> Are you allowed to run whatever computer program you want on the hardware you own?
Yes. It is a basic human right.
> This is a question where freedom, practicality, and reality all collide into a mess.
No; it isn't. The answer is clear and not messy. If you are not allowed to run programs of your choice, then it is not your hardware. Practicality and "reality" (whatever that means) are irrelevant issues here.
Maybe you prefer to use hardware that is not yours, but that is a different question.
rikafurude21 · 6h ago
It seems that this is another one of those things where the lowest common denominator sets the rules for everyone. Most people arent tech savvy programmers so giving them the freedom to do 'whatever they want' will lead them to hurt themselves in some way. Of course this is not an excuse for locking down your hardware. Smartphones just came into being as a consumer-first product and didnt require many of the freedoms that programmers needed, which is why computers are fundamentally more open than smartphones. Apple of course is trying to change that with their Macs
squigz · 6h ago
You don't need to be a "tech savvy programmer" to be aware of the risks on the Internet and not do stupid shit.
Only that nothing about this requires big expertise. If you are a user of computers, you should be able to navigate the basics. It's the same like driving a car, you must know the traffic rules and how to behave, but that doesn't mean you have to understand how your engine works in detail.
rikafurude21 · 5h ago
If you want to drive a car you go through driving school and have to pass the tests to get a drivers license. Theres no drivers license for the internet and not really any strict set of rules you have to follow in order to get online - most people pick up a sense for rules online by osmosis, usually about how to not get scammed or get malware - sometimes they have to learn by first hand experience. If we go by your comparison this would be like learning to drive by crashing a couple cars. I definitely believe anyone whos even a little tech savvy underestimates how complicated or confusing technology can be for the average person.
gr4vityWall · 6h ago
> this is another one of those things where the lowest common denominator sets the rules for everyone
In that case, the solution should be to raise the lowest commmon denominator. Lots of issues like that could be prevented by investing in education to increase technology literacy. But long term investments (even public ones) do not match well with quarterly reports.
rikafurude21 · 5h ago
I would say young people grow up with tech and usually are very tech literate.
shagie · 4h ago
Tech... a "maybe" yes.
However, this isn't entirely a tech problem - it's a social/human one.
Not every mechanic has a driver's license. Sure, they may enjoy working on cars and the technology of cars... but for one reason or another they may have never gotten or have lost their driver's license.
Not everyone who is tech literate is similarly socially literate. I have programmer co-workers who have been scammed into sending gift card authentication codes or installed malware (or allowed the installation) onto their personal computing devices.
It isn't possible to prevent someone from accessing the internet any more than it is possible to prevent them from accessing a phone.
I am not saying that one should have a license to access the internet. Rather, I am saying that a device that holds and maintains the authentication mechanism for doing banking transactions, it is not unreasonable for the maker of that device and its software to attempt to mitigate the possibility that they are held liable for negligence in allowing user installed software to do banking without the owner's consent.
With the uncertainty that everything in the operating system and hardware is locked down to the point where no-consent access by malware to those banking capabilities is completely restricted (and thus they're not liable for negligence) - the wall that is being put up to try to prevent that is "no software that has not been vetted can be run on this device."
Consider that the phone is often the authentication mechanism and second factor for authorization to restricted systems. Authy, Microsoft Authenticator, and other 2nd factor applications typically do not run on general computing devices.
Technical literacy does not imply social or security literacy.
Hizonner · 3h ago
> Technical literacy does not imply social or security literacy.
Indeed. And people were falling for scams long before the Internet. What's new is the push to make that the fault of bystanders... thus causing those bystanders to intervene. It's neither the bank's fault, nor Google's fault, if somebody falls for a scam. Or installs malware. Or whatever. If you try to make it their fault, they're going to do really annoying things that you don't want.
Sure, you can sell security tools, or curation, or whatever. Many people will even want to buy them, but things break when that starts being a duty. And the only way to prevent it from becoming a duty is to accept that people own their own mistakes.
shagie · 2h ago
> And the only way to prevent it from becoming a duty is to accept that people own their own mistakes.
This tends to be counter to consumer protection laws or data privacy laws.
A company that can be held to strict liability for their actions can be sued (and be found liable) even if they presented that the action is unreasonable or dangerous.
In saying a consumer who buys a 100% "you can do anything on it" device liable for every action that that device takes no matter what initiated that action?
To me, the argument that you should be able to do anything on the device and be held liable for all the actions that device allows is very similar to that of "the maker of the device has no liability for providing a device that can be misused."
If that is the case, then (to me) this would need to be something that would need to be changed by the courts and the laws (and such a company would need to pull completely out of Europe).
Hizonner · 2h ago
Indeed, the bad attitude I'm talking about has found its way into some laws, as well as into other kinds of norms and expectations. That doesn't make it good.
You may be exaggerating it, but insofar as you're right, you're just describing the problem.
tempodox · 3h ago
> no software that has not been vetted can be run on this device
That’s just it. Software isn’t being vetted. Witness all the scam apps in the iOS and Android app stores. Even paid developer accounts don’t stop people from publishing these, nor does Apple’s walled garden protect you from them.
shagie · 3h ago
Do not make perfect the enemy of the good. There are failings of vetting.
That said, for sensitive apps they tend to go through more strict scrutiny of their functionality. Publishing a "Wəlls Fargo" application will likely not get approval.
The question isn't "does it need to be 100%" but rather "if was not done at all, would Apple or Google be liable for flaws in their software (e.g. VM breakouts) that allows malware to do banking transactions, location tracking, or place calls (e.g. 1-900 number dialing) without user consent?"
I'm fairly certain that Apple and Google take measures to limit their liability. With how courts and countries are finding technology companies liable for such (consumer and data privacy protections), I would expect to see more restrictions on the device to try to further limit the company's exposure.
ColinWright · 4h ago
I deal with a lot of young people who have grown up with tech, and my experience is that in general they haven't got a sodding clue about how anything works, or the implications of any of this.
Absolutely not a Scooby.
conradev · 5h ago
Control over hardware isn’t actually the issue at stake here: many Android devices can unlock their bootloaders in a moderately safe way. Go nuts.
It’s a more tricky issue where Google and other parties can restrict access to their services to devices they deem legitimate. Their services, their rules. Your hardware. Different arguments required.
It’s everywhere: Widevine is used to prevent stealing 4K content (incl ATSC 3.0), gaming providers use it for anti-cheat, banks use it to rate limit abuse. It’s not just Android.
(I say this as someone with an Apple Vision Pro running visionOS 1.0 with the hope to jailbreak it one day. I’m actually unable to do whatever I want to their hardware, unlike my Pixel phones.)
mathiaspoint · 5h ago
There are actually just about no services that genuinely need hardware attestation other than some DRMed music/video and zelle. Everything else pretty much works on Linux in a browser or has some substitute that does.
conradev · 1h ago
Yes, only some things for now! I hope it stays that way or decreases, but that’s not the way the arrow is pointing.
Providers still implement it where they can, like for blackout restrictions for US sports games: impossible to enforce on the web because I can spoof location. Very possible to enforce on iOS because jailbreaking is not possible. Possible to enforce on Android because you can check if spoofing was made possible.
It’s currently the primary reason I can’t play games online on Linux.
fsflover · 4h ago
> many Android devices can unlock their bootloaders in a moderately safe way.
And yet you can't install an alternative OS like Mobian, postmarketOS or PureOS due to the closed drivers and specs.
mathiaspoint · 6h ago
Or it's not a computer and really something more like a television. In that case these things should be thought of as a vice rather than a productivity tool.
The social structure of the smartphone app ecosystem is remarkably similar to the cable provider -> network -> show situation from before too.
ninkendo · 6h ago
The example I always go to is a Nintendo or PlayStation, etc.
They’re clearly just computers, they’re “hardware you own”, but you’ve never been able to run whatever software you want on them. But it’s been like this since the 1970’s and there’s never been an uproar over it.
For me the difference is that you know what you’re getting into when you buy a console, and it’s clear up front that it’s not for “general” computing. I’m inclined to put smart phones into this category as well, but I can see how reasonable people may disagree here.
danieldk · 5h ago
For me the difference is that you know what you’re getting into when you buy a console, and it’s clear up front that it’s not for “general” computing. I’m inclined to put smart phones into this category as well, but I can see how reasonable people may disagree here.
I think there is a huge difference. You can perfectly live your life without a game console. Even if you are a game addict and it is absolutely necessary for you to live, you could buy a PC and game on that.
