"sideloading" connotates something that is negative.
On systems before apple's locked-down iphone, it was just called "installing".
The PC revolution started with people just inserting their software into the comptuer and running it. You didn't have to ask the computer manufacturer or the OS vendor permission to do it.
And note that apple doesn't allow you to protect yourself. You cannot install a firewall and block arbitrary software on your phone. For example, you can not block apple telemetry.
gblargg · 1h ago
Sideloading sounds like sidestepping (synonyms: circumventing, avoiding, evading, bypassing, ignoring, dodging, escaping, skirting). I wonder if the term originated on iOS, where you did have to circumvent things to install programs manually.
pjmlp · 2h ago
Which is why alongside freedom came the business of anti-virus.
sunaookami · 9m ago
And people were successfully tricked into "needing" anti virus scanners that do more harm then good.
wiseowise · 36m ago
Never in 20 years of using Linux/Macs I’ve ever needed anti-virus.
charcircuit · 30m ago
You have been lucky. It's trivial for someone to write a stealer and trick someone to run it. For example there's been stealers targeting Linux built into trojans of Minecraft mods.
Scarblac · 7m ago
Is it possible to let owners use their hardware as they wish, without having large companies control what they deem "safe"?
I'm not the user of my phone, I'm its owner.
lblume · 1m ago
Sure. But the societal losses of a vast amount of people getting scammed might in general be more important your individual wish for freedom to run anything you want on your device. I think there are important tradeoffs to be made, and that we have to acknowledge that many people in society less technically skilled might suffer from serious consequences in your proposed model of computation.
palmfacehn · 15m ago
Is it possible to protect users from themselves in every circumstance?
Yes. Remove all of the features from the software. Now, I know you're wondering, "What if my users eat the battery?"
Next, remove the hardware itself. Now users cannot harm themselves at all.
pxtail · 18h ago
It's not sideloading, you are not doing anything nefarious,shady, on the side, on the edge. It's software installation on your device, your own device.
This newspeak is purposely invented to negatively portrait software installation from sources not controlled by Google/Apple
miohtama · 27m ago
The examples in the post are bad.
The people who were scammed did not run rooted phones. Rooting your phone may allow you to install pirated applications containing malware. But most banking losses comes from scams where the user itself initiated a transaction.
wkat4242 · 32m ago
Users aren't safe anyway when the gatekeeper is Google. They're deeply evil these days and our phones are mainly a surveillance tool for them.
Apple is only slightly better. They limit espionage from other parties but not their own. And meta ads still exist so they block was not very effective.
mzajc · 18h ago
> The first is that a user has no right to run anyone else's code, if the code owner doesn't want to make it available to them. Consider a bank which has an app. /../ I think the bank has the right to say "your machine is too risky - we don't want our code to run on it."
But should they? Should we also accept Google's browser signing and ban all browsers the bank doesn't like? Am I allowed to accept calls from people they haven't vetted or is it too much of a risk to the bank's bottom line that they might talk me into a scam.
I suppose we should also write off the inevitable privacy and freedom violations in the name of "security".[0] I don't have anything to hide after all.
Plenty of banks will say "only available in Chrome" or "you must be running version xyz of your browser".
There are also banks which are app-only.
You'll also notice that modern phones have a "spam caller" feature. It either gets data from the phone network or from another source. Should your phone block the most obvious spam calls? Your email client already blocks spam.
At a network level, STIR/SHAKEN is also trying to block you from answering fraudulent calls.
These things are happening right now. I expect most people think a reduction in phone spam is worth the occasional false positive.
You may have a different opinion.
andoando · 1h ago
I think that makes sense if you also agree to not have any protections from them for getting scammed.
But otherwise I agree, I hate the same shit about requiring 2fa. Let me fucking decide about how much I care about my account being stolen.
avianlyric · 15h ago
> But should they? Should we also accept Google's browser signing and ban all browsers the bank doesn't like?
If you want to hold the banks liable for fraud committed against you (which is exactly what happens in many countries), then it’s hardly reasonable to say that they’re not allowed to use what ever technical options they can to prevent that fraud.
You can put forward the argument that banks simply shouldn’t be responsible for fraud committed against their customers. But we only need to look at world of cryptocurrencies to see how well that works in reality.
creata · 1h ago
> it’s hardly reasonable to say that they’re not allowed to use what ever technical options they can to prevent that fraud.
Of course it's reasonable? You can give someone a job and also ask them to do it a certain way.
anthk · 1h ago
Then that vendor need to go to /dev/null and end its business.
bisRepetita · 13m ago
If only there was no app stores... sigh... I would only download apps from the reputable company I like (myfavoritebigbank.com), trusting their brand and reputation for my security. If a client-side app can threaten their security, that's a weakness on their part.
And if a lone developer has a cool new idea, and its app is recommended by users I trust on an obscure specialized forum, then I'll decide to install their app from "coollonedeveloper.com".
If only we could invent some kind of "domain names" system that one would have control and responsibility over, instead of trusting some broken unscalable app stores...
nazgu1 · 19h ago
For me it’s a matter of settings. As a user I would have option to choose “secure” mode that disallow installing apps from unofficial sources, but if I want to I should have option to allow side loading. Everything else is just corporations need to have to much control.
cwillu · 19h ago
The problem is that important services will then be (and already are!) only permitted to run in “secure” mode.
I literally have a banking app that will refuse to run on an “unsecure” phone. Today I can still install unsigned apps, but removing that ability is explicitly the goal of this policy change.
boredatoms · 3h ago
Im worried about big apps like instagram deciding that side loading is better for whatever permissions hacks that alllows
Larrikin · 2h ago
They would have already done it
Disposal8433 · 19h ago
Sandboxing should prevent most of those issues. We can't control the users giving permissions to everything, but with more control on those permissions, or disabled by default, a phone should stay pretty safe, or am I missing something?
rafram · 19h ago
People have been trained to tap through those prompts without really reading them, and it’s unreasonable to expect a less technical user to know what the implications of granting a permission are.
Lvl999Noob · 54m ago
I want an option to give fake permissions. A lot of apps are pretty necessary (due to network effects). I don't want to give my contact or location data to them but they also refuse to work without it, even though they don't it for the stuff I am doing. So just let me provide fake data instead. As far as the app is concerned, it has the permissions it so wanted.
stavros · 10m ago
That used to exist, but it's bad UX, because the user doesn't understand why the app they didn't give permissions to doesn't work well, and gives it a bad review. It's better UX for the app to say "I can't work without this permission", though it's worse for tech-savvy users.
mathiaspoint · 18h ago
Giving illiterate people access to computers is going to be dangerous for them no matter what you do. UIs and operating systems should consider their caretakers instead.
rafram · 18h ago
Not everyone has caretakers, unfortunately, but everyone needs a phone.
mathiaspoint · 18h ago
Then they can have flip phones. Those are still made and are great for children and other people who aren't capable of caring for themselves.
daxfohl · 3h ago
Or maybe when you buy a phone you can pay $5 extra to get the OS build that allows sideloading, or make it cost $5 and require you to hand-sign a bunch of forms to upgrade an existing phone to a sideloading-capable version. A little extra friction at phone purchase time (rather than app download time) would likely steer most people, especially non-techies, toward the safer option. Sure, maybe it doesn't stop the problem completely; someone completely bought in to some scam may go through the effort anyway. But if someone is that gullible, they're pretty destined to be scammed out of their money no matter what the protection.
simion314 · 18h ago
>People have been trained to tap through those prompts without really reading them, and it’s unreasonable to expect a less technical user to know what the implications of granting a permission are.
Can you please explain why there is no big push from the Google and Apple to remove microphone and camera access from the browsers? You claim that most users are "less skilled" and will allow anything , so for the grater good why not pushing to remove microphone, camera and file upload permissions? Why do we trust this users with reading a popup for permissions ?
Or maybe if the popups are not clear or good enough maybe is not the users fault ?
snowe2010 · 17h ago
That’s just advocating for the same thing, OS makers removing users abilities to do things they want with their devices. Pretty much everyone in this comment section that is advocating against what Google is doing would advocate against that as well.
simion314 · 12h ago
I do not see this Apple fanboys asking Apple to remove the camera and microphone features in their OSX operating system. They have many stories about grandma getting tricked to sideload soem evil app from Facebook but somehow same grandma does never get tricked to share her microphone, camera or screen. So I concluded that it is all their minds creating a narative to feel better about them getting screwed by Apple (we all have this problem where we invent some reason to justify some decision we did but in this case is a big mob)
> Our research [1] finds that users often make rational decisions on the most used capabilities on the web today — notifications, geolocation, camera, and microphone. All of them have in common that there is little uncertainty about how these capabilities can be abused. In user interviews, we find that people have clear understanding of abuse potentials: notifications can be very annoying; geolocation can be used to track where one was and thus make more money off ads; and camera and microphone can be obviously used to spy on one’s life. Even though there might be even worse abuse scenarios, users aren't entirely clueless what could possibly go wrong.
Its not the sandboxing, its the access to user data that apps can request. a mobile OS allows apps to request and be granted all kinds of permissions, and 80% of the world population doesn't really understand what all things are possible for each of the permissions they give to an app. For example being able to export the whole contact list, or read all files in folders (where users may have saved notes with passwords) or real time tracking of gps location with wifi mac address sniffing, listen in on conversations, be able to screenshot other apps, trigger touch events... none of this a sandbox can prevent.
When there are problems reported about an app, there has to be a known party to hold accountable. I agree that a developer path that is complex enough that only people who know all the impacts are able to use to side load random apps they own or from someone they can trust, but the general population has to be protected unless at the individual level they are savvy.
nottorp · 18h ago
> there has to be a known party to hold accountable
So no free applications. Prepare to pay a subscription for every flashlight app.
frameset · 45m ago
A better question would be:
Is it possible to restrict software installation and keep users free?
BriggyDwiggs42 · 1h ago
The answer to this question is yes. You need to make enabling sideloading somewhat difficult and make it require a modicum of tech literacy. The only reason that the phone companies do what they do is to make more money from their stores. They don’t care about people or their safety.
Gud · 14h ago
“allow side loading” is a premise I object to.
Now that Android is going full retard with their authoritarian BS, it’s time to build a new phone operating system or at least make the ones we already have viable.
It’s a monumental undertaking, but it needs to be done.
walthamstow · 19h ago
MacOS handles it pretty well, I can use it to do what Doctorow calls general computing and my mother can use it to shop and do email. Apple allowing freedom for MacOS but not iOS is inconsistent and I see no good reason for that.
MillironX · 18h ago
Except Apple code signing on MacOS is basically what Google is trying to copy over to Android. I can run arbitrary programs on MacOS, but I have to go and remove the com.apple.quarantine attribute from any application that doesn't have Apple's explicit permission to exist, i.e. most FOSS apps. I suspect that option will go away eventually.
BriggyDwiggs42 · 1h ago
Highly unlikely they’d remove the option with how many devs use macos
Rohansi · 26m ago
I think it's more likely Apple will shift everyone to using iPads and phase out Mac.
vbezhenar · 18h ago
MacOS does not handle it well. I can run `curl example.com | sh` and it'll steal my ssh key.
