useful and powerful features. For most people giving that up for improved privacy in't a worthwhile tradeoff.
That does not in any way mean any of this tracking is ok or acceptable. It means we need to keep up the public pressure and technical vigilance to publicise this issue, and try and get the industry and legislators/regulators moving in the right direction.
I’m pretty sure the dark patterns of Android make sure that most regular users share more data than iOS users. For example the Google Maps app pretends the location service is broken when it’s simply not having the maximal efficiency with WiFi enabled.
Another aspect is the phone itself having their own way. Most Android devices come pre installed with a plethora of tracking apps enabled.
So given privacy with Apple I know that I share it exclusively with Apple, while on Android I’m certain it is both the manufacturer and Google.
I didn't test CalyxOS yet but I suggest you try GrapheneOS, if you have a Pixel. I think it is really well done, the documentation is detailed and the team's attention to security, and so privacy, is rock solid.
There can be differences though. Where I live, Coca-cola has computerized all their vending machines, and you can connect to them with an app and pay for a drink and collect points to redeem for free drinks.
They also have a feature where if you walk a certain number of steps in a month, you can get a free drink. On iOS, the app asks for permission to read the step count data from the iOS system step counter. On Android, the app requires background location and the Coca Cola company can now know where you are at any time.
The abductors obtained that information through his fiance's iPhone. This iPhone was infected with NSO's Pegasus malware and the infection was executed by sending a zero-click text message with automatic payload delivery. There isn't a notification when the message is received so the fiance wouldn't have known it was happening.
This zero-click iMessage exploit is unique to iPhones.
You missed my point.
With an adversary that sophisticated, the actual method of compromise doesn’t matter. If he had an android the result would have been the same. Or a flip phone, or a landline, or if he lived in a cave.
Your point is that the device doesn't matter. If Khashoggi and his fiance had Android devices and used an encrypted messaging app such as Signal (or something similar like Session, Briar, etc.) his abduction would not have occurred as it did (even if MBS and his cohorts had control of an operator at the telecom).
As I said, the zero-click exploit is exclusive to iPhones using iMessage. An Android device that receives a similar SMS requires the user's knowledge and willful intent in order to activate. The last zero-click SMS exploit had been patched back in 2015.
So the device (and protocol) does actually matter.
Let’s leave it at “there are android phones”. Unfortunately it is not at all supported for the majority of phones, and for the ones where it is possible, it will result in eg. the purging of camera firmware.
Why not, if one is better than the other? There is fanboyism, which is unproductive, and then there’s sober comparison of objective measures of privacy. And I want to know which is better. So as long as someone presents facts that help me make a decision I don’t want to censor them.
Yes definitely. There are a lot of nuances in privacy. As an example, take the approach to ML and assistants, where Google collects most of everything to train models on their servers, while Apple tries to anonymize things a bit (e.g. their “differential privacy” techniques).
That's my attempt to characterize it fairly, since I'm not a cryptographer and don't know how solid it is. Last I checked there were debates about that.
I'm willing to limit what apps I use and carefully consider what I install. I'm not yet willing to abandon my smartphone.
Choosing the lesser of N evils is a pretty common and often rational choice, in life and in engineering. May be not in this case, and it's good to be unsatisfied, but disregarding the debate just because neither option is great makes no sense.
Choosing the lesser of N evils only makes sense if one is acceptable.
If neither is, a choice is useless.
Both sides have an unacceptable amount of tracking and your choice doesn't really have any consequences.
Naively, because it only takes two suppliers in a market, for consumers to start playing them against each-other by switching to whichever one plays more to consumer preferences at any given moment, incentivizing the suppliers to compete to satisfy that consumer preference. Like a classical "race to the bottom" that lowers prices, but with some other factor that consumers care about instead of cost.
(Of course, this assumes people bother to switch. In reality, this isn't even true in oligopolist party politics, let alone in oligopolist markets. In practice, there need to be a lot more, smaller options before switching costs are forced down enough to encourage people to switch. In phone markets, this looks like how people switch somewhat easily between different Android device manufacturers for their next phone. If we could get phone Operating Systems working like that, we'd really have something!)