Smartphones are a necessity nowadays. Some banks only have smartphone apps (or require a smartphone app to log in to their website). Some insurers want you to upload invoices with an app. Some governments require an app to log in (e.g. the Dutch DigiID). You need a smartphone to communicate with a lot of organizations and groups.
Smartphones have become extremely essential. And two companies can decide what does and what doesn't get run on a smartphone and they can take their 30% over virtually everything. They can destroy a company by simply blocking their app on a whim (contrast with game studios, which could always publish their game for PC or Mac or whatever).
It is not a healthy, competitive market. It is the market version of a dictatorship. And Google forbidding non-app store installs is making it worse.
Governments should intervene to guarantee a healthy market (the EU is trying, but I think they are currently worried about the tariff wrath).
snowe2010 · 5h ago
I have a friend that still uses a dumb flip phone from the early 2000s. No smartphones are not necessary.
danieldk · 3h ago
There was a documentary over here on TV about people that do not use smartphones. The conclusion was that it was almost impossible, they often have to rely on other people for certain things, and are excluded from a lot of social circles.
gr4vityWall · 5h ago
Surely it would be better if console makers gave users freedom to control the device, rather than smartphones not being in the users' control either.
Unfortunately, the copyright lobby of the video game industry was too strong in the 70s/80s/90s, so here we are.
mathiaspoint · 6h ago
Those are not really personal computers, they're fancy set top boxes and extensions of the television.
ninkendo · 5h ago
They have the same hardware in them as a personal computer, and essentially always have. (The original Nintendo had the same CPU as an Apple II.) The difference is only how they were marketed, and the artificial limitations on what software you could run.
mathiaspoint · 4h ago
Right. They're vices and not tools even though they might look like tools.
jackothy · 5h ago
The problem is larger than just smart phones. Smart phones are the templates for all future devices. You car now runs Android as well.
In the future, when your whole house is controlled by a computer, do you want that computer to be controlled by Google or to be controlled by yourself?
cwillu · 6h ago
Only because of sustained pressure from all the usual suspects to try to make that the social structure.
mathiaspoint · 6h ago
I think it's always going to evolve that way when people are so concerned about "safety" (no matter how that's defined) that all the escape hatches are removed.
martin-t · 6h ago
Increasingly, I keep noticing that all human-corporation relationships are a rehash of older power structures and basically struggles for power in which people gradually keep losing it until they realize they are exploited and then finally start fighting back.
People started free and equal, then some specialized into warriors[0] and gradually built deeper and deeper hierarchical power structures, called themselves "nobles" and started exploiting the "commoners".
At some point people snapped, killed a bunch of them (French revolution, US was for independence, etc.) and decided they wanna rule themselves.
And then companies started getting bigger and bigger, with deeper hierarchical power structures, the "nobles" call themselves "executives" or "shareholders" and the people doing actual productive work are not longer "commoners", they are "workers"[1].
[0]: And thus controlled the true source of power - violence.
[1]: Ironically admitting that people who are not workers are not doing real work, they are just redistributing other people's work and money.
I don't like describing it as cycles because it is too simplistic and pretend it is inevitable, robbing people of agency.
I prefer to think of society as a system where different actors have different goals and gradually lose/gain influence through a) slow processes where those with influence gain more from people who are sufficiently happy to be apathetic b) fast processes when people become sufficiently unhappy to reach for the source of all real world influence - violence.
This happens because uneducated/dumb/complacent people let it happen. It can be prevented by teaching them the importance if freedoms and to always fight back. But that goes directly against the interests of those in power - starting from parents who want children to be obedient.
accle · 5h ago
> > Are you allowed to run whatever computer program you want on the hardware you own?
> Yes. It is a basic human right.
Says who?
What's your philosophical argument in favour of this?
justinrubek · 5h ago
It's directly in the text.
> hardware you own
accle · 5h ago
That's not an argument.
Please explain how owning an item of hardware implies that running whatever computer program you want on it is a basic human right.
MrsPeaches · 5h ago
Is it not possible to run software on any hardware you own?
Is it illegal to spin up a Linux server on your mobile phone?
fsflover · 3h ago
It's practically impossible due to the closed drivers and specs, directly causing planned obsolescence and e-waste. It should be a part of the right to repair.
rafram · 6h ago
That’s a great ideal, but Android is used both by sophisticated users who want a phone they can tinker with and the tech-illiterate grandparents of the world, who will never have a legitimate reason to install an app outside the Play Store, and who would never attempt to do that unless they were being guided by a scammer.
danieldk · 6h ago
So, put a toggle somewhere. When the toggle is toggled, put up a big fat warning sheet and say if somebody on the phone or mail asks you to do that, 99.9% it's a scammer.
If people still go for it, then it is their responsibility. A lot of things in life require responsibility because otherwise the results can be disastrous. But we don't forbid them, because it would be a huge violation of freedoms.
rafram · 5h ago
But it’s not someone on the phone - it’s their best friend / star-crossed lover who they met on WhatsApp because of a chance wrong-number text! Since then they’ve become incredibly close, and they can trust each other with anything. When their lover gives them some amazing investment advice and it requires clicking through a scary-looking prompt (like they do all the time on a phone), who do they trust - their one true love or a generic warning message on their phone?
You have to take into account that the threat model here is vulnerable people, often older, being taken in by scammers who talk to them for weeks and gain their complete confidence. To the victims, it feels like a real romantic relationship, not someone who could even possibly be a scammer.
danieldk · 5h ago
The solution is not taking people's freedom away. The solution is education. Lesson 1: lovers are not for investment advise.
Also, scams also happen outside smartphones.
What's next? Are we going to revoke people's control over their financials because they might be scammed? Let's have the bank approve before we can do a transaction. And since we are using their payment platform, maybe they should also take 30%.
Please stop feeding their narrative. Scammers are Google/Apple's "but think of the children".
rafram · 5h ago
> lovers are not for investment advise.
Aren’t they? I ask my partner for investment opinions all the time.
> Let's have the bank approve before we can do a transaction.
Yes… That’s already how it works. Banks use heuristics to detect and prevent suspicious transactions. That’s why most of these scams ultimately involve crypto.
danieldk · 3h ago
Aren’t they? I ask my partner for investment opinions all the time.
Obviously, the probability of it being a scammer reduces with the amount of time. In the end it's a function of time vs. effort. Scamming billionaires by marrying them and waiting until they die happens frequently enough. A 5 year scam for a few thousand bucks, unlikely.
As usual, use common sense, which you would have to do anyway if you do investments.
rafram · 55m ago
There are lots of older people who have never really invested their money, have a lot in their savings account, and might be excited by the idea of a get-rich-quick crypto investment they hear about from someone they trust. Even if they’ve only known them for a little while.
Hizonner · 2h ago
> Banks use heuristics to detect and prevent suspicious transactions.
... and it's really fucking annoying when their heuristics misfire-- which is not at all rare-- especially since they do all they can to externalize all costs of that to the customer.
throw0101c · 2h ago
> The solution is education.
We've been trying to educate people about passwords and phishing for years/decades now, and it has not worked. Further, every day a new ten thousand (US) people need to be educated:
> So, put a toggle somewhere. When the toggle is toggled, put up a big fat warning sheet and say if somebody on the phone or mail asks you to do that, 99.9% it's a scammer.
The proverbial grandparents will follow the instructions of the scammers and will click through all of that. We've had decades of empirical evidence: people will keep clicking and tapping on dialogue boxes to achieve their goal.
People have physically driven to cryptocurrency ATMs on the instructions of scammers:
Then why not lock down their devices. Why aren't people using the parental controls on their parents phones to lock it down and own in on their behalf? I don't understand this idea that because there are some people vulnerable to scams that we all have to give up control to Apple and Google. The option to move the trust and ownership to another party is useful, but it doesn't have to be just those two parties as options.
rafram · 5h ago
Not everyone has children. Not everyone has children who they remain in contact with. Not everyone has children who are tech-adept enough to do that. Not everyone has children who are less vulnerable than themselves.
gumby271 · 5h ago
Well maybe let's start small and cover the people that do first, just to see how that goes. Instead we're starting with all people on the planet, and it will be declared a success because the metrics will say it was, there's no rolling this back.