Almondsetat · 18h ago
It is perfectly consistent: iOS is not for general computing
G_o_D · 18h ago
I create apps just for myself, just started learning, self taught, not a student taking programming course in university, not professional
Apps created by me for my routine,
Does that mean i would not be able to install my apps ??
tcfhgj · 29m ago
No, you "just" have to show Google your ID and cryptographically make sure Google knows the apps belong to you
brnt · 11m ago
What universele are these people in? Though the app/play store is a fantastic way to obtain shitware that either steals data (seems to be nearly mandatory, if you look at the apps of these store operators), CPU time through mining of some sort, eats through your brain (by inserting horrific amounts of ads, much of which such clear scams I really don't get how this is allowed) or simply ask extra money for essential features one by one.
Everything about the so called stores is so decrepit, the safest way to get any decent software on is side loading / fdroid. How could you in sincerity argue any different?
fleshmonad · 18h ago
>Is it possible to allow sideloading and keep users safe?
Why is this a question of _allow_? Who is my hardware provider that he is somehow my guardian and must _allow_ me to install software that I want to install?
>Is it possible to allow people to do sports and keep them safe?
>Is it possible to allow people to roam freely and keep them safe?
>Is it possible to allow people to not be locked up in a padded cell and keep them safe?
People are responsible for what they are doing, and teaching them about technology is the best way to do deal with this example here, as it doesn't infringe anyone's human rights and would give anyone the resources to check their sources.
edent · 18h ago
Every sporting body that I know of has rules to keep people safe. Even dangerous sports like boxing and American Football pit some effort into keeping participants reasonably safe.
Similarly, every modern society has rules to keep people safe when roaming. That might be as simple as warning signs it as complex as a coastguard.
We've had decades of warning people about online scams and I don't see any slowdown in the volume of scammy emails that I receive. Education clearly isnt working - and that imposes a cost on all of us.
Mordisquitos · 18h ago
We've had decades of 'simple warning signs' or measures as complex as coastguards and yet people are still periodically lost in the wilderness, badly injured, or even killed. Education clearly isn't working here either — what restrictions should we impose on people's right to roam to solve this?
snowe2010 · 18h ago
You clearly know the answer here since you used the word “periodically”. There’s a massive difference between hundreds and millions. No one is stopping you from buying a non Google phone, no one is stopping you from running calyx or graphene. Mitigation for the things that affect the most number of people is how the world works.
morsch · 2h ago
> Mitigation for the things that affect the most number of people is how the world works.
Millions of people hurt themselves, physically hurt themselves, every day, doing things that we could easily restrict. Yet we still allow them to buy knives, glassware that can break, hammers, power tools, non automated vehicles of all kinds, the list goes on.
We also spend a lot of time educating them on the dangers, far more than is spent warning about online scams, and we do it at a far earlier age (age 0, for some of them).
Of course we still allow the sale of safe knives and plastic mugs, so people are free to choose; that point still stands. I'd argue that there is more competition in tableware, and less friction shifting between it, than there is in mobile operating systems.
jmholla · 16h ago
> No one is stopping you from buying a non Google phone, no one is stopping you from running calyx or graphene.
Google and phone manufacturers have been actively moving in that direction and have a long history of being actively hostile to those things. This is just another move on the same board to restrict these freedoms.
fsflover · 15h ago
> No one is stopping you from buying a non Google phone
You mean, the iPhone, which restricts everything even more?
mathiaspoint · 18h ago
They don't come into your own house and tell you what to do though. The police aren't going to arrest you for swimming in your own pool without a lifeguard. That's completely absurd.
edent · 18h ago
I don't know where you live, but lots of places require you to secure your pool in such a way that people can't accidentally drown in it.
Societies often place limits on individual freedoms.
bigstrat2003 · 45m ago
And those laws are completely unjust. It is absurd to place an obligation on someone to protect people who are trespassing on the owner's property. If you are poking around someone else's home, it's on you if you get into something that hurts you.
tempodox · 16h ago
Are you seriously comparing the self-serving decisions of a for-profit company with laws designed to protect people?
chii · 54m ago
they are, and they're correct in that comparison. except that the laws for the pool don't require a branded fence or anything, it's just a height and gate-lock requirement.
Google is telling you to buy their particular brand of fence (which has inextricably an insane markup). And they disallow it for pool shapes they dont like and you dont have an appeals process for it.
fleshmonad · 18h ago
Okay, how would you fix the scammy email problem? Only allow authorizing people to send emails after they applied for a government issued address?
Outlaw all non big corpo operating systems?
Perfect surveillance? All because some boomers can't into common sense?
It's also ironic that you bring up warning signs as a counterexample to my point, as it's exactly what I am saying. You can warn them, but you don't bar them from doing so.
diebeforei485 · 1h ago
I think sideloading should be allowed only if you actually connect your phone to a computer. This barrier will prevent a lot of vulnerable people from being scammed.
Alternatively, sideloading could require you to delete all App Store apps. In other words, disabling Google Play Protect should require you to wipe your phone. This is another barrier that will prevent a lot of people from getting scammed.
miki123211 · 52m ago
Alternatively, require the user to decide whether they want sideloading or not at device setup time, with no ability to change this decision without wiping and starting from scratch.
It wouldn't solve the "getting infected via cracked apps" problem, but it would at least solve the "users being scammed into sideloading something they don't want" problem.
chii · 58m ago
deleting all app store apps is too high a barrier, because there may not be a replacement that could be sideloaded.
Freak_NL · 44m ago
I don't see that changing either. Banking apps, government auth, Whatsapp¹, public transport apps², etc. The status quo is that a small number of official app store apps are all but required.
1: Still basically required if you have young children and want things like play dates. Oh Signal? Yeah, the recent push means that some tech-savvy users now have both Whatsapp and Signal installed. In the Netherlands, you can do without Whatsapp, but not if you don't want to turn your child into a social recluse.
2: For example, in order to use Germany's Deutschlandticket one of the participating public transport companies apps is required. This is a huge regression compared to the initial paper ticket, but there it is.
interloxia · 7m ago
I guess requiring a transport subscription to get the ticket, via app or smart card, is rather analogous to the topic of adding friction to the undesired path.
razighter777 · 18h ago
What about making side loading require some moderate level of technical sophistication? Like connecting to the phone over usb and having to manually type some long shell commands, or exit vim, or write a compiling c program, or some other layman proof filter to activate installing outside apps. I feel like grandma would be too intmimidated by this (good), making it too frustrating for even the most determine scammer to explain, no matter how desperate they are for her social security checks. Have it be done in the bootloader so you can't follow these instructions while on the phone, and require physical interactivity with the device (can't be automated over usb). Regardless, this policy is an unacceptable infringement on digital freedom by google.
bombcar · 2h ago
Even if it requires equipment, if people want it, someone will sell doing it.
If there’s a real downside, they’ll be affected.
accle · 18h ago
I believe this is already the case. You can purchase phones that may be bootloader unlocked, allowing custom firmware to be installed. This enables a tech-savvy user to sideload anything they like.
mathiaspoint · 18h ago
Closed drivers need Android userspace -> Android panics or otherwise refuses to function if it decides it's SE Linux policy is compromised -> you still don't have control over the device.
And we're back to "just break into the thing you've already paid for." Nope. Go away. No more smartphone crap.
accle · 18h ago
If you install custom firmware, you can control the SELinux policy that is configured and enforced by that firmware.
Mordisquitos · 18h ago
> There are, I think, two small cracks in that argument.
> The first is that a user has no right to run anyone else's code, if the code owner doesn't want to make it available to them. Consider a bank which has an app. When customers are scammed, the bank is often liable. The bank wants to reduce its liability so it says "you can't run our app on a rooted phone".
> Is that fair? Probably not. Rooting allows a user to fully control and customise their device. But rooting also allows malware to intercept communications, send commands, and perform unwanted actions. I think the bank has the right to say "your machine is too risky - we don't want our code to run on it."
> The same is true of video games with strong "anti-cheat" protection. It is disruptive to other players - and to the business model - if untrustworthy clients can disrupt the game. Again, it probably isn't fair to ban users who run on permissive software, but it is a rational choice by the manufacturer. And, yet again, I think software authors probably should be able to restrict things which cause them harm.
It's not clear to me whether in this fragment the author is stating the two alleged cracks in the argument or rather only the first one — the second one being Google's ostensible justification for the change. Either way, neither of these examples are generalisable arguments supporting that 'a user has no right to run anyone else's code, if the code owner doesn't want to make it available to them'.
With regards to banking apps, the key point has been glossed over, which is that that when customers are scammed the bank is 'often' liable. Are banks really liable for scams caused by customer negligence on their devices? If they're not, this 'crack' can be thrown out of the window; if they are, then it is not an argument for "you can't run our app on a rooted phone", but rather "we are not liable for scams which are only possible on a rooted phone".
As for the second example, anti-cheat protection in gaming, the ultimate motivation of game companies is not to prevent 'untrustworthy clients' from 'running their code'. The ability of these clients to be 'disruptive to other players' is not ultimately contingent on their ability to run the code, but rather to connect to the multiplayer servers run by the gaming company or their partners. The game company's legitimate right 'to ban users who run on permissive software' is not a legitimate argument in favour of users not having full control over their system.
edent · 18h ago
Thanks for the feedback. Those examples are meant to cover the first point.
The problem if you are a bank is that scammed people can be very persistent about trying to reclaim their money. There's a cost to the bank of dealing with a complaint, doing an investigation, replying to the regulator, fielding questions from an MP, having the story appear in the press about the heartless bank refusing to refund a little old lady.
It is entirely rational for them to decide not to bear that cost - even if they aren't liable.
snowe2010 · 17h ago
> rather "we are not liable for scams which are only possible on a rooted phone".
Who is going to prove that though? It’s much simpler and less stressful on our court systems if a bank just says “we don’t allow running on rooted phones” and then if a user takes them to court the burden is on proving whether the phone was rooted or not rather than proving if the exploit that affected them is only possible on a rooted phone.
jackothy · 18h ago
I have come to the conclusion that both Android and iOS, along with the banking systems, are all doomed platforms.
Even something like GrapheneOS, in theory the best path to security and privacy and liberty, was falling way short even before this latest announcement from Google.
The problem lies partially in the app ecosystems, which embrace spyware and exploiting users (requiring all the worst Google APIs), and partially in governments, which will leverage any centralized organization like Google to gain control (EU chat control etc.).
The solution cannot be just a custom OS or an OS fork. In fact, ecosystem compatibility is toxic and slows down growth of real alternatives. There needs to be some wholly independent and decentralized offering.
The challenge is hardware compatibility and core services like digital IDs. Most apps should be solved by using a website instead.
These issues are especially important because the future is increasingly digital. Smart phones, smart glasses, smart watches, VR glasses, smart homes, and even brain implants. I don't want to live in a future where I'm either left behind or my whole life is controlled by Google/Apple/the government/etc.
rcarmo · 14h ago
The “use a website instead” angle doesn’t really work for a lot of things, and given the impermanence of websites these days, is actually a major point of potential failure.
jackothy · 13h ago
The "use a website instead" angle should work for the majority of things people spend phone time on. For the few things that could not be a PWA, some extra effort is needed.
barnabee · 18h ago
> 00. Users should be free to run whatever code they like.
> 01. Vulnerable members of society should be protected from scams.
00: yes, always; 01: yes, but not at the expense of 00 (or probably some other things)
snowe2010 · 18h ago
Why? What’s your logic and reasoning?
bigstrat2003 · 47m ago
Safety is not a valid reason to limit freedom. We cannot, and should not try to, keep people safe from their own bad decisions. That is treating adults like children, which is offensive to human dignity.
wiseowise · 29m ago
Because safety should never come at the cost safety?
