How much commitment to privacy is expected to truly benefit from GrapheneOS?

hsdovjiw

I fully appreciate GrapheneOS for the privacy and security benefits it offers to those wanting and willing to commit to de-Googled phones and/or multiple profiles, and I know data collection can be minimized even with sandboxed Google Play Services, but what is the point of diminishing returns where the convenience and sureness of stock Pixel Android/iOS outweighs GrapheneOS with some of its lost or degraded functionality (Google/Apple Pay, banking apps, notifications in some cases, etc.)?

I understand this is also completely subjective and determined by a user's threat model, but for your average Joe who just wants to minimize personal data collection, but still needs to log in to Google for FCM and Play Store access, needs reliable notifications for work apps that are very identifiable and very much closed-source, needs WhatsApp for socializing, wants YouTube, Spotify, Netflix for obvious reasons, all on the owner profile, sandboxing around Google or no, is their personal data being harvested almost as much as if they just stuck with the stock OS (or worse compared to an iPhone)?

It seems like a lot of the discussion around how much better for privacy GrapheneOS is assumes you're not doing those things, even though it's a very possible and perfectly reasonable use case for most people. Maybe not on this forum, but if it were ever to gain more widespread use.

It's fair to say GrapheneOS is best for privacy because it allows you to determine what you're willing or not willing to sacrifice for increased privacy, but what's the point, or a best guess, for an individual user where that flexibility becomes meaningless?

[deleted]

hsdovjiw There's certainly no clear-cut case for "average Joes" running GrapheneOS on their Pixels. Heck, I know plenty of "privacy conscious" people than sneer at the lack of Google Pay, Android Auto or even at the extra tap required to install and app through Google Store. If only it would run on their 7-year OnePlus 3T then they would definitely consider it. I get it. Most people have lives to run, they don't know nor care about how GrapheneOS improves the privacy and security of the OS from the bottom up. However, as I already said elsewhere,, the opposite of striving for more agency in the realm of smartphones is walking into your local telco branch and walking out of there with whatever numeric Redmi series phone they had on sale that week. Buying an Android One device would be a marginal improvement over that and buying Pixel or an iPhone would be even better. For those who like to live on the edge, there's GrapheneOS.

It's also not all about systemic privacy and security improvements it offers. I dislike the hand holding and the incessant sign in prompts to sync stuff. GrapheneOS allows me to escape all of it an a sane matter and offers a way to opt in to things I need. It's not a diminishing return for me but a prerequisite.

joeleoj

I am just learning about graphene and haven’t downloaded or installed it. I have a pixel I’m planning on installing it on. I have a iPhone 14 pro to use for as a “normal phone”. I believe as a culture we have dimished the value we have in ourselves as a person with intrinsic value to a level of 0. If I have been “told” all my life that I have no such thing as person freedom no such thing as core values and no core beliefs that are absolute then, no it wouldn’t matter. But I’ve been told that I do matter that my option matters and I am valuable. Therefore I’m going to choose the hard path simply because it’s hard. And I don’t need or want any other reason. That being said, I am tired of being told what to do. I am tired of corporate capitalist America. I want my freedom back. I want personal choice back. We are going have to fight for it tooth and nail. I think this will be a good start for me. I’ll use their own device against them. So to speak.

hsdovjiw

I suppose I could rephrase that.

The average Joe doesn't particularly care about internet privacy for the most part. Many know what data/agency they're giving up using TikTok, Facebook, etc. and continue to use them, that's fine. My aim isn't to convince those people.

My question is more, for a privacy-conscious but practical user who still wants/needs some popular apps that aren't very private or transparent and needs a reliable, stock OS-esque experience while using them, are the benefits of GrapheneOS mostly lost?

When someone says GrapheneOS is the only mobile OS worth using from a privacy standpoint, are they assuming a highly configured and Google-minimized setup? Are they looking at worst-case usage and building up from that, most practical usage, etc.? Are the outstanding privacy benefits a given for anyone using the OS or are the benefits largely in the choice given to users, which may or may not be utilized?