And it doesn't have to be children of parents, that's just the common example that's brought out every time this comes up.
snowe2010 · 5h ago
We literally did start with that… that’s the current situation, everyone has parental toggles and yet millions of people get scammed for billions of dollars a year. You’re acting like we (and these massive corporations) haven’t been trying for decades at this point. And you’re saying we shouldn’t be trying more stuff, we should just stop and give up and let innocent people get scammed because you want to be able to run whatever on your phone.
gumby271 · 5h ago
Maybe I'm wrong, but I have never seen Apple or Google suggest that someone use the parental control tools on a vulnerable adult person's phone to prevent them from hurting themselves. They have never run such a campaign for awareness or changed those tools to make them more palatable to controlling adult's phones (these tools are always sold as things to enable on a child's device). So no, I don't think we've started with that. We've started by adding some toggles and scary warning, and I agree that hasn't worked. I never suggested we stop trying, I suggested we allow the trusted owner/admin of the device to be more easily assigned to someone that person trusts, not just forcing Google into that role without consent.
Hizonner · 2h ago
You do not want to live in a world where that's normalized. There are legal processes for determining when somebody's "vulnerable" enough to need a guardian. Those process are heavy and strict for a damned good reason. And sometimes still not strict enough.
gumby271 · 2h ago
If I'm drunk and give my friend my car keys and ask them to not let me do anything stupid, I'm not giving up my legal rights to autonomy. I don't think this is any different. Legal guardianship is entirely unrelated, unless we're having some slippery slope fun.
Hizonner · 2h ago
So you expect aging parents to actively ask their children to put controls on their devices, and not to reverse that decision when it matters most?
Many, probably most, of the people most at risk aren't going to do that.
When you're (somewhat) drunk, you know that you're drunk, and you're still able to comprehend how that will slow down your reactions while driving. When you're being scammed, you think you're right... and if you begin to doubt that, you may tend to push the thought out of your mind rather than follow it through, and to evade things that might bring it back. And it's very hard to admit to yourself that you're permanently impaired in that sort of way... especially when you're impaired in that sort of way.
jackothy · 5h ago
Society is held back so much when the most capable have to live by rules made for the least capable.
Give the knowledgeable the freedom to use their skills. Separately, develop ways to help/protect specifically those that need it.
pydry · 6h ago
Or guided by their tech savvy children.
MrsPeaches · 5h ago
What else do you consider basic human rights?
My suspicion is: were you to list them, running programmes on hardware you own would be fairly low on that list.
2paz7x · 5h ago
So because it's low on the list it's not a right? Where do we draw the line? Let's do an experiment. Which rights can we take away from you? Some are pretty far down the list, right? The right to live is pretty important, so that's all the way up on the list. So where's the line drawn?
hollerith · 6h ago
I don't want to live in your overly simplistic world.
fleshmonad · 6h ago
How is this overly simplistic? It is pretty simple. You buy some hardware, and some company wants to force you to use their telemetry ridden, data collecting software under the guise of stupid people being unable to do a google search and comparing a string. I can safely say I don't want to live in your technocratic techbro wet dream.
hollerith · 5h ago
Remote attestation is a useful capability. One example: it can be used to create a camera such that the photographer can prove that an image is an accurate recording of reality and not AI-generated. Without remote attestation, we will soon enter a state of affairs in which the courts (and anyone else, too) cannot ever rely on photographic or video evidence.
The banking system has been relying on remote attestation for decades to ensure that devices used in settling financial transactions have not been tampered with:
Also, I think the chip-and-PIN cards used for most in-store transactions in Europe for the last 20 years rely on remote attestation and tamper resistance to prevent fraud.
Finally, in the domain of desktop and laptop computers, there is a big security hole in that most components (certainly, disk drives and storage devices, but basically any peripheral or board) are essentially embedded computers that can be pwned with the result that they stayed pwned even if the owner of the computer installs the OS from scratch. One solution to this would be for suppliers of peripherals and boards to get much better at securing their products or to stop using microprocessor to implement their products, but it would be quite a lot of work (and governmental intervention or at least intervention by industry-wide quasi-governmental entities that currently do not exist) to get from the current situation to the one I just described. The only products currently available that are secure against this threat (aside perhaps from using 40-year-old computers) use verified-boot technology to implement the security.
I.e., the only desktop and laptop computers you can buy where you can be reasonable sure some attacker hasn't installed malware in the computer's disk drive or track page or wifi module are things like Macs and Chromebooks, which implement the security using verified boot.
2paz7x · 5h ago
So we should all give up our rights so we can use the fancy new locked down technology to digitally sign our photographs. Oh, and now every photograph you ever post on social media can be tracked to your device. I love your future!! We should also install a camera in your bathroom. Just to attest. It's just attestation, bro.
fleshmonad · 5h ago
I am sorry that free choice what software to install on your device goes against your existential fear of "AI extinction" as displayed in your profile description. I guess I was wrong, and surrendering all your rights, being tracked and used for datapoints that will in turn be used to train AI is actually good.
hollerith · 5h ago
I don't think the "ethic" you are proposing (i.e., a consumer should have free choice of what software to install on their own device) has much bearing one way or the other on AI extinction risk.
Do you simply not care that this Linux computer that you have such warm feelings about is fairly easy to pwn (in part because of the lack of verified boot and in part because desktop Linux software is just much easier to pwn than the systems software on a Mac or a Chromebook or an iPhone or an Android phone) such that if you ever got to be an effective activist against some government or some powerful industrial interest, that government or industrial interest could fairly easily eavesdrop on everything you do with this Linux computer?
That doesn't sound much like protecting your individual rights.
fleshmonad · 5h ago
You're right. My loonixtard brain didn't grok this without your input. My device is going to be pwned because I didn't use a Microsoft verified image. Should I ever feel the need to start the revolution, I will make sure to use secure boot and use Microsoft windows using my employers account.
hollerith · 5h ago
It appears that most PC makers didn't implement verified boot correctly (e.g., they negligently left sample keys in the firmware they shipped), which is why I avoided any mention of Windows in my previous comments.
2paz7x · 5h ago
>this Linux computer that you have such warm feelings about is fairly easy to pwn
It's just not. Otherwise, all servers would be running your beloved iOS, wouldn't they?
>in part because of the lack of verified boot
This does not matter. I can generate my own keys.
>easier to pwn [...] than [...]an iPhone
Lol... If anything, phones are more vulnerable because you have less access to sandboxes and VMs.
>Is it possible to allow sideloading and keep users safe?
Why is this a question of _allow_? Who is my hardware provider that he is somehow my guardian and must _allow_ me to install software that I want to install?
>Is it possible to allow people to do sports and keep them safe?
>Is it possible to allow people to roam freely and keep them safe?
>Is it possible to allow people to not be locked up in a padded cell and keep them safe?
People are responsible for what they are doing, and teaching them about technology is the best way to do deal with this example here, as it doesn't infringe anyone's human rights and would give anyone the resources to check their sources.
edent · 6h ago
Every sporting body that I know of has rules to keep people safe. Even dangerous sports like boxing and American Football pit some effort into keeping participants reasonably safe.
Similarly, every modern society has rules to keep people safe when roaming. That might be as simple as warning signs it as complex as a coastguard.
We've had decades of warning people about online scams and I don't see any slowdown in the volume of scammy emails that I receive. Education clearly isnt working - and that imposes a cost on all of us.
Mordisquitos · 5h ago
We've had decades of 'simple warning signs' or measures as complex as coastguards and yet people are still periodically lost in the wilderness, badly injured, or even killed. Education clearly isn't working here either — what restrictions should we impose on people's right to roam to solve this?
snowe2010 · 5h ago
You clearly know the answer here since you used the word “periodically”. There’s a massive difference between hundreds and millions. No one is stopping you from buying a non Google phone, no one is stopping you from running calyx or graphene. Mitigation for the things that affect the most number of people is how the world works.
jmholla · 4h ago
> No one is stopping you from buying a non Google phone, no one is stopping you from running calyx or graphene.
Google and phone manufacturers have been actively moving in that direction and have a long history of being actively hostile to those things. This is just another move on the same board to restrict these freedoms.
fsflover · 2h ago
> No one is stopping you from buying a non Google phone
You mean, the iPhone, which restricts everything even more?
mathiaspoint · 5h ago
They don't come into your own house and tell you what to do though. The police aren't going to arrest you for swimming in your own pool without a lifeguard. That's completely absurd.
edent · 5h ago
I don't know where you live, but lots of places require you to secure your pool in such a way that people can't accidentally drown in it.
Societies often place limits on individual freedoms.
tempodox · 3h ago
Are you seriously comparing the self-serving decisions of a for-profit company with laws designed to protect people?
fleshmonad · 5h ago
Okay, how would you fix the scammy email problem? Only allow authorizing people to send emails after they applied for a government issued address?
Outlaw all non big corpo operating systems?
Perfect surveillance? All because some boomers can't into common sense?