How would you feel if your brain was “safeguarded” against potentially harmful thoughts?
vbezhenar · 18h ago
There are millions of homeless or otherwise struggling people all around the world, who would let anyone to use their identity for a small compensation. I don't really see how this requirement to register in Google will help with app security. So the malware will be signed with John Smith living under a bridge, now what?
solatic · 19h ago
< Vulnerable members of society should be protected from scams.
There are three ways to deliver protection: build better walls, defeat attackers after successful initial attacks, defeat attackers before successful initial attacks.
The article ties itself into knots because it recognizes that the first way cannot deliver 100% security. But it refuses to recognize that there are two additional ways.
The United States military could go after scammers operating from foreign compounds. It could treat the economic targeting of American citizens as acts of economic war. It chooses not to. Freedom is not free, and when your country chooses to literally not fight for your freedom, it's hardly any wonder that your freedoms are eroded.
Remember XKCD 538: https://xkcd.com/538/ Cybersecurity and physical security are fundamentally linked.
rafram · 18h ago
Scammers can operate from literally any country in the world, in any location where they have access to the internet. The idea of the military busting into a Bin Laden-style scammer compound is very romantic, but plenty of these operate from regular offices or homes, and it’s trivial for someone new to get into the scamming business if a big scammer is taken down.
wiseowise · 25m ago
Just nuke them into oblivion, like Google and Apple nuke freedom to own your device.
solatic · 18h ago
People forget both why the US invaded Afghanistan in the first place, and why US financial sanctions are so effective. The US invaded Afghanistan, a country whose government was not directly involved in the 9/11 attacks, because that government refused to extradite OBL and other senior Taliban leadership, to bring them to justice in the United States. US financial sanctions are so effective because they cut off foreign institutions from the US financial system if those institutions do business with those who harm Americans and American interests. Soft power is backed by hard power, first against organizations hosted by governments willing to cooperate with the US, and eventually against governments unwilling to cooperate.
That scammers can operate from anywhere is beside the point. More often than not, law enforcement and the military know where that is. A conscious decision is made not to prioritize or fund fighting it.
avianlyric · 15h ago
That’s easy when you’re dealing with people operating in countries where your existing relationship is poor or non-existent. There’s nothing practical that country can do to fight back against U.S. demands.
But try applying that approach to India or China. Do you think those countries are going to allow the U.S. military to operate on their home turf, shooting at their citizens, and not retaliate? It doesn’t even have to be military retaliation, the U.S. economy is heavily intertwined with those countries, just look at the consequences of Trumps tariffs. Do you honestly think U.S. citizens would be willing to trade off the trade benefits of working with those countries, just so you run a military raid on building of scammers?
solatic · 1h ago
> Do you think those countries are going to allow the U.S. military to operate on their home turf, shooting at their citizens, and not retaliate?
It's not related to scamming, but the US did just bomb Iranian nuclear facilities; the reaction was a face-saving gesture that was intentionally weak so as to de-facto de-escalate. So the answer to your question is basically yes. The costs of a wider war are too large to the host country to make it worth it to continue to allow scammers to operate freely.
> just look at the consequences of Trumps tariffs. Do you honestly think U.S. citizens would be willing to trade off the trade benefits of working with those countries, just so you run a military raid on building of scammers?
Don't you realize that Trump's election, his tariffs, all this is due to popular sentiment that the US was getting the raw end of the deal in its foreign affairs, that there was a need to, literally, put America First? If anything, such ideas, to have targeted attacks and enforcement aimed at the exact actors targeting American citizens, have been at their most popular in decades, at least since the Iraq war went off the rails.
rafram · 13h ago
Yeah. And even in situations where there’s no alliance to disrupt (e.g., Chinese scam compounds in functionally lawless areas of Myanmar), I don’t imagine that most Americans would be sold on the idea of a military operation against scammers.
woliveirajr · 19h ago
>> Vulnerable members of society should be protected from scams.
> There are three ways to deliver protection
While I agree with your idea I'd like to remember that there are previous steps: teach people to be less vulnerable. Teach people to be less greedy. Teach people the consequences of actions.
Being less vulnerable is an obvious definition: know how to not fall for some scams.
Less greedy: some scams revolve around the idea of quick and ease profits and the comeback is hurtful because the person thinks he would get x and ends up losing 500x.
Consequences of actions: there's a lot of value to the group that observes the (bad) consequences of one actions. Pain, even from others, teaches something. The more we protect people from consequences, the better and safer it is about small losses until the actions go beyond the protection and the consequences are catastrophic.
solatic · 18h ago
I fully agree that there's a different strategy for before the line is crossed, one that is often more humane, more freedom-respecting, and cheaper to boot. Too often those strategies are sadly under-funded.
That's beside the point that the line, too often, is being crossed, and perpetrators are allowed to perpetuate their crimes, instead of the military and/or law enforcement stepping in and performing their organization's missions to protect us, especially the most vulnerable among us.
natch · 3h ago
Authors like this love saying that it’s all about installing apps you choose on a device you own and control.
Who could disagree with that?
The problem is it’s often controlling household members sneakily installing creepy things on devices of those they live with and want to control.
bangaladore · 2h ago
> The problem is it’s often
I'd like a source for that. News to me if that is common at all. Not to mention there are apps on the playstore / ios store that can be used in a similar way without sideloading.
wiseowise · 28m ago
If only there was some kind of biometric protection on those devices, preventing from unauthorized access.
zdw · 19h ago
Most of this problem is solved by not hiding the trust model.
Do you want an phone where you trust Apple/Google/3rd party to make a "malware or not" decision? Or one where all that is turned off and you can do whatever? Go right ahead in either case - you control the trust, rather than it being made for you by the platform vendor.
Similarly, we have certificate infrastructure where the TLS roots are owned by a small number of people. These are generally trusted, but some people/organizations edit them down (ex: removing roots from state actors deemed untrustworthy). But it's hidden, and generally a lot of choices.
Even linux distros, you pick which package signing keys you trust.
And Docker/K8s... oh wait, there's no default keys and containers remain being developer's puke bags in most cases, and the repos are rugpulled by corporations regularly...
Nursie · 18h ago
I look forward to you explaining all that to my elderly mother.
Once you’ve explained the difference between Google and “the internet”, you may stand a chance. I wish you luck, I’ve been trying that for a while.
BRB, heading out for popcorn.
martin-t · 18h ago
> Here's the story of a bank literally telling a man he was being scammed and he still proceeded to transfer funds to a fraudster.
> The bank blocked a number of transactions, it spoke to James on the phone to warn him and even called him into a branch to speak to him face-to-face.
Y'know, at some point the cost of protecting the dumbest people is too much to be worth it. I am perfectly fine with some people getting hacked, doxxed and scammed out of their life savings if the alternative is everyone losing their freedoms.
Freedoms are important because without them people with power go unchecked more and more. It's a slow process but it culminates in 1) dictatorship at the state level 2) exploitation at the corporate level.
BriggyDwiggs42 · 1h ago
Frankly, I think this sort of behavior in a non-senile person constitutes disability, and I think it demonstrates societal failure to provide people with disabilities with support structures. Where was a friend or family, why was this guy operating a bank account to begin with?
mixxorz · 18h ago
Just make it harder to disable security.
At point of purchase, you get to decide whether you want secure mode or not. Then after that, if you want to change it, you have to open a support ticket with the manufacturer.
Kinda like how SIM-locking works.
edent · 18h ago
Look at the people who are conned into buying Apple Gift Cards so that they can "pay their taxes".
If they can be convinced of that, how hard will it be for a scammer to say "we've detected a problem with your phone. To avoid being imprisoned for piracy, please file this support ticket so we can debug things."?
chii · 46m ago
being conned into buying gift cards means the weak link isn't with the security of the phone, but with the person's brain.
Making the device so locked down that no such con could exist also means there's no way to use the phone in ways that haven't been authorized - and as a power user, i detest that i am paying a price for the safety of those who are too stupid. I do not want to pay that price.
Conveniently, google gets to remain in a position to earn more money from being in the controlling seat.
as they say, if you trade freedom for security, you'll end up with neither.
bitbang · 18h ago
Devices should offer a local signing cert, where you can sign an app for that device only. Then make the app signing process enforce binding agreement that you assume all responsibility related to the app.
evolighting · 2h ago
Safety is important, but may not that important. So, shouldn’t we just create something like a "secure virtual machine" to make it easier to protect sensitive content, rather than requiring the highest level of security for everything?
fsflover · 18h ago
The most secure OS existing, Qubes OS, allows and encourages installing any untrusted software and protects you with strong, hardware-assisted virtualization.
enriquto · 19h ago
> Are you allowed to run whatever computer program you want on the hardware you own?
Yes. It is a basic human right.
> This is a question where freedom, practicality, and reality all collide into a mess.
No; it isn't. The answer is clear and not messy. If you are not allowed to run programs of your choice, then it is not your hardware. Practicality and "reality" (whatever that means) are irrelevant issues here.
Maybe you prefer to use hardware that is not yours, but that is a different question.
rikafurude21 · 18h ago
It seems that this is another one of those things where the lowest common denominator sets the rules for everyone. Most people arent tech savvy programmers so giving them the freedom to do 'whatever they want' will lead them to hurt themselves in some way. Of course this is not an excuse for locking down your hardware. Smartphones just came into being as a consumer-first product and didnt require many of the freedoms that programmers needed, which is why computers are fundamentally more open than smartphones. Apple of course is trying to change that with their Macs
squigz · 18h ago
You don't need to be a "tech savvy programmer" to be aware of the risks on the Internet and not do stupid shit.
fc417fc802 · 4h ago
TBF historically systems were designed with such poor UX that it was sometimes quite difficult not to do stupid things. Such as using Windows back in the day without installing software from the internet at large (ie there was no reputable package manager).
But that's a system design issue as opposed to an argument against user freedom.
pjmlp · 2h ago
You mean like using curl, shell, and sudo that is so prevalent these days?
Only that nothing about this requires big expertise. If you are a user of computers, you should be able to navigate the basics. It's the same like driving a car, you must know the traffic rules and how to behave, but that doesn't mean you have to understand how your engine works in detail.
rikafurude21 · 17h ago
If you want to drive a car you go through driving school and have to pass the tests to get a drivers license. Theres no drivers license for the internet and not really any strict set of rules you have to follow in order to get online - most people pick up a sense for rules online by osmosis, usually about how to not get scammed or get malware - sometimes they have to learn by first hand experience. If we go by your comparison this would be like learning to drive by crashing a couple cars. I definitely believe anyone whos even a little tech savvy underestimates how complicated or confusing technology can be for the average person.
gr4vityWall · 18h ago
> this is another one of those things where the lowest common denominator sets the rules for everyone
In that case, the solution should be to raise the lowest commmon denominator. Lots of issues like that could be prevented by investing in education to increase technology literacy. But long term investments (even public ones) do not match well with quarterly reports.
rikafurude21 · 17h ago
I would say young people grow up with tech and usually are very tech literate.
shagie · 17h ago
Tech... a "maybe" yes.
However, this isn't entirely a tech problem - it's a social/human one.
Not every mechanic has a driver's license. Sure, they may enjoy working on cars and the technology of cars... but for one reason or another they may have never gotten or have lost their driver's license.
Not everyone who is tech literate is similarly socially literate. I have programmer co-workers who have been scammed into sending gift card authentication codes or installed malware (or allowed the installation) onto their personal computing devices.