What value is there in sandboxed Google Play Services or Google Play Store with reduced privileges/identifiers if Google can still easily identify you through other more privileged apps it's either receiving data from internally or through IPC (or notifications?), and so on? Is the data harvested from that user's day-to-day usage meaningfully less identifiable and informative than the data harvested with a stock Pixel?

Questions that are likely hard or impossible to confidently answer, but I think they're worth asking as it's not entirely clear to me whether GrapheneOS is mostly just a platform for privacy that requires effort on most users' behalf for meaningful benefits, or a bestower of notably increased privacy regardless of configuration. Maybe I just have to read through the website a few more times.

[deleted]

hsdovjiw It's grapheneos that advises to install the play service sandbox to download applications. There are no privileged applications in gos.

[deleted]

hsdovjiw

When someone says GrapheneOS is the only mobile OS worth using from a privacy standpoint, are they assuming a highly configured and Google-minimized setup?

They don't assume anything. You still benefit from all the underlying hardening done by the OS whatever the apps you choose to run on it. In fact the ability to run Play (confined to a highly restrictive untrusted_app domain) is likely a reflection of the fact that most people will undoubtedly need either apps from the Play Store or other services provided by Google for apps they got elsewhere. It's a quality of life issue.

What value is there in sandboxed Google Play Services or Google Play Store with reduced privileges/identifiers if Google can still easily identify you through other more privileged apps?

To quote official documentation, "Google Play receives absolutely no special access or privileges on GrapheneOS as opposed to bypassing the app sandbox and receiving a massive amount of highly privileged access."

It's just a regular user-installed app on your device (like WhatsApp or TikTok). It has no access other than to things you will allow it to have access to. Wheres usually it is a privileged app and a core part of the OS that can access anything it wants. As of Android 10, apps cannot obtain permission to access non-resettable hardware identifiers. Plays apps running on GrapheneOS are no exception here.

Is the data harvested from that user's day-to-day usage meaningfully less identifiable and informative than the data harvested with a stock Pixel?

It can only "harvest" what you give it. It requires a network access at the least (for downloading and updating apps as well as pushing notifications around) and the rest is optional (depending on what apps you use and how they're built). If you want to know what information contained within FCM you can read official documentation. You can use your primary Google Account or a throwaway depending you your needs. I'm fine with either.

[deleted]

hsdovjiw There's 3 things I'd highlight:
Behavior
Choice
Security

Behavior is far more important than any OS. Having the most secure device in the world is meaningless if you don't lock it down with a pin or password. What does this mean for average joe?
Choice is lost with a typical device. Your data is no longer yours to control. GrapheneOS restores that choice to you. Play services are optional, Facebook doesn't come along as pre-installed bloatware. If you want to use those services, you can, but they're not forced upon you. You choose where your data goes. My advice? If you want to give your data to Facebook, fine, do it. But actively choose to do it with eyes wide open. Because that's a helluva lot better than Facebook taking it simply because they can.
GrapheneOS focuses on security more than privacy. The argument goes back to point one. You can't have a private device if it's insecure and anyone can see your data. There are tons of benefits to using it, regardless of the privacy choices you make. Sometimes these might be in conflict. For example, I use yubikeys which only work with play services installed. There is no silver bullet.

spring-onion

hsdovjiw Are the outstanding privacy benefits a given for anyone using the OS or are the benefits largely in the choice given to users, which may or may not be utilized?

Both. GrapheneOS gives you a rock solid foundation to build on, without any of the bloatware garbage and other nonsense. Just a clean slate from which you can choose to do with your device as you see fit. That's the whole point of the project, to provide you with an operating system that is private and secure without sacrificing on the usability aspect where it isn't absolutely needed.

