Privacy has become a very important issue in modern society, with companies and governments constantly abusing their power, more and more people are waking up to the importance of digital privacy.
In this community everyone is welcome to post links and discuss topics related to privacy.
much thanks to @gary_host_laptop for the logo design :)
This is really bad even just from the perspective of user behavior. Training people to scan QR codes from anything that looks like a captcha box is HORRIBLE for security.
"Thanks for scanning the code, just one more step! Please input your phone number, and type in the code you receive."
Boom, account stolen.
It's almost like they don't really care about your security...
If google requires me to permit other companies to leech all my personal data to be able to use anything on the Internet at all, I say we label Google, Microsoft, Apple as criminal organizations
I'm sorry, bit there have to be limits.
I. DO. NOT. WANT. TO. USE. ANYTHING. GOOGLE.
OR APPLE. OR MICROSOFT.
FUCK ALL THESE OLIGARCH COMPANIES INTO THE GROUND
I do not want my private data leeches and sold every day, I don't even get paid for it
well, I guess i will stop using those websites from my /e/os fairphone
What they are doing is way worse tban what you understood.
These QR codes will show on your Desktop PC and you will need an Android phone or an iOS device with a logged in Google QR code app to get past it.
so they are not only tracking you, but they are trying to reconnect your records across multiple devices.
And through the VPN
Ayup that has been the holy grail of big tech.
They are most of the way there today. Make Identity Resolution inescapable. Bing bang boom.
It is more than just phones and lappys too. It's everything. That smart TV. That fitness watch. That automobile. That streaming music service. The ebook reader you got as a birthday gift.
Your behavior across every single device is data gold. This is today's reality.
I wouldn't scan shit from a website. Random QR codes are a security risk. Just won't visit that website.
That's why you have to use the special google app that will protect you from all these dangers*
*and also collect all your data, sell it to advertisers and forward it to US surveillance agencies (for your own protection of course).
Sad thing is, that argument works against so many ppl. "I can trust this app. It's from Google!"
We(*) are tearing down personal computing. Brick by brick. The very idea of controling our own devs is getting lost. Replacing with Big Tech Feudalism.
(*) Not most of us here. But in the whole pop.
That would only make me install Graphene even harder if I wasn't already writing from a phone with it
This. Time to stand up to Google and completely boycott the surveillance tech that the US is deploying.
They should be fined so hard for this shit.
Every company that uses these captcha service should also be fined so hard. This isnt just google here.
Let's hope the EU prevents this from happening. We should be able to access every site we wish without Google's permission.
Fuck em. If websites use this, I don't need to see their shit or patronize their business. Google can eat a dick.
Not noticed it and fuck those websites. Happy to boycott.
How do you even scan a QR code if you're browsing on your phone?
You have to move all the black pixel blocks into the empty spaces and solve the puzzle to open the link. Than cenobites come out of your phone and show you pleasures beyond pain.
This does seem to work with sandboxed Google Play Services on GrapheneOS btw.
I scanned the demo QR code on Google's talk page about it with sandboxed Play Services enabled and it gave me a custom popup asking if I'd like to verify.
and you can do it from a second profile which contains none of your data.
Unless you're doing that from a separate device in a separate location then all you're doing is giving them the data they need to link those two accounts
You're right, you're not going to achieve complete anonymity if you're interacting with Google services in any way, but you can reduce the amount of information that they receive.
Sandboxed Google Play Services doesn't have privileged access to location information, so it can't pull your GPS location or Wifi Positioning information. It would only see a blank profile and doing this would allow for your primary profile to continue to not run Play Services.
Any malicious code which could be injected into the process would find itself in a sandbox, on a blank profile and isolated from the rest of the system.
Google would only see that you are authenticating from a profile without anything installed, from an unknown location and coming from whatever VPN endpoint that you'd like. They could possibly infer that the blank profile and your 'real' profile are different via browser fingerprinting. You can randomize a lot of fingerprinting datapoints with browser extensions, but avoiding browser fingerprinting is a whole other topic.
The 'real' privacy solution is to avoid anything that uses this version of recaptcha. However, if you have to use these services then you can still reduce the amount of information leaked via Play Services by using a blank profile to scan the QR codes.
Eventually privacy minded people like us will have to start creating and visiting sites on the dark web.
i have one myself, and I can tell you that grapheneos won't be affected by this. the real damage is to people using things like dumb phones or BSD, even windows computers are effectively locked out of the internet.
Apple and Google are gradually expanding their use of hardware-based attestation. They're convincing a growing number of services to adopt it. Google's Play Integrity API and Apple's App Attest API are very similar. Apple brought it to the web via Privacy Pass, which Google intends on doing too.
Google's Play Integrity API requires hardware attestation for the strong integrity level and is gradually phasing in requiring it for the more commonly used device integrity level. Apple already has it as a requirement. Over the long term, this will increasingly lock out hardware and OS competition.
The purpose of these systems is disallowing people from using hardware and software not approved by Apple or Google. This is wrongly presented as being a security feature. Banks and government services are the main ones adopting it but Apple and Google are encouraging every service to use it.
Apple's Privacy Pass brought hardware attestation to the web to help with passing captchas on their own hardware. Many people saw that as harmless since few sites would be willing to lock out non-Apple-hardware users. Apple and Google are both likely to bring broader hardware attestation to the web.