It isn't possible to prevent someone from accessing the internet any more than it is possible to prevent them from accessing a phone.
I am not saying that one should have a license to access the internet. Rather, I am saying that a device that holds and maintains the authentication mechanism for doing banking transactions, it is not unreasonable for the maker of that device and its software to attempt to mitigate the possibility that they are held liable for negligence in allowing user installed software to do banking without the owner's consent.
With the uncertainty that everything in the operating system and hardware is locked down to the point where no-consent access by malware to those banking capabilities is completely restricted (and thus they're not liable for negligence) - the wall that is being put up to try to prevent that is "no software that has not been vetted can be run on this device."
Consider that the phone is often the authentication mechanism and second factor for authorization to restricted systems. Authy, Microsoft Authenticator, and other 2nd factor applications typically do not run on general computing devices.
Technical literacy does not imply social or security literacy.
Hizonner · 15h ago
> Technical literacy does not imply social or security literacy.
Indeed. And people were falling for scams long before the Internet. What's new is the push to make that the fault of bystanders... thus causing those bystanders to intervene. It's neither the bank's fault, nor Google's fault, if somebody falls for a scam. Or installs malware. Or whatever. If you try to make it their fault, they're going to do really annoying things that you don't want.
Sure, you can sell security tools, or curation, or whatever. Many people will even want to buy them, but things break when that starts being a duty. And the only way to prevent it from becoming a duty is to accept that people own their own mistakes.
shagie · 15h ago
> And the only way to prevent it from becoming a duty is to accept that people own their own mistakes.
This tends to be counter to consumer protection laws or data privacy laws.
A company that can be held to strict liability for their actions can be sued (and be found liable) even if they presented that the action is unreasonable or dangerous.
In saying a consumer who buys a 100% "you can do anything on it" device liable for every action that that device takes no matter what initiated that action?
To me, the argument that you should be able to do anything on the device and be held liable for all the actions that device allows is very similar to that of "the maker of the device has no liability for providing a device that can be misused."
If that is the case, then (to me) this would need to be something that would need to be changed by the courts and the laws (and such a company would need to pull completely out of Europe).
Hizonner · 15h ago
Indeed, the bad attitude I'm talking about has found its way into some laws, as well as into other kinds of norms and expectations. That doesn't make it good.
You may be exaggerating it, but insofar as you're right, you're just describing the problem.
tempodox · 16h ago
> no software that has not been vetted can be run on this device
That’s just it. Software isn’t being vetted. Witness all the scam apps in the iOS and Android app stores. Even paid developer accounts don’t stop people from publishing these, nor does Apple’s walled garden protect you from them.
shagie · 16h ago
Do not make perfect the enemy of the good. There are failings of vetting.
That said, for sensitive apps they tend to go through more strict scrutiny of their functionality. Publishing a "Wəlls Fargo" application will likely not get approval.
The question isn't "does it need to be 100%" but rather "if was not done at all, would Apple or Google be liable for flaws in their software (e.g. VM breakouts) that allows malware to do banking transactions, location tracking, or place calls (e.g. 1-900 number dialing) without user consent?"
I'm fairly certain that Apple and Google take measures to limit their liability. With how courts and countries are finding technology companies liable for such (consumer and data privacy protections), I would expect to see more restrictions on the device to try to further limit the company's exposure.
ColinWright · 17h ago
I deal with a lot of young people who have grown up with tech, and my experience is that in general they haven't got a sodding clue about how anything works, or the implications of any of this.
Absolutely not a Scooby.
mathiaspoint · 19h ago
Or it's not a computer and really something more like a television. In that case these things should be thought of as a vice rather than a productivity tool.
The social structure of the smartphone app ecosystem is remarkably similar to the cable provider -> network -> show situation from before too.
ninkendo · 19h ago
The example I always go to is a Nintendo or PlayStation, etc.
They’re clearly just computers, they’re “hardware you own”, but you’ve never been able to run whatever software you want on them. But it’s been like this since the 1970’s and there’s never been an uproar over it.
For me the difference is that you know what you’re getting into when you buy a console, and it’s clear up front that it’s not for “general” computing. I’m inclined to put smart phones into this category as well, but I can see how reasonable people may disagree here.
danieldk · 18h ago
For me the difference is that you know what you’re getting into when you buy a console, and it’s clear up front that it’s not for “general” computing. I’m inclined to put smart phones into this category as well, but I can see how reasonable people may disagree here.
I think there is a huge difference. You can perfectly live your life without a game console. Even if you are a game addict and it is absolutely necessary for you to live, you could buy a PC and game on that.
Smartphones are a necessity nowadays. Some banks only have smartphone apps (or require a smartphone app to log in to their website). Some insurers want you to upload invoices with an app. Some governments require an app to log in (e.g. the Dutch DigiID). You need a smartphone to communicate with a lot of organizations and groups.
Smartphones have become extremely essential. And two companies can decide what does and what doesn't get run on a smartphone and they can take their 30% over virtually everything. They can destroy a company by simply blocking their app on a whim (contrast with game studios, which could always publish their game for PC or Mac or whatever).
It is not a healthy, competitive market. It is the market version of a dictatorship. And Google forbidding non-app store installs is making it worse.
Governments should intervene to guarantee a healthy market (the EU is trying, but I think they are currently worried about the tariff wrath).
snowe2010 · 18h ago
I have a friend that still uses a dumb flip phone from the early 2000s. No smartphones are not necessary.
danieldk · 16h ago
There was a documentary over here on TV about people that do not use smartphones. The conclusion was that it was almost impossible, they often have to rely on other people for certain things, and are excluded from a lot of social circles.
gr4vityWall · 18h ago
Surely it would be better if console makers gave users freedom to control the device, rather than smartphones not being in the users' control either.
Unfortunately, the copyright lobby of the video game industry was too strong in the 70s/80s/90s, so here we are.
mathiaspoint · 18h ago
Those are not really personal computers, they're fancy set top boxes and extensions of the television.
ninkendo · 17h ago
They have the same hardware in them as a personal computer, and essentially always have. (The original Nintendo had the same CPU as an Apple II.) The difference is only how they were marketed, and the artificial limitations on what software you could run.
mathiaspoint · 17h ago
Right. They're vices and not tools even though they might look like tools.
jackothy · 18h ago
The problem is larger than just smart phones. Smart phones are the templates for all future devices. You car now runs Android as well.
In the future, when your whole house is controlled by a computer, do you want that computer to be controlled by Google or to be controlled by yourself?
cwillu · 19h ago
Only because of sustained pressure from all the usual suspects to try to make that the social structure.
mathiaspoint · 18h ago
I think it's always going to evolve that way when people are so concerned about "safety" (no matter how that's defined) that all the escape hatches are removed.
gumby271 · 12h ago
Is it the people that are pushing for this though? Apple has long pushed privacy and security as a way to maintain their control over personal devices, the people just believe it and accept it. Google is just taking notes and seeing how profitable that approach is. Provided there's no push back, they'll succeed easily with no one actually asking for this.
martin-t · 19h ago
Increasingly, I keep noticing that all human-corporation relationships are a rehash of older power structures and basically struggles for power in which people gradually keep losing it until they realize they are exploited and then finally start fighting back.
People started free and equal, then some specialized into warriors[0] and gradually built deeper and deeper hierarchical power structures, called themselves "nobles" and started exploiting the "commoners".
At some point people snapped, killed a bunch of them (French revolution, US was for independence, etc.) and decided they wanna rule themselves.
And then companies started getting bigger and bigger, with deeper hierarchical power structures, the "nobles" call themselves "executives" or "shareholders" and the people doing actual productive work are not longer "commoners", they are "workers"[1].
[0]: And thus controlled the true source of power - violence.
[1]: Ironically admitting that people who are not workers are not doing real work, they are just redistributing other people's work and money.
I don't like describing it as cycles because it is too simplistic and pretend it is inevitable, robbing people of agency.
I prefer to think of society as a system where different actors have different goals and gradually lose/gain influence through a) slow processes where those with influence gain more from people who are sufficiently happy to be apathetic b) fast processes when people become sufficiently unhappy to reach for the source of all real world influence - violence.
This happens because uneducated/dumb/complacent people let it happen. It can be prevented by teaching them the importance if freedoms and to always fight back. But that goes directly against the interests of those in power - starting from parents who want children to be obedient.
conradev · 18h ago
Control over hardware isn’t actually the issue at stake here: many Android devices can unlock their bootloaders in a moderately safe way. Go nuts.
It’s a more tricky issue where Google and other parties can restrict access to their services to devices they deem legitimate. Their services, their rules. Your hardware. Different arguments required.
It’s everywhere: Widevine is used to prevent stealing 4K content (incl ATSC 3.0), gaming providers use it for anti-cheat, banks use it to rate limit abuse. It’s not just Android.
(I say this as someone with an Apple Vision Pro running visionOS 1.0 with the hope to jailbreak it one day. I’m actually unable to do whatever I want to their hardware, unlike my Pixel phones.)
mathiaspoint · 18h ago
There are actually just about no services that genuinely need hardware attestation other than some DRMed music/video and zelle. Everything else pretty much works on Linux in a browser or has some substitute that does.
conradev · 14h ago
Yes, only some things for now! I hope it stays that way or decreases, but that’s not the way the arrow is pointing.
Providers still implement it where they can, like for blackout restrictions for US sports games: impossible to enforce on the web because I can spoof location. Very possible to enforce on iOS because jailbreaking is not possible. Possible to enforce on Android because you can check if spoofing was made possible.
It’s currently the primary reason I can’t play games online on Linux.
fsflover · 17h ago
> many Android devices can unlock their bootloaders in a moderately safe way.
And yet you can't install an alternative OS like Mobian, postmarketOS or PureOS due to the closed drivers and specs.
accle · 18h ago
> > Are you allowed to run whatever computer program you want on the hardware you own?
> Yes. It is a basic human right.
Says who?
What's your philosophical argument in favour of this?
justinrubek · 18h ago
It's directly in the text.
> hardware you own
MrsPeaches · 18h ago
Is it not possible to run software on any hardware you own?
Is it illegal to spin up a Linux server on your mobile phone?
fsflover · 16h ago
It's practically impossible due to the closed drivers and specs, directly causing planned obsolescence and e-waste. It should be a part of the right to repair.
accle · 18h ago
That's not an argument.
Please explain how owning an item of hardware implies that running whatever computer program you want on it is a basic human right.
kartoffelsaft · 12h ago
If there are rooms in your house someone else could lock you out of, do you own the house or do they?
If someone else could use your car without your permission, do you own the car or do they?
If someone could grow their own plants in you back yard, do you own the garden or do they?
If someone else could choose what programs run on your computer, do you own the computer or do they?
Saying "basic human right" instead of just "basic right" may be odd, but definitionally, owning a thing means having the right to say how it is used. Either you own it and have that right, or you don't own it and don't have that right. That's what owning means.
There are times when it is necessary to limit the rights that a individual has so that the system that the individual lives within can work.
You can buy a radio transmitter, but you're not allowed to operate it without a license. You can likewise buy a car, but you aren't allowed to operate that either without a license.
You do not have the right to modify your phone so that it acts as a radio frequency jammer.
Possession of a device does not give an individual unrestricted rights to what can be done with it.
wiseowise · 16m ago
Requiring something and locking someone out are completely different things.
