Fresh perspective on privacy

[Watchinufrap]

Got a HTC phone the previous day, still waiting for the stupid sim to activate, Android honestly was not my first choice of Phone OS but it's the only one available unless you want to pay 750 dollars for an Iphone.

Everything else is either Nokia which is allways sold for far more than their worth and they still haven't got all the kinks out of their browser which is a dealbreaker.
anything else is outdated slow GSM shi- with old tech and software.

I've read around with some discussions, and i am concerned about privacy i am fully aware of the location and GPS settings which i disabled upon setup.
I think there's a bit of a deadzone of information when it comes to everything else, i prefer a phone with a self contained OS much like a PC, it's only when you go online that you have to be vigilant, i know many people trust google with their private and sensitive info, i do not, nor do i trust Apple, my Itunes has no real info and a prepaid credit card with no name or any details that are really unique or personal.

I think Google or at least Android needs a neutral Ombudsmen or privacy department that reviews and tests Mobile OS's to make sure they comply with laws and respect consumer rights.
As we all know, Apple liked keeping their little ongoing tracking and tracing feature secret, and their appalling patented security technology dubbed traitorware is not helping their image.

Do any of you know much about how Android works in the ways not specified in the general privacy policy? at the moment it looks like Android is an OS that generally works offline as much as any other mobile when not being used and just on standby, i only bought a smartphone for web browsing that is crisp and intuitive and loads so quick you won't have time to go and take a leak to pass the time.
These days people's smartphones are becoming their digital analogue of a personal diary which they carry around at all times, as you know reading someone's personal diary is very rude and a scornful practice, so it's important to me that i know how contained and private using my Smartphone really is, knowing means that you know how to go about making sure that it's a convenient device, and not something that can be used against you for malicious purposes, google isn't really about that, they don't care about you, they just like making money, but they too often are a Stalkers best friend,
I know of people who have had ALLOT of problems with their bank details being acquired from their smartphone which was thefted from them, and did not have the proper security details (some people are too lax)
But this does not remain with technology, even old media documents on paper can be abused, which is why you should burn and or shred your bank receipts health related mail or anything else before disposing of it.

Sorry i am rambling on, but i felt it important to show where i am coming from with this.
Always remember, that Google's business practice can change, for the worse, and or, if Laws change, say by governments of countries that would have particular interest acquiring people's info which google keeps, could have serious future consequences, especially in countries where free speech is NOT a guaranteed right, so it is always make sure that anything too personal or sensitive leaks from beyond our control.
I want to do just that, and would appreciate any insights people have.

Basically i think it's also our duty us Android Utilizers to bug Google for this info, and make a kind of collective demand on how we would prefer things to be in regards to using Android with a degree of it being our phone/s and what we do with it is our business unless we consent, and what we are and are not comfortable with.

 

[Arual]

I am a new smartphone user and I was wondering about this very subject. I would love to do my banking on my phone but I'm abit nervous about doing such thing. I just don't know what precautions I need to do, or need to set up on my phone, before doing such things.

 

[Martimus]

I suspect similar arguments can be made regarding Apple's IOS, HP's WebOS, Microsoft's WP7, etc.

In my opinion, a defining difference between Android and the other OS's is that Android is, for the most part, open source. With most versions of the OS, Honeycomb excluded, if you want to see what the OS is doing, you can typically find a copy of the source code online. This follows in the footsteps of Android's logical OS ancestor, Linux.

And, to be honest, similar concerns can also be voiced about modern PC operating systems. How many people are comfortable performing financial transactions on Windows or MacOS, both of which are closed and proprietary OS's?

Having an ombudsman is fine but, to be truly impartial, would need to be outside of the corporate reporting structure of any of these companies. And with companies like Microsoft and Apple this presents concerns since the company would have to provide complete access to their OS internals to a team of outsiders. In any case that would require one heck of a non-disclosure agreement...

 

[Watchinufrap]

I suspect similar arguments can be made regarding Apple's IOS, HP's WebOS, Microsoft's WP7, etc.