Google's reCAPTCHA is planning an approach where they use Privacy Pass on Apple hardware, their own approach on Google Mobile Services Android devices and a QR code scanning system to require an iOS or Google certified Android device for Windows and other systems:
er/16609652
Banking and government services increasingly require using a mobile app where they can use attestation to force using an Apple or Google approved device and OS. Apple's privacy pass, Google's 'cancelled' Web Environment Integrity and now reCAPTCHA Mobile Verification are bringing this to the web.
Current media coverage for reCAPTCHA Mobile Verification misunderstands it and the impact of it. They're bringing a hardware attestation requirement to Windows, desktop Linux, OpenBSD, etc. by requiring a QR scan from a certified smartphone to pass reCAPTCHA in some cases. They could expand it more.
Control over reCAPTCHA puts Google in a position where they can require having either iOS or a certified Android device to use an enormous amount of the web. Google defines certification requirements for Android which includes forcing bundling Google Chrome, etc. It's enormously anti-competitive.
Google's Play Integrity API bans using GrapheneOS despite it being far more secure than anything they permit. It also bans using any other alternative. This isn't somehow specific to an AOSP-based OS. You can't avoid this by using a mobile OS based on FreeBSD instead. You'll just be more locked out.
Google's Play Integrity API permits devices with no security patches for 10 years. The device integrity level can be bypassed via spoofing but they can detect it quite well and block it once it starts being done at scale. The strong integrity level requires leaked keys from TEEs/SEs to bypass it.
It doesn't provide a useful security feature, but it does lock out competition very well. Services requiring Apple App Attest or Google Play Integrity are primarily helping to lock in Apple and Google having a duopoly for mobile devices. Play Integrity is more relevant due to AOSP being open source.
Governments are increasingly mandating using Apple's App Attest and Google's Play Integrity for not only their own services but also commercial services. The EU is leading the charge of making these requirements for digital payments, ID, age verification, etc. Many EU government apps require them.
Instead of governments stopping Apple and Google from engaging in egregiously anti-competitive behavior, they're directly participating in locking out competition via their own services. Requiring people to have an Apple device or Google-certified Android device is anti-competition, not security.
reCAPTCHA Mobile Verification will currently work with sandboxed Google Play on GrapheneOS but it clearly exists to provide a way for them to start using hardware attestation on systems without it. People without an iOS or Android device will be locked out when this is required even without that.
This isn't about security or any missing functionality. GrapheneOS can be verified via hardware attestation. Google bans using GrapheneOS for Play Integrity because we don't license Google Mobile Services and conform to anti-competitive rules already found to be illegal in South Korea and elsewhere.
Services shouldn't ban people from using arbitrary hardware and operating systems in the first place. Google's security excuse is clearly bogus when they permit devices with no patches for 10 years but not a much more secure OS. It's for enforcing their monopolies via GMS licensing, that's all.
Can we trust that isn’t a campaign to promote Google? What are these websites? Why aren’t they blocking an iPhone? Can any of that be replicated or is this just a Google campaign to create fear and doubt
GrapheneOS user here! Not sure about websites but there are certain apps that don't work properly without Google Play Services, but Graphene's app store has a sandboxed version of it, so I just installed that and revoked all it's permissions. Then if an app needs it, I just turn on the relevant permission, do the thing and then turn permissions off again. It's a bit of a pain at first but I'm used to it now.
Note that some apps will say that they won't work without GPS, but actually will if you give it a try.
Its basically forced by Google. I mean who wouldn't force it after someone deliberately removes your government sanctioned spyware. See if people stopped calling it google or Apple and just USA spyware with backdoor to your lives it would be better at getting to the privacy issues. I mean the NSA already proved this is a fact.
Need to break up these monopolies. Really the root of all bad about capitalism.
The "root of bad" is capitalism itself, the logic of the system tends to create monopolies over time, as demonstrated in the game 'Monopoly'
I wont visit a website if they require my identity. Other options out there.
what will this mean for the upcoming motorola phones that can come with gOS installed?
They're still subject to the same dumbassery Google is trying to pull. Any OS that doesn't conform to Google Play standards is a target.
When my current iPhone dies, I'm never having a smartphone ever again.
You can install Google Play Services as a sandboxed app on GrapheneOS. That's not the issue. I believe the issue is that Google will use hardware attestation to check if the OS you're running it on is Google-approved.
You can still go graphene and isolate play services in a secondary profile.
For a better future: Organisations and services that structure themselves to require third party services need to take contractual responsibility for the actions in their fulfillment supply chain, just as an online retailer takes responsibility for delivery agents. Google play services harvesting needs to be reflected in the privacy policy of every company that doesn't provide alternative access.
Wonder what will happen if we all start making data protection complaints about enforced non contractual third party data harvesting?
Sites need to stop using recaptcha. It's an unnecessary barrier to using a site and I often refuse out of principle.
I run e/OS/. Block me. I'm good. There is plenty out there that doesn't require Google.
I'm using Firefox on GrapheneOS and recaptcha still works normally for me.
Smartphones are such an utter wretch nowadays, & I'm not even sure if there was a time they weren't. I don't get the appeal of a smartphone, they do everything a dumbphone does but worse, more expensive & with an unremovable thick layer of scum, yeah a smartphone has some of the features of a laptop or desktop but who needs that baked into their phone for every moment?
People are trying so hard to fix smartphones (even by giving money to the least privacy respecting companies ever by buying Google phones) when they can get a dumbphone and be rid of those problems in the first place. Well that's my opinion at least, I think it might be a bit extreme.