I’m fine with government requiring smoke detectors in my home, I’m not fine with completely unregulated private entity deciding how I live in my home, bought with my money.
And in case of a muffler, there’s literally no one in this entire world who can stop me from removing it. There are repercussion for doing so, but nobody stole my rights from removing it.
rafram · 19h ago
That’s a great ideal, but Android is used both by sophisticated users who want a phone they can tinker with and the tech-illiterate grandparents of the world, who will never have a legitimate reason to install an app outside the Play Store, and who would never attempt to do that unless they were being guided by a scammer.
danieldk · 18h ago
So, put a toggle somewhere. When the toggle is toggled, put up a big fat warning sheet and say if somebody on the phone or mail asks you to do that, 99.9% it's a scammer.
If people still go for it, then it is their responsibility. A lot of things in life require responsibility because otherwise the results can be disastrous. But we don't forbid them, because it would be a huge violation of freedoms.
rafram · 18h ago
But it’s not someone on the phone - it’s their best friend / star-crossed lover who they met on WhatsApp because of a chance wrong-number text! Since then they’ve become incredibly close, and they can trust each other with anything. When their lover gives them some amazing investment advice and it requires clicking through a scary-looking prompt (like they do all the time on a phone), who do they trust - their one true love or a generic warning message on their phone?
You have to take into account that the threat model here is vulnerable people, often older, being taken in by scammers who talk to them for weeks and gain their complete confidence. To the victims, it feels like a real romantic relationship, not someone who could even possibly be a scammer.
danieldk · 18h ago
The solution is not taking people's freedom away. The solution is education. Lesson 1: lovers are not for investment advise.
Also, scams also happen outside smartphones.
What's next? Are we going to revoke people's control over their financials because they might be scammed? Let's have the bank approve before we can do a transaction. And since we are using their payment platform, maybe they should also take 30%.
Please stop feeding their narrative. Scammers are Google/Apple's "but think of the children".
rafram · 18h ago
> lovers are not for investment advise.
Aren’t they? I ask my partner for investment opinions all the time.
> Let's have the bank approve before we can do a transaction.
Yes… That’s already how it works. Banks use heuristics to detect and prevent suspicious transactions. That’s why most of these scams ultimately involve crypto.
danieldk · 16h ago
Aren’t they? I ask my partner for investment opinions all the time.
Obviously, the probability of it being a scammer reduces with the amount of time. In the end it's a function of time vs. effort. Scamming billionaires by marrying them and waiting until they die happens frequently enough. A 5 year scam for a few thousand bucks, unlikely.
As usual, use common sense, which you would have to do anyway if you do investments.
rafram · 13h ago
There are lots of older people who have never really invested their money, have a lot in their savings account, and might be excited by the idea of a get-rich-quick crypto investment they hear about from someone they trust. Even if they’ve only known them for a little while.
Hizonner · 15h ago
> Banks use heuristics to detect and prevent suspicious transactions.
... and it's really fucking annoying when their heuristics misfire-- which is not at all rare-- especially since they do all they can to externalize all costs of that to the customer.
throw0101c · 15h ago
> The solution is education.
We've been trying to educate people about passwords and phishing for years/decades now, and it has not worked. Further, every day a new ten thousand (US) people need to be educated:
> So, put a toggle somewhere. When the toggle is toggled, put up a big fat warning sheet and say if somebody on the phone or mail asks you to do that, 99.9% it's a scammer.
The proverbial grandparents will follow the instructions of the scammers and will click through all of that. We've had decades of empirical evidence: people will keep clicking and tapping on dialogue boxes to achieve their goal.
People have physically driven to cryptocurrency ATMs on the instructions of scammers:
Who cares? Granny is still allowed to buy knives and accidentally chop off her fingers while she cooks. If she ends up doing that it's either her fault or she's too old to be using knives. We don't ban or blunt knives just because you can cut yourself with them.
dns_snek · 12h ago
Okay great, seeing how every reasonable warning and technical restriction is completely pointless and how people will do everything they're told if they're naive enough and the person on the other end is convincing enough, we can skip this whole dance.
Because at the end of the day the scammer is going to convince your grandma to go to the bank, withdraw the entirety of her savings and send them to the scammer in an envelope.
Any technical restrictions therefore only harm our personal freedoms and don't actually protect those who are vulnerable because those people's problems aren't technical in nature.
gumby271 · 18h ago
Then why not lock down their devices. Why aren't people using the parental controls on their parents phones to lock it down and own in on their behalf? I don't understand this idea that because there are some people vulnerable to scams that we all have to give up control to Apple and Google. The option to move the trust and ownership to another party is useful, but it doesn't have to be just those two parties as options.
rafram · 18h ago
Not everyone has children. Not everyone has children who they remain in contact with. Not everyone has children who are tech-adept enough to do that. Not everyone has children who are less vulnerable than themselves.
gumby271 · 18h ago
Well maybe let's start small and cover the people that do first, just to see how that goes. Instead we're starting with all people on the planet, and it will be declared a success because the metrics will say it was, there's no rolling this back.
And it doesn't have to be children of parents, that's just the common example that's brought out every time this comes up.
snowe2010 · 18h ago
We literally did start with that… that’s the current situation, everyone has parental toggles and yet millions of people get scammed for billions of dollars a year. You’re acting like we (and these massive corporations) haven’t been trying for decades at this point. And you’re saying we shouldn’t be trying more stuff, we should just stop and give up and let innocent people get scammed because you want to be able to run whatever on your phone.
dns_snek · 12h ago
> let innocent people get scammed because you want to be able to run whatever on your phone.
As always it comes down to insulting and emotionally guilt tripping people to screw them out of their freedoms and of course there's never even a shred of evidence to support any of these incredible claims. You're laying it on too thick, give us a break.
> You’re acting like we (and these massive corporations) haven’t been trying for decades at this point.
You're acting like this would make a dent in the total number of people who are scammed every day.
And it just so happens that the only acceptable remedy necessitates infringing on billions of people's personal freedoms which will, incidentally, secure trillions in future profits for these corporations. All that for a temporary speed bump that would only affect a minority of scammers who would adapt in a month.
gumby271 · 18h ago
Maybe I'm wrong, but I have never seen Apple or Google suggest that someone use the parental control tools on a vulnerable adult person's phone to prevent them from hurting themselves. They have never run such a campaign for awareness or changed those tools to make them more palatable to controlling adult's phones (these tools are always sold as things to enable on a child's device). So no, I don't think we've started with that. We've started by adding some toggles and scary warning, and I agree that hasn't worked. I never suggested we stop trying, I suggested we allow the trusted owner/admin of the device to be more easily assigned to someone that person trusts, not just forcing Google into that role without consent.
Hizonner · 15h ago
You do not want to live in a world where that's normalized. There are legal processes for determining when somebody's "vulnerable" enough to need a guardian. Those process are heavy and strict for a damned good reason. And sometimes still not strict enough.
gumby271 · 15h ago
If I'm drunk and give my friend my car keys and ask them to not let me do anything stupid, I'm not giving up my legal rights to autonomy. I don't think this is any different. Legal guardianship is entirely unrelated, unless we're having some slippery slope fun.
Hizonner · 15h ago
So you expect aging parents to actively ask their children to put controls on their devices, and not to reverse that decision when it matters most?
Many, probably most, of the people most at risk aren't going to do that.
When you're (somewhat) drunk, you know that you're drunk, and you're still able to comprehend how that will slow down your reactions while driving. When you're being scammed, you think you're right... and if you begin to doubt that, you may tend to push the thought out of your mind rather than follow it through, and to evade things that might bring it back. And it's very hard to admit to yourself that you're permanently impaired in that sort of way... especially when you're impaired in that sort of way.
gumby271 · 12h ago
I'm expecting us that come up with something better than "give all computing control to two US companies" Yes this idea has flaws that you're an expert at picking at, but there's gotta be some middle ground that doesn't treat all of us as the most tech illiterate or scammable people.
jackothy · 18h ago
Society is held back so much when the most capable have to live by rules made for the least capable.
Give the knowledgeable the freedom to use their skills. Separately, develop ways to help/protect specifically those that need it.
pydry · 18h ago
Or guided by their tech savvy children.
MrsPeaches · 18h ago
What else do you consider basic human rights?
My suspicion is: were you to list them, running programmes on hardware you own would be fairly low on that list.
2paz7x · 18h ago
So because it's low on the list it's not a right? Where do we draw the line? Let's do an experiment. Which rights can we take away from you? Some are pretty far down the list, right? The right to live is pretty important, so that's all the way up on the list. So where's the line drawn?
hollerith · 18h ago
I don't want to live in your overly simplistic world.
fleshmonad · 18h ago
How is this overly simplistic? It is pretty simple. You buy some hardware, and some company wants to force you to use their telemetry ridden, data collecting software under the guise of stupid people being unable to do a google search and comparing a string. I can safely say I don't want to live in your technocratic techbro wet dream.
hollerith · 18h ago
Remote attestation is a useful capability. One example: it can be used to create a camera such that the photographer can prove that an image is an accurate recording of reality and not AI-generated. Without remote attestation, we will soon enter a state of affairs in which the courts (and anyone else, too) cannot ever rely on photographic or video evidence.
The banking system has been relying on remote attestation for decades to ensure that devices used in settling financial transactions have not been tampered with:
Also, I think the chip-and-PIN cards used for most in-store transactions in Europe for the last 20 years rely on remote attestation and tamper resistance to prevent fraud.
Finally, in the domain of desktop and laptop computers, there is a big security hole in that most components (certainly, disk drives and storage devices, but basically any peripheral or board) are essentially embedded computers that can be pwned with the result that they stayed pwned even if the owner of the computer installs the OS from scratch. One solution to this would be for suppliers of peripherals and boards to get much better at securing their products or to stop using microprocessor to implement their products, but it would be quite a lot of work (and governmental intervention or at least intervention by industry-wide quasi-governmental entities that currently do not exist) to get from the current situation to the one I just described. The only products currently available that are secure against this threat (aside perhaps from using 40-year-old computers) use verified-boot technology to implement the security.
I.e., the only desktop and laptop computers you can buy where you can be reasonable sure some attacker hasn't installed malware in the computer's disk drive or track page or wifi module are things like Macs and Chromebooks, which implement the security using verified boot.
2paz7x · 18h ago
So we should all give up our rights so we can use the fancy new locked down technology to digitally sign our photographs. Oh, and now every photograph you ever post on social media can be tracked to your device. I love your future!! We should also install a camera in your bathroom. Just to attest. It's just attestation, bro.
fleshmonad · 18h ago
I am sorry that free choice what software to install on your device goes against your existential fear of "AI extinction" as displayed in your profile description. I guess I was wrong, and surrendering all your rights, being tracked and used for datapoints that will in turn be used to train AI is actually good.
hollerith · 18h ago
I don't think the "ethic" you are proposing (i.e., a consumer should have free choice of what software to install on their own device) has much bearing one way or the other on AI extinction risk.
Do you simply not care that this Linux computer that you have such warm feelings about is fairly easy to pwn (in part because of the lack of verified boot and in part because desktop Linux software is just much easier to pwn than the systems software on a Mac or a Chromebook or an iPhone or an Android phone) such that if you ever got to be an effective activist against some government or some powerful industrial interest, that government or industrial interest could fairly easily eavesdrop on everything you do with this Linux computer?
