Grindr and OKCupid Sell Your Data, but Twitter’s MoPub Is the Real Problem (eff.org)
246 points by jrepinc on Jan 28, 2020 | hide | past | favorite | 73 comments



One more time, what mobile phone owners need is an intermediary layer in the mobile OS where they can either manually or programmatically (via e.g. a random number generator) lie to higher-level application layers about the phone's data. It's not enough to just turn off permission to access this data (because then the apps will often just refuse to work); it's essential to be able to lie to these apps in a way that they cannot tell the data is fake. This is a perfect opportunity to build weaponized AI that acts on behalf of users against adtech.


> One more time, what mobile phone owners need is an intermediary layer in the mobile OS where they can either manually or programmatically (via e.g. a random number generator) lie to higher-level application layers about the phone's data.

On Android, if you install Xposed, there's XPrivacy [0], which essentially had this premise. Unfortunately, it only supports versions 4.0.3-5.1.1 (and is no longer maintained).

I haven't been following the rooting community for a while, so someone can probably correct me if there's a better alternative now, but I believe the replacement is XPrivacyLua [1].

[0] https://github.com/M66B/XPrivacy

[1] https://www.xda-developers.com/xprivacylua-xposed-module-pri...


You can use XPrivacyLua on later Androids: https://forum.xda-developers.com/xposed/modules/xprivacylua6...


Many applications force-stop when you use XPrivacy. Even worse, applications like Instagram refuse to log in on a phone with XPrivacy installed.


The fact that this is possible is a symptom of the wider problem - the OS should ensure that it's impossible for the other app to know if Xprivacy is running or installed.

Instagram should be running in a sandbox that gets truth only if the user actually wishes to give it the truth, and if they want to demand unnecessary info from the user (e.g. access to data about other installed apps), then the app should be either lied to by the OS or banned by the platform provider.

There's an inherent conflict between the needs of the app developers and users. The device manufacturers have to take a side in that conflict, presumably the side of the user who's paying them for the device.


I really like this approach


> then the app should be either lied to by the OS or banned by the platform provider

The problem with it is that at least one of the big platform providers is in a conflict of interest, given how they engage in the exact same practices as a business model. Google cannot hit at anyone for any practice they also use without shooting themselves in the foot. So the status quo is maintained, with everyone being allowed to take a swing at vacuuming as much personal user data as humanly possible without ever informing the user or getting proper (informed) consent.


I'm not getting a phone from Google, I'm paying money to Samsung or Motorola or Huawei or Sony or whatever who all already control and customize the OS installed on the phone; have an incentive to compete with other somewhat interchangeable manufacturers by being user-friendly; and don't have any vested interest in third party app vendors being able to obtain and sell data.


LineageOS offers this through Privacy Guard. But it's been pushed deeper and deeper in the settings hierarchy, and will be removed next release due to maintenance burden.


I block ads and trackers where I can but also recognize the value in understanding how one's app is used.

So I'm curious how privacy-focused mods figure out which features users most want without being able to track users. It seems like a huge risk to remove a feature that could be your killer feature but you just don't know.


How did product manufacturers figure out what features users wanted most before modern technology? I'm guessing they didn't just set up a hidden camera in their homes and spy on them using it without their permission.


They asked customers, and developed based on feedback from engineers, PMs, etc. As someone who works in an industry where people are vocal about what we should be doing, what people do and what people say they do are two different things. That, and products are different now. Software releases are daily if not more often, and to keep up with that sort of pace, you need data quicker than you can get in and analyze hundreds of people.

There must be a middle ground though. It can't be necessary for me to share my location data with an app for analytics, nor should it be necessary for me to provide a timestamped, personally identifiable breadcrumb trail just so a site can know how I navigated.


I noticed the quality of software has declined significantly in the last decade despite more and more telemetry & analytics being used. I'm not convinced analytics provide more valuable insights than committed customers' feedback.


They're answering two different questions: what do vocal customers say they want and what does the mean customer actually do?

History is littered with beautiful products that only like five people actually wanted. I love the Chevy Volt, it fits my use case perfectly and is everything I would ask for in a hybrid right now, but its sales numbers were objectively crap. It was basically a Chevy Cruze, but sold something like 1/20th the number of units over the same time period; I'm not surprised it was discontinued.

Analytics-driven design leads to unexciting products that are useful enough to most people, with only occasional forays outside the mean when a subteam manages to launch an "unnecessary" feature with neutral metrics (until another subteam discovered the feature can be turned down with neutral metrics). It's not surprising companies love that style of development.


> They're answering two different questions: what do vocal customers say they want and what does the mean customer actually do?

The only question they're answering is "how do we maximize our profit?". If that happens to mean adding features users want that's just a nice side effect.


Claiming companies only care about profit is a bad faith argument. By that argument, the only reason the product exists in the first place is for profit. It's coming from the same place as claiming the only reason people work for companies is because they would starve to death otherwise. Distilling the argument to that point removes any opportunity to discuss the actual question being asked.

I work on a live service, and we use analytics to determine the impact of a crash. If someone crashes, often they go straight to Reddit and complain. If you took everything at face value online, you would never correctly assess the impact of an issue, and you'd spend all your time fixing rounding errors of issues rather than improving the experience for a large number of people. If you ask people, they'll tell you it's the worst issue, even if it's never happened to them.


How does the solution proposed by your parent prevent software companies from tracking what features their users are using? App developers don't need to be able to track what other apps are installed or most of the other PII that these ad platforms track to determine what features are being used. Grindr could easily tell what features a user is using via logging what the user requests from their servers; after all a social dating app like that doesn't really have many features that don't rely on a network connection. So blocking the additional tracking wouldn't prevent them from seeing what information the user pulls/sends to their server and thus what actions the user is taking in the app. The detail might not be as fine, but I'm less than convinced that knowing the millisecond timing a user takes to perform an action is really all that helpful anyway.


Use statistics from those users who give intentional, explicit opt-in consent.


The problem is distribution. You can’t get even 5% of people to actually care enough about privacy to make a configuration change.


That shouldn’t be the responsibility of the users. It’s the responsibility of the manufacturer, even if the end user isn’t aware of or doesn’t care for those improvements.

This takes place in every industry except for software development.


> It’s the responsibility of the manufacturer, even if the end user isn’t aware of or care for those improvements.

Manufacturers are incentivized to install bloatware and, in some cases, outright malware.

Fixing this requires legal action.


> It’s the responsibility of the manufacturer

In the case of Google (Android), it's the manufacturer (of the OS) earning money on this.


This is an amazing idea.


I totally agree. Beyond the obvious privacy gains (which I am very much here for), I'd love to be able to take on different virtual personas within some of these apps just to understand the media landscape of people other than myself. It's always a bit of a trip to see how the web experience changes when I borrow my girlfriend's laptop, and she's pretty similar to me in the great scheme of things.


I'm not an app developer. Would this be technically doable on Android? Isn't there already support for running certain apps in a sandbox/container?


I _think_ CyanogenMod exposes some of this functionality.

But as soon as it’s implemented, snoopy apps will just raise the bar further (sms verification, face verification, ‘add this contact to your phone book’, etc)


They can verify SMS all they want but they'll sell my location data consisting only of my random floats. I don't mind legitimate uses, like verifying you're a human or a real user for that matter.


Yep. It's going to be an arms race. So be it. Our AI vs. adtech AI.


It may just be that once this exists then you end up in the "software engineer who uses HN" bucket and will just see ads for SSDs and processors and coding conferences... A segment that is really hard to identify may turn into a group that is generally easy to identify...


That's good, that's how we know it works. From there, it can spread to family members, friends, etc.


Please don’t. I can’t beat google captchas as it is.


It has been done by XPrivacy and XPrivacyLua.


Think of these apps as malware; after all, they are hostile. In dynamic malware analysis, virtualized and emulated environments are used to run malware samples to analyze their behavior. It's like a Tom and Jerry cat-and-mouse game with Jerry always winning (like the show!).

It's trivial to detect virtualized environments; not only that, the samples can afford to be patient and meticulous, and test themselves against existing analysis methods before deployment. That's why real hardware is the best place to study malware.

Your disadvantage here is that fingerprinting is a game of accuracy, where the adversary gains accuracy at basically a logarithmic (or geometric?) scale for every additional data point they have about your device. Sometimes they only need one data point, such as a shared file system. Let me explain: most apps need storage access, right? Like you want them to read existing files or write files to be accessed by other apps. App1 writes a file with a random name or random content; app2 through appN in their affiliate network check that location/file for the random value to track your device. The apps in this network all collect various data points about you. Let's say one app gets your real name and address (payment and shipping); now all the apps know those two things about you. Now they all know your zip code and can infer things about you based on that, your last name, etc., and even do background-check-like lookups to know your past addresses, acquaintances, cars you've driven, court cases and so much more. Now let's say one of these apps needs to send you a text before it can function (most popular apps these days); now all of them know your phone number, can get a ton of info about you and who else has you as a contact, and they can infer even more if at least one of the people they track has your number as a contact, and they basically opened up their lives to all apps.

You can add all the layers of abstraction you want. Apps need to talk to each other, and external sites/services need to reach you at a predictable address (including physical address and such). And even if what you said was effective, it's incredibly hard to achieve without the user being very cooperative towards their own privacy preservation, and even then, like I said above, if anyone you have as a contact reaches you using a predictable address, a lot can be constructed about you solely based on their choices.

My solution is legal. Make it a crime and start throwing people in prison. If someone violates your consent to stalk you or creates public opportunities of business or employment where consenting to stalking is a requirement, make it a felony. And make privacy a core right for peoples of any society that calls itself free.

Unlike with malware authors, we can easily find the execs behind stalkerware and we can make them take responsibility (assuming people want liberty and democracy more than political theatrics).


I agree with you. But as an engineer, it's easier for me to envision technical solutions than political ones. Both are probably essential.


Doesn't Apple, with its ever-tightening restrictions on what data you can ask for (like no more MAC address, no more device UUID other than an Apple-provided "ad ID" that can be reset, along with 2 bits you store with Apple, aggressive always-on location nag alerts, etc.), also accomplish something similar bit by bit?


But there's always the issue that the app might need some data for functionality but also misuses it. Like having you type in notes and syncs it with cloud, but then uses the data to show adverts.


Facebook is still in the store. Instagram is still in the store. Grindr (the app in the article) is still in the store.

Facebook Messenger actually has a nasty dark pattern where they will display a fake pixel-perfect copy of a permission prompt where the only way to get through is to tap Allow, and when you do they call the real prompt (since it's pixel-perfect you can't tell the difference besides the short animation when it appears) and hope you also click Allow on the real one. If this is allowed then it's a lost cause.

Apple is doing fuck all about privacy on the App Store.


Brb going to test this wild claim

Edit: nope.


Nope as in they don't do it anymore? I'd be very curious to see what's the onboarding flow now.


Or an app that provides a link to a remotely hosted desktop or mobile environment to surf / run apps from.


Disclaimer: I used to work in this industry for about 4 years at various DSPs. I've worked with Grindr as a client and bought a lot of MoPub inventory and met with their employees several times.

DSPs get access to around 84 data points from the various SSPs that they work with. This ranges from information around age, sex, city geolocation and what apps are currently installed on your phone. It's scary to see just how effective these 84 data points are in predicting user's likelihood to commit certain actions.

My friends that are still in the industry are quite confident that Apple will deprecate the IDFA in the coming year to fit more with their 'privacy that's iPhone' stance. This will greatly reduce the ability for DSPs to target users, and all performance marketing on iPhones will be reduced to branding ads that have very little targeting.

As a consumer, I'm very happy with these changes and hope Google will follow suit with the GAID. If you're using an iPhone I'd recommend to switch off your IDFA in your privacy settings ("Limit Ad Tracking" toggle on). By doing this DSPs will no longer be able to target you.

https://foundation.mozilla.org/en/campaigns/privacy-thats-ip...


Odd, I've worked for a DSP for years too. These data points you talk about are rarely all there. 99% of the OpenRTB spec is optional fields. I've also never seen a bid request that listed other apps on the phone; calling bullshit on this one.

LMT does not hide your IDFA. You can reset it fine, but it's always there.

Also, hell hath no fury like a brand-safety conscious advertiser whose ad appears next to dick pics on Grindr.


Do you know why a request wouldn't contain a list of all the other apps on your phone? Seems like a foolproof way to fingerprint a device.


You don't have to fingerprint if you have the IDFA. But I suppose the main reason is that that info is too intrusive and may be of limited use.


Jose?


No way


Can you please explain what a DSP is? I associate that acronym with Digital Signal Processor.



It's essentially a web app/UI that allows advertisers to actually set up their advertising campaigns that run on devices.

DSPs are integrated with a host of a data providers and exchanges that give advertisers the ability to target people based on location, demographics, what articles they're reading, etc.


To be clear, it sounds like MoPub/Grindr/OKCupid aren't selling people's data. Instead, they reveal personal information (for free?) to hundreds of advertising networks when hosting auctions for ad inventory.

That would mean that after getting approved as an ad-network on MoPub, you can get all 1.5B users' data for free, just by participating in the auction (without even having to win and spending money in auctions).

Does anyone on HN happen to have a sample bid request from MoPub that demonstrates the actual data that's made available to ad networks (DSPs)?


At my previous job we had a dormant bid server hooked up to MoPub for months, receiving hundreds of bid requests a second that we just dropped or replied "no bid" to.


Only hundreds / sec? Amateurs!


Many publishers and exchanges these days are using the OpenRTB format, which you can find e.g. here for MoPub: https://developers.mopub.com/dsps/integration/openrtb/

The call-outs to make are the fields device.d(p)idmd5 and device.d(p)idsha1 (both now deprecated), device.ifa, and the user/data/segment fields. That's where user IDs (and potentially other data) are passed around. Some exchanges pass a bunch of data; others pass less data but allow you to do a cookie or device-ID exchange/sync so that one side of the transaction can map the other's IDs to theirs, so that the bidder can look up their user profile information (which they've either bought or accumulated somehow).

Looks like MoPub doesn't pass ID/buyerId any more (it's struck through), but they do still pass data/segment fields. Not sure what those contain though; perhaps others can chime in.

For what it's worth, getting approved as an ad network is potentially non-trivial. I don't know all the steps involved, but you do need to demonstrate that you can at least meet minimum network response latencies, among other things. Additionally, most exchanges do have some sort of bidrate/winrate monitoring that will eventually throttle you if you're not participating "in good faith" or with reasonable bids/expectations of winning (it's costing them processing power and bandwidth to send you a request even if you don't win). Most also have ToS (for whatever good that does; enforcement may or may not be strong) restricting your ability to collect and store data received from bids (you're typically only allowed to store data from the bid IF you've won the auction). I've heard anecdotes of companies trying to tap into bid flow as "passive observers" this way and ending up getting cut off.
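An added example (not from the thread or MoPub's documentation) that audits the fields the comment above names. It assumes a constructed OpenRTB 2.x bid request with made-up values, lists the identifying fields it carries (device.ifa, the deprecated device.d(p)id* hashes, IP, precise geo, user IDs, demographics and user.data[].segment[]), and produces the data-minimized request an exchange could forward to bidders instead, which is the check a DSP or auditor would run over real bid traffic.

```python
import copy
import json
from typing import Any, Dict, List, Optional, Tuple

# OpenRTB 2.x spec paths that identify the device or the user: device.ifa is the
# advertising ID (IDFA/GAID), device.dpid*/did* are the deprecated hashed IDs named
# in the thread, user.id/buyeruid are exchange- and bidder-side IDs, yob/gender demographics.
IDENTIFIER_PATHS: List[Tuple[str, ...]] = [
    ("device", "ifa"), ("device", "dpidmd5"), ("device", "dpidsha1"),
    ("device", "didmd5"), ("device", "didsha1"), ("device", "ip"),
    ("device", "geo", "lat"), ("device", "geo", "lon"),
    ("user", "id"), ("user", "buyeruid"), ("user", "yob"), ("user", "gender"),
]


def _get(obj: Any, path: Tuple[str, ...]) -> Optional[Any]:
    """Walk nested dicts along path; None if any hop is missing."""
    for key in path:
        if not isinstance(obj, dict) or key not in obj:
            return None
        obj = obj[key]
    return obj


def audit_bid_request(req: Dict[str, Any]) -> List[str]:
    """Dotted names of every identifying field present and non-empty, plus each
    audience segment carried in user.data[].segment[]."""
    found = [".".join(p) for p in IDENTIFIER_PATHS if _get(req, p) not in (None, "")]
    for i, data in enumerate(req.get("user", {}).get("data") or []):
        for j, seg in enumerate(data.get("segment") or []):
            if seg.get("id") or seg.get("value"):
                found.append(f"user.data[{i}].segment[{j}]")
    return found


def minimize_bid_request(req: Dict[str, Any]) -> Dict[str, Any]:
    """Copy of req with identifiers removed, geo cut down to country and third-party
    segments dropped; imp/app are untouched, so the request is still biddable."""
    out = copy.deepcopy(req)
    for path in IDENTIFIER_PATHS:
        parent = _get(out, path[:-1])
        if isinstance(parent, dict):
            parent.pop(path[-1], None)
    geo = _get(out, ("device", "geo"))
    if isinstance(geo, dict):
        out["device"]["geo"] = {"country": geo["country"]} if "country" in geo else {}
    if isinstance(out.get("user"), dict):
        out["user"].pop("data", None)
    return out


# Constructed sample request; every value below is made up for illustration.
SAMPLE_REQUEST: Dict[str, Any] = json.loads("""
{
  "id": "req-0001",
  "imp": [{"id": "1", "banner": {"w": 320, "h": 50}, "bidfloor": 0.5}],
  "app": {"id": "app-123", "bundle": "com.example.datingapp"},
  "device": {
    "ip": "203.0.113.42", "lmt": 0,
    "ifa": "00000000-1111-2222-3333-444444444444",
    "dpidsha1": "0123456789abcdef0123456789abcdef01234567",
    "geo": {"lat": 37.7749, "lon": -122.4194, "country": "USA", "city": "San Francisco"}
  },
  "user": {
    "id": "exch-user-987", "yob": 1990, "gender": "M",
    "data": [{"id": "dp-1", "name": "example-data-provider",
              "segment": [{"id": "seg-42", "name": "interest:travel"}]}]
  }
}
""")

if __name__ == "__main__":
    print("identifying fields:", audit_bid_request(SAMPLE_REQUEST))
    print(json.dumps(minimize_bid_request(SAMPLE_REQUEST), indent=2))
```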


It would be fantastic if policymakers could enforce traffic transparency for mobile apps. I would love to just take my phone and see what is being transmitted, but of course Android doesn't trust user-added Certificate Authorities for app traffic.

Being able to see one's own traffic doesn't magically fix things, but giving average folks the ability to just inspect their traffic and write blog posts about it would at least improve the current situation, without requiring major technical changes.


Actually, Android is perfectly fine with you doing MITM on your own traffic. If you had issues with it, it means app developers intentionally implemented certificate pinning to stop you from doing it. Google / Android have nothing to do with it.


No, recent Androids will ignore user-installed CAs for app traffic, except for apps compiled in debug mode that opt in to MITM: https://android-developers.googleblog.com/2016/07/changes-to...
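The mechanism the linked post describes, shown as an added example that is not from the post or any commenter: an Android Network Security Configuration that trusts only system CAs in release builds and admits user-installed CAs under debug-overrides, which is why a release build ignores a user-added proxy certificate while a debuggable build of the same app does not. The file name and manifest reference below are the conventional ones, not taken from this thread.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- res/xml/network_security_config.xml, referenced from the manifest with
     android:networkSecurityConfig="@xml/network_security_config" on <application>. -->
<network-security-config>
    <!-- Release behaviour (also the platform default since API 24): only the
         system store is trusted, so a CA the user adds in Settings is ignored
         for this app's TLS connections. -->
    <base-config>
        <trust-anchors>
            <certificates src="system" />
        </trust-anchors>
    </base-config>

    <!-- Applied only when android:debuggable="true": the user store is added,
         which lets a locally installed interception proxy CA be trusted for
         debugging without shipping that trust in the release build. -->
    <debug-overrides>
        <trust-anchors>
            <certificates src="system" />
            <certificates src="user" />
        </trust-anchors>
    </debug-overrides>
</network-security-config>
```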


Are you sure this wasn't reverted? I've successfully used mitmproxy many times to debug all kinds of Android apps, and only money-related ones usually caused issues.

Another possibility is that it works differently in LineageOS, and that's why it's always worked for me.


NetGuard has the ability to log at least the IP addresses that are contacted by your apps.


Yes, let's talk about band-aids when we should be talking about the elephant in the room. That'll help.

The whole economy of IT thriving off surveillance and cheap tricks is sickening. I went into this field to try and help the flow of information, to try and address the likes of Murdoch; turns out we're a shitty species that shouldn't propagate.


While it's reasonable to think cynically about the situation and conjure a blanket statement like "all people are bad", I remind myself to prove it wrong by doing something good myself. Thus at least one person does not suck, and hope is restored.


That's far from enough. Extremely far.


Nonsense and you know it. I'd hoped for better.


Interesting. I've always been suspicious about Grindr, because there is no apparent reason for it to transmit so much data.

On the other hand, the ads I see there are poorly targeted. Either it's really obvious, reminding gay men that they still make KY Jelly and so on, or I'm surprised that anyone thought to make that stuff and that anyone buys it. This high-tech ad market doesn't seem to work very well.


Is there much merit here for action on a VPN for the phone, instead of actually trying to fight against the OSes (iOS & Android etc.), to bottleneck all traffic through the VPN and filter out everything? Even depending on Android to allow self-signed certs is too risky, as they can flip decisions on a whim.

I know it's not the best solution, as it requires some love from the user, but I have this configured and it's just worth it. Because waiting on the vendors to clean up their act is futile given how much money is being made.


There is one OS out there that would have stopped this... Symbian. It was locked down everywhere. It was also a bitch to develop for, but hey ho. The source code is out there somewhere.


Well, we kind of knew this. It's the reason I try very hard to use either web apps or only F-Droid. And you can at least rotate your ad ID on Android. But it shouldn't be like this. It's very clear that phone manufacturers are user-hostile. There is no benefit here (maybe an edge case in support and paid apps).


This is just another case of companies behaving badly.

The public is going to get fed up with their antics, and they are going to vote in politicians that will drop the policy hammer on these companies’ heads.

Like they say: This is why you can’t have nice things.


Is there a list of mopub apps so I can delete them?


You would be hard-pressed to find a list anywhere. That being said, MoPub is a significant player in the AdTech market – you'll most likely find that they're integrated with most major apps that have in-app advertising. The only foolproof way is to really delete any apps that serve you ads.


IIRC, MoPub is a white-labeled version of Apache Druid.


No. MoPub is an entity in AdTech. Druid is an analytics platform


Ok well then the people I worked on an engagement with at an enterprise offering of Druid flat out lied to my face then. Good to know.


> Twitter’s suspension of Grindr’s ad account pending “investigation” is an attempt to deflect blame, and lawmakers shouldn’t be fooled.

Actually being fooled by special interest propaganda into enacting legislation that benefits said interest at the public expense is the definition of a lawmaker.



