
Thoughts? What's @brave's approach?
A team of researchers has discovered that websites loaded in mobile browsers can often access an array of device sensors without any notifications or permissions whatsoever.
Mobile Websites Can Tap Into Your Phone's Sensors Without Asking
Mobile apps need explicit permission to access your smartphone's motion and light sensors. Mobile websites? Not so much.
wired.com
52 replies and sub-replies as of Sep 30 2018

I tweeted the Vanderbilt study when it came out in August: Brave turns off all sends to Google but we cannot affect the Android OS, which is what is doing the deed, I believe (Vanderbilt paper mentions Chrome running in background as possible confounder).
Paper DCN just published on Google data collection, by Douglas C. Schmidt & team of Vanderbilt University: digitalcontentnext.org/wp-content/upl…
If you cannot find the switches in Android's settings to turn things off, then Google will be in even more trouble.
BTW I saw an amazing @oppo phone, Google-free / Chinese-backdoor-free (allegedly :-) Android, bought in Hong Kong. Beautiful wraparound screen, no iPhone X notch -- instead, solenoid-driven camera periscope! First Android phone I wanted, will try to get one & test location pings.
Now of course your operator will see you pinging towers, which have to hand off calls, and you'd have to go to flight mode to stop those. But the location pings to Google should be easy to disable without turning off the radio or going to flight mode (which might leave wifi on).
Brendan, with all the bad things Google does, and with all your computer genius, why don't you develop an alternative to Android? I'd get (or buy!) it in a second. I've already completely replaced Chrome with @brave.
Phones are hard, gigascale business. We did Firefox OS, but the investment was too half-hearted at first, then got big after the window we were aiming for closed. (New window opened for b2g offshoot @KaiOStech.) A prominent VC to whom I pitched OS in 2014 said it was "beyond VC".
I'm connected to better mobile OS efforts, all forks of Android open source (our plan w/ Firefox OS: remove Java layer, save memory, fit in low-BOM devices where Android can't). Some are privacy-by-default, others blockchain. All need big distribution partners G locks up via $$$.
So money is required, large piles of it. The early PC era enabled Unix ports and new OSes, but phones have patent/DRM crud down to the hardware, plus nasty dark contracts on side of AOSP's seemingly benign licensing. To break thru to scale, money + differentiation vs G required.
You can build a business around reflashing low-end or refurbished phones made by other companies with very little money, though. I was disappointed Cyanogen didn't go this route instead of building their own hardware.
How would you sell such phones? Direct market (bins in mom&pop stores)?
And/or Amazon, and/or local affiliate (think Tupperware parties). Local affiliate would be in partnership with a carrier (could be a small one like FreedomPop).
Local affiliate also doubles as customer support, which is important to give people confidence to buy something as important as their phone from an unknown company.
Good point about smaller MVNOs or whatever they're called. The Radio Access Networks have decoupled from the operators with their archaic Central Networks. This could mean a bushier "tree of life" grows around local services & phones.
"beyond VC" sounds scary .... So what's your phone right now? How do you handle this?
I'm an Apple slave. They do better on privacy than Google, this is obvious from what we know of the past. They're not perfect (shocking, I know ;-), so don't take this as some kind of for-all-time endorsement. But I'm team iOS, even though the relentless Safari tying hurts Brave.
Ok, any thought about xiaomi?
Not sure, would not want in-China Xiaomi phone outside of China but perhaps the outside (HK?) models are surveillance-free. Where I live it's hard to avoid Google services, but this is changing slowly. amny.com/things-to-do/l… Big things start little, important to support little.
When I saw that Oppo phone's clever solenoid cam-scope solution to avoid a cam-notch, something in my head said "that's what Steve would have done, instead of a notch". SJ & I used same haircutter for decades, used to bump into him now & then. Was his ghost whispering to me? ;-)
Seems to be a clear solid-state vs mechanical motivation for notch over pop-out. Too many downsides to the mechanical: power drain, instant snapshot delay (since you have to wait for the deploy).
Have you tried the Oppo? It attempts to deploy ahead of need, so the scope pops up quite a bit but is super quiet & power efficient (the owner showing it to me said he can go > 1 day with heavy use). Yes, Apple loves still silent slabs. This design thought can go too far, IMHO.
No matter what, you're forced to make compromises in this area. Apple tell you what you can & can't do with the hardware you've purchased and make life increasingly difficult to do anything else. Google all but demolish privacy but let you do what you want in the process.
Hey, why not make a Brave fork of AOSP which comes bundled with Brave, DuckDuckGo, no tracking spyware, an open source app store (blockchain based?), an encrypted-but-central password/bookmark sync etc. Could be good. Don't know what the AOSP license permits but surely that'd be fine.
Keep an eye on @Puri_sm, developing a phone from the ground up purpose built for user data self-ownership. puri.sm/shop/librem-5/
Ahh this answers my last tweet.
