
>Anonymity on the internet is dead

All thanks to advertising companies. What a rotten state of affairs.



We may nerd out over their open source and tech, but aside from a few for-pay services (Apps for Business, Firebase, dev cloud, etc) Google is the largest advertising company in the world. When you choose a Google product, you are choosing that.


All thanks to the users of advertising companies who trade privacy for free or cheaper stuff. We used to have paid, more private tech. Still do actually. Almost no money in it with bankruptcies and acquisitions by shady firms more common than getting on Global 2000.


This feels a bit like blaming unsafe working conditions and 12-hour work days at the beginning of the industrial revolution on workers, because they signed the contracts (this was the prevailing narrative from factory owners at the time too).

At some point, society came to the conclusion that the workers and factory owners were not on equal footing, and so rules were instated, despite strong protests from the factory owners that contract law was sacrosanct and workers should be free to agree to anything.

Perhaps it's time for regulation to solve this dilemma?


People LOVE their phones and the functionality it provides, this is not analogous to being forced into shitty miserable manufacturing jobs to buy food for your kids. You can buy a dumbphone with a contact list that makes calls, but people don't.


That's actually a good example. Many honest people and criminals alike who value privacy are buying feature phones with no background apps, GPS turned off, and sometimes battery out. Been going on a long time. Great improvement in privacy or odds someone (outside nation-state) is going to remotely snatch your secrets. There's also regular press releases showing smartphones have lots of hackers targeting them.

Yet, people buy iPhones and Androids instead. They wanted those features over privacy or security. Next step was people posting hardening guides plus making private apps for these. Most people still didn't use them. Next step, given that and low sales of "crypto phones," was to make new crypto phones & mobile solutions that pre-hardened Android, pre-supplied key apps we needed, and provided things like remote wipe. Most people and businesses don't buy those even if the price gets down to a normal smartphone.

I mean, what else is even left to do to appeal to majority who won't buy a fully-featured, privacy-enabled, Android phone for Android prices? At this point, I feel comfortable saying the buyers are the problem or (said differently) they have a clear preference against any private phone companies produce. They're for existing UX, tons of apps, more tracking for app's features, cloud backups providers can read, faster, prettier, and so on. Everything that enables hackers.

So, I suggest companies just say "Screw it! I'm just going to do a marginal improvement on whatever customers want while making excuses when problems happen." Since telling them it's their own choice doing it or offering them a secure phone will both lead to financial losses.


This is a very good reply. My hat off to you.

That being said, could you give us a good example for these privacy-enabled phones and apps? I am willing to make a collection out of these and write a guide on hardening Android. And I am not just talking apps that are incredibly hard to use; I mean the better generation of them who are actually mass-audience-friendly.

Of course we must not forget that Android phones could have a backdoor at the kernel or even at the hardware level. But I still think we should do the best that we can. As many security researchers say, you aren't absolutely breach-proof, but if you work hard enough you're not a target that's worth the effort, especially having in mind you're not a legitimate threat to any government.

I view this sort of like the people who got away from the Matrix in the movies; as the Architect and the Oracle implied, as long as these people aren't an escalating threat for the entire system, they're allowed to live however they choose.

What's your opinion on the Turing Phone and Sailfish OS in general, by the way? Do you think that it gives us a fair progress in the direction of the more snoop-proof end-user tech?


I'm going to focus on voice as messengers are all over the place. People originally wanted secure voice. They started out as custom or value-added devices that, if worth a crap, often had special protections like dedicated IC's for crypto and TEMPEST protection:

https://electrospaces.blogspot.com/2012/06/highly-secure-mob...

Those were usually very simple. A good thing compared to modern ones. They all cost in the $1,000-3,000 per unit range due to extra costs and low volume. Sectera Edge was probably most secure and rugged. Cryptophone was easy to use plus had nice features like hardened Windows and published source for crypto. You basically called the person, read out what was on your screen, listened to them do the same, and listen to each other's voices to make sure you recognized them. It was favorite outside of just defense use. Switched to Android later. That's the demo I found.

http://www.cryptophone.de/en/products/mobile/

https://www.youtube.com/watch?v=RchMr2B1KuU

Note: The letters you see are the codes you read.