Methinks this is somewhat of an oxymoron. Your average joe already is not the average joe if they value their privacy and go through the effort of installing GrapheneOS. If you have come this far you will have already made some conscious decisions, you will be fully aware of the predatory nature of some services, so you may decide to install, say, TikTok, but also opt into storage and contact scopes. As you've already pointed out, it will depend entirely on the user's threat model. The person in your example would certainly install the play store and its components, but the difference here is that it's leashed, leashed to the ordinary sandbox, it doesn't own your device. It will do what you allow it to do, just how it should be.

GrapheneOS won't protect you from yourself, but its repertoire of options sure gives you control back.

applesbana

Thank you for articulating so well questions that I have after using both graphene and iOS together for the last year or so.

I’d add a couple of random points:

Bazzell says about 60% of his clients (people who need and are paying him big fees for privacy/security) use iOS and about 40% use graphene

He hammers not using your SIM card for any calls/texts but rather using voip services. This is to avoid sim swapping but also the surveillance we often don’t talk about: that via your carrier via your sim/Esim. The carrier knows your location always (unless on airplane mode), tracks/logs your legacy calls/sms, and often sells this information to marketers and readily hands it over to law enforcement. Lastly, the sim is essentially a mini computer, we don’t know exactly what it is doing in the background (perhaps I’m wrong on this, but this is what I recall reading).

I wonder if using iOS with voip without iCloud with a data only sim with encrypted notifications (I understand google’s notifications are clear text) would actually be a better tradeoff balance for the example privacy conscious person you’re referring to (not for an Edward Snowden type).

With that said, it’s hard to trust apple after their photo scanning fiasco (which they didn’t end up doing) and the fact that it’s closed source so you just have to take their word on many things.

[deleted]

And if you don't want to share your IP address, remove your sim card or put yourself in airplane mode.

hsdovjiw

[deleted] It has no access other than to things you will allow it to have access to.

This is true, in theory, but my question or thoughts are on how true this actually is in practice, specifically in the case of Joe.

For someone with a deeper understanding of Android, that statement makes sense. To someone with less knowledge, I think it implies they have a direct, completely transparent choice in either giving or not giving that access. I don't think that's the case.

Most people aren't aware that just by installing one app, they could be consenting to sharing sensitive, personal information with another app whether that be Google Play Services or Subway Surfer, sandboxed or not. That's largely determined by the permissions granted to each app, sure, but also largely what the apps themselves choose to do, within what they can do.

Also quoting official documentation here, "profiles are the only way to provide a strong assurance of separate identities since the application model of the OS is designed to support communication between apps within the same profile, but never between them".

"It has no access other than to things you will allow it to have access to" implies to the layman that Google will only know that throwaway@gmail.com downloaded Signal, Facebook, and Netflix.

In reality, Google could easily know that throwaway@gmail.com is signed in on the same profile as Joe Schmoe on Facebook, who's linked to joeshmoe@gmail.com, and suddenly the loss of Google Pay, Android Auto, and Joe's banking app is less justifiable.

[deleted]

spring-onion Agreed. As fun and useful low level hardening done by the OS is, things like Storage Scopes, Contact Scopes, Network and Sensors permission toggles etc are a real boon when it comes to TikToks of the worlds. Auto reboot as well as the optional Bluetooth and Wi-Fi timeout are my next favorites. I'm madly in love with all of it.

[deleted]

hsdovjiw What is the threat model here if you don't mind me asking?

If one desires cleaner separation, they can install Play services in a different profile with a profile with a per profile VPN to boot. It's cleaner but more work switching back and forth. For my threat model (I'm no Edward Snowden) the improvements are marginal over just running it in Owner where where yes, I would have no control over which apps talk to it and which don't, but it's still a massive improvement over Stock Android where it runs as single privileged instance across profiles.

I think running GOS with Play (in Owner or otherwise) is definitely more hassle compared with just picking a stock Android device. The latter is less taps, less hiccups, less to learn. I wouldn't be able to convince my parents to use it or even some of the people who claim to see and understand the improvements it offers. Convenience is everything to them. For my money the balance is good.