Well, thanks for your reply, and good luck with Brave. It's terrific. I hope you have gigascale success in the future.
Any chance we'll see a Brave spin of chromium OS on the desktop at some point in the future?
Never say never... more immediate: a big-display version of Brave Android tuned for Chromebooks.
Thanks Brendan, but it seems OS independent? My belief is the browser acts as a container essentially and proxies the signals over? Is that not the basic issue? So if you took away browser permissions this would be solved?
Browser is subordinate to OS. That's good, the browser confines remote content to prevent signaling per Web standards & policies they support -- and beyond (e.g., @brave shields). But it cannot reach down into the OS "basement" and stop the OS from signaling.
But browser can stop passing it on right?
Passing what on? Chrome (any app) on Android could be "phoning home" location & other private info. True, but the Vanderbilt study implicated Android the OS, not an app (confounder aside). If you mean browser is intermediating all OS network traffic & could stop any: not true.
I meant the latter....
OS is superordinate, browser is just one program running in a process tree at your-user-id privileges.
Thanks for helping me think through this! Are apps running in the mobile browser not subordinate to the browser similarly? So weather.com can just ping my motion sensors, which are an OS API, without any browser permissioning. Seems like a big design flaw? Maybe not?
No, browser is just an app. Apps are subordinate to OS in general, any privilege-based ordering among them is on a secondary axis. Categorically the OS defines the shared or virtualized machine for each process, and an app consists of one or more processes running the app’s code.
I think I was missing that last part. Thanks a ton. Need to think through this more. Might've made sense on Unix designs, but with billions running it on mobile with sensitive sensors it sounds like a disaster. Documentation on @brave's approach to this anywhere? Would love to read.
So each tab in Chrome is running the Chrome process basically as its own process in the process tree, subordinate only to Android / iOS?
Up to a limit after which tabs would share processes (to avoid using too many resources) for most of Chrome’s life to date, process per tab in sandbox (lowered rights, file/net access off or filtered). Strict Site Isolation now tries for process per origin (domain, kinda) mostly.
Yeah, this is a big deal. Real-time access to sensor data and other APIs by random scripts on random sites is something that isn't covered in tech journals nearly enough, adjusted for impact. Don't even know of any focused study of how much PII-like data has been leaked to date.
Some sensor APIs have been removed or restricted, indeed. The app store model makes it too easy to bundle permissions, users almost always click through install-time grants. The web model should be object-capability, least-authority grants in context, but is a mix. More to do....
A site can on purpose or as victim of a hacked edge cache or even a trusted vendor gone wrong, include script in page that logs keystrokes and form fill data to fingerprint the user or even exfiltrate PII from a form. Browsers are taking ad-hoc steps (e.g., no password in http:).
The so-called 3rd party scripts can really be 7 degrees of Kevin Bacon away from 1st party site you go to and trust directly, so this is a problem. I made 3rd party script (loaded by <script src=B.com> from A.com page) run as if inlined in 1st.
Sensor APIs are least of it: form data is at risk, along with your nav history tracked via 3rd party cookies or other means. This is why Brave blocks much 3rd party script by default: to stop abusive tracking (for ads & other purposes), fingerprinting, malvertising, cryptomining.
We need web standards that formalize the 3rd party relationship so that you can tell code loaded from <script src=B.com> (or generated scripts nesting out to Z.com) from 1st party A.com, and restrict capabilities granted them.
GMO's Global Brand "Z.com"
"Z.com" is a unified brand (global brand) for global business of GMO Internet Group.
z.com
(lol, I didn't know Z dot com was legit -- sorry.) Anyway, improving web standards to enable greater protections for users is a topic of interest that I hope good people from Apple, Brave, Mozilla, Samsung, and other W3C members will discuss at the upcoming TPAC meeting in Lyon.
Why this isn’t a big thing yet is baffling
Sir, already using @brave for a long time. But what would your suggestion be in the case of an Android phone which actually respects privacy (at least to some extent, more than others)? Oppo?
I have not evaluated Oppo, just saw that gorgeous high end notch-free (camera periscope!) unit while in Paris. What happened to Blackphone? Went down the Enterprise deathmarch path?
You can’t be serious, right? Brendan? Cellphones from China can not be trusted.
There are two versions of such phones in many cases — one for export, one for inside China. I do not trust either a priori. But there are differences; leakage can be checked with the right RF gear. As noted elsewhere, I use iPhones. Are they more presumably private? Must test.
Anyway, I just liked the design. Before I get such a phone, I will find trusted testers with fresh results, and share.
Without open source and verified compilers and so on, cannot rule out a back door, as Ken Thompson noted in his Turing Award lecture. A hardcore privacy phone would want verified Verilog and other CAD and fab toolchains.