First time install: Safe to use a personal computer?

kamzat44

Hi all,

Have a pixel and want to install grapheneos for the first time.

Done a bit of research and found that, for anonymity sake, you should install in a remote location using public wifi if possible.

From a privacy/anonymity perspective, would using a personal laptop to perform the web-install leak any data/personal info to unwanted parties?

Searched online and the forum but cannot find any info on this. Any help much appreciated.

Cheers

de0u

kamzat44 I think questions about techniques properly come after a clear articulation of goals -- in particular, what you wish to conceal from whom, because it's not possible to conceal everything from everybody.

For example, doing an install via public Wi-Fi in a randomly selected location, as opposed to using one's home network, might conceal from one's home ISP that one is installing GrapheneOS. But if the GrapheneOS device will later be downloading updates from the GrapheneOS update server from one's home network without a VPN, one's ISP can easily determine that the device is running GrapheneOS. Meanwhile, if a VPN is used, the VPN provider can easily know that somebody using your account has installed GrapheneOS on some device.

kamzat44 From a privacy/anonymity perspective, would using a personal laptop to perform the web-install leak any data/personal info to unwanted parties?

If, hypothetically speaking, you don't want the GrapheneOS project team to know which OS and browser you use, then you might not want to run an install from your laptop using your browser.

kamzat44 Searched online and the forum but cannot find any info on this.

Arguably start here: https://www.privacyguides.org/en/basics/threat-modeling/

kamzat44

de0u

right, thanks for the link.

Regarding your hypothetical situation, so grapheneOS can see the what OS and browser the computer uses. Can any other party become privy to this information should they look? Does any unique identifier of the laptop become leaked when you plug in the phone and process the web-install step?

de0u

kamzat44 GrapheneOS can see the what OS and browser the computer uses.

As can every other web site the computer visits.

kamzat44 Can any other party become privy to this information should they look?

Sort of. Nominally, the information sent voluntarily by the browser is protected by HTTPS. But the behaviors of different OS IP stacks differ in subtle ways that in theory could be fingerprinted by all of the IP routers between you and the GrapheneOS server. And it seems plausible that the network behaviors of different browsers differ enough to enable third-party fingerprinting (unlike OS IP stack fingerprinting, I am unaware of work on third-party browser fingerprinting).

kamzat44 Does any unique identifier of the laptop become leaked when you plug in the phone and process the web-install step?

Not really, but sort of? You could read up on "browser fingerprinting" (but see below). Also, it is possible that the installer web app could acquire a serial number for the phone (source). That possibility would not imply that the installer does acquire or share the device serial number or that the server retains it (I very seriously doubt any of that).

The bottom line is that it is not possible to operate on the Internet without leaking some information to some parties. Thus trying to leak nothing is a pointless waste of effort.

It is genuinely much more productive to start by determining what you want to avoid leaking to whom. Because I did not take extensive precautions while installing GrapheneOS, my ISP knows I am running GrapheneOS (if they are organized enough to know). So what? I am completely unalarmed if they know that. Likewise my employer's network staff trivially know I am running GrapheneOS. I am fine with that. Actually, I personally encourage members of my employer's network staff to try GrapheneOS, so it is not something I professionally conceal.

Each of us may legitimately want to conceal some information from some parties. But starting from a position of trying to conceal everything from everybody is fruitless, at least while using a smartphone on the Internet.

Meanwhile, note that running GrapheneOS means, in practice, placing a lot of trust in the project's authors. In theory one could instead merely review 100% of the source code for each release, then personally build each release. In practice the realistic options are to place substantial trust in the GrapheneOS project or the DivestOS project or Google or Apple or Samsung or Sony or Xiaomi, etc. If one is choosing to run GrapheneOS it might simplify life to assume that the GrapheneOS developers are on one's side.