Petition to stop Google from restricting sideloading and FOSS apps
A developer started a petition to stop Google from limiting app installation on Android devices unless developers provide personal identity documents.
Even though Google has not revoked similar controversial policies in the past, we do our best as much as we can. This change particularly threatens the freedom to build, share, and use software without giving away sensitive personal information. It affects independent developers, FOSS contributors, and even regular users who want to install apps outside of Google Play.
"Just imagine giving sensitive personal, government-issued ID to a corporation to install an app outside Google Play"
Let’s stand together to protect our freedom to create and use software without handing over personal information to a corporation. Every signature, share, and voice counts here.
Support the petition here: https://chng.it/MsHzSXtJnw
An open letter from the lead developers and decision makers of top-rated apps in the Play Store would be useful. But that takes work, unlike an online petition.
What do I need to do to make a difference, and how much time will this take?
[My elected officials listen, what's the path? Legislation?]
EU or US?
> what's the path? Legislation?
Send them a letter explaining why this is bad for you. Keep it strictly factual and ideally concise. Copy Google’s legal [1] and any relevant digital or markets regulators. (If in the US, don’t forget your state regulators.)
Wait two weeks and then call the elected. Make sure they’re aware, and talk through your options. Send a letter thanking them for the call, incorporating any new information and actions they said they would take, and copy all of the previous parties again.
More work: reach out to other top developers and organise an open letter. This will be hard because everyone wants to include their pet issue and everyone will fight over scope and language.
[1] https://support.google.com/faqs/answer/6151275?hl=en
The way to do this is funding an amicus curiae.
Now there's also this new requirement, and it's shocking the EU hasn't responded yet. Weren't we supposed to make ourselves more independent from US technology? But I wouldn't be surprised someone would be lobbying on Google's behalf to convince the politicians that "trust me bro, google play is more secure"
https://digital-markets-act.ec.europa.eu/contact-dma-team_en
If you want to make a difference, try to communicate with someone from OEM companies. Google is making their phones inferior and they'll lose money and market share because of it.
After this change, "I can install NewPipe and Ad blockers" will become a major selling point for Chinese phones among large and profitable segments of the population. And that high-end manufacturers might as well give up and let Apple take that part of the market. If OEMs can be made to understand that, that's going to be the end of this initiative.
You’re correct, but for the wrong reasons. Privacy framings don’t work because people who care about privacy are unusually politically nihilistic and/or lazy. I’ve worked on privacy legislation. I’ve also worked on other laws. Nobody calls or writes about the former. With the latter, it was almost trivial to demonstrate to the elected that there was real political capital in embracing the issue.
The special interest of a particular group always results in far more intense support than any law that benefits the public at large. And privacy is usually a general concern.
Also, am I the only one who finds the idea that you need to demonstrate the existence of political capital to elected politicians concerning? (As opposed to persuading them that it's the right thing to do.) I don't want to sidetrack the whole discussion, but this makes me doubt the future of western democracy in a hundred different ways.
A lot of governments want to use American AI systems to run things to cut costs.
Someone will need to collect the necessary resources to bring the fight to the courts, though.
Just like chrome is not a monopoly because firefox exists
https://www.reuters.com/sustainability/boards-policy-regulat...
Petitions from verified voters are powerful. Triply so if done in person, because the infrastructure that can collect signatures in person can also e.g. back a primary challenge or plebiscite.
And the vast majority of their awareness actually came from a failed counter-campaign by the opposition.
https://docs.google.com/forms/d/e/1FAIpQLSfN3UQeNspQsZCO2ITk...
> …with Indonesia’s Ministry of Communications and Digital Affairs praising it for providing a “balanced approach” that protects users while keeping Android open.
> …Thailand’s Ministry of Digital Economy and Society sees it as a “positive and proactive measure” that aligns with their national digital safety policies.
> In Brazil, the Brazilian Federation of Banks (FEBRABAN) sees it as a “significant advancement in protecting users and encouraging accountability.”
I'd be curious to know, if it was because they never asked for one or because they never got one?