It's also ironic that you bring up warning signs as a counterexample to my point, as it's exactly what I am saying. You can warn them, but you don't bar them from doing so.
jackothy · 5h ago
I have come to the conclusion that both Android and iOS, along with the banking systems, are all doomed platforms.
Even something like GrapheneOS, in theory the best path to security and privacy and liberty, was falling way short even before this latest announcement from Google.
The problem lies partially in the app ecosystems, which embrace spyware and exploiting users (requiring all the worst Google APIs), and partially in governments, which will leverage any centralized organization like Google to gain control (EU chat control etc.).
The solution cannot be just a custom OS or an OS fork. In fact, ecosystem compatibility is toxic and slows down growth of real alternatives. There needs to be some wholly independent and decentralized offering.
The challenge is hardware compatibility and core services like digital IDs. Most apps should be solved by using a website instead.
These issues are especially important because the future is increasingly digital. Smart phones, smart glasses, smart watches, VR glasses, smart homes, and even brain implants. I don't want to live in a future where I'm either left behind or my whole life is controlled by Google/Apple/the government/etc.
rcarmo · 1h ago
The “use a website instead” angle doesn’t really work for a lot of things, and given the impermanence of websites these days, is actually a major point of potential failure.
jackothy · 58m ago
The "use a website instead" angle should work for the majority of things people spend phone time on. For the few things that could not be a PWA, some extra effort is needed.
barnabee · 6h ago
> 00. Users should be free to run whatever code they like.
> 01. Vulnerable members of society should be protected from scams.
00: yes, always; 01: yes, but not at the expense of 00 (or probably some other things)
snowe2010 · 5h ago
Why? What’s your logic and reasoning?
nazgu1 · 6h ago
For me it’s a matter of settings. As a user I would have option to choose “secure” mode that disallow installing apps from unofficial sources, but if I want to I should have option to allow side loading. Everything else is just corporations need to have to much control.
cwillu · 6h ago
The problem is that important services will then be (and already are!) only permitted to run in “secure” mode.
I literally have a banking app that will refuse to run on an “unsecure” phone. Today I can still install unsigned apps, but removing that ability is explicitly the goal of this policy change.
vbezhenar · 6h ago
There are millions of homeless or otherwise struggling people all around the world, who would let anyone to use their identity for a small compensation. I don't really see how this requirement to register in Google will help with app security. So the malware will be signed with John Smith living under a bridge, now what?
walthamstow · 6h ago
MacOS handles it pretty well, I can use it to do what Doctorow calls general computing and my mother can use it to shop and do email. Apple allowing freedom for MacOS but not iOS is inconsistent and I see no good reason for that.
MillironX · 5h ago
Except Apple code signing on MacOS is basically what Google is trying to copy over to Android. I can run arbitrary programs on MacOS, but I have to go and remove the com.apple.quarantine attribute from any application that doesn't have Apple's explicit permission to exist, i.e. most FOSS apps. I suspect that option will go away eventually.
vbezhenar · 6h ago
MacOS does not handle it well. I can run `curl example.com | sh` and it'll steal my ssh key.
Almondsetat · 6h ago
It is perfectly consistent: iOS is not for general computing
Disposal8433 · 6h ago
Sandboxing should prevent most of those issues. We can't control the users giving permissions to everything, but with more control on those permissions, or disabled by default, a phone should stay pretty safe, or am I missing something?
rafram · 6h ago
People have been trained to tap through those prompts without really reading them, and it’s unreasonable to expect a less technical user to know what the implications of granting a permission are.
mathiaspoint · 6h ago
Giving illiterate people access to computers is going to be dangerous for them no matter what you do. UIs and operating systems should consider their caretakers instead.
rafram · 5h ago
Not everyone has caretakers, unfortunately, but everyone needs a phone.
mathiaspoint · 5h ago
Then they can have flip phones. Those are still made and are great for children and other people who aren't capable of caring for themselves.
simion314 · 6h ago
>People have been trained to tap through those prompts without really reading them, and it’s unreasonable to expect a less technical user to know what the implications of granting a permission are.
Can you please explain why there is no big push from the Google and Apple to remove microphone and camera access from the browsers? You claim that most users are "less skilled" and will allow anything , so for the grater good why not pushing to remove microphone, camera and file upload permissions? Why do we trust this users with reading a popup for permissions ?
Or maybe if the popups are not clear or good enough maybe is not the users fault ?
snowe2010 · 5h ago
That’s just advocating for the same thing, OS makers removing users abilities to do things they want with their devices. Pretty much everyone in this comment section that is advocating against what Google is doing would advocate against that as well.
> Our research [1] finds that users often make rational decisions on the most used capabilities on the web today — notifications, geolocation, camera, and microphone. All of them have in common that there is little uncertainty about how these capabilities can be abused. In user interviews, we find that people have clear understanding of abuse potentials: notifications can be very annoying; geolocation can be used to track where one was and thus make more money off ads; and camera and microphone can be obviously used to spy on one’s life. Even though there might be even worse abuse scenarios, users aren't entirely clueless what could possibly go wrong.
Its not the sandboxing, its the access to user data that apps can request. a mobile OS allows apps to request and be granted all kinds of permissions, and 80% of the world population doesn't really understand what all things are possible for each of the permissions they give to an app. For example being able to export the whole contact list, or read all files in folders (where users may have saved notes with passwords) or real time tracking of gps location with wifi mac address sniffing, listen in on conversations, be able to screenshot other apps, trigger touch events... none of this a sandbox can prevent.
When there are problems reported about an app, there has to be a known party to hold accountable. I agree that a developer path that is complex enough that only people who know all the impacts are able to use to side load random apps they own or from someone they can trust, but the general population has to be protected unless at the individual level they are savvy.
nottorp · 5h ago
> there has to be a known party to hold accountable
So no free applications. Prepare to pay a subscription for every flashlight app.
mzajc · 5h ago
> The first is that a user has no right to run anyone else's code, if the code owner doesn't want to make it available to them. Consider a bank which has an app. /../ I think the bank has the right to say "your machine is too risky - we don't want our code to run on it."
But should they? Should we also accept Google's browser signing and ban all browsers the bank doesn't like? Am I allowed to accept calls from people they haven't vetted or is it too much of a risk to the bank's bottom line that they might talk me into a scam.
I suppose we should also write off the inevitable privacy and freedom violations in the name of "security".[0] I don't have anything to hide after all.
> But should they? Should we also accept Google's browser signing and ban all browsers the bank doesn't like?
If you want to hold the banks liable for fraud committed against you (which is exactly what happens in many countries), then it’s hardly reasonable to say that they’re not allowed to use what ever technical options they can to prevent that fraud.
You can put forward the argument that banks simply shouldn’t be responsible for fraud committed against their customers. But we only need to look at world of cryptocurrencies to see how well that works in reality.
Gud · 1h ago
“allow side loading” is a premise I object to.
Now that Android is going full retard with their authoritarian BS, it’s time to build a new phone operating system or at least make the ones we already have viable.
It’s a monumental undertaking, but it needs to be done.
pxtail · 5h ago
It's not sideloading, you are not doing anything nefarious,shady, on the side, on the edge. It's software installation on your device, your own device.
This newspeak is purposely invented to negatively portrait software installation from sources not controlled by Google/Apple
razighter777 · 5h ago
What about making side loading require some moderate level of technical sophistication? Like connecting to the phone over usb and having to manually type some long shell commands, or exit vim, or write a compiling c program, or some other layman proof filter to activate installing outside apps. I feel like grandma would be too intmimidated by this (good), making it too frustrating for even the most determine scammer to explain, no matter how desperate they are for her social security checks. Have it be done in the bootloader so you can't follow these instructions while on the phone, and require physical interactivity with the device (can't be automated over usb). Regardless, this policy is an unacceptable infringement on digital freedom by google.
accle · 5h ago
I believe this is already the case. You can purchase phones that may be bootloader unlocked, allowing custom firmware to be installed. This enables a tech-savvy user to sideload anything they like.
mathiaspoint · 5h ago
Closed drivers need Android userspace -> Android panics or otherwise refuses to function if it decides it's SE Linux policy is compromised -> you still don't have control over the device.
And we're back to "just break into the thing you've already paid for." Nope. Go away. No more smartphone crap.
accle · 5h ago
If you install custom firmware, you can control the SELinux policy that is configured and enforced by that firmware.
G_o_D · 5h ago
I create apps just for myself, just started learning, self taught, not a student taking programming course in university, not professional
Apps created by me for my routine,
Does that mean i would not be able to install my apps ??
Mordisquitos · 6h ago
> There are, I think, two small cracks in that argument.