However with Android it is the only OS that happens to be owned and maintained by the hugest search engine on the planet, that is not quite sure what exactly they should do with the data they collect or what is too far, that makes people uncomfortable, they might try something just to test it, and if it turns out to be unpopular like the google phonebook search, they will probably pull it, but allot of damage can already be done by that time.

In my opinion, a defining difference between Android and the other OS's is that Android is, for the most part, open source. With most versions of the OS, Honeycomb excluded, if you want to see what the OS is doing, you can typically find a copy of the source code online This follows in the footsteps of Android's logical OS ancestor, Linux.

Not all of us know how to code or understand the source code of Linux or Android, most of us just want to buy a phone that is safe secure, and suits fine for minimal tinkering unless we feel like it.
As for Open Source, well it is open source like PC Operating Systems which means that you have to be careful of malicious code and programs.

And, to be honest, similar concerns can be voiced about modern PC operating systems. How many people are comfortable performing financial transactions on Windows or MacOS, both of which are closed and proprietary OS's?

Never had any of those problems with computers, use a firewall disconnect from the net when not using it, be careful where you visit.
Allways create a system restore point and check your program list, if anything happens that seems odd, do a virus check.

Having an ombudsman is fine but would logically need to be outside of the corporate reporting structure of any of these companies. And with companies like Microsoft and Apple this presents concerns since the company would have to provide complete access to their OS internals to a team of outsiders. In any case that would require one heck of a non-disclosure agreement...

Still it would be fine with Android, remember it's Open Source, Google doesn't care if you hack it and reprogram it for your own uses, so long as you don't do anything that infringes upon other people's rights.
Like creating Malware.

in the case of Google, i think an Ombudsmen would be good, i don't particularly like Google, but if Android can be proven out of the box to be completely privacy oriented with the exception of GPS Data and general non pinpointed location, which can be turned off,no problems, we just need some ample proof to reinforce that we are not blindly trusting google, blind trust is for the foolish if it comes to complete strangers.
Remember Illegal spammers use to spam us with shit in order to try and GET our Personal information for uses without our consent, any company out there Apple Microsoft WebOS Nokia or Google no matter the quality services they provide, should not be exempt from the same standard of scrutinity from the public.

It's also our responsibility and i reiterate, that Google gets feedback and we all take the concerns of people who are paranoid about the whole Borgish in the Matrix plug in thing, even if they are a minority, their needs should be satisfied, while at the same time everyone else who is okay with it can still choose to take those options and services.

 

[Martimus]

However with Android it is the only OS that happens to be owned and maintained by the hugest search engine on the planet, that is not quite sure what exactly they should do with the data they collect or what is too far, that makes people uncomfortable, they might try something just to test it, and if it turns out to be unpopular like the google phonebook search, they will probably pull it, but allot of damage can already be done by that time.

I think you are comparing apples to oranges here. Microsoft, Apple, Google and HP are some of the largest technology companies in the world. According to the financial world pundits both Bill Gates and Steve Jobs have more income than many third world countries. Each company has had issues/concerns voiced in recent years about their policies, standards, and processes as they relate to public use of their technologies.

Here's an amusing aside for you. The Internet is based on a series of network backbones that run throughout the world. Each of these networks is managed/supported by millions of dollars worth of network routers, switches, and firewalls. These devices process literally trillions of data packets per day. By definition, routers receive the packets, rebuild header information, and then re-transmit the packets.

Every time someone performs a transaction on the Internet, their data passes through many of these devices. If someone wanted to compromise data all they would need to do is to compromise one of these network devices. In most cases, access to these devices is managed by complex passwords with detailed logging and oversight. In a few cases, however, the device may only have a simple clear text password defined. Once inside a backbone device they could upload a compromised configuration or firmware image and copy packets to an analysis device of their choosing.

As we used to say back when I was an undergrad (a loooonnnng time ago) "A computer is only as smart as the dummy who programs it"!

As for Open Source, well it is open source like PC Operating Systems which means that you have to be careful of malicious code and programs.

With the exception of Linux, most all PC operating systems are closed source. They are proprietary and, short of a court order, few people outside of the company will ever get access to the internals of the operating systems.