That doesn't sound much like protecting your individual rights.
fleshmonad · 18h ago
You're right. My loonixtard brain didn't grok this without your input. My device is going to be pwned because I didn't use a Microsoft verified image. Should I ever feel the need to start the revolution, I will make sure to use secure boot and use Microsoft windows using my employers account.
hollerith · 18h ago
It appears that most PC makers didn't implement verified boot correctly (e.g., they negligently left sample keys in the firmware they shipped), which is why I avoided any mention of Windows in my previous comments.
2paz7x · 18h ago
>this Linux computer that you have such warm feelings about is fairly easy to pwn
It's just not. Otherwise, all servers would be running your beloved iOS, wouldn't they?
>in part because of the lack of verified boot
This does not matter. I can generate my own keys.
>easier to pwn [...] than [...]an iPhone
Lol... If anything, phones are more vulnerable because you have less access to sandboxes and VMs.
This is a false dichotomy. The following are not the only two possible solutions:
* Everyone has to trust one of two giant mega-corporations to make good decisions for everyone
* Everyone has to take on the evaluation of everything themselves, do their own admin, understand opsec, etc etc.
Freedom does not entail the latter. Freedom means having the freedom to do it, but also having the freedom to delegate it, and to decide who to delegate it to. We don't have to be technology "preppers". We can set up and fund independent organisations to do this -like Debian, for example. And have competition between them.
Yes, that means some people will delegate their trust to their religious cult. That's the price of freedom
oakpond · 18h ago
Goodbye Android.
danieldk · 18h ago
And then what?
More like: time for regulators to step up and do their work.
oakpond · 12h ago
What makes you think they will? What makes you think regulators don't also want this?
fsflover · 18h ago
And then GNU/Linux phones. Sent from my Librem 5.
martin-t · 18h ago
Evolution used to work by some people dying before they could reproduce.
That's how we become the smartest animal on the planet. But it no longer works, we are very good at keeping everyone alive. And there's nothing wrong with that, as long as we don't compromise our freedoms to achieve it.
Some people getting exploited is the modern equivalent of leopards eating your face. It would be nice to protect people from it happening but NOT by everyone giving up basic human rights. And yes, in the modern world, running any software on your hardware should be a basic human right.
Especially at a time where computation is starting to resemble intelligence. Otherwise we all become serfs all over again.
martin-t · 16h ago
Ah yes, the rudest form of agreement - downvote without justification.
If you can't explain why i am wrong, consider i am right.
broker354690 · 9h ago
A certain kind of arrogant man who hails from the land of theory tends to believe that everything can be perfectly optimized, that even real-world systems can be designed with mathematical guarantees as to some constraint or another. In their world every thing and every one is an abstract variable to be managed and modified, a goat to be herded. User input is modeled as untrustworthy, hostile input and treated accordingly. The unwashed masses have never toiled in their sterile computer science cathedrals, never been anointed with the sacred waters of ROOT, and thus could never possibly deserve to wield the powers of computation without the infallible guidance of Saint Jobs (peace be upon him) and his holy host.
To compute on one's own is to open one's electronic soul to the Sins of Free Software. Such devilish arts must be shunted to the margins of society, till they may be purged on That Day when all shall bask in Google's light forevermore.
glitchc · 19h ago
Yes. Run the sideloaded apps in a VM. Modern phones are powerful enough to do that.
neuroelectron · 1h ago
Back when the Apple hardware for iPhone offered real isolation between apps, yes. But that's really hard to maintain and isn't PRISM-friendly. Neither Apple nor Google can justify offering real isolation for apps in the current market.
ggm · 1h ago
I thought sandboxes were precisely what they are doing.
On systems before apple's locked-down iphone, it was just called "installing".
The PC revolution started with people just inserting their software into the comptuer and running it. You didn't have to ask the computer manufacturer or the OS vendor permission to do it.
And note that apple doesn't allow you to protect yourself. You cannot install a firewall and block arbitrary software on your phone. For example, you can not block apple telemetry.
I'm not the user of my phone, I'm its owner.
Yes. Remove all of the features from the software. Now, I know you're wondering, "What if my users eat the battery?"
Next, remove the hardware itself. Now users cannot harm themselves at all.
The people who were scammed did not run rooted phones. Rooting your phone may allow you to install pirated applications containing malware. But most banking losses comes from scams where the user itself initiated a transaction.
Apple is only slightly better. They limit espionage from other parties but not their own. And meta ads still exist so they block was not very effective.
But should they? Should we also accept Google's browser signing and ban all browsers the bank doesn't like? Am I allowed to accept calls from people they haven't vetted or is it too much of a risk to the bank's bottom line that they might talk me into a scam.
I suppose we should also write off the inevitable privacy and freedom violations in the name of "security".[0] I don't have anything to hide after all.
[0]: https://en.wikipedia.org/wiki/Four_Horsemen_of_the_Infocalyp...
There are also banks which are app-only.
You'll also notice that modern phones have a "spam caller" feature. It either gets data from the phone network or from another source. Should your phone block the most obvious spam calls? Your email client already blocks spam.
At a network level, STIR/SHAKEN is also trying to block you from answering fraudulent calls.
These things are happening right now. I expect most people think a reduction in phone spam is worth the occasional false positive.
You may have a different opinion.
But otherwise I agree, I hate the same shit about requiring 2fa. Let me fucking decide about how much I care about my account being stolen.
If you want to hold the banks liable for fraud committed against you (which is exactly what happens in many countries), then it’s hardly reasonable to say that they’re not allowed to use what ever technical options they can to prevent that fraud.
You can put forward the argument that banks simply shouldn’t be responsible for fraud committed against their customers. But we only need to look at world of cryptocurrencies to see how well that works in reality.
Of course it's reasonable? You can give someone a job and also ask them to do it a certain way.
And if a lone developer has a cool new idea, and its app is recommended by users I trust on an obscure specialized forum, then I'll decide to install their app from "coollonedeveloper.com".
If only we could invent some kind of "domain names" system that one would have control and responsibility over, instead of trusting some broken unscalable app stores...
I literally have a banking app that will refuse to run on an “unsecure” phone. Today I can still install unsigned apps, but removing that ability is explicitly the goal of this policy change.
Can you please explain why there is no big push from the Google and Apple to remove microphone and camera access from the browsers? You claim that most users are "less skilled" and will allow anything , so for the grater good why not pushing to remove microphone, camera and file upload permissions? Why do we trust this users with reading a popup for permissions ?
Or maybe if the popups are not clear or good enough maybe is not the users fault ?
Though, that document also states:
> Our research [1] finds that users often make rational decisions on the most used capabilities on the web today — notifications, geolocation, camera, and microphone. All of them have in common that there is little uncertainty about how these capabilities can be abused. In user interviews, we find that people have clear understanding of abuse potentials: notifications can be very annoying; geolocation can be used to track where one was and thus make more money off ads; and camera and microphone can be obviously used to spy on one’s life. Even though there might be even worse abuse scenarios, users aren't entirely clueless what could possibly go wrong.
[1]: https://dl.acm.org/doi/10.1145/3613904.3642252
When there are problems reported about an app, there has to be a known party to hold accountable. I agree that a developer path that is complex enough that only people who know all the impacts are able to use to side load random apps they own or from someone they can trust, but the general population has to be protected unless at the individual level they are savvy.
So no free applications. Prepare to pay a subscription for every flashlight app.
Is it possible to restrict software installation and keep users free?
Now that Android is going full retard with their authoritarian BS, it’s time to build a new phone operating system or at least make the ones we already have viable.
It’s a monumental undertaking, but it needs to be done.
Apps created by me for my routine,
Does that mean i would not be able to install my apps ??
Everything about the so called stores is so decrepit, the safest way to get any decent software on is side loading / fdroid. How could you in sincerity argue any different?
Why is this a question of _allow_? Who is my hardware provider that he is somehow my guardian and must _allow_ me to install software that I want to install?
>Is it possible to allow people to do sports and keep them safe?
>Is it possible to allow people to roam freely and keep them safe?
>Is it possible to allow people to not be locked up in a padded cell and keep them safe?
People are responsible for what they are doing, and teaching them about technology is the best way to do deal with this example here, as it doesn't infringe anyone's human rights and would give anyone the resources to check their sources.
Similarly, every modern society has rules to keep people safe when roaming. That might be as simple as warning signs it as complex as a coastguard.
We've had decades of warning people about online scams and I don't see any slowdown in the volume of scammy emails that I receive. Education clearly isnt working - and that imposes a cost on all of us.
Millions of people hurt themselves, physically hurt themselves, every day, doing things that we could easily restrict. Yet we still allow them to buy knives, glassware that can break, hammers, power tools, non automated vehicles of all kinds, the list goes on.
We also spend a lot of time educating them on the dangers, far more than is spent warning about online scams, and we do it at a far earlier age (age 0, for some of them).
Of course we still allow the sale of safe knives and plastic mugs, so people are free to choose; that point still stands. I'd argue that there is more competition in tableware, and less friction shifting between it, than there is in mobile operating systems.
Google and phone manufacturers have been actively moving in that direction and have a long history of being actively hostile to those things. This is just another move on the same board to restrict these freedoms.
You mean, the iPhone, which restricts everything even more?
For example https://www.forbes.com/advisor/legal/personal-injury/attract...
Societies often place limits on individual freedoms.
Google is telling you to buy their particular brand of fence (which has inextricably an insane markup). And they disallow it for pool shapes they dont like and you dont have an appeals process for it.
Outlaw all non big corpo operating systems?
Perfect surveillance? All because some boomers can't into common sense?
It's also ironic that you bring up warning signs as a counterexample to my point, as it's exactly what I am saying. You can warn them, but you don't bar them from doing so.
Alternatively, sideloading could require you to delete all App Store apps. In other words, disabling Google Play Protect should require you to wipe your phone. This is another barrier that will prevent a lot of people from getting scammed.
It wouldn't solve the "getting infected via cracked apps" problem, but it would at least solve the "users being scammed into sideloading something they don't want" problem.
1: Still basically required if you have young children and want things like play dates. Oh Signal? Yeah, the recent push means that some tech-savvy users now have both Whatsapp and Signal installed. In the Netherlands, you can do without Whatsapp, but not if you don't want to turn your child into a social recluse.
2: For example, in order to use Germany's Deutschlandticket one of the participating public transport companies apps is required. This is a huge regression compared to the initial paper ticket, but there it is.
If there’s a real downside, they’ll be affected.
And we're back to "just break into the thing you've already paid for." Nope. Go away. No more smartphone crap.
> The first is that a user has no right to run anyone else's code, if the code owner doesn't want to make it available to them. Consider a bank which has an app. When customers are scammed, the bank is often liable. The bank wants to reduce its liability so it says "you can't run our app on a rooted phone".
> Is that fair? Probably not. Rooting allows a user to fully control and customise their device. But rooting also allows malware to intercept communications, send commands, and perform unwanted actions. I think the bank has the right to say "your machine is too risky - we don't want our code to run on it."
> The same is true of video games with strong "anti-cheat" protection. It is disruptive to other players - and to the business model - if untrustworthy clients can disrupt the game. Again, it probably isn't fair to ban users who run on permissive software, but it is a rational choice by the manufacturer. And, yet again, I think software authors probably should be able to restrict things which cause them harm.
It's not clear to me whether in this fragment the author is stating the two alleged cracks in the argument or rather only the first one — the second one being Google's ostensible justification for the change. Either way, neither of these examples are generalisable arguments supporting that 'a user has no right to run anyone else's code, if the code owner doesn't want to make it available to them'.
