I have done my homework. I know the “best approach” when it comes to Google Pixel is to use GrapheneOS with Sandboxed Play Services if required.
But what about stock itself? What if I disable all tracking activities on the Google account and all tracking toggles on the phone itself?
I read a lot, and it seems that there are a lot of click-bait articles where the privacy configurations are not correctly set and then the writer would complain about tracking. On the other hand, one study which seems to be legitimate suggested that Google will even get your phone and SMS logs (https://www.scss.tcd.ie/doug.leith/privacyofdialerandsmsapps.pdf).
It is starting to become mentally exhausting. And any feedback about suggestions or experiences is welcome (I am also not going back to Apple).
Thank you very much!
Well, even if you disable all tracking activities, there is no guarantee that Google would respect the toggles anyway. Similar to what was happening with Apple.
Additionally, Google Play Services is still a system-level app on Stock Pixel and has lots of invasive permissions compared to its sandboxed state in GrapheneOS. Personally, I would go with GrapheneOS and benefit from the security hardening and privacy advantages.
The problem on stock Android is that Google Play Services has privileged and invasive access to your device. It can access all your files, your unique identifiers, and a lot more. As the study you linked and others show, disabling the toggles seems to be superficial in a lot of cases, and doesn’t do as much as it should. It all comes down to how much you trust Google at the end of the day. All you can really do is disable what tracking you can and hope for the best.
I would say overall that it’s really difficult to be private on stock unfortunately and I wouldn’t recommend it, but it all depends on your threat model and what you’re comfortable with.
Is there any reason why you don’t or can’t just use GrapheneOS and want to consider stock OS?
Maybe I am missing something but I think Stock is a smoother experience overall between all the small features here and there. And maybe this is silly, but the hardware might be optimized for Stock at best (Adaptive Battery, hardware acceleration, better compatibility etc…).
@Unperson @Sharply Yes, this is why I said it is becoming mentally taxing. On one hand there is the study, but then I read Google’s answer, which is not that bad, but we never know the reality of things…:
Google say they plan to change the app onboarding flow so that users are notified this is a Google app with a
include opportunities to provide more “Privacy Tours” that walk the user through an overview of the app’s data use and data collection. This will include a new on/off toggle to cover data collection that Google do not consider to be essential for the app to function.
Will halt the collection of the sender phone number via the CARRIER_SERVICES log source, collection of the SIM ICCID and of a hash of sent/received message text by Google Messages (the latter change will be rolled out with version 10.9.160 of Google Messages, the other changes in the next release).
Will remove logging of call related events in Firebase Analytics from both Google Dialer and Messages.
Re the recommendation to use short-lived session identifiers for telemetry data, Google say they would like to see more logging moved to using the least long-lived identifier available whenever possible and that this an
Re the spam detection/protection service, Google note that this only occurs for phone numbers not in the handset contacts list and plan to (i) create a product tour explaining to new users and reminding current users that caller ID and spam protection is turned on for user protection, and letting them know how to disable it, (ii) add a visual indicator within the Messages app that indicates when spam protection is enabled, (iii) investigate whether an approach similar to the Safe Browsing hash prefix solution can be used. Google also state that the timestamp logged in the SCOOBY EVENTS log message (see Section VI.A.4) is fuzzed to the nearest hour server-side, and will also be fuzzed client-side from version v75 onwards of the Dialer app.
Google state that there are back-end server controls to regulate joins between the Android ID and user account data, but the policy used to manage joins is not publicly available. Google also note that when a handset has multiple Google user accounts then its Android ID would be associated with all of those user accounts.
From what you have listed, almost all of these are future plans and have not been implemented yet, so I don’t think basing your decision off of these reasons would be a good idea. Also, the benefits of Stock and the allegedly improved compatibility do not outweigh the advantages of GrapheneOS in my opinion.
Unless you have a really strong reason not to, I would use GrapheneOS for a month or two and then re-evaluate. From what you have said, you have done your research and come to the conclusion that the overall advantageous approach is to run GrapheneOS, so why consider running Stock anyway?
I would recommend reading the GrapheneOS Features Overview (assuming you haven’t already). It lists all the features that are GrapheneOS specific compared to Stock which can help with your evaluation.
Ultimately, it is up to you to consider your threat model and use case and pick whichever tool you feel will satisfy your criteria.
Maybe I am mistaken, but I don’t think that you can meaningfully disable tracking in your Google Account.
If you closely read most of the things Google lets you opt-out of, you’ll notice that rarely does Google let you opt-out of the actual tracking/data collection itself. They’ll often let you opt-out of certain ways that data will be used (i.e. targeted advertising) or limit the time some of that primary data is stored. But as far as I can tell none of the privacy controls let you actually opt-out of the tracking, data collection, and profiling in the first place. (e.g. you can opt out of some forms of targeted advertising, but afaik there is no option to opt out of the tracking and profiling that the targeted ads are based on).
I have to admit, I never thought about it in this way! I am happy that I distanced myself from Google products for a while except for phones.
I will give GrapheneOS a try as @Unperson suggested.
Thank you very much everyone for your feedback!
GrapheneOS is fantastic, so I think you’ll enjoy it. And if you have any questions, head on over to the GrapheneOS forum and we’ll help you out.
A little reminder: do not let perfect be the enemy of good! Figure out and remember your threat model. It’s easy to get lost in the Woods of Surveillance, with the Hounds of GAFAM nipping at our heels and the Big Bad Wolf Brother skulking in the shadows as we search for the Cottage of Privacy.
So as you learn more, go back, reevaluate and update it as needed.