> The first is that a user has no right to run anyone else's code, if the code owner doesn't want to make it available to them. Consider a bank which has an app. When customers are scammed, the bank is often liable. The bank wants to reduce its liability so it says "you can't run our app on a rooted phone".
> Is that fair? Probably not. Rooting allows a user to fully control and customise their device. But rooting also allows malware to intercept communications, send commands, and perform unwanted actions. I think the bank has the right to say "your machine is too risky - we don't want our code to run on it."
> The same is true of video games with strong "anti-cheat" protection. It is disruptive to other players - and to the business model - if untrustworthy clients can disrupt the game. Again, it probably isn't fair to ban users who run on permissive software, but it is a rational choice by the manufacturer. And, yet again, I think software authors probably should be able to restrict things which cause them harm.
It's not clear to me whether in this fragment the author is stating the two alleged cracks in the argument or rather only the first one — the second one being Google's ostensible justification for the change. Either way, neither of these examples are generalisable arguments supporting that 'a user has no right to run anyone else's code, if the code owner doesn't want to make it available to them'.
With regards to banking apps, the key point has been glossed over, which is that that when customers are scammed the bank is 'often' liable. Are banks really liable for scams caused by customer negligence on their devices? If they're not, this 'crack' can be thrown out of the window; if they are, then it is not an argument for "you can't run our app on a rooted phone", but rather "we are not liable for scams which are only possible on a rooted phone".
As for the second example, anti-cheat protection in gaming, the ultimate motivation of game companies is not to prevent 'untrustworthy clients' from 'running their code'. The ability of these clients to be 'disruptive to other players' is not ultimately contingent on their ability to run the code, but rather to connect to the multiplayer servers run by the gaming company or their partners. The game company's legitimate right 'to ban users who run on permissive software' is not a legitimate argument in favour of users not having full control over their system.
snowe2010 · 5h ago
> rather "we are not liable for scams which are only possible on a rooted phone".
Who is going to prove that though? It’s much simpler and less stressful on our court systems if a bank just says “we don’t allow running on rooted phones” and then if a user takes them to court the burden is on proving whether the phone was rooted or not rather than proving if the exploit that affected them is only possible on a rooted phone.
edent · 5h ago
Thanks for the feedback. Those examples are meant to cover the first point.
The problem if you are a bank is that scammed people can be very persistent about trying to reclaim their money. There's a cost to the bank of dealing with a complaint, doing an investigation, replying to the regulator, fielding questions from an MP, having the story appear in the press about the heartless bank refusing to refund a little old lady.
It is entirely rational for them to decide not to bear that cost - even if they aren't liable.
mixxorz · 6h ago
Just make it harder to disable security.
At point of purchase, you get to decide whether you want secure mode or not. Then after that, if you want to change it, you have to open a support ticket with the manufacturer.
Kinda like how SIM-locking works.
edent · 5h ago
Look at the people who are conned into buying Apple Gift Cards so that they can "pay their taxes".
If they can be convinced of that, how hard will it be for a scammer to say "we've detected a problem with your phone. To avoid being imprisoned for piracy, please file this support ticket so we can debug things."?
bitbang · 5h ago
Devices should offer a local signing cert, where you can sign an app for that device only. Then make the app signing process enforce binding agreement that you assume all responsibility related to the app.
solatic · 6h ago
< Vulnerable members of society should be protected from scams.
There are three ways to deliver protection: build better walls, defeat attackers after successful initial attacks, defeat attackers before successful initial attacks.
The article ties itself into knots because it recognizes that the first way cannot deliver 100% security. But it refuses to recognize that there are two additional ways.
The United States military could go after scammers operating from foreign compounds. It could treat the economic targeting of American citizens as acts of economic war. It chooses not to. Freedom is not free, and when your country chooses to literally not fight for your freedom, it's hardly any wonder that your freedoms are eroded.
Remember XKCD 538: https://xkcd.com/538/ Cybersecurity and physical security are fundamentally linked.
woliveirajr · 6h ago
>> Vulnerable members of society should be protected from scams.
> There are three ways to deliver protection
While I agree with your idea I'd like to remember that there are previous steps: teach people to be less vulnerable. Teach people to be less greedy. Teach people the consequences of actions.
Being less vulnerable is an obvious definition: know how to not fall for some scams.
Less greedy: some scams revolve around the idea of quick and ease profits and the comeback is hurtful because the person thinks he would get x and ends up losing 500x.
Consequences of actions: there's a lot of value to the group that observes the (bad) consequences of one actions. Pain, even from others, teaches something. The more we protect people from consequences, the better and safer it is about small losses until the actions go beyond the protection and the consequences are catastrophic.
solatic · 5h ago
I fully agree that there's a different strategy for before the line is crossed, one that is often more humane, more freedom-respecting, and cheaper to boot. Too often those strategies are sadly under-funded.
That's beside the point that the line, too often, is being crossed, and perpetrators are allowed to perpetuate their crimes, instead of the military and/or law enforcement stepping in and performing their organization's missions to protect us, especially the most vulnerable among us.
rafram · 6h ago
Scammers can operate from literally any country in the world, in any location where they have access to the internet. The idea of the military busting into a Bin Laden-style scammer compound is very romantic, but plenty of these operate from regular offices or homes, and it’s trivial for someone new to get into the scamming business if a big scammer is taken down.
solatic · 5h ago
People forget both why the US invaded Afghanistan in the first place, and why US financial sanctions are so effective. The US invaded Afghanistan, a country whose government was not directly involved in the 9/11 attacks, because that government refused to extradite OBL and other senior Taliban leadership, to bring them to justice in the United States. US financial sanctions are so effective because they cut off foreign institutions from the US financial system if those institutions do business with those who harm Americans and American interests. Soft power is backed by hard power, first against organizations hosted by governments willing to cooperate with the US, and eventually against governments unwilling to cooperate.
That scammers can operate from anywhere is beside the point. More often than not, law enforcement and the military know where that is. A conscious decision is made not to prioritize or fund fighting it.
avianlyric · 3h ago
That’s easy when you’re dealing with people operating in countries where your existing relationship is poor or non-existent. There’s nothing practical that country can do to fight back against U.S. demands.
But try applying that approach to India or China. Do you think those countries are going to allow the U.S. military to operate on their home turf, shooting at their citizens, and not retaliate? It doesn’t even have to be military retaliation, the U.S. economy is heavily intertwined with those countries, just look at the consequences of Trumps tariffs. Do you honestly think U.S. citizens would be willing to trade off the trade benefits of working with those countries, just so you run a military raid on building of scammers?
rafram · 58m ago
Yeah. And even in situations where there’s no alliance to disrupt (e.g., Chinese scam compounds in functionally lawless areas of Myanmar), I don’t imagine that most Americans would be sold on the idea of a military operation against scammers.
zdw · 6h ago
Most of this problem is solved by not hiding the trust model.
Do you want an phone where you trust Apple/Google/3rd party to make a "malware or not" decision? Or one where all that is turned off and you can do whatever? Go right ahead in either case - you control the trust, rather than it being made for you by the platform vendor.
Similarly, we have certificate infrastructure where the TLS roots are owned by a small number of people. These are generally trusted, but some people/organizations edit them down (ex: removing roots from state actors deemed untrustworthy). But it's hidden, and generally a lot of choices.
Even linux distros, you pick which package signing keys you trust.
And Docker/K8s... oh wait, there's no default keys and containers remain being developer's puke bags in most cases, and the repos are rugpulled by corporations regularly...
Nursie · 6h ago
I look forward to you explaining all that to my elderly mother.
Once you’ve explained the difference between Google and “the internet”, you may stand a chance. I wish you luck, I’ve been trying that for a while.
BRB, heading out for popcorn.
ajb · 5h ago
This is a false dichotomy. The following are not the only two possible solutions:
* Everyone has to trust one of two giant mega-corporations to make good decisions for everyone
* Everyone has to take on the evaluation of everything themselves, do their own admin, understand opsec, etc etc.
Freedom does not entail the latter. Freedom means having the freedom to do it, but also having the freedom to delegate it, and to decide who to delegate it to. We don't have to be technology "preppers". We can set up and fund independent organisations to do this -like Debian, for example. And have competition between them.
Yes, that means some people will delegate their trust to their religious cult. That's the price of freedom
fsflover · 5h ago
The most secure OS existing, Qubes OS, allows and encourages installing any untrusted software and protects you with strong, hardware-assisted virtualization.
martin-t · 6h ago
> Here's the story of a bank literally telling a man he was being scammed and he still proceeded to transfer funds to a fraudster.