Google is orchestrating buy-in with world governments. They've already signaled that this is happening everywhere, no matter what, and it's just a paced rollout unfortunately.
(I agree with some other threads that merely signing a random petition is not a punch to the face. That's just whining. Systematic and organized, perhaps, but just whining.)
I have the feeling that these companies don't need nerds anymore. Who needs pioneers if everything is paved and regulated?
But I reckon we can all make an educated guess that they did anticipate negative feedback.
...No. Giving them the loud protest they deserve is the bare minimum
So, I believe that if they decided this is the path they want to take - they will find one way or another. It's not that resistance is futile (it's not!) but I believe that petitions are not a good tool for the case.
Google pay fealty to Trump, who is going in to bat for consumers over this when they won't even protect the constitution or rule of law?
20 years in, the so-called "smartphone" duopoly have jointly converged towards a "dumb terminal" strategy, where almost nothing can be done without cloud-based authentication from a centralized third party. And this was the case prior to the AI horse manure they're baking into the OS.
I use the Fossify forks of Simple Mobile Tools apps (Gallery, File Manager, Calculator) because these can be installed via APK files and just be left alone. My Google Calculator app on the other hand seems to want to download new updates every single month.
AOSP / Graphene, or the equivalent of linux on a smartphone would be a better chance, but first and foremost you need hardware support. Something is happening like eos, pinephone and the like but we are a long, long way toward that goal.
It's great to see that some more people who were previously complacent are outraged about this move. But let's look back a bit:
In the early 1990s, Linus Torvalds started writing an OS kernel for 386-class PCs. He didn't need the approval of some corporation to allow him to run code on his own machine, or distribute it for others to run on theirs. The code didn't have to run as an "app" in some restricted sandbox under Microsoft's OS (not that back then, DOS or Windows were even in any way locked down the way modern operating systems are). Documentation for all the "standard" hardware like video, keyboard, hard disks, etc. was openly available, so it didn't have to rely on proprietary drivers.
This is how it was at one time, and what should have remained the standard today, but instead it's turned into some utopian dream that those who grew up with "smart" devices can't even conceive as possible anymore.
Google has taken what became of this code, and turned it into an "open" system that is pretty much designed to track every aspect of people's lives in order to more effectively target them with psychological manipulation, which is what advertisements really are. And you're not really getting "free stuff" in return for this invasion either, since pretty much everything you buy includes a hidden "tax" that goes to support this massive industry.
"A supercomputer in everyone's pocket"? Yes, but it's not yours, nor can you even know what it does. Even the source code that is available is millions of lines that you couldn't inspect in all your lifetime. Online 24/7, with GPS tracking your every move and a microphone that listens to what you say. Every URL you visit is logged. Your photos uploaded to "the cloud" and used to train AI.
The only solution is to no longer accept any of this, even if almost everyone else does. Even if it means giving up some convenience.
Google has to be destroyed.
Apple too, they're the ones who normalized smartphones.
I know it's hard to remember today, but in 2007, Apple was still the perennially-"beleaguered" underdog whose only big success story in marketshare terms was the iPod.
If the public had not loved the iPhone, it never could have "normalized" anything.
There are definitely aspects of the iPhone that it is fair to criticize Apple for. The rest of the world's wholesale embrace of its design—to the point of slavishly copying it, for several manufacturers at different points in time—can only be blamed on their lack of imagination and willingness to take risks, and on the public's unwillingness to give up the benefits of the iPhone just to get the much-less-obvious benefits of something more "open" or different.
Smart phones have been around for over 15 years. Surely there's enough hardware expertise out there now for a startup to make a mass-market phone that runs Linux.
I'm so excited that I might even jump back into open source development to make a new OS that isn't as bloated and slow as Android. There is a need for an OS that only gives you minimum capabilities, to run on cheaper, simpler, smaller devices. I would love to help make that a reality.
People use app stores because they are used for artificially worsened web pages. They are used to find apps with similar properties from app store.
And Google search is artificially so bad that they won’t even try it to find some apps. And most won’t use other search engines.
