- cross-posted to:
- privacy@programming.dev
- cross-posted to:
- privacy@programming.dev
You must log in or # to comment.
You can install Google Play Services as a sandboxed app on GrapheneOS. That’s not the issue. I believe the issue is that Google will use hardware attestation to check if the OS you’re running it on is Google-approved.
The Recaptcha QR code verification does work on GrapheneOS for now and there is a standard select the swuares fallback. Recaptcha is also entirely optional for a website and they can easily pick any competitor like hCaptcha if they want.
For a decade or two now, it’s been pretty much assumed that everyone has an internet-connected, camera-equipped, browser-capable device in their pocket. Restaurants, banks, hospitals, employers and even government offices use QR codes and websites to get you to their menus, forms or services.
If ID is being tied to my mobile spy device, then I need my mobile spy device to be a right and not a luxury. $40-50 for a few years of validity, internet access provided at no cost, even if slow. I can have my luxury phone be where I’m ‘anonymous’, but I want the government to subsidize the mobile spy device if it’s a mandatory expense. Even cheap phones cost a lot of money.
To be clear, I don’t want ID tied to my phone, but it’s gotten harder to exist without one, so it should be something we have access to with minimal friction.
Add food, water and shelter to that list, but you can’t ask for them without a web browser.
Most of the time, my phone’s browser is disabled. It keeps me from using my phone too much. I understand not everyone is in a position where they can do that though.
eww recaptcha,spyware piece of shit.
Lol, ok, I’m out
This is really bad even just from the perspective of user behavior. Training people to scan QR codes from anything that looks like a captcha box is HORRIBLE for security.
“Thanks for scanning the code, just one more step! Please input your phone number, and type in the code you receive.”
Boom, account stolen.
true
It’s almost like they don’t really care about your security…
And the phone number thing is already happening too. Google, discord and probably other stuff already ask for a phone number to prove you are a human when they flag your account.
It’s a server setting. one of my oldest servers has enabled this and I haven’t chatted with anyone there anymore because I need to verify my phone first.
well, I guess i will stop using those websites from my /e/os fairphone
That would make the two of us. My Fairphone 3+ is still kicking well with /e/OS.
And nothing of value was lost. I’m over social media, over commercial apps, and maybe I’m over having a mobile phone, too.
If google requires me to permit other companies to leech all my personal data to be able to use anything on the Internet at all, I say we label Google, Microsoft, Apple as criminal organizations
I’m sorry, bit there have to be limits.
I. DO. NOT. WANT. TO. USE. ANYTHING. GOOGLE.
OR APPLE. OR MICROSOFT.
FUCK ALL THESE OLIGARCH COMPANIES INTO THE GROUND
I do not want my private data leeches and sold every day, I don’t even get paid for it
That and fine them to oblivion. Piece their companies into parts. Make it all open source for the OS’es. Give ownership of companies to all the people. Etc. Lots and lots that can be done
I almost came reading this rant. Thanks for bringing this so much more eloquently to the point.
They should be fined so hard for this shit.
Every company that uses these captcha service should also be fined so hard. This isnt just google here.
And every company that is relying on gsm or the apple pendant to verify anything.
A fine is brushed off in a quarter. They should be forced to split into seperate companies.
What you said and my comment response to the person we both responded to
And forced to open-source their OS’es. And have to make their communities owned by the people instead of corpos. We are all beyond pissed and done with their shit. Everyone get more people on board into the movement daily to be focused on getting things done together!! Keep each other in the fight with online and in-person communities
Let’s hope the EU prevents this from happening. We should be able to access every site we wish without Google’s permission.
We should all be encouraging Europeans to:
- Force Android and iOS to be given to the people to own and open-source the OS fully in EU with GPL license
- Fine them to oblivion if they do not cooperate
- If they try to double down then piece up their companies into parts
We all tired of their fucking shit. Everyone keep getting people active and informed on all this!! Together anything is possible!!
The EU is busily building the Fourth Reich, so don’t expect help from there.
LOL, whatever you’re taking, stop, it’s doing your brain in! :D
The ongoing battle against online privacy is a symptom of capitalism, the EU is a capitalist state. The only thing the EU would ever do against US-based capitalism is to gobble up those capital gains for themselves. It doesn’t matter if it happes or not, the privacy-issues for end-users would never be alleviated by the EU.
From what you’re saying, they would’ve already introduced all those capitalist methods of control the first time around.
Which they didn’t.
What gives?
Also: the EU is literally incapable of “gobbling up capital gains for themselves” because “themselves” doesn’t exist in this context - the EU is not a “State”. The member-states might (and some do).
I see you have no clue. You will learn, eventually.
Go ahead, teach me.
Yeah, sure, at a really slower pace than USA. Maybe in a century. They still care more for their citizens Trump ever did.
Please elaborate.
Not noticed it and fuck those websites. Happy to boycott.
How do you even scan a QR code if you’re browsing on your phone?
You have to move all the black pixel blocks into the empty spaces and solve the puzzle to open the link. Than cenobites come out of your phone and show you pleasures beyond pain.
Drives me crazy how common this is too
Really? I don’t remember seeing it so far…
The “Mobile Verification” option “will initialize the reCAPTCHA app on your device”.
Mirrors
Google lens. :facepalm:
exactly …
Default GrapeneOS camera app has a QR code scanner
And how can the camera scan its own phone screen for the QR?
My solution is take a screenshot and then open the file in a separate QR reader app that can open files.
I think apps can have screenshot permission, so just by using that feature
Why would I give an app screenshot permission? That is such a security nightmare.
The answer is always convenience. Me stating that something exists doesn’t mean I blanket approve of it
This does seem to work with sandboxed Google Play Services on GrapheneOS btw.