Never had any of those problems with computers, use a firewall disconnect from the net when not using it, be careful where you visit. Allways create a system restore point and check your program list, if anything happens that seems odd, do a virus check.

Similar processes can be followed with Smartphone OS's. Within the many market apps to be found online, there are apps available to allow the user to disable their data connection. There are also anti-virus apps and new third party apps show up daily.

in the case of Google, i think an Ombudsmen would be good, i don't particularly like Google, but if Android can be proven out of the box to be completely privacy oriented with the exception of GPS Data and general non pinpointed location, which can be turned off,no problems, we just need some ample proof to reinforce that we are not blindly trusting google, blind trust is for the foolish if it comes to complete strangers.

I hear ya! I have similar concerns with Steve Jobs and Apple...

 

[Watchinufrap]

Every time someone performs a transaction on the Internet, their data passes through many of these devices. If someone wanted to compromise data all they would need to do is to compromise one of these network devices. In most cases, access to these devices is managed by complex passwords with detailed logging and oversight. In a few cases, however, the device may only have a simple clear text password defined. Once inside a backbone device they could upload a compromised configuration or firmware image and copy packets to an analysis device of their choosing.

I Thought that's why digital data gets encrypted so only the intended recipient computer can decode it.

I do not like Apple too, they don't have a search engine, but they seem to like the idea of spying on users too far, such as activating your mic and both camera's to get your face and your surroundings, under the pretense of preventing unauthorised users from using your phone even if you don't know they are using it.
Apple's intention could be to rat out those who hack their iphones and punish them, and find out who they are and file a lawsuit against them if they really really dislike what they are doing such as.. providing an easy way to jailbreak your Iphone and distributing free code to accomplish this.

I don't trust any companies, Google troubles me most because info collecting is their primary source of income, i prefer traditional methods of making money such as selling a service or product, rather than having people sellout their private life and business to pay off a "free" service.

 

[Martimus]

I Thought that's why digital data gets encrypted so only the intended recipient computer can decode it.

With current computing technology it's quite possible for encryption to be compromised. All it takes is time and some computing horsepower. An example of this is WEP and WPA encryption of wireless data. It's been proven that these early encryption types can be compromised in mere minutes.

Hack most wireless LANs in minutes! | ZDNet
No longer safe: WPA encryption cracked in 12 to 15 minutes | ZDNet

 

[Slug]

However with Android it is the only OS that happens to be owned and maintained by the hugest search engine on the planet

Incorrect. Android is actually "owned", if such a term can be used for an open-source product, by the Open Handset Alliance.

As for Open Source, well it is open source like PC Operating Systems which means that you have to be careful of malicious code and programs.

That's why there's an extensive system of checks, balances and verification of all submitted code. There's a good overview of the various roles involved here.

if Android can be proven out of the box to be completely privacy oriented with the exception of GPS Data and general non pinpointed location, which can be turned off,no problems, we just need some ample proof to reinforce that we are not blindly trusting google

You don't have to "trust" Google. It's perfectly possible to use Android handsets with only a Google account for accessing the Market. Everything else is optional.

Btw, Google are already pretty transparent about the info they have about you. Visit the Dashboard, log-in to your account and it's all there for your scrutiny.

 

[zuben el genub]

France is suing Apple over Iphone tracking, so it isn't just Android.

Quote from post on Broadband reports:

Hobbyist hackers have built a DIY flying spy drone that's capable of intercepting communications over remote Wi-Fi and cellular networks and beaming them to snoops located half a world away.

Short for wireless aerial surveillance platform, the WASP is equipped with a battery of off-the-shelf hacking tools that can secretly hover over unsuspecting targets and infiltrate their networks. A 4G cellular connection links it to a back-end server that allows operators to control its operations and monitor its sensors in realtime.

All of the tools have been around for years, or even decades. What makes WASP novel is their all-in-one packaging in a 14-pound plane that can penetrate a target's geographical boundaries to tap a variety of electronic sources.

At 27 inches high and 76 inches long, WASP can reach altitudes of 22,000 feet, ...cost about $6,200 to build and takes about 30 minutes for someone to learn how to fly.