So really, people need to start rejecting poor quality or poorly performing web apps. The collective bar for “good enough” is far too low, and so cheapskates will continue to churn out garbage.
For a while, I had stopped flashing custom ROMs because the default Android experience was good enough for me, but it looks like this is now necessary again.
That's why you have a debit card. And if your bank won't give you a debit card, you find a better bank.
Re SyncThing: there's the File System Access API. You can ask the user for a folder and then operate on the files and directories inside it. Also from a locally cached offline copy, of course. Serviceworkers are there to run in the background, though I'm not 100% sure if the FS API and service workers can be combined to be honest.
It'll need as much effort or maybe even more to port it to the web as it has taken to develop the Android app, but it's almost definitely possible, at least on Chrome.
As part of Google's attempt to break free from the iOS app store, they accidentally invented an alternative to their own draconic measures.
The web is dying at the same time as mobile OS freedoms, while important organisations such as governments and banks are moving away from browser access and towards doing everything (including 2FA in one device) on a phone
They're being sold and enough people are buying them to keep these companies alive. Fairphone said they're not delivering to USA because they don't have the manpower, not because there's no demand. Every release again you see people asking in the comments when/if it'll finally be available to them
That's not to say it's a big market where you get big economy of scale benefits. The devices are expensive but they're yours (and some of them try to do ethical resource mining and/or pay fair wages as well). Some of these will also have Googled variants available, but it's a choice
so do we have enough engineers who care about maintaining useful tools that aren't handicapped or compromised to be able to support this endeavor? i think we do. there have to be many good eggs within these companies who die a little inside each time something like this goes through.
Only because those alternative mobile OSes were, frankly, crappy in comparison to iOS and Android.
I don't recall Google or Apple doing anything particularly anticompetitive to cause any of those OSes to fail to keep up in the market, aside from just plain "being the 800lb gorillas in the room". (Not saying they never do anything anticompetitive, just that those particular market failures can't be laid at their feet.)
It would be great to have some really good alternatives to the mobile duopoly. Hell, if we had more fragmentation in the market, that would even lead to more impetus for interoperability and common standards—which we desperately need more of everywhere in tech these days. But those three, in particular? They lost because they were worse at being a good mobile OS for most people.
So the app marketplace should probably verify the contact info, right? Would you take on that kind of risk to protect the anonymity of some rando you’ve never met and will never give you any money? I wouldn’t.
Under the CRA, smartphones are considered to be much more critical from a security standpoint and, by the end of 2027, will have to follow an enhanced set of “best practices” to be able to enjoy a presumption of conformity. The best practices are due to be published by December of this year. I think Google already knows that developer attestations will be on that list and want to appear proactive instead of reactive.
The point still stands - the DMA does not exist in a vacuum. Other EU laws affect how you interpret it, and you should assume that the EU will pass more laws in the future that also affect how you interpret it.
If Google is hostile to me and my users, I prefer to dedicate my volunteer time to respectful platforms instead.
i still disagree with the move. but it's not as bad as it could be. maybe there's a way to "unlock" a certified device (similar to unlocking the bootloader)?
- The requirement, unless I'm mistaken, would tie a real-world identity of the developer to an app, who may wish to keep that separate from a pseudonym they may normally release things with.
- Unwillingness to give Google PII or just not tie a particular pseudonymous identity to that PII on Google.
- It puts absolute control in Google's hands for whether any app is allowed to run on most devices. There may be concerns about the types of decisions that may arise from this, not merely from recognized malware. Certain governments may ask Google to regulate apps allowed on such devices via this approach.
- Once this globally rolls out in 2027 it will mean the audience for apps from devs who don't agree to this will shrink dramatically. Only those presumably with AOSP based custom ROMs will be able to use those apps which may have a knock-on effect for dev motivation.
I've had many Nexus and Pixel devices because I like the freedom that they offer me. I don't use Apple devices because they're so locked down and I can't use the hardware and software in ways that I'd like to use it. Google's about to be added to that shitlist, and there aren't really many alternatives.