These were pretty expensive. So, companies started developing software for regular phones... often one or two models... that turned them into encrypted phones optionally with hardening. Prior list had some. SecureStar (PhoneCrypt), SecureGSM, and Cellcrypt come to mind. Eventually, recognizing encryption wasn't enough, this segment sort of combined with Android and other software to produce dedicated phones that were cheaper than older cryptophones. Well, some of them haha. Two examples with second being the open Redphone.

https://www.youtube.com/watch?v=8TIBtOdioYE

http://www.pcmag.com/article2/0,2817,2415410,00.asp

Examples of the phones produced include Boeing Black, Bull Hoox, the Cryptophones, and recently the Blackphones w/ Silent Circle. Blackphone was among the cheapest we saw at regular, smartphone prices. It was common for crypto phones to come with voice and SMS at least. Blackphone added quite a few privacy-oriented apps over most to be all-in-one solution. I remember that as an advantage.

https://www.silentcircle.com/products-and-solutions/devices/

Far as messengers, we have good open ones these days so I mostly forgot the others outside cryptophones and above. Signal is super easy, free, and quite secure. Main recommendation. There was also ChatSecure and TextSecure. Given open ones, no reason to trust commercial ones since subversion and BS is high in this industry. Still worth looking at them for how they do usability aspect to increase adoption. I know Threema got significant adoption. Worth looking at. I'm open to others' suggestions here on crypto apps with good security protocols that also have great usability. Thing is, if it's really end-to-end, usability is inherently lower than centralized one due to verification aspect. Anything truly frictionless is suspect in my view with Signal representing the high end of what I'm expecting.

Bruce Schneier, for Congressional submission, did ask us all to list as many crypto products as possible for him. You might find something of interest there. Here's that thread:

https://www.schneier.com/blog/archives/2015/09/wanted_crypto...

https://www.schneier.com/blog/archives/2016/02/worldwide_enc...

Note: Also, the original way we did this outside expensive cryptophones is called Voice over Secure IP (VoSIP). That means you set up the strongest VPN (or link encryptor) between two points that are communicating. Then, you force a normal app to go through it. One can automate this process so it's painless for users. Often stronger than average secure voice app given what scrutiny goes into some implementations of transport-level security. Or existence of dedicated lines between branches.

"I view this sort of like the people who got away from the Matrix in the movies; as the Architect and the Oracle implied, as long as these people aren't an escalating threat for the entire system, they're allowed to live however they choose."

Possibly but don't count on it. Depends where you live. The U.S. increasingly targets harmless citizens with anything it can up to and including just stealing their money without charges under civil forfeiture laws. Just using Tor or crypto is grounds for NSA to put increased scrutiny on you per the leaks. So, this isn't guaranteed. Keep real secrets off online or wireless devices period. Face-to-face only. The rest we have to keep doing more and more to protect. Can incrementally deploy it, though, where sales drive increases in not just features but assurance of more of the stack. My recommendation.

"What's your opinion on the Turing Phone and Sailfish OS in general, by the way? Do you think that it gives us a fair progress in the direction of the more snoop-proof end-user tech?"

Let me help you out by showing you what all they have to protect. You can look at this list, look at the marketing/technical material, and usually tell if it's going to be victim to future attacks.

https://news.ycombinator.com/item?id=10906999

By those standards, the above aren't even close. I haven't studied these phones where I can say much more, though. I do like aspects of Sailfish in terms of a more open phone but it's still owned by one company from Wikipedia's description. That one also licenses key I.P. in proprietary fashion. So, there is risk of it being another Google Android situation. Turing Phone article I read on Wired sounds like a pile of marketing BS plus lock-in waiting to happen. People are better off using apps like Signal, Redphone, Cryptophone, or Silent Circle that at least come from people who know what they're doing. Who we know have a track record. That's my (common) initial impression.


Thanks a lot! Bookmarking and downloading your reply. I'll most certainly use the following months to try and find the perfect balance between usable and secure app.

Sadly, on the topic of the Turing Phone, I suspected as much. I really like to believe but yes, they're quite new to the market and are still closed in terms of what they use for this alleged "more secure" phone/OS. I'm still interested but my enthusiasm is not so high compared to the time of the original announcement...

I wanted to use Signal several times but I have to admit, its use-case and convenience points aren't looking well. I'll take a more serious look, though.


The big issue with Signal at the moment, is that it doesn't work on AOSP.

You can't use it without installing closed-source Google Apps (Play Services for GCM at minimum), and means you agree to hand over your phone metadata to Google (per the OP's top-thread). Moxie has stated he is open to consider high quality PR's to add Websocket functionality. (Removing closed-source binary blobs would be a prerequisite to distributing on anything other than Google Play too though, which Moxie's also said isn't on the roadmap - I assume primarily because of resources).

In the meantime, Conversations.IM has OMEMO and Vector.IM has Olm/MegOlm.

There's not a lot of good voice options. Vector.IM's just added WebRTC, which is meant to be DTLS secured. CSipSimple does ZRTP, but it hasn't been updated in a long time.