 

[Watchinufrap]

Martimus

With current computing technology it's quite possible for encryption to be compromised. All it takes is time and some computing horsepower. An example of this is WEP and WPA encryption of wireless data. It's been proven that these early encryption types can be compromised in mere minutes.

But then i am guessing that the encryption specific to using a particular site or service such as Email or more importantly online banking is still protected by it's own encryption protocols in the event that the WPA and other wifi signals are compromised.
There was a news report a while ago, where they revealed that optics used by business's at the time were unencrypted and anybody could use a device that was not illegal and tap into the optic signals and intercept decode and record them, and they did a test where they paid a person to go do such a thing, nobody grew suspicious about what he was doing they probably just thought he was some maintenance guy and asked no questions.
They pointed out that Wireless was encrypted but the local network between computers at this business establishment were not.

Just keep in mind i do not know the details of how computer security works, only the theory, so i do appreciate all this info you guys are providing.

France is suing Apple over Iphone tracking, so it isn't just Android.

First off GOOD, Apple was doing it behind people's backs.
I have no problem with the Androids tracking feature, it presents itself upon setup and explains what it does and is for, and asks if you want to turn it on or off, i turned it off, just being precautionary i prefer to keep my general area private to anybody online.

I could go around with a wifi scanner and log and list all the Routers and access points i find as i go around the main city, google's android location thing basically does this, from what i read it's to create a map of hotspots and access points to figure out how best to have advertisements for something that is in the access points general area that may interest their Android users who happen to be there at the time.

 

[Watchinufrap]

I think google is pretty good upon reviewing their policies, and viewing what the dashboard has.
However, it is still putting all your trust in one company, and remember nothing is hackable.

There are two reasons you do not want to have your real information and address and job and anything else on a single profile that also contains your linked services, emails social networks, search history and all manner of personal Data.

1. Google could be hacked and if hackers want to they can, nothing is unhackable, it would take time but they would find a way, remember there are shady ops in countries where our laws do not apply to them, the same kinds as ops that pollute our inboxes with spam and harvest our emails.
They would LOVE to get a hold of the Data that google holds, it's the Texas gold repository to them, and if they get it, it would be very hard to have them apprehended, even if Google launched a full scale inquiry.

2. The Government, this also is not a concern now, but maybe in the future, remember Democracy everywhere is receding slowly and surely, if Goverments can make amendments to existing laws, they could get their way and make a requirement by law that Google passes all Data on people using the net onto them for analysis for general crime detection.
And remember, what may be legal today, may not be legal tommorow, in Australia it used to be legal to say what you want on the net, now and in the near future an internet filter will be brought into place to control what people see or say online, and also collect records of their browsing habits and communiques, it's the general idea.
The idea is that nobody deserves any sovereignty in their private lives anymore, because they need to check EVERYONE for Chil pornography, of course if you don't have it that doesn't mean you are safe, they will probably find some other unrelated technicality to fine you over.
Not to mention turning you inside out for complete strangers to see.

That's what i have deduced from news reports, it sounds alarming and pessimistic but remaining vigilant is the price of freedom.

Since a Mobile phone is a personal item and it used for contact with people you and i know in person respectively, and is used with out dealings with everyday life, it is important to make sure it stays safe and secure and does not change.

 

[takeshi]

Sure, nothing's unhackable. However, does that mean that you're going to keep your data in a fully secured location (not your smartphone at all unless you keep it locked and don't carry it with you) with no outside connections? It's always a matter of balancing convenience versus security. Absolute security makes it difficult to actually use your data. This is just a slippery slope argument. Where are you actually trying to go with this thread? Where's the "fresh perspective"? This thread just rehashes the same old stuff.

While, yes, Google's business practices can change you also need to consider that they also value the trust that people place in them. They can't collect/aggregate data if people don't trust them. If they lose that trust they lose their business. That argument is a double edged sword that cuts both ways.

Since a Mobile phone is a personal item and it used for contact with people you and i know in person respectively, and is used with out dealings with everyday life, it is important to make sure it stays safe and secure and does not change.

...and if you want to fully guarantee the security of data then you can't stick it on a smartphone. Where are you willing to draw the line?