There was a person there
Who put forth the proposition
That you can petition the Lord with prayer
Petition the Lord with prayer
Petition the Lord with prayer
You cannot petition the Lord with prayer!
If you truly want to protect your rights then don't petition Google, but instead petition FTC and other antitrust agencies. Petitioning Google just establishes that they have a choice here.
What would a company fill in for these details for the developer deployment account they are using to deploy the apps made by their software team?
Is the account that publishes Spotify or Facebook app etc really going to be personal information for some person? I highly doubt that.
Professional developers stand behind their code with their real names. If you are unwilling to do that much, you should not be able to release software to billions of users on the Android platform. That phone is not a Commodore 64. It is people's link to financial, health, educational, and government services. Compromise can have severe consequences. Just as we lock down corporate PCs to avoid leaking corporate information, phones should be locked down to avoid leaking personal information.
If anything this just gives me more reasons to seriously look at linux phone options.
I would also be surprised if there weren't cell phone system-based fallbacks for emergency services. The carriers have a good idea of where you're at based on the towers you're connected to. There are plenty of situations where GPS doesn't work.
Step 2: Block non-approved install of Operating Systems in my devices
Deeply mine: Alphabet Inc.
I expect the only entity powerful enough to create a fork of android, hardware included, is the CCP. Between a rock and a sword.
Graphene is the only reason I own any pixel devices.
EU have done it with Apple and their trash lightning cable, forcing them to adopt the USB c standard. EU fined Meta and Google for mishandling our personal data (like all the time), and forced (kinda) both Google and Apple to allow alternative stores. This bs will not fly in the EU.
I will not tell you to stop using Google products and Android, since you are most likely a dev or FOSS on the Android ecosystem. But yeah, Google are pretty evil.
- sent from my Android - /s
In Spain, I have to give my NIE (National ID number) and show my government ID just to send or receive a package from FedEx. Why should I have to give up sensitive information just to receive a package?
You can sideload apps on non-google-certified android builds/installs just fine right? If you're going to publish an app that literally be installed on billions of devices, is this not a sensible measure? Long overdue even? Why aren't Windows and Linux distros enforcing this as well is my question!
Do you guys understand that people's lives are being ruined by malware? and the most popular way of deploying malware on the most popular platform (android) is sideloading apps!
This is a similar situation as "Freedom of speech isn't freedom of reach". You can publish any android app you want, that doesn't give you the right to anonymously deploy those apps on everyone's personal tracking devices (phones).
I get a petition to allow alternative attestation and verification authorities. And honestly, I don't think Alphabet has much choice on that given EU and US anti-trust policies. I can't imagine the EU being ok with a US company collecting the IDs of all its developers.
For about a decade now, on Windows, you are required to have an ID-verified code signing certificate to sign drivers for example. And that has dramatically reduced rootkit abuse on the platform. Don't get me wrong, I also don't want to submit my ID to anyone. But this is a very sensible measure, one that will improve security in measurable and significant ways to millions of regular people.
This is about users freedom to install apps on the devices they own.
> non-google-certified android builds/installs
Those targets are rapidly disappearing. Alternative Android ROMs are dying one by one. Look at how few modern phones are officially supported by LineageOS. And many of those are Pixels which Google is no longer releasing binaries for (making ROM builders' lives harder).
> Do you guys understand that people's lives are being ruined by malware?
Do you have figures to back that up? There are already multiple warnings when sideloading apps.
> For about a decade now, on Windows, you are required to have an ID-verified code signing certificate to sign drivers for example.
Drivers and applications are not the same things.
Drivers and applications are not the same thing, certainly, and no application is the same as other applications. Browsers aren't the same as file managers. To users what matters is impact, not category. A person's entire life can be destroyed because of one side-loaded app, much less so with a Windows rootkit (because you don't have phone number/2fa app, etc. on your Windows box).
Users are free to buy devices that let them install any app. Google is responsible for the majority of users who don't care about installing apps from anonymous randos, but care much much more about their livelihoods and well being suffering at the hands of criminals!