With regards to banking apps, the key point has been glossed over, which is that that when customers are scammed the bank is 'often' liable. Are banks really liable for scams caused by customer negligence on their devices? If they're not, this 'crack' can be thrown out of the window; if they are, then it is not an argument for "you can't run our app on a rooted phone", but rather "we are not liable for scams which are only possible on a rooted phone".
As for the second example, anti-cheat protection in gaming, the ultimate motivation of game companies is not to prevent 'untrustworthy clients' from 'running their code'. The ability of these clients to be 'disruptive to other players' is not ultimately contingent on their ability to run the code, but rather to connect to the multiplayer servers run by the gaming company or their partners. The game company's legitimate right 'to ban users who run on permissive software' is not a legitimate argument in favour of users not having full control over their system.
The problem if you are a bank is that scammed people can be very persistent about trying to reclaim their money. There's a cost to the bank of dealing with a complaint, doing an investigation, replying to the regulator, fielding questions from an MP, having the story appear in the press about the heartless bank refusing to refund a little old lady.
It is entirely rational for them to decide not to bear that cost - even if they aren't liable.
Who is going to prove that though? It’s much simpler and less stressful on our court systems if a bank just says “we don’t allow running on rooted phones” and then if a user takes them to court the burden is on proving whether the phone was rooted or not rather than proving if the exploit that affected them is only possible on a rooted phone.
Even something like GrapheneOS, in theory the best path to security and privacy and liberty, was falling way short even before this latest announcement from Google.
The problem lies partially in the app ecosystems, which embrace spyware and exploiting users (requiring all the worst Google APIs), and partially in governments, which will leverage any centralized organization like Google to gain control (EU chat control etc.).
The solution cannot be just a custom OS or an OS fork. In fact, ecosystem compatibility is toxic and slows down growth of real alternatives. There needs to be some wholly independent and decentralized offering.
The challenge is hardware compatibility and core services like digital IDs. Most apps should be solved by using a website instead.
These issues are especially important because the future is increasingly digital. Smart phones, smart glasses, smart watches, VR glasses, smart homes, and even brain implants. I don't want to live in a future where I'm either left behind or my whole life is controlled by Google/Apple/the government/etc.
> 01. Vulnerable members of society should be protected from scams.
00: yes, always; 01: yes, but not at the expense of 00 (or probably some other things)
How would you feel if your brain was “safeguarded” against potentially harmful thoughts?
There are three ways to deliver protection: build better walls, defeat attackers after successful initial attacks, defeat attackers before successful initial attacks.
The article ties itself into knots because it recognizes that the first way cannot deliver 100% security. But it refuses to recognize that there are two additional ways.
The United States military could go after scammers operating from foreign compounds. It could treat the economic targeting of American citizens as acts of economic war. It chooses not to. Freedom is not free, and when your country chooses to literally not fight for your freedom, it's hardly any wonder that your freedoms are eroded.
Remember XKCD 538: https://xkcd.com/538/ Cybersecurity and physical security are fundamentally linked.
That scammers can operate from anywhere is beside the point. More often than not, law enforcement and the military know where that is. A conscious decision is made not to prioritize or fund fighting it.
But try applying that approach to India or China. Do you think those countries are going to allow the U.S. military to operate on their home turf, shooting at their citizens, and not retaliate? It doesn’t even have to be military retaliation, the U.S. economy is heavily intertwined with those countries, just look at the consequences of Trumps tariffs. Do you honestly think U.S. citizens would be willing to trade off the trade benefits of working with those countries, just so you run a military raid on building of scammers?
It's not related to scamming, but the US did just bomb Iranian nuclear facilities; the reaction was a face-saving gesture that was intentionally weak so as to de-facto de-escalate. So the answer to your question is basically yes. The costs of a wider war are too large to the host country to make it worth it to continue to allow scammers to operate freely.
> just look at the consequences of Trumps tariffs. Do you honestly think U.S. citizens would be willing to trade off the trade benefits of working with those countries, just so you run a military raid on building of scammers?
Don't you realize that Trump's election, his tariffs, all this is due to popular sentiment that the US was getting the raw end of the deal in its foreign affairs, that there was a need to, literally, put America First? If anything, such ideas, to have targeted attacks and enforcement aimed at the exact actors targeting American citizens, have been at their most popular in decades, at least since the Iraq war went off the rails.
> There are three ways to deliver protection
While I agree with your idea I'd like to remember that there are previous steps: teach people to be less vulnerable. Teach people to be less greedy. Teach people the consequences of actions.
Being less vulnerable is an obvious definition: know how to not fall for some scams.
Less greedy: some scams revolve around the idea of quick and ease profits and the comeback is hurtful because the person thinks he would get x and ends up losing 500x.
Consequences of actions: there's a lot of value to the group that observes the (bad) consequences of one actions. Pain, even from others, teaches something. The more we protect people from consequences, the better and safer it is about small losses until the actions go beyond the protection and the consequences are catastrophic.
That's beside the point that the line, too often, is being crossed, and perpetrators are allowed to perpetuate their crimes, instead of the military and/or law enforcement stepping in and performing their organization's missions to protect us, especially the most vulnerable among us.
Who could disagree with that?
The problem is it’s often controlling household members sneakily installing creepy things on devices of those they live with and want to control.
I'd like a source for that. News to me if that is common at all. Not to mention there are apps on the playstore / ios store that can be used in a similar way without sideloading.
Do you want an phone where you trust Apple/Google/3rd party to make a "malware or not" decision? Or one where all that is turned off and you can do whatever? Go right ahead in either case - you control the trust, rather than it being made for you by the platform vendor.
Similarly, we have certificate infrastructure where the TLS roots are owned by a small number of people. These are generally trusted, but some people/organizations edit them down (ex: removing roots from state actors deemed untrustworthy). But it's hidden, and generally a lot of choices.
Even linux distros, you pick which package signing keys you trust.
And Docker/K8s... oh wait, there's no default keys and containers remain being developer's puke bags in most cases, and the repos are rugpulled by corporations regularly...
Once you’ve explained the difference between Google and “the internet”, you may stand a chance. I wish you luck, I’ve been trying that for a while.
BRB, heading out for popcorn.
> The bank blocked a number of transactions, it spoke to James on the phone to warn him and even called him into a branch to speak to him face-to-face.
Y'know, at some point the cost of protecting the dumbest people is too much to be worth it. I am perfectly fine with some people getting hacked, doxxed and scammed out of their life savings if the alternative is everyone losing their freedoms.
Freedoms are important because without them people with power go unchecked more and more. It's a slow process but it culminates in 1) dictatorship at the state level 2) exploitation at the corporate level.
At point of purchase, you get to decide whether you want secure mode or not. Then after that, if you want to change it, you have to open a support ticket with the manufacturer.
Kinda like how SIM-locking works.
If they can be convinced of that, how hard will it be for a scammer to say "we've detected a problem with your phone. To avoid being imprisoned for piracy, please file this support ticket so we can debug things."?
Making the device so locked down that no such con could exist also means there's no way to use the phone in ways that haven't been authorized - and as a power user, i detest that i am paying a price for the safety of those who are too stupid. I do not want to pay that price.
Conveniently, google gets to remain in a position to earn more money from being in the controlling seat.
as they say, if you trade freedom for security, you'll end up with neither.
Yes. It is a basic human right.
> This is a question where freedom, practicality, and reality all collide into a mess.
No; it isn't. The answer is clear and not messy. If you are not allowed to run programs of your choice, then it is not your hardware. Practicality and "reality" (whatever that means) are irrelevant issues here.
Maybe you prefer to use hardware that is not yours, but that is a different question.
But that's a system design issue as opposed to an argument against user freedom.
In that case, the solution should be to raise the lowest commmon denominator. Lots of issues like that could be prevented by investing in education to increase technology literacy. But long term investments (even public ones) do not match well with quarterly reports.
However, this isn't entirely a tech problem - it's a social/human one.
Not every mechanic has a driver's license. Sure, they may enjoy working on cars and the technology of cars... but for one reason or another they may have never gotten or have lost their driver's license.
Not everyone who is tech literate is similarly socially literate. I have programmer co-workers who have been scammed into sending gift card authentication codes or installed malware (or allowed the installation) onto their personal computing devices.
It isn't possible to prevent someone from accessing the internet any more than it is possible to prevent them from accessing a phone.
I am not saying that one should have a license to access the internet. Rather, I am saying that a device that holds and maintains the authentication mechanism for doing banking transactions, it is not unreasonable for the maker of that device and its software to attempt to mitigate the possibility that they are held liable for negligence in allowing user installed software to do banking without the owner's consent.
With the uncertainty that everything in the operating system and hardware is locked down to the point where no-consent access by malware to those banking capabilities is completely restricted (and thus they're not liable for negligence) - the wall that is being put up to try to prevent that is "no software that has not been vetted can be run on this device."
Consider that the phone is often the authentication mechanism and second factor for authorization to restricted systems. Authy, Microsoft Authenticator, and other 2nd factor applications typically do not run on general computing devices.
Technical literacy does not imply social or security literacy.
Indeed. And people were falling for scams long before the Internet. What's new is the push to make that the fault of bystanders... thus causing those bystanders to intervene. It's neither the bank's fault, nor Google's fault, if somebody falls for a scam. Or installs malware. Or whatever. If you try to make it their fault, they're going to do really annoying things that you don't want.
Sure, you can sell security tools, or curation, or whatever. Many people will even want to buy them, but things break when that starts being a duty. And the only way to prevent it from becoming a duty is to accept that people own their own mistakes.
This tends to be counter to consumer protection laws or data privacy laws.
A company that can be held to strict liability for their actions can be sued (and be found liable) even if they presented that the action is unreasonable or dangerous.
In saying a consumer who buys a 100% "you can do anything on it" device liable for every action that that device takes no matter what initiated that action?
To me, the argument that you should be able to do anything on the device and be held liable for all the actions that device allows is very similar to that of "the maker of the device has no liability for providing a device that can be misused."
If that is the case, then (to me) this would need to be something that would need to be changed by the courts and the laws (and such a company would need to pull completely out of Europe).
You may be exaggerating it, but insofar as you're right, you're just describing the problem.
That’s just it. Software isn’t being vetted. Witness all the scam apps in the iOS and Android app stores. Even paid developer accounts don’t stop people from publishing these, nor does Apple’s walled garden protect you from them.
That said, for sensitive apps they tend to go through more strict scrutiny of their functionality. Publishing a "Wəlls Fargo" application will likely not get approval.
The question isn't "does it need to be 100%" but rather "if was not done at all, would Apple or Google be liable for flaws in their software (e.g. VM breakouts) that allows malware to do banking transactions, location tracking, or place calls (e.g. 1-900 number dialing) without user consent?"
I'm fairly certain that Apple and Google take measures to limit their liability. With how courts and countries are finding technology companies liable for such (consumer and data privacy protections), I would expect to see more restrictions on the device to try to further limit the company's exposure.
Absolutely not a Scooby.
The social structure of the smartphone app ecosystem is remarkably similar to the cable provider -> network -> show situation from before too.
They’re clearly just computers, they’re “hardware you own”, but you’ve never been able to run whatever software you want on them. But it’s been like this since the 1970’s and there’s never been an uproar over it.
For me the difference is that you know what you’re getting into when you buy a console, and it’s clear up front that it’s not for “general” computing. I’m inclined to put smart phones into this category as well, but I can see how reasonable people may disagree here.