 

[daveybaby]

You don't have to "trust" Google. It's perfectly possible to use Android handsets with only a Google account for accessing the Market. Everything else is optional.

Even the market is optional - you can buy your apps from amazon or other app stores, or even directly from the authors in some cases.

 

[Watchinufrap]

The fresh perspective is this, we all discuss what we would like and not like, some people like having a device that stays constantly connected to a 3rd party service which they use to access their documents and files.
Some people like the convenience in exchange for entrusting a company with it.

I've read allot of privacy concerns that often could be mistaken for just prejudice against Android (fanboy talk) but i think that there should be options for everyone what i want personally is to manage my emails and logins for other things on my own my own way without going through a google syncer i appreciate the offer of convenience, but i don't put all my eggs on a single basket, it actually complicates things for me rather than simplify them.

As for the security of Data on a Smartphone, well.. unfortunately the fact that my phone and many android phones need a Micro SD makes security rather hard, anyone wishing to compromise your data just has to plug it in to a USB.
Everything else such as contacts services and emails browser history logins and facebook/social networking plus banking should be secure and protected on the phone itself and i imagine that there is a security function in place.

I would like to see a feature like on the Ipod Iphone and Ipad where if someone tries to access your smartphone and fails to enter the proper passcode 10 times, all the data gets erased and bombed out rendering the phone unusable until reactivated by the appropriate owner.

 

[Watchinufrap]

On another note, i found something called "Google Messages Framework" running in the background which i do not remember activating so i am guessing it is a standard thing.
I stopped it's processes.

What was it for exactly? i did a search around and just found a bunch of threads relating to technical problems but not explaining what it is exactly.

 

[Martimus]

Martimus

But then i am guessing that the encryption specific to using a particular site or service such as Email or more importantly online banking is still protected by it's own encryption protocols in the event that the WPA and other wifi signals are compromised.
There was a news report a while ago, where they revealed that optics used by business's at the time were unencrypted and anybody could use a device that was not illegal and tap into the optic signals and intercept decode and record them, and they did a test where they paid a person to go do such a thing, nobody grew suspicious about what he was doing they probably just thought he was some maintenance guy and asked no questions.
They pointed out that Wireless was encrypted but the local network between computers at this business establishment were not.

Just keep in mind i do not know the details of how computer security works, only the theory, so i do appreciate all this info you guys are providing.

WEP and WPA security encrypt the packets as they are transmitted across the wireless network. Once they are received by the access point this encryption is dropped.

Banks and other organizations use other encryption schemes to transmit data from your computer (pc, laptop, tablet, phone) to their servers. Most commonly used are DES, triple DES, and SSL encryption. While all of these encryption schemes do work, none are foolproof. With adequate time and computing resources available, all can be compromised eventually.

Researcher Shows How to Hack SSL | PCWorld Business Center

The U.S. Military has a series of color coded books that are used as their primary technology security guidelines.

Rainbow Books - Wikipedia, the free encyclopedia

If I recall from my days managing network security on an Army base, the Orange book has a section that discusses how to achieve complete security over data on a computer system. The solution... place the computer in a locked and secure room, turn off the computer, and disconnect all power and data cables from the computer. Otherwise there is and will always be a risk of compromise.

I could go around with a wifi scanner and log and list all the Routers and access points i find as i go around the main city, google's android location thing basically does this, from what i read it's to create a map of hotspots and access points to figure out how best to have advertisements for something that is in the access points general area that may interest their Android users who happen to be there at the time.

WiFi scanners run on PC's, laptop's, iPod's, iPad's, and Android devices. I used to have a WiFi scanner on my work laptop that I'd carry around my office (at my old job) to look for rogue access points. I regularly discovered wireless SSID's for the businesses surrounding that office, some of which had little or no security enabled.

And if you really want to pull in some wireless networks, outfit a laptop with WiFi card that has an external antenna connector on it. Then pick up or make yourself a Pringles can antenna (now marketed under the name Cantenna) and you can pull in networks a mile away.

 

[Slug]

what i want personally is to manage my emails and logins for other things on my own my own way without going through a google syncer

Don't create a Google account (or sign in to an existing one) on your handset.... job done.