> Those targets are rapidly disappearing. Alternative Android ROMs are dying one by one. Look at how few modern phones are officially supported by LineageOS. And many of those are Pixels which Google is no longer releasing binaries for (making ROM builders' lives harder).
Ok, then let's talk about that, I'm all for sticking it to Google for all that b.s., but not for the topic at hand.
We just have to educate people better about how to protect themselves online, not resort to paternalistic control regimes which just happens to give one of the largest tech giants the power to also crush anything that it sees as a threat to their business model.
Maybe that's the disconnect here, because I don't think you/others lack empathy for regular people being victimized. You're incorrect about that figure, the people being actually impacted (not merely compromised but harmed, as in financial loss, job loss, harassment, or worse) is many times more than people who want to sideload apps.
Educating people doesn't work. We've been doing it with phishing for decades now, and it has no impact. In the moment, you're sure it's legitimate, so you won't look for obvious signs of phishiness. They use a lure to establish trust in the context, so your guards are down. Absolutely anyone can fall for deceptive lures. No amount of education changes that. You know what made a difference with phishing? Trust senders, DKIM/SPF validation, url-rewriting with sandbox detonation and global-scale reputation analysis/response (it means as soon as you hit one person, your domain/infra gets burned globally), etc.
It really frustrates me to no end, because it is the exact audience on HN that innovate and create software/apps but the level of ignorance on this subject is atrocious. I know you guys care as much as I do when people get hurt! It's just a case of knowing a lot about one domain and assuming you also know a lot about a related domain I think.
There's many ways to combat crime. Banning free distribution of software is one of the options but not the one I'd pick from the menu first
"There's many ways to combat crime" - name one effective way to combat sideloading of apps, that is anywhere as effective as id verification of devs?
You don't need an ID to find the person behind an IP address + timestamp. The line physically goes to a subscriber (yes, also with CGNAT: ISPs are required to keep logs for a reason). The police can do that in any country. Google isn't an elected government that I want to sit on that seat of power
Besides, criminals by definition don't care about laws. Photoediting an ID is not particularly hard, but quite illegal. Tackling the source (the person) ought to help more than impacting everyone who uses a specific distribution mechanism
The moment they use IPs to find devs and prosecute them , every malware dev will just use a vpn or Tor. or just use a compromised device to route their connection. This is a long running cat and mouse game.
Criminals care about laws if breaking the law is difficult, because laws have consequences. ID verification isn't as simple as "hey, it's an ID, all is good", and now you're on the hook for the much more serious crime of faking IDs and defrauding. It doesn't need to prevent all criminals, it just needs to be a good enough measure that it reduces the amount of abuse significantly.
It's a nightmare scenario, our lives locked in to total corporate control. What do we get in return for that? Scammers won't be stopped by this, the key to grifting isn't technology but people. What you're suggesting is trading open platforms and open source and fortifying current marketplace monopolies for a marginal decrease in scams. For a while. Maybe. I suggest that is unbelievably stupid.
And if we're at it, we should maybe also put cameras and microphones in everybody's houses so we can see what everyone's doing all the time, because many children are being hurt in houses you know.
But don't worry, if you don't want all of this you can just get this degoogled phone just around the corner and it works perfect you know, because everybody is using them and there's a big market for it and it's very easy to use.
Or maybe not
When you sell physical goods, you have to have a business license right? To a small group of people you know, nobody cares. But to mass market goods or services, you need to give the government your id, and they need to be able to hold you accountable, in the event you decide to break the law and/or harm the public.
I think this is something governments should have enforced long ago. Even linux distros with > N number of users should be required by law to id-verify package publishers. Although, they sort of already verify identity, just not using a formal/official way.
You have the right to free speech, anonymity and privacy. But being able to reach and impact the public is not a right, it is a privilege.
You can speak with a loud microphone in public anonymously, but if you want to arrange a protest, you must give your id for the approval. If you want to start a radio or tv station, you must give up your id for the FCC license, etc. Software isn't special.