None of the apps mentioned above has been audited and scrutinised to the extent Signal has.

If you really need privacy & security, CopperheadOS is the only Android distro AFAIAA that fits the bill at the moment.


Thanks for the tips on other apps and the Android distro. Much appreciated. Far as Signal issue, I did find this:

https://www.reddit.com/r/gnu/comments/4cd451/libresignal_sig...

Perhaps some more volunteers putting effort in could remedy the situation.


You're welcome. Unfortunately, LibreSignal was shut down due to: https://github.com/LibreSignal/LibreSignal/issues/37#issueco....

I wouldn't pin too much hope on having a high quality PR written and integrated back to Signal soon. It doesn't look like a top priority for them. OWS also like the telemetry that Play gives them for diagnostics and have stated they won't be looking at FDroid unless someone can replace that.


Thanks for the link. That conversation was a bit disturbing as I read on. Least Moxie is allowing the code to be used.


Also remember that the factory owners at the time screamed that they could not afford any changes and it would bankrupt them and destroy the economy.


I don't defend the creepy advertisers but banning their crap would bankrupt and destroy them.


And imagine the online world losing both Google and Mozilla. Or development of Firefox, Chrome, and Android slowing to a crawl as they went paid or donation-only. Big companies would win in browser and mobile market by default.


Red Herring.

Fixing the funding model is an independent problem.

I'm not saying that advertising and software development aren't presently linked through funding. But the process is _fundamentally_ unbundled, through the vehicle of Free Software development and licensing.

The costs for advertising are approximately $500 per year per capita in the developed world (~1 billion persons), plus all the associated privacy, surveillance, security, and chilling-effects risks.

A shift of that basis from advertising to a syndicated content-and-development support tax would cut the cord between both advertising and content, and advertising and software development. Treating both writing of content (fiction, nonfiction, journalism, research) and software development as public goods could achieve some very strong social benefits (or at least present a different set of problems for us to jaw over on HN, though the concept of a technology startup incubator might also see some ground shifts).

Bust out of that box a bit, Nick.

Detachable headphones and mics.


"Fixing the funding model is an independent problem."

Oh no, it's a very intertwined problem. One is only likely to succeed in business using models that are shown to work. A browser, secure platform, and so on is usually tens to hundreds of millions in labor. The only companies that have pulled that off either used premium, licensed software (eg Microsoft) or advertising (the rest). There's scores of attempts at alternative, business models to break into all these ad-dominated markets. Almost none of them work. So, this is important.

"through the vehicle of Free Software development and licensing."

It's possible but few have been built that way. There's a bunch of small players trying in the secure collaboration space. Making almost no money. Used iMessage, Facebook Messenger, WhatsApp, and SMS instead. The ones making it, almost none in privacy, seem to be outliers that have lasted quite a while or VC-funded ones that we shouldn't trust due to sell-out risks.

"The costs for advertising are approximately $500 per year per capita in the developed world (~1 billion persons), plus all the associated privacy, surveillance, security, and chilling-effects risks."

Better to look at what it costs to develop top-notch products vs what they make on advertising, proprietary licensing, and FOSS licensing/support. What they make and if it justifies continuing the offering matter more than the $500/yr they probably haven't heard of. It's new to me, too.

"Treating both writing of content (fiction, nonfiction, journalism, research) and software development as public goods could achieve some very strong social benefits (or at least present a different set of problems for us to jaw over on HN, though the concept of a technology startup incubator might also see some ground shifts)."

I agree. It's just that 90-99% of buyers don't consistently for a decade or so.

"Detachable headphones and mics."

Mine and some others' designs call for simple switches that cut power or connection to mic, camera, and so on. That's doable if people want it. I'm also for jumper- and/or crypto-enabled updates of firmware that are tamper-evident. Also doable.

"Bust out of that box a bit, Nick."

The model I've been considering is to get proprietary vendors to each contribute a bit of their revenue to the development of OSS dependencies. These might even be new proprietary vendors that are starting for the purpose of pushing better, paid software plus new models. The idea is that each of them contribute to say a mobile OS, a SSL library, a Linux/BSD, disk encryption, secure backup, and so on. As they improve and succeed, so do the critical components they are sponsoring. They can include it in the marketing material for customers along with examples like Heartbleed that came from supporting competition that didn't invest in critical infrastructure. So, there's immediate benefit, long-term maintenance, and public good all in one package. Selling the participants is the hard part here.

Note: I also thought getting CompSci people developing bug hunting or code generation tools to use them on these projects with their grant money would be nice, too.