> The bank blocked a number of transactions, it spoke to James on the phone to warn him and even called him into a branch to speak to him face-to-face.
Y'know, at some point the cost of protecting the dumbest people is too much to be worth it. I am perfectly fine with some people getting hacked, doxxed and scammed out of their life savings if the alternative is everyone losing their freedoms.
Freedoms are important because without them people with power go unchecked more and more. It's a slow process but it culminates in 1) dictatorship at the state level 2) exploitation at the corporate level.
oakpond · 6h ago
Goodbye Android.
danieldk · 5h ago
And then what?
More like: time for regulators to step up and do their work.
fsflover · 5h ago
And then GNU/Linux phones. Sent from my Librem 5.
martin-t · 5h ago
Evolution used to work by some people dying before they could reproduce.
That's how we become the smartest animal on the planet. But it no longer works, we are very good at keeping everyone alive. And there's nothing wrong with that, as long as we don't compromise our freedoms to achieve it.
Some people getting exploited is the modern equivalent of leopards eating your face. It would be nice to protect people from it happening but NOT by everyone giving up basic human rights. And yes, in the modern world, running any software on your hardware should be a basic human right.
Especially at a time where computation is starting to resemble intelligence. Otherwise we all become serfs all over again.
martin-t · 3h ago
Ah yes, the rudest form of agreement - downvote without justification.
If you can't explain why i am wrong, consider i am right.
glitchc · 6h ago
Yes. Run the sideloaded apps in a VM. Modern phones are powerful enough to do that.
Yes. It is a basic human right.
> This is a question where freedom, practicality, and reality all collide into a mess.
No; it isn't. The answer is clear and not messy. If you are not allowed to run programs of your choice, then it is not your hardware. Practicality and "reality" (whatever that means) are irrelevant issues here.
Maybe you prefer to use hardware that is not yours, but that is a different question.
In that case, the solution should be to raise the lowest commmon denominator. Lots of issues like that could be prevented by investing in education to increase technology literacy. But long term investments (even public ones) do not match well with quarterly reports.
However, this isn't entirely a tech problem - it's a social/human one.
Not every mechanic has a driver's license. Sure, they may enjoy working on cars and the technology of cars... but for one reason or another they may have never gotten or have lost their driver's license.
Not everyone who is tech literate is similarly socially literate. I have programmer co-workers who have been scammed into sending gift card authentication codes or installed malware (or allowed the installation) onto their personal computing devices.
It isn't possible to prevent someone from accessing the internet any more than it is possible to prevent them from accessing a phone.
I am not saying that one should have a license to access the internet. Rather, I am saying that a device that holds and maintains the authentication mechanism for doing banking transactions, it is not unreasonable for the maker of that device and its software to attempt to mitigate the possibility that they are held liable for negligence in allowing user installed software to do banking without the owner's consent.
With the uncertainty that everything in the operating system and hardware is locked down to the point where no-consent access by malware to those banking capabilities is completely restricted (and thus they're not liable for negligence) - the wall that is being put up to try to prevent that is "no software that has not been vetted can be run on this device."
Consider that the phone is often the authentication mechanism and second factor for authorization to restricted systems. Authy, Microsoft Authenticator, and other 2nd factor applications typically do not run on general computing devices.
Technical literacy does not imply social or security literacy.
Indeed. And people were falling for scams long before the Internet. What's new is the push to make that the fault of bystanders... thus causing those bystanders to intervene. It's neither the bank's fault, nor Google's fault, if somebody falls for a scam. Or installs malware. Or whatever. If you try to make it their fault, they're going to do really annoying things that you don't want.
Sure, you can sell security tools, or curation, or whatever. Many people will even want to buy them, but things break when that starts being a duty. And the only way to prevent it from becoming a duty is to accept that people own their own mistakes.
This tends to be counter to consumer protection laws or data privacy laws.
A company that can be held to strict liability for their actions can be sued (and be found liable) even if they presented that the action is unreasonable or dangerous.
In saying a consumer who buys a 100% "you can do anything on it" device liable for every action that that device takes no matter what initiated that action?
To me, the argument that you should be able to do anything on the device and be held liable for all the actions that device allows is very similar to that of "the maker of the device has no liability for providing a device that can be misused."
If that is the case, then (to me) this would need to be something that would need to be changed by the courts and the laws (and such a company would need to pull completely out of Europe).
You may be exaggerating it, but insofar as you're right, you're just describing the problem.
That’s just it. Software isn’t being vetted. Witness all the scam apps in the iOS and Android app stores. Even paid developer accounts don’t stop people from publishing these, nor does Apple’s walled garden protect you from them.
That said, for sensitive apps they tend to go through more strict scrutiny of their functionality. Publishing a "Wəlls Fargo" application will likely not get approval.
The question isn't "does it need to be 100%" but rather "if was not done at all, would Apple or Google be liable for flaws in their software (e.g. VM breakouts) that allows malware to do banking transactions, location tracking, or place calls (e.g. 1-900 number dialing) without user consent?"
I'm fairly certain that Apple and Google take measures to limit their liability. With how courts and countries are finding technology companies liable for such (consumer and data privacy protections), I would expect to see more restrictions on the device to try to further limit the company's exposure.
Absolutely not a Scooby.
It’s a more tricky issue where Google and other parties can restrict access to their services to devices they deem legitimate. Their services, their rules. Your hardware. Different arguments required.
It’s everywhere: Widevine is used to prevent stealing 4K content (incl ATSC 3.0), gaming providers use it for anti-cheat, banks use it to rate limit abuse. It’s not just Android.
(I say this as someone with an Apple Vision Pro running visionOS 1.0 with the hope to jailbreak it one day. I’m actually unable to do whatever I want to their hardware, unlike my Pixel phones.)
Providers still implement it where they can, like for blackout restrictions for US sports games: impossible to enforce on the web because I can spoof location. Very possible to enforce on iOS because jailbreaking is not possible. Possible to enforce on Android because you can check if spoofing was made possible.
It’s currently the primary reason I can’t play games online on Linux.
And yet you can't install an alternative OS like Mobian, postmarketOS or PureOS due to the closed drivers and specs.
The social structure of the smartphone app ecosystem is remarkably similar to the cable provider -> network -> show situation from before too.
They’re clearly just computers, they’re “hardware you own”, but you’ve never been able to run whatever software you want on them. But it’s been like this since the 1970’s and there’s never been an uproar over it.
For me the difference is that you know what you’re getting into when you buy a console, and it’s clear up front that it’s not for “general” computing. I’m inclined to put smart phones into this category as well, but I can see how reasonable people may disagree here.
I think there is a huge difference. You can perfectly live your life without a game console. Even if you are a game addict and it is absolutely necessary for you to live, you could buy a PC and game on that.
Smartphones are a necessity nowadays. Some banks only have smartphone apps (or require a smartphone app to log in to their website). Some insurers want you to upload invoices with an app. Some governments require an app to log in (e.g. the Dutch DigiID). You need a smartphone to communicate with a lot of organizations and groups.
Smartphones have become extremely essential. And two companies can decide what does and what doesn't get run on a smartphone and they can take their 30% over virtually everything. They can destroy a company by simply blocking their app on a whim (contrast with game studios, which could always publish their game for PC or Mac or whatever).
It is not a healthy, competitive market. It is the market version of a dictatorship. And Google forbidding non-app store installs is making it worse.
Governments should intervene to guarantee a healthy market (the EU is trying, but I think they are currently worried about the tariff wrath).
Unfortunately, the copyright lobby of the video game industry was too strong in the 70s/80s/90s, so here we are.
In the future, when your whole house is controlled by a computer, do you want that computer to be controlled by Google or to be controlled by yourself?
People started free and equal, then some specialized into warriors[0] and gradually built deeper and deeper hierarchical power structures, called themselves "nobles" and started exploiting the "commoners".
At some point people snapped, killed a bunch of them (French revolution, US was for independence, etc.) and decided they wanna rule themselves.
And then companies started getting bigger and bigger, with deeper hierarchical power structures, the "nobles" call themselves "executives" or "shareholders" and the people doing actual productive work are not longer "commoners", they are "workers"[1].
[0]: And thus controlled the true source of power - violence.
[1]: Ironically admitting that people who are not workers are not doing real work, they are just redistributing other people's work and money.
https://www.youtube.com/watch?v=uqsBx58GxYY
I don't like describing it as cycles because it is too simplistic and pretend it is inevitable, robbing people of agency.