You're welcome to say whatever you want, but if you genuinely believe that the NSA gives preferential treatment to anyone from FAANG you're living a fever dream.
It's not about resources, it's about reach and jurisdiction. If anything, FAANGs have the most incentive to cooperate with the NSA because they're located in the US and have the most to lose.
The companies that can best resist the NSA are located outside of the US and EU.
What promise did Apple break with CSAM?
I fully support it. As designed, it shows Apple goes out of their way to protect privacy as much as they do children from being exploited.
A proper balance of interests.
Everyone, ostensibly. The only reason why they care about those companies is because they process an insane amount of data on a regular basis, so they will always go for the cheap wins first. I doubt it took any effort to convince Apple and Google to comply, since the alternative would be losing money (not an option to shareholders). Amazon was already under the NSA's thumb the moment they started working with domestic payment processors, and at this point the general public probably knows more sensitive info about Facebook than the NSA does. We could keep going down the Fortune 500 in such a manner, flagging people who process lots of data and determining what actual mitigation they put in place, but you'll quickly realize that they have all the information they need.
> On the other hand, who else besides FAANG has the resources to resist the NSA, at least in small ways?
US news orgs have a duty (implied by their extra-Constitutional protections) to ferret out NSA misdeeds but editors/journalists find celebs so much more intriguing.
Android that’s seen as Android in the mass market is also closed. The AOSP layer may be open source, but all the Google layers that make Android usable (for most people), such as Play Services, the Play Store, and Google apps, are all closed. Not any different from Apple in that respect.
I respect your hardline approach but for most people it's a rather soft thing. I want to be able to choose WHO i share my information with and under what conditions.
You can argue that once information is shared it's up for grabs by anyone but i argue that this is simply not true, it just feels like that it is.
We could do so much better and we should never forget that.
> You can argue that once information is shared it's up for grabs by anyone but i argue that this is simply not true
I think it is true. The old saying is that once you tell someone a secret, it's no longer a secret.
The ecosystem around mobile devices is just such that real privacy is impossible. That's not unlike many other things; pretty much any form of communication has this feature to one degree or another. There are just so many third parties and intermediaries involved in mobile platforms that's it's particularly bad.
Is there a privacy difference between telling your oldest, closest friend a secret and telling the office gossip?
Is there a difference between writing a secret in your encrypted electronic journal and posting it to facebook?
The issue with privacy absolutism is that it's essentially impossible to do it perfectly, so any tiny theoretical breach means you should pretty much just give up and tell the world, right? Or maybe there are more shades of gray than that and we can go ahead and evaluate the privacy implications of different activities with some more nuance.
> I don’t think a smart phone in your pocket all day with a GPS and microphone that you use as a central hub for all your communications, notes, research and appointments and so forth, can really be considered for its privacy
On the contrary. I don't have to consider the privacy implications of different paper notebooks - they all share a similar security profile being things that physical access is both required and sufficient for. For something like a smartphone, considering privacy implications of choices is vital.
Any conversation about privacy needs to be centered around the threat model:
Worried about state actors? More power to you, but good luck with that. Most people don't have the time, energy or paranoia (justified or not) to figure that out and keep on top of it.
Worried about stalker capitalism? Google is eagerly selling your data to the highest bidder = I have zero faith that their OS isn't snarfing up everything it can to sell to anyone who will pay. Apple has a different business model = I have some faith that they aren't selling my data.
Look how we selectively choose information and how that is bad for consumers!
iOS 14 released anti-tracking features in April of 2021. This article was released at the end of September, almost October, of 2021.
Yet, the authors choose to specifically use a version of iOS that was prior to these changes.
This is proof enough for me that the authors purposely skewed the data. This skewed data does not reflect reality, and so the data from this study is not data.
I hope the rest of this community is savvy enough to realize this article is attempting to dupe the readers into a false conclusion.
Or maybe the date of the publication does not imply that the data and the work were done exactly in the week before; sometimes a study might take more work than a blog post.