Note 2: We haven't even gotten to the risk of patent suits on these companies whose business models have nowhere near as much money for lawyers or buying patents as those suing. That makes situation more dire at least in U.S..


The problem is separable in that it is conceptually possible to make organisation for software development independent of the business organisation that uses it. We've had this in the past, we have it now, though typically in smaller pieces. It's largely how Unix was developed (an unlikely consortium of a company which quite literally wasn't allowed to sell the product, but could make use of it, and a group of academic institutions in need of both computing tools and training projects), Usenet, the WWW, Linux, Apache, Debian, and more.

Your point that many Free Software projects make little money (at least as Free Software projects) misses the more salient point that they generally don't need to. Scratching itches, low barriers to collaboration, and solving problems in other application spaces makes this possible.

The giants' very reliance on vast revenue flows is also a vulnerability.

And no, I'm not arguing that costs disappear (though efficiencies do appear), but rather that they're distributed and loaded throughout numerous other organisations and activities making money on their own.

The "90-99% of buyers" problem is precisely why you look at funding alternatives which bypass per-copy market sales. I've been looking into the history of publishing and creative works, it's an interesting space. Patronage, busking/performing, crown sanction (essentially a content tax), BBC tax, etc. Information goods and markets interact very poorly: https://redd.it/2vm2da

(UC Berkeley / Google economist Hal Varian has an extremely similar treatment which I ran across recently.)

The detachable headphones and mics comment was a reference to an earlier exchange we had, I thought you might recall it.

Your bust-out-of-the-box model isn't too far from what I'm suggesting for content tax/syndication. Whether voluntary (free-rider problem) or compulsory (politically difficult but possibly inevitable) you're distributing contribution to a shared resource. Much as, say, we ended up with language or the law.

Patent threats are also somewhat diminished through small pockets (less attractive target), or might be addressed specifically via legislation and/or international treaty. Say, something with a different philosophy than the TTP, TTIP, TiSA, and BITS crud being shoved down our throats by Google, Apple, Amazon, Microsoft, IBM, AT&T, et al.


The fun thing is that I have been suggesting that MS sell Windows to a non-profit foundation for a while now.


"This feels a bit like blaming unsafe working conditions and 12-hour work days at the beginning of the industrial revolution on workers, because they signed the contracts (this was the prevailing narrative from factory owners at the time too)."

That would make more sense if various companies didn't sink $1+ billion into more robust systems and software over the decades that most users & developers intentionally avoided in favor of what was faster, cheaper, supported buzzword/feature X, and/or was known unreliable/insecure. They make the same tradeoffs today. Look at use & tradeoffs of Facebook Messenger vs WhatsApp vs Signal vs Threema [1]. Even when cheap/free and easy, vast majority will not make slightest effort for increased security and privacy.

[1] Not endorsing Threema so much as to say it was quite marketable & good example of what should get more adoption if users aren't to blame.

Itanium got posted here recently, too. It had enhanced reliability, stack protection, read/write/execute per page, and memory key isolation if one wanted it. Most server software that was mission critical continued to run on Xeon x86 instead of leveraging improvements in Itanium even when portable source was available for mere re-compile to Itanium. Why? Xeon was cheaper and took no extra effort.

Rinse, repeat for all kinds of software and tooling. There's often supply but little demand that pays. Which sucks extra here given high reliability or security costs more not less for producers. There has to be sustained demand that will pay at least 30-50% premium to develop each component or app. Since there's not, the companies are entirely justified in producing unreliable, insecure or surveillance-oriented garbage for people that exclusively use or buy such things. And the buyers are to blame wherever there were clear alternatives that were inexpensive given their choices collectively decide the issue.

"Perhaps it's time for regulation to solve this dilemma?"

I supported that on Schneier's blog with specific points showing where market consistently fails (even for itself) and how regulation would help:

https://www.schneier.com/blog/archives/2011/09/an_interestin...

Despite low demand, I also actually write a counterpoint justifying continued focus on niche that cares about quality/security with recommendations for "low-cost but high-value" practices to deliver that profitably as a differentiator. What's in this post is an example of how my software liability argument in other one might play out. Regulations would enforce stuff known to knock out problems consistently to form a better baseline without driving up cost or having vague stuff prone to frivolous lawsuits.

https://www.schneier.com/blog/archives/2013/03/is_software_s...


> All thanks to advertising companies

No, it's all thanks to the availability of cheap storage and video cameras and fast internet, driving the price of recording almost to zero. Couple that with the love people have for mobile phones, which are spying devices.


Aww come on, give the NSA some credit!