I prefer to think of society as a system where different actors have different goals and gradually lose/gain influence through a) slow processes where those with influence gain more from people who are sufficiently happy to be apathetic b) fast processes when people become sufficiently unhappy to reach for the source of all real world influence - violence.
This happens because uneducated/dumb/complacent people let it happen. It can be prevented by teaching them the importance if freedoms and to always fight back. But that goes directly against the interests of those in power - starting from parents who want children to be obedient.
> Yes. It is a basic human right.
Says who?
What's your philosophical argument in favour of this?
> hardware you own
Please explain how owning an item of hardware implies that running whatever computer program you want on it is a basic human right.
Is it illegal to spin up a Linux server on your mobile phone?
If people still go for it, then it is their responsibility. A lot of things in life require responsibility because otherwise the results can be disastrous. But we don't forbid them, because it would be a huge violation of freedoms.
You have to take into account that the threat model here is vulnerable people, often older, being taken in by scammers who talk to them for weeks and gain their complete confidence. To the victims, it feels like a real romantic relationship, not someone who could even possibly be a scammer.
Also, scams also happen outside smartphones.
What's next? Are we going to revoke people's control over their financials because they might be scammed? Let's have the bank approve before we can do a transaction. And since we are using their payment platform, maybe they should also take 30%.
Please stop feeding their narrative. Scammers are Google/Apple's "but think of the children".
Aren’t they? I ask my partner for investment opinions all the time.
> Let's have the bank approve before we can do a transaction.
Yes… That’s already how it works. Banks use heuristics to detect and prevent suspicious transactions. That’s why most of these scams ultimately involve crypto.
Obviously, the probability of it being a scammer reduces with the amount of time. In the end it's a function of time vs. effort. Scamming billionaires by marrying them and waiting until they die happens frequently enough. A 5 year scam for a few thousand bucks, unlikely.
As usual, use common sense, which you would have to do anyway if you do investments.
... and it's really fucking annoying when their heuristics misfire-- which is not at all rare-- especially since they do all they can to externalize all costs of that to the customer.
We've been trying to educate people about passwords and phishing for years/decades now, and it has not worked. Further, every day a new ten thousand (US) people need to be educated:
* https://xkcd.com/1053/
The proverbial grandparents will follow the instructions of the scammers and will click through all of that. We've had decades of empirical evidence: people will keep clicking and tapping on dialogue boxes to achieve their goal.
People have physically driven to cryptocurrency ATMs on the instructions of scammers:
* https://bc-cb.rcmp-grc.gc.ca/ViewPage.action?siteNodeId=2136...
* https://www.usatoday.com/story/money/2025/04/21/bitcoin-atm-...
Warning sheets will do nothing.
And it doesn't have to be children of parents, that's just the common example that's brought out every time this comes up.
Many, probably most, of the people most at risk aren't going to do that.
When you're (somewhat) drunk, you know that you're drunk, and you're still able to comprehend how that will slow down your reactions while driving. When you're being scammed, you think you're right... and if you begin to doubt that, you may tend to push the thought out of your mind rather than follow it through, and to evade things that might bring it back. And it's very hard to admit to yourself that you're permanently impaired in that sort of way... especially when you're impaired in that sort of way.
Give the knowledgeable the freedom to use their skills. Separately, develop ways to help/protect specifically those that need it.
My suspicion is: were you to list them, running programmes on hardware you own would be fairly low on that list.
The banking system has been relying on remote attestation for decades to ensure that devices used in settling financial transactions have not been tampered with:
https://en.wikipedia.org/wiki/IBM_4758
Also, I think the chip-and-PIN cards used for most in-store transactions in Europe for the last 20 years rely on remote attestation and tamper resistance to prevent fraud.
Finally, in the domain of desktop and laptop computers, there is a big security hole in that most components (certainly, disk drives and storage devices, but basically any peripheral or board) are essentially embedded computers that can be pwned with the result that they stayed pwned even if the owner of the computer installs the OS from scratch. One solution to this would be for suppliers of peripherals and boards to get much better at securing their products or to stop using microprocessor to implement their products, but it would be quite a lot of work (and governmental intervention or at least intervention by industry-wide quasi-governmental entities that currently do not exist) to get from the current situation to the one I just described. The only products currently available that are secure against this threat (aside perhaps from using 40-year-old computers) use verified-boot technology to implement the security.
I.e., the only desktop and laptop computers you can buy where you can be reasonable sure some attacker hasn't installed malware in the computer's disk drive or track page or wifi module are things like Macs and Chromebooks, which implement the security using verified boot.
Do you simply not care that this Linux computer that you have such warm feelings about is fairly easy to pwn (in part because of the lack of verified boot and in part because desktop Linux software is just much easier to pwn than the systems software on a Mac or a Chromebook or an iPhone or an Android phone) such that if you ever got to be an effective activist against some government or some powerful industrial interest, that government or industrial interest could fairly easily eavesdrop on everything you do with this Linux computer?
That doesn't sound much like protecting your individual rights.
It's just not. Otherwise, all servers would be running your beloved iOS, wouldn't they?
>in part because of the lack of verified boot
This does not matter. I can generate my own keys.
>easier to pwn [...] than [...]an iPhone
Lol... If anything, phones are more vulnerable because you have less access to sandboxes and VMs.
Hey, look, an Apple CVE from two days ago. https://nvd.nist.gov/vuln/detail/CVE-2025-43284
And this one's from this month. https://nvd.nist.gov/vuln/detail/CVE-2025-43300
And here's Apple's sandbox failing, last month. https://nvd.nist.gov/vuln/detail/CVE-2025-43274
Why is this a question of _allow_? Who is my hardware provider that he is somehow my guardian and must _allow_ me to install software that I want to install?
>Is it possible to allow people to do sports and keep them safe?
>Is it possible to allow people to roam freely and keep them safe?
>Is it possible to allow people to not be locked up in a padded cell and keep them safe?
People are responsible for what they are doing, and teaching them about technology is the best way to do deal with this example here, as it doesn't infringe anyone's human rights and would give anyone the resources to check their sources.
Similarly, every modern society has rules to keep people safe when roaming. That might be as simple as warning signs it as complex as a coastguard.
We've had decades of warning people about online scams and I don't see any slowdown in the volume of scammy emails that I receive. Education clearly isnt working - and that imposes a cost on all of us.
Google and phone manufacturers have been actively moving in that direction and have a long history of being actively hostile to those things. This is just another move on the same board to restrict these freedoms.
You mean, the iPhone, which restricts everything even more?
For example https://www.forbes.com/advisor/legal/personal-injury/attract...
Societies often place limits on individual freedoms.
Outlaw all non big corpo operating systems?
Perfect surveillance? All because some boomers can't into common sense?
It's also ironic that you bring up warning signs as a counterexample to my point, as it's exactly what I am saying. You can warn them, but you don't bar them from doing so.
Even something like GrapheneOS, in theory the best path to security and privacy and liberty, was falling way short even before this latest announcement from Google.
The problem lies partially in the app ecosystems, which embrace spyware and exploiting users (requiring all the worst Google APIs), and partially in governments, which will leverage any centralized organization like Google to gain control (EU chat control etc.).
The solution cannot be just a custom OS or an OS fork. In fact, ecosystem compatibility is toxic and slows down growth of real alternatives. There needs to be some wholly independent and decentralized offering.
The challenge is hardware compatibility and core services like digital IDs. Most apps should be solved by using a website instead.
These issues are especially important because the future is increasingly digital. Smart phones, smart glasses, smart watches, VR glasses, smart homes, and even brain implants. I don't want to live in a future where I'm either left behind or my whole life is controlled by Google/Apple/the government/etc.
> 01. Vulnerable members of society should be protected from scams.
00: yes, always; 01: yes, but not at the expense of 00 (or probably some other things)
I literally have a banking app that will refuse to run on an “unsecure” phone. Today I can still install unsigned apps, but removing that ability is explicitly the goal of this policy change.
Can you please explain why there is no big push from the Google and Apple to remove microphone and camera access from the browsers? You claim that most users are "less skilled" and will allow anything , so for the grater good why not pushing to remove microphone, camera and file upload permissions? Why do we trust this users with reading a popup for permissions ?
Or maybe if the popups are not clear or good enough maybe is not the users fault ?
Though, that document also states:
> Our research [1] finds that users often make rational decisions on the most used capabilities on the web today — notifications, geolocation, camera, and microphone. All of them have in common that there is little uncertainty about how these capabilities can be abused. In user interviews, we find that people have clear understanding of abuse potentials: notifications can be very annoying; geolocation can be used to track where one was and thus make more money off ads; and camera and microphone can be obviously used to spy on one’s life. Even though there might be even worse abuse scenarios, users aren't entirely clueless what could possibly go wrong.