On another note, i found something called "Google Messages Framework" running in the background which i do not remember activating so i am guessing it is a standard thing.

It is. It's a service used by all the core Google apps to communicate sync data between handset and "cloud storage".

 

[Mega873]

Everything else such as contacts services and emails browser history logins and facebook/social networking plus banking should be secure and protected on the phone itself and i imagine that there is a security function in place.

... Thank-you for this very useful discussion - this is my first post in the forum! I'm eagerly awaiting delivery of my first Android phone, a Samsung Galaxy S2 and I'm using the excellent discussions on this forum to investigate security issues. I've read various threads and am reasonably clear about viruses, how to be careful choosing and downloading apps, the pros and cons of anti-virus software, and the value of security and backup software to trace a lost or stolen phone, disable it or delete data remotely, and ensure all data is safely backed up. What I'm not clear about is whether it is possible to have firewall protection on an Android, which would prevent outsiders hacking into my device and accessing the information held on the phone itself (such as outlined above by Watchinufrap - and also my personal organizer which I intend to keep on the phone), and accessing any voicemail. The phone hacking scandal here in the UK has really raised awareness of the privacy risks of using mobile phones.

Looking forward to any advice you have to allay my anxieties!

Many thanks

Mega

 

[zuben el genub]

Don't create a Google account (or sign in to an existing one) on your handset.... job done.



It is. It's a service used by all the core Google apps to communicate sync data between handset and "cloud storage".

Actually, Google should allow an opt-out for this service for those of us who don't want it. We have naked DSL, so no isp email, I have to use web base and I can hook Gmail up to Thunderbird. I did forbid mail to sync, as it screwed up mail on laptop (XP) and Desktop (Ubuntu).

I do nothing else personal on the phone. I will use email, but only to send a pic from the camera since I can't use MMS to some.

 

[Watchinufrap]

I hate how i cannot install Opera for Android without a google email. I don't want one, nope no! no! even if i only use it for the app store, it's another thing i will have to maintain and check which i don't want to do, and a google account with all kinds of services attached is like a nexus point full of a wealth of information for information harvesters that make money by selling it for marketing.

I personally would like it if to use the android marketplace you just needed an Android market account which is self contained and much like Itunes, i would prefer that.
All that all in one syncing and attaching bullshyt should be optional afterwards not obligatory.
I like Android, but this Google tap is still too integrated for me, Google may say they are a responsible steward with your info, but with an Android phone from what i have read on the net about learning how Android works i find it like Facebook facebook profiles hold allot of sensitive and personal information about people, BUT like your google accounts your facebook profile is your responsibility to maintain the security by watching what apps you use and allow.
On a computer, this has no problem for me, i play games and things outside of Facebook locally on my computer with the Microsoft Vista OS and i have no problems, i can use Facebook and still do stuff outside it.

With Android, i can use my phone for things without google syncing or connectivity, but i find that there is no way for me to download anything new without a google email which i do not want.
transparancy does not equal control
A company could do things that are privacy concerning and not reveal it willingly like Apple or Google which is transparent.
There still needs to be a choice Google can just say "we're letting you see what we collect about you, but tough shit if you don't like it"

I cannot install Opera on my android using my computer either, i don't know what directory it's supposed to go onto.
And the Opera website had no help on the subject.

 

[Stuntman]

I hate how i cannot install Opera for Android without a google email. I don't want one, nope no! no! even if i only use it for the app store, it's another thing i will have to maintain and check which i don't want to do, and a google account with all kinds of services attached is like a nexus point full of a wealth of information for information harvesters that make money by selling it for marketing.

I personally would like it if to use the android marketplace you just needed an Android market account which is self contained and much like Itunes, i would prefer that.

Why not just not check your Gmail for email and just use it for the sole purpose for using the Android marketplace? You don't have to use your Gmail account for anything other than the marketplace.

 

[Watchinufrap]

Because i have Live mail for that,
I deal with local storage.
I would prefer if the Marketplace had it's own dedicated profiles for the marketplace only to be honest.

EDIT: can be used without Gmail using a browser for signup.
All you need really is a Youtube profile at the very least.