I think there is a huge difference. You can perfectly live your life without a game console. Even if you are a game addict and it is absolutely necessary for you to live, you could buy a PC and game on that.
Smartphones are a necessity nowadays. Some banks only have smartphone apps (or require a smartphone app to log in to their website). Some insurers want you to upload invoices with an app. Some governments require an app to log in (e.g. the Dutch DigiID). You need a smartphone to communicate with a lot of organizations and groups.
Smartphones have become extremely essential. And two companies can decide what does and what doesn't get run on a smartphone and they can take their 30% over virtually everything. They can destroy a company by simply blocking their app on a whim (contrast with game studios, which could always publish their game for PC or Mac or whatever).
It is not a healthy, competitive market. It is the market version of a dictatorship. And Google forbidding non-app store installs is making it worse.
Governments should intervene to guarantee a healthy market (the EU is trying, but I think they are currently worried about the tariff wrath).
Unfortunately, the copyright lobby of the video game industry was too strong in the 70s/80s/90s, so here we are.
In the future, when your whole house is controlled by a computer, do you want that computer to be controlled by Google or to be controlled by yourself?
People started free and equal, then some specialized into warriors[0] and gradually built deeper and deeper hierarchical power structures, called themselves "nobles" and started exploiting the "commoners".
At some point people snapped, killed a bunch of them (French revolution, US was for independence, etc.) and decided they wanna rule themselves.
And then companies started getting bigger and bigger, with deeper hierarchical power structures, the "nobles" call themselves "executives" or "shareholders" and the people doing actual productive work are not longer "commoners", they are "workers"[1].
[0]: And thus controlled the true source of power - violence.
[1]: Ironically admitting that people who are not workers are not doing real work, they are just redistributing other people's work and money.
https://www.youtube.com/watch?v=uqsBx58GxYY
I don't like describing it as cycles because it is too simplistic and pretend it is inevitable, robbing people of agency.
I prefer to think of society as a system where different actors have different goals and gradually lose/gain influence through a) slow processes where those with influence gain more from people who are sufficiently happy to be apathetic b) fast processes when people become sufficiently unhappy to reach for the source of all real world influence - violence.
This happens because uneducated/dumb/complacent people let it happen. It can be prevented by teaching them the importance if freedoms and to always fight back. But that goes directly against the interests of those in power - starting from parents who want children to be obedient.
It’s a more tricky issue where Google and other parties can restrict access to their services to devices they deem legitimate. Their services, their rules. Your hardware. Different arguments required.
It’s everywhere: Widevine is used to prevent stealing 4K content (incl ATSC 3.0), gaming providers use it for anti-cheat, banks use it to rate limit abuse. It’s not just Android.
(I say this as someone with an Apple Vision Pro running visionOS 1.0 with the hope to jailbreak it one day. I’m actually unable to do whatever I want to their hardware, unlike my Pixel phones.)
Providers still implement it where they can, like for blackout restrictions for US sports games: impossible to enforce on the web because I can spoof location. Very possible to enforce on iOS because jailbreaking is not possible. Possible to enforce on Android because you can check if spoofing was made possible.
It’s currently the primary reason I can’t play games online on Linux.
And yet you can't install an alternative OS like Mobian, postmarketOS or PureOS due to the closed drivers and specs.
> Yes. It is a basic human right.
Says who?
What's your philosophical argument in favour of this?
> hardware you own
Is it illegal to spin up a Linux server on your mobile phone?
Please explain how owning an item of hardware implies that running whatever computer program you want on it is a basic human right.
If someone else could use your car without your permission, do you own the car or do they?
If someone could grow their own plants in you back yard, do you own the garden or do they?
If someone else could choose what programs run on your computer, do you own the computer or do they?
Saying "basic human right" instead of just "basic right" may be odd, but definitionally, owning a thing means having the right to say how it is used. Either you own it and have that right, or you don't own it and don't have that right. That's what owning means.
There are times when it is necessary to limit the rights that a individual has so that the system that the individual lives within can work.
You can buy a radio transmitter, but you're not allowed to operate it without a license. You can likewise buy a car, but you aren't allowed to operate that either without a license.
You do not have the right to modify your phone so that it acts as a radio frequency jammer.
Possession of a device does not give an individual unrestricted rights to what can be done with it.
I’m fine with government requiring smoke detectors in my home, I’m not fine with completely unregulated private entity deciding how I live in my home, bought with my money.
And in case of a muffler, there’s literally no one in this entire world who can stop me from removing it. There are repercussion for doing so, but nobody stole my rights from removing it.
If people still go for it, then it is their responsibility. A lot of things in life require responsibility because otherwise the results can be disastrous. But we don't forbid them, because it would be a huge violation of freedoms.
You have to take into account that the threat model here is vulnerable people, often older, being taken in by scammers who talk to them for weeks and gain their complete confidence. To the victims, it feels like a real romantic relationship, not someone who could even possibly be a scammer.
Also, scams also happen outside smartphones.
What's next? Are we going to revoke people's control over their financials because they might be scammed? Let's have the bank approve before we can do a transaction. And since we are using their payment platform, maybe they should also take 30%.
Please stop feeding their narrative. Scammers are Google/Apple's "but think of the children".
Aren’t they? I ask my partner for investment opinions all the time.
> Let's have the bank approve before we can do a transaction.
Yes… That’s already how it works. Banks use heuristics to detect and prevent suspicious transactions. That’s why most of these scams ultimately involve crypto.
Obviously, the probability of it being a scammer reduces with the amount of time. In the end it's a function of time vs. effort. Scamming billionaires by marrying them and waiting until they die happens frequently enough. A 5 year scam for a few thousand bucks, unlikely.
As usual, use common sense, which you would have to do anyway if you do investments.
... and it's really fucking annoying when their heuristics misfire-- which is not at all rare-- especially since they do all they can to externalize all costs of that to the customer.
We've been trying to educate people about passwords and phishing for years/decades now, and it has not worked. Further, every day a new ten thousand (US) people need to be educated:
* https://xkcd.com/1053/
The proverbial grandparents will follow the instructions of the scammers and will click through all of that. We've had decades of empirical evidence: people will keep clicking and tapping on dialogue boxes to achieve their goal.
People have physically driven to cryptocurrency ATMs on the instructions of scammers:
* https://bc-cb.rcmp-grc.gc.ca/ViewPage.action?siteNodeId=2136...
* https://www.usatoday.com/story/money/2025/04/21/bitcoin-atm-...
Warning sheets will do nothing.
Because at the end of the day the scammer is going to convince your grandma to go to the bank, withdraw the entirety of her savings and send them to the scammer in an envelope.
Any technical restrictions therefore only harm our personal freedoms and don't actually protect those who are vulnerable because those people's problems aren't technical in nature.
And it doesn't have to be children of parents, that's just the common example that's brought out every time this comes up.
As always it comes down to insulting and emotionally guilt tripping people to screw them out of their freedoms and of course there's never even a shred of evidence to support any of these incredible claims. You're laying it on too thick, give us a break.
> You’re acting like we (and these massive corporations) haven’t been trying for decades at this point.
You're acting like this would make a dent in the total number of people who are scammed every day.
And it just so happens that the only acceptable remedy necessitates infringing on billions of people's personal freedoms which will, incidentally, secure trillions in future profits for these corporations. All that for a temporary speed bump that would only affect a minority of scammers who would adapt in a month.
Many, probably most, of the people most at risk aren't going to do that.
When you're (somewhat) drunk, you know that you're drunk, and you're still able to comprehend how that will slow down your reactions while driving. When you're being scammed, you think you're right... and if you begin to doubt that, you may tend to push the thought out of your mind rather than follow it through, and to evade things that might bring it back. And it's very hard to admit to yourself that you're permanently impaired in that sort of way... especially when you're impaired in that sort of way.
Give the knowledgeable the freedom to use their skills. Separately, develop ways to help/protect specifically those that need it.
My suspicion is: were you to list them, running programmes on hardware you own would be fairly low on that list.
The banking system has been relying on remote attestation for decades to ensure that devices used in settling financial transactions have not been tampered with:
https://en.wikipedia.org/wiki/IBM_4758
Also, I think the chip-and-PIN cards used for most in-store transactions in Europe for the last 20 years rely on remote attestation and tamper resistance to prevent fraud.
Finally, in the domain of desktop and laptop computers, there is a big security hole in that most components (certainly, disk drives and storage devices, but basically any peripheral or board) are essentially embedded computers that can be pwned with the result that they stayed pwned even if the owner of the computer installs the OS from scratch. One solution to this would be for suppliers of peripherals and boards to get much better at securing their products or to stop using microprocessor to implement their products, but it would be quite a lot of work (and governmental intervention or at least intervention by industry-wide quasi-governmental entities that currently do not exist) to get from the current situation to the one I just described. The only products currently available that are secure against this threat (aside perhaps from using 40-year-old computers) use verified-boot technology to implement the security.
I.e., the only desktop and laptop computers you can buy where you can be reasonable sure some attacker hasn't installed malware in the computer's disk drive or track page or wifi module are things like Macs and Chromebooks, which implement the security using verified boot.
Do you simply not care that this Linux computer that you have such warm feelings about is fairly easy to pwn (in part because of the lack of verified boot and in part because desktop Linux software is just much easier to pwn than the systems software on a Mac or a Chromebook or an iPhone or an Android phone) such that if you ever got to be an effective activist against some government or some powerful industrial interest, that government or industrial interest could fairly easily eavesdrop on everything you do with this Linux computer?
That doesn't sound much like protecting your individual rights.
It's just not. Otherwise, all servers would be running your beloved iOS, wouldn't they?
>in part because of the lack of verified boot
This does not matter. I can generate my own keys.
>easier to pwn [...] than [...]an iPhone
Lol... If anything, phones are more vulnerable because you have less access to sandboxes and VMs.
Hey, look, an Apple CVE from two days ago. https://nvd.nist.gov/vuln/detail/CVE-2025-43284
And this one's from this month. https://nvd.nist.gov/vuln/detail/CVE-2025-43300
And here's Apple's sandbox failing, last month. https://nvd.nist.gov/vuln/detail/CVE-2025-43274
* Everyone has to trust one of two giant mega-corporations to make good decisions for everyone
* Everyone has to take on the evaluation of everything themselves, do their own admin, understand opsec, etc etc.
Freedom does not entail the latter. Freedom means having the freedom to do it, but also having the freedom to delegate it, and to decide who to delegate it to. We don't have to be technology "preppers". We can set up and fund independent organisations to do this -like Debian, for example. And have competition between them.
Yes, that means some people will delegate their trust to their religious cult. That's the price of freedom
More like: time for regulators to step up and do their work.
That's how we become the smartest animal on the planet. But it no longer works, we are very good at keeping everyone alive. And there's nothing wrong with that, as long as we don't compromise our freedoms to achieve it.
Some people getting exploited is the modern equivalent of leopards eating your face. It would be nice to protect people from it happening but NOT by everyone giving up basic human rights. And yes, in the modern world, running any software on your hardware should be a basic human right.
Especially at a time where computation is starting to resemble intelligence. Otherwise we all become serfs all over again.
If you can't explain why i am wrong, consider i am right.
To compute on one's own is to open one's electronic soul to the Sins of Free Software. Such devilish arts must be shunted to the margins of society, till they may be purged on That Day when all shall bask in Google's light forevermore.