• Announcements
  • Highly misleading and inaccurate article from Cybernews about the Pixel 9

There's a highly inaccurate article about Pixels from Cybernews making the rounds everywhere in privacy communities. It gets the details nearly completely wrong and thoroughly misrepresents things like the optional network-based location used nearly everywhere as Pixel specific.

Any non-Pixel device with the standard Google Play integration has similar Google service integration doing the same things. You don't avoid it at all by using a non-Pixel, but you do end up with a device that's far less secure and adds OEM services with their own privacy issues.

It goes through connections for the Google Play network-based location that's offering as an option during the initial setup wizard, the optional Google Play account-based device management, Google Play feature flags, Google Play telemetry, etc. It gets a lot of details wrong.

iOS has direct equivalents to everything that's covered.

If what people take from the article is that they should use a non-Pixel Android device with Google Play, they'll have a dramatically less secure device with the same privacy issues and additional ones from OEM services.

If what people take from the article is they should use an iPhone instead of a Pixel, they'll have a device with comparable security and similar privacy invasive default connections. iOS does provide better privacy from third party apps than AOSP or the stock Pixel OS, at least.

Unfortunately, the article contributes to people using typical highly insecure Android devices with additional privacy invasive connections, not fewer. If it was promoting iOS over Android, at least it would be helpful overall despite being highly inaccurate. Tech news is awful.

People are having their privacy and security harmed by journalists misleading them because most journalists don't do basic due diligence and simply repeat claims from elsewhere without verification. Many people in the privacy and security communities are doing the same thing.

GrapheneOS is a major security upgrade over the stock Pixel OS or iPhone, but it doesn't mean we're on board with spreading misinformation about either of those. They're the most secure smartphone options and iOS is a clear next best overall choice for privacy after GrapheneOS.

iOS has important privacy features missing in standard Android. Our Storage Scopes feature is needed for parity with iOS. Our Contact Scopes is better than what they added in iOS 18 but it's similar. iOS having better privacy FROM APPS than Android definitely does check out.

The idea that iPhones have better privacy from Apple than Pixels do from Google is largely just a misconception and there's a whole lot of confirmation bias happening. Apple does have better end-to-end encryption support which most users aren't actually enabling for iCloud, etc.

There are a lot of alternative operating systems and supposedly private/secure phone products. Nearly all of these have dramatically worse security than the stock Pixel OS or an iPhone. Nearly all have worse privacy from apps than iOS. They have their own problematic connections.

In terms of privacy from apps, GrapheneOS is competitive with iOS with both advantages and disadvantages. In terms of overall privacy, GrapheneOS is a significant upgrade. Security is a much clearer win for GrapheneOS since Pixels are quite competitive without our work anyway.

Android has useful privacy features unavailable in iOS such as user profiles, Private Space in Android 15, better VPN support, etc. GrapheneOS adds more advantages, and we address the weakness of privacy from apps but not yet to the point it's a clear upgrade in that one area.


Social media site threads:

X: https://x.com/GrapheneOS/status/1843894076632121547
Bluesky: https://bsky.app/profile/grapheneos.org/post/3l62nuxbzwe2c
Mastodon: https://grapheneos.social/@GrapheneOS/113275934184024856

Any non-Pixel device with the standard Google Play integration has similar Google service integration doing the same things. You don't avoid it at all by using a non-Pixel, but you do end up with a device that's far less secure and adds OEM services with their own privacy issues.

I assumed as much.
Would be weird if this was based on hardware and not the OS, right?

One question I do have though: Does this happen even with sandboxed Google Play Services on GrapheneOS - even with GPS disabled or does having the Services sandboxed fix the tracking?

    hannes It's not a matter of "tracking". It's part of opting into network location.

    GrapheneOS doesn't use network location by default. it is possible to opt into Google's network location via Sandboxed Google Play if you want, and we're working on providing more ways to use network location on GrapheneOS.

    The article is interpreting normal connections which are opt-in even on stock OS as somehow bad or malicious.

    hannes Sandboxed Google Play are regular sandboxed apps. They can't access location without explicitly granting the permission to them which is not needed. We reroute Play services location requests from apps to the OS location service and plan to add similar rerouting features for other functionality we can provide ourselves. We're working on making our own GrapheneOS network-based location service with a client supporting multiple services which will be disabled by default for privacy reasons. We're going to host our own service as the main option which will also support downloading a regional database to do it locally. Their network location service is opt-in and disabled by default so giving it location access wouldn't result in it doing that anyway. The stock OS has the opt-in checked by default in the initial setup wizard, but without the initial setup wizard integration it's entirely opt-in.

    Regular apps also can't access hardware identifiers, data from other apps, etc. They're regular sandboxed apps when installed on GrapheneOS and cannot access more than other regular sandboxed apps. They have no special access or control on GrapheneOS. They're not part of the OS or granted special powers by it.

    Cory Doctorov claims (based on the cybernews article):

    And we know it's possible to make a Pixel that doesn't do all this nonsense because Google makes other Pixel phones that don't do all this nonsense, like the Pixel 8 that's in my pocket as I type these words.

    Is there really any difference between the Pixel 8 & 9 concerning privacy?? (with Pixel OS)

    And could you clarify the remote management claim by cybernews:

    “Worryingly, we observed CloudDPC reaching out to Google’s servers. This signals that the company may be able to control settings and perform actions on regular consumer devices if they choose to do so. It appears that users do not have full control of the device when a vendor can make changes without user knowledge and consent,” Nazarovas said.

      CyberOtter

      And we know it's possible to make a Pixel that doesn't do all this nonsense because Google makes other Pixel phones that don't do all this nonsense, like the Pixel 8 that's in my pocket as I type these words.

      It's utter nonsense. None of this is Pixel 9 or Pixel specific. The article is a fraud. We've made that clear above. A person getting duped by it because it fits their confirmation bias isn't any kind of evidence otherwise.

      Is there really any difference between the Pixel 8 & 9 concerning privacy?? (with Pixel OS)

      No, it's utter nonsense.

      “Worryingly, we observed CloudDPC reaching out to Google’s servers. This signals that the company may be able to control settings and perform actions on regular consumer devices if they choose to do so. It appears that users do not have full control of the device when a vendor can make changes without user knowledge and consent,” Nazarovas said.

      The account-based device management is an optional feature we covered above. the article is thoroughly wrong about all the connections it covers. They misrepresent and/or misinterpret it and present it as a narrative attacking the Pixel 9 for standard Google Play connections that are on all Android devices. A lot of what they cover is opt-in. There's no account-based device management until you optionally sign in and you can disable it. There's no network location until you enable it, which you're prompted to do by the initial setup wizard. There aren't usage stats submitted if you don't enable it, which you're prompted to do in the initial setup wizard but can say no and aren't asked again, you'd have to go out of the way to do it.

      The article gets all the details wrong. All they did is find connections on a device they'd configured where they opted into certain optional features and then wrote false narratives about it and wrongly attributed it to it being a Pixel 9. None of the connections in the article have anything to do with Pixels specifically. It's a strangely dishonest hit piece and people are way too gullible.