[1]: https://dl.acm.org/doi/10.1145/3613904.3642252
When there are problems reported about an app, there has to be a known party to hold accountable. I agree that a developer path that is complex enough that only people who know all the impacts are able to use to side load random apps they own or from someone they can trust, but the general population has to be protected unless at the individual level they are savvy.
So no free applications. Prepare to pay a subscription for every flashlight app.
But should they? Should we also accept Google's browser signing and ban all browsers the bank doesn't like? Am I allowed to accept calls from people they haven't vetted or is it too much of a risk to the bank's bottom line that they might talk me into a scam.
I suppose we should also write off the inevitable privacy and freedom violations in the name of "security".[0] I don't have anything to hide after all.
[0]: https://en.wikipedia.org/wiki/Four_Horsemen_of_the_Infocalyp...
If you want to hold the banks liable for fraud committed against you (which is exactly what happens in many countries), then it’s hardly reasonable to say that they’re not allowed to use what ever technical options they can to prevent that fraud.
You can put forward the argument that banks simply shouldn’t be responsible for fraud committed against their customers. But we only need to look at world of cryptocurrencies to see how well that works in reality.
Now that Android is going full retard with their authoritarian BS, it’s time to build a new phone operating system or at least make the ones we already have viable.
It’s a monumental undertaking, but it needs to be done.
And we're back to "just break into the thing you've already paid for." Nope. Go away. No more smartphone crap.
Apps created by me for my routine,
Does that mean i would not be able to install my apps ??
> The first is that a user has no right to run anyone else's code, if the code owner doesn't want to make it available to them. Consider a bank which has an app. When customers are scammed, the bank is often liable. The bank wants to reduce its liability so it says "you can't run our app on a rooted phone".
> Is that fair? Probably not. Rooting allows a user to fully control and customise their device. But rooting also allows malware to intercept communications, send commands, and perform unwanted actions. I think the bank has the right to say "your machine is too risky - we don't want our code to run on it."
> The same is true of video games with strong "anti-cheat" protection. It is disruptive to other players - and to the business model - if untrustworthy clients can disrupt the game. Again, it probably isn't fair to ban users who run on permissive software, but it is a rational choice by the manufacturer. And, yet again, I think software authors probably should be able to restrict things which cause them harm.
It's not clear to me whether in this fragment the author is stating the two alleged cracks in the argument or rather only the first one — the second one being Google's ostensible justification for the change. Either way, neither of these examples are generalisable arguments supporting that 'a user has no right to run anyone else's code, if the code owner doesn't want to make it available to them'.
With regards to banking apps, the key point has been glossed over, which is that that when customers are scammed the bank is 'often' liable. Are banks really liable for scams caused by customer negligence on their devices? If they're not, this 'crack' can be thrown out of the window; if they are, then it is not an argument for "you can't run our app on a rooted phone", but rather "we are not liable for scams which are only possible on a rooted phone".
As for the second example, anti-cheat protection in gaming, the ultimate motivation of game companies is not to prevent 'untrustworthy clients' from 'running their code'. The ability of these clients to be 'disruptive to other players' is not ultimately contingent on their ability to run the code, but rather to connect to the multiplayer servers run by the gaming company or their partners. The game company's legitimate right 'to ban users who run on permissive software' is not a legitimate argument in favour of users not having full control over their system.
Who is going to prove that though? It’s much simpler and less stressful on our court systems if a bank just says “we don’t allow running on rooted phones” and then if a user takes them to court the burden is on proving whether the phone was rooted or not rather than proving if the exploit that affected them is only possible on a rooted phone.
The problem if you are a bank is that scammed people can be very persistent about trying to reclaim their money. There's a cost to the bank of dealing with a complaint, doing an investigation, replying to the regulator, fielding questions from an MP, having the story appear in the press about the heartless bank refusing to refund a little old lady.
It is entirely rational for them to decide not to bear that cost - even if they aren't liable.
At point of purchase, you get to decide whether you want secure mode or not. Then after that, if you want to change it, you have to open a support ticket with the manufacturer.
Kinda like how SIM-locking works.
If they can be convinced of that, how hard will it be for a scammer to say "we've detected a problem with your phone. To avoid being imprisoned for piracy, please file this support ticket so we can debug things."?
There are three ways to deliver protection: build better walls, defeat attackers after successful initial attacks, defeat attackers before successful initial attacks.
The article ties itself into knots because it recognizes that the first way cannot deliver 100% security. But it refuses to recognize that there are two additional ways.
The United States military could go after scammers operating from foreign compounds. It could treat the economic targeting of American citizens as acts of economic war. It chooses not to. Freedom is not free, and when your country chooses to literally not fight for your freedom, it's hardly any wonder that your freedoms are eroded.
Remember XKCD 538: https://xkcd.com/538/ Cybersecurity and physical security are fundamentally linked.
> There are three ways to deliver protection
While I agree with your idea I'd like to remember that there are previous steps: teach people to be less vulnerable. Teach people to be less greedy. Teach people the consequences of actions.
Being less vulnerable is an obvious definition: know how to not fall for some scams.
Less greedy: some scams revolve around the idea of quick and ease profits and the comeback is hurtful because the person thinks he would get x and ends up losing 500x.
Consequences of actions: there's a lot of value to the group that observes the (bad) consequences of one actions. Pain, even from others, teaches something. The more we protect people from consequences, the better and safer it is about small losses until the actions go beyond the protection and the consequences are catastrophic.
That's beside the point that the line, too often, is being crossed, and perpetrators are allowed to perpetuate their crimes, instead of the military and/or law enforcement stepping in and performing their organization's missions to protect us, especially the most vulnerable among us.
That scammers can operate from anywhere is beside the point. More often than not, law enforcement and the military know where that is. A conscious decision is made not to prioritize or fund fighting it.
But try applying that approach to India or China. Do you think those countries are going to allow the U.S. military to operate on their home turf, shooting at their citizens, and not retaliate? It doesn’t even have to be military retaliation, the U.S. economy is heavily intertwined with those countries, just look at the consequences of Trumps tariffs. Do you honestly think U.S. citizens would be willing to trade off the trade benefits of working with those countries, just so you run a military raid on building of scammers?
Do you want an phone where you trust Apple/Google/3rd party to make a "malware or not" decision? Or one where all that is turned off and you can do whatever? Go right ahead in either case - you control the trust, rather than it being made for you by the platform vendor.
Similarly, we have certificate infrastructure where the TLS roots are owned by a small number of people. These are generally trusted, but some people/organizations edit them down (ex: removing roots from state actors deemed untrustworthy). But it's hidden, and generally a lot of choices.
Even linux distros, you pick which package signing keys you trust.
And Docker/K8s... oh wait, there's no default keys and containers remain being developer's puke bags in most cases, and the repos are rugpulled by corporations regularly...
Once you’ve explained the difference between Google and “the internet”, you may stand a chance. I wish you luck, I’ve been trying that for a while.
BRB, heading out for popcorn.
* Everyone has to trust one of two giant mega-corporations to make good decisions for everyone
* Everyone has to take on the evaluation of everything themselves, do their own admin, understand opsec, etc etc.
Freedom does not entail the latter. Freedom means having the freedom to do it, but also having the freedom to delegate it, and to decide who to delegate it to. We don't have to be technology "preppers". We can set up and fund independent organisations to do this -like Debian, for example. And have competition between them.
Yes, that means some people will delegate their trust to their religious cult. That's the price of freedom
> The bank blocked a number of transactions, it spoke to James on the phone to warn him and even called him into a branch to speak to him face-to-face.
Y'know, at some point the cost of protecting the dumbest people is too much to be worth it. I am perfectly fine with some people getting hacked, doxxed and scammed out of their life savings if the alternative is everyone losing their freedoms.
Freedoms are important because without them people with power go unchecked more and more. It's a slow process but it culminates in 1) dictatorship at the state level 2) exploitation at the corporate level.
More like: time for regulators to step up and do their work.
That's how we become the smartest animal on the planet. But it no longer works, we are very good at keeping everyone alive. And there's nothing wrong with that, as long as we don't compromise our freedoms to achieve it.
Some people getting exploited is the modern equivalent of leopards eating your face. It would be nice to protect people from it happening but NOT by everyone giving up basic human rights. And yes, in the modern world, running any software on your hardware should be a basic human right.
Especially at a time where computation is starting to resemble intelligence. Otherwise we all become serfs all over again.
If you can't explain why i am wrong, consider i am right.