I scanned the demo QR code on Google’s talk page about it with sandboxed Play Services enabled and it gave me a custom popup asking if I’d like to verify.
and you can do it from a second profile which contains none of your data.
Unless you’re doing that from a separate device in a separate location then all you’re doing is giving them the data they need to link those two accounts
You’re right, you’re not going to achieve complete anonymity if you’re interacting with Google services in any way, but you can reduce the amount of information that they receive.
Sandboxed Google Play Services doesn’t have privileged access to location information, so it can’t pull your GPS location or Wifi Positioning information. It would only see a blank profile and doing this would allow for your primary profile to continue to not run Play Services.
Any malicious code which could be injected into the process would find itself in a sandbox, on a blank profile and isolated from the rest of the system.
Google would only see that you are authenticating from a profile without anything installed, from an unknown location and coming from whatever VPN endpoint that you’d like. They could possibly infer that the blank profile and your ‘real’ profile are different via browser fingerprinting. You can randomize a lot of fingerprinting datapoints with browser extensions, but avoiding browser fingerprinting is a whole other topic.
The ‘real’ privacy solution is to avoid anything that uses this version of recaptcha. However, if you have to use these services then you can still reduce the amount of information leaked via Play Services by using a blank profile to scan the QR codes.
You’re right, you’re not going to achieve complete anonymity if you’re interacting with Google services in any way, but you can reduce the amount of information that they receive.
its not even about complete anonymity. google has zero business in when I’m logging into my utilities company account, or other semi-governmental portals!
it literally is their business; they make millions of dollars off of it.
then that’s a problem we must solve. Because an adtech company should definitely not have any business in that.
it has been solved for approximately 2 billion people on this planet, but those answers are not friendly to profit-seeking institutions like google and the only remaining institutions that can stop it are captured by the likes of google
That’s assuming they know I have another account
Eventually privacy minded people like us will have to start creating and visiting sites on the dark web.
Sheesh, using alternative sites instead of Facebook and Reddit isn’t using the dark web.
if they add this requirement for the “I’m not a robot” technology this affects way more than stupid Facebook, reddit and the likes, most things behind anti DDoS use this shit.
I find this very dystopian, and there are not many “oh I’ll just visit the sites than don’t have it” alternatives. You might as well just open IRC and be done with it, I tend to visit a bit more of the internet (even if I haven’t visited Facebook, Instagram and the likes in years)
Ayup absolutely. Those co’s have such weight. They can drive this into essential services. Banks. Gov services. All online stores. Heck even sites that don’t need logins.
It’s short sighted to say “I’ll just use other sites then”. The end of that road is, we get excluded from modern life.
You’re so right, it’s dystopian.
Isn’t it, though? (At least according to the masses)
No fuck that we must continue to grow the movement and get more people on board. We don’t give in to those rats and their garbage they try to put on us. Together we all can do together. Fuck them. Many of us already are doing and the more the better
No need for that, just spin up a nginx with letsencrypt certs. Most people don’t need Cloudflare.
Can we trust that isn’t a campaign to promote Google? What are these websites? Why aren’t they blocking an iPhone? Can any of that be replicated or is this just a Google campaign to create fear and doubt
GrapheneOS user here! Not sure about websites but there are certain apps that don’t work properly without Google Play Services, but Graphene’s app store has a sandboxed version of it, so I just installed that and revoked all it’s permissions. Then if an app needs it, I just turn on the relevant permission, do the thing and then turn permissions off again. It’s a bit of a pain at first but I’m used to it now.
Note that some apps will say that they won’t work without GPS, but actually will if you give it a try.
some of them are now straight up refusing to run without the play store.
Then they don’t deserve your business
Man, I want a phone with physical kill switches for things like Wifi, GPS, Bluetooth, because a lot of things seem to detect when these things are turned ‘off’ by software. Wonder how they’d react if in software, GPS is enabled, but the actual hardware is not powered at all
pine phone
They most likely won’t work. Just speculation, but I would imagine most software that “needs” information like GPS don’t care that its on or off, they care that they try to pull data and there is none.
I’d say making a 2nd user for the apps that need Play Services (like banking and Uber/Lyft) is the move. This only allows Play Services to run when the 2nd user is on and also fully seperates it from the main user!
Oh yeah that’s something I’ve been meaning to look into!
I’m a grapheneOS user and I don’t have any google services installed. I havecyetvto hit any major issues with any apps or websites I use. Lucky, maybe?
The main ones for me are the RBC app, Skip the Dishes and Communauto. But I think those might all be Canadian?
I am Canadian. I don’t use the rbc app, I use a different bank and use their website. I alao use the skip website when I order there, but I’ve never heard of the third one.
Because the iPhone has their own spyware to prove you’re a
productuser.
https://support.google.com/recaptcha/answer/16609652?hl=en
https://blog.cloudflare.com/how-to-enable-private-access-tokens-in-ios-16-and-stop-seeing-captchas/Interesting. Definitely turning that off. (As if it actually turns off)
If you turn it off, you’ll have to do the captchas manually.
Yeah I’m okay with that.
I just do them wrong, after a few tries it lets me through
Its basically forced by Google. I mean who wouldn’t force it after someone deliberately removes your government sanctioned spyware. See if people stopped calling it google or Apple and just USA spyware with backdoor to your lives it would be better at getting to the privacy issues. I mean the NSA already proved this is a fact.
Haven’t encountered this yet, has it been let loose in the wild?
Good point, this would have to work on iPhones too and people without a phone would just not be able to use those websites at all.
I just loaded a bunch of recaptcha on my GrapheneOS phone. So, I dunno what this is all about.
Yeah exactly. Millions of websites? Which ones? Though I don’t see how this would benefit google
@meowmeow because iPhone is already doing what Googles Playstore is now going to do
