Grayjay (Frontend)

Open source always belongs to the authors. What you can do with it depends on the license.

I made a Pull Request to add Grayjay.

Regarding the open-source question, I would say it’s not open-source. FUTO could also have used the CC-BY-NC 4.0 (Creative Commons by Non-Commercial).

We should remember that Grayjay is a paid product*, and I see this as the reason why @louis_rossmann doesn’t want it under an open license. Because then anyone could fork it and make it free.

But as far as Privacy Guides is concerned, being able to build from source and check the source code, as well as forking it for personal use (to remove parts one doesn’t like) – is all that matters.

In the future, it might be worth defining what PG defines as open-source. The Standard Notes license issue is a great starting point.

About Grayjay in itself, I see just one issue: telemetry. Grayjay’s privacy policy states that:

  1. Information We Collect
     […]
     • Telemetry Packet: Upon starting the app, Grayjay sends a telemetry packet which contains the following:
       • Version of the app you’re using and the OS SDK version
       • A randomly generated unique identifier (this does not link back to your identity or specific device)
       • Model and make of your phone
  2. Use of Your Information
     • Improving Grayjay: The telemetry packet helps us understand our user base, which devices are most commonly used, and ensures that we optimize our app for those devices. The random identifier helps us determine unique app launches without identifying individual users.

This telemetry can’t be disabled. I personally don’t see it as a big issue, but I know it is for some people, as reflected by the advice to disable daily ping in browsers.

*There is no restriction if you don’t pay, but it is still a paid product.


I think the focus of PrivacyGuides is to find the “best of the best”, it’s just that having a stringent requirement on every recommendation is just not feasible, so the requirements got relaxed somewhat on categories with limited choices. You will notice a trend that the criteria are stricter specifically when there is a lot of choice/competition available (e.g. Email, VPN, Cloud Storage), and less strict when the choices are limited (e.g. Password Managers, Note taking software).

So it’s less hypocrisy/stupidity and more “nothing will pass our criteria if we don’t relax it a bit”. Tagging @jonah for input.

Edit 1: Idk why they’d recommend 1Password though


Not sure why I was downvoted - my explanation wasn’t meant to say the license was good or bad. It was meant to explain the implications of the license as an end user and somewhat for the user running the code. While I prefer AGPL for interacting with hosted services, in reality I’m quite content with FUTO at the end of the day as it exposes what is most likely running on a server (my threat model doesn’t care about people modifying the code), and actually has (untested) legal agreements if anyone tries to commercialize it.

FUTO doesn’t require source code to be provided over a network, and AGPL-like licenses do. This isn’t an ideology-based consideration, it’s in the license itself. Why people choose some licenses over others without such consideration is definitely an ideology; even FUTO comes with its own take. With that, whether or not such copyleft agreements matter to you depends on your threat model.

Regarding the open source vs license issue, I have created the following post to discuss it and define a definition. Following this discussion, we can decide whether being source available like Grayjay is enough for us to consider it open source, and add it to the website without altering the existing criteria.

lol, this is really bad. Unless there’s absolutely nothing else that is suitable, I wouldn’t use nor recommend Grayjay.


Why?

There is definitely nothing with as many features: simultaneous sources, casting, SponsorBlock support, custom comments system, etc.

Because the data collected can reveal more information about the user than what it might seem at first glance. The fact that this is not even opt-out, but mandatory, is in my opinion not acceptable.

It is still much better than using the stock youtube client or the youtube website, and therefore should be recommended if every other frontend/alternative client is borked or can’t keep up with google’s bs, but that doesn’t seem to be the case as of now. NewPipe seems to be working fine.

hmm, I don’t know about the other features, but there are forks of NewPipe that include SponsorBlock functionality (Tubular being the actively developed one). NewPipe also supports sources other than YouTube.


NewPipe does not support nearly the same number of platforms as Grayjay does. Grayjay is also built in such a way that you can add any service you want to it via actually Open Source plugins.

If you start using Grayjay, then it sends your Android version, a randomly generated number, and your phone model (Pixel 6a in my case), and it only sends these things once.

I don’t see how this is unacceptable. Privacy folks just hear the word “telemetry” and completely lose their cool.


Once, or once every time you start the app? The privacy policy seems to point towards the latter, but if that isn’t the case then it’s considerably less bad.

If it’s phoning home daily on the other hand, then this information can be used to profile you. That isn’t to say that I think they are doing that, but they could, and we cannot verify that they aren’t.

(edit: somewhat related)

I personally am not concerned that X will learn that I am using Y app with phone Z.

What I am concerned about though, is my watching history being tracked. And Grayjay (with a VPN ofc) shields me from that threat.

That being said, I would like clarity about the telemetry being on each app start, or one-time only. It may be that device info is sent once, but each app launch is tracked. Hey @louis_rossmann, could you please clarify that point?

About sources, NewPipe does support a few, but it lacks Odysee/LBRY. More importantly, Grayjay displays sources simultaneously, side-by-side.

It sends an anonymous piece of info which is

  1. version of app
  2. release build
  3. type of phone
  4. stable or unstable phone

It’s sent every boot and helps us figure out what phones it crashes on, what we fkd up. A lot of people will say it doesn’t work on their phone but it works on another, but never submit a bug report or email. The anonymized stuff above was used to make bugfixing the app on a quick release cycle easier.

Citation for telemetry: grayjay-android/app/src/main/java/com/futo/platformplayer/states/StateTelemetry.kt at ec19ea44ad6f95fd445e1d343240bf8451ac1f9b · futo-org/grayjay-android · GitHub

I don’t expect anyone to trust what I said above without a citation. It shows where the telemetry packet goes.

This is done out in the open, so if you want to block it, logs.grayjay.app 0.0.0.0 in your firewall/hosts… or just re-build the app without it. As you can see from the source code above, this is in no way designed to allow us to figure out anything about you other than what we fucked up when programming this app, what devices it is working on, & what devices it is not working on.

With regards to licensing, licenses are up to the maintainer of the project, not me! I don’t decide them. Different projects are under different licenses here.

With regards to the idea, if some phone maker says we want to bundle our app and have the “i already paid” button be hit on all of them, we’d like the ability to sell a mass-license to them rather than just have them provide it for free. It’s already essentially honor-system/trust-me-bro software with regards to payment as it is, so I see this as reasonable.

On one hand, I can see how people in the open source community think that this license is unreasonable; even though it allows you to modify & view source code & change for your own use, it doesn’t allow commercial redistribution without an agreement with FUTO. A limit on freedom!

On the other hand, if I were the billionaire spending tens of millions of dollars on all of these applications with DRM of “I already paid” and someone walked into my office to tell me that what I was doing was wrong… I would likely reply back with my trademark youtube catchphrase: “gargle my balls.”

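To make the linkability question raised above concrete (is the random id reused on every launch, and does the server also see the source IP?), here is an added example that is not Grayjay’s code and not from any post in this thread. It builds constructed server-side log records with the fields named above (app version, build, phone model, random identifier) plus the source IP, and compares a per-install id re-sent on every launch with a fresh id per launch: both give the maintainer the same aggregate counts, but only a stable key lets a server rebuild a per-device launch timeline.

```python
"""Linkability of a telemetry identifier across app launches.

Added example, not Grayjay code. Records are constructed; INSTALL_ID and the
IP addresses are placeholder values, not anything observed from the app.
"""
from collections import Counter, defaultdict
import uuid

INSTALL_ID = "11111111-1111-4111-8111-111111111111"  # fixed per install (constructed)

# One row per launch, as a telemetry server might log it (constructed data).
PERSISTENT_ID_LOG = [
    {"ts": "2024-03-01T08:02", "id": INSTALL_ID, "ver": "1.0", "build": "release", "model": "Pixel 6a", "ip": "198.51.100.7"},
    {"ts": "2024-03-01T21:15", "id": INSTALL_ID, "ver": "1.0", "build": "release", "model": "Pixel 6a", "ip": "198.51.100.7"},
    {"ts": "2024-03-02T07:58", "id": INSTALL_ID, "ver": "1.0", "build": "release", "model": "Pixel 6a", "ip": "203.0.113.9"},
    {"ts": "2024-03-02T09:30", "id": "22222222-2222-4222-8222-222222222222", "ver": "1.1", "build": "unstable", "model": "Galaxy S21", "ip": "203.0.113.9"},
]


def per_launch_ids(records):
    """The same launches under the alternative design: a new random id every launch."""
    return [dict(r, id=str(uuid.uuid4())) for r in records]


def aggregate_stats(records):
    """What the maintainer says the packet is for: counts per version and model, not individuals."""
    return {
        "launches": len(records),
        "by_model": Counter(r["model"] for r in records),
        "by_version": Counter(r["ver"] for r in records),
    }


def launch_timelines(records, key):
    """Group launch timestamps by one field; a stable field yields a per-device history."""
    groups = defaultdict(list)
    for r in records:
        groups[r[key]].append(r["ts"])
    return {k: sorted(v) for k, v in groups.items()}


def max_linkable_launches(records, key="id"):
    """Longest launch history the server can attribute to a single value of `key`."""
    return max(len(v) for v in launch_timelines(records, key).values())


if __name__ == "__main__":
    fresh = per_launch_ids(PERSISTENT_ID_LOG)
    print("persistent id, linkable launches:", max_linkable_launches(PERSISTENT_ID_LOG))  # 3
    print("per-launch id, linkable launches:", max_linkable_launches(fresh))             # 1
    print("per-launch id, linkable by source IP:", max_linkable_launches(fresh, "ip"))   # 2
    print("aggregates identical:", aggregate_stats(fresh) == aggregate_stats(PERSISTENT_ID_LOG))
```

The last line shows why the later point about IP addresses matters: even with a fresh id per launch, the source IP the server sees can re-link launches unless it is not stored.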

Thanks for the link.

I understand why telemetry is helpful to the project but even if I do trust you to not misuse this data, there’s no way for the users to audit your servers and ensure that it is being properly anonymized and isn’t being used for anything other than what is claimed.

Please consider adding the option to enable telemetry in the popups when you first open the app and not have it on by default. I’m sure many would be willing to enable it to help with development, for the same reason why people are willing to pay for the product if it’s good. But when you start collecting data without saying anything, it’s not exactly the best look.

I don’t think that people think the license is unreasonable, they just think it is not open source, which is true. The response to FUTO’s “source first” has been largely positive, at least in this community and other tech communities I’m in. People agree with what you’re doing.


Thanks for popping on the forum and clarifying.

I agree with you that telemetry isn’t a hard blocker to sensible privacy, and I get confused when others are ride or die on it. Without basic metrics, the only way to improve the software is to rely on user reports and a strong community. Even then, the quality of reports matters, and diagnosing issues becomes difficult.

Regarding the license, my main beef with source first licenses is not with the license itself, but companies doing a bait and switch. Prime recent example is Redis. This is especially jarring in the example as it went from a weak BSD license to an AGPL-like SSPL - a smack in the face of how it’s used everywhere, and makes me distrust Redis the company. Luckily forks were made under new owners as the previous BSD license permitted that.

However, I greatly respect FUTO coming out of the gates with it, and I suspect no foul play. The intention is definitely not to bait, gain popularity, then switch the license over us. It has a clear defined goal set out.

I hear where you’re coming from, but the anonymous nature of the data is right there in the code that is publicly viewable.

With regards to collecting data “without saying anything”, it is in the 2nd paragraph of our plain English privacy policy which is less than two pages long. That privacy policy is the opposite of the wall of legalese nonsense I find everywhere else.

I would like to see a button to disable telemetry myself. At the same time, I want to make sure that they’re not being misrepresented as EULA roofing users when they are not.


Thanks for the reply.

IP addresses are personal data. We cannot verify that you’re not storing and/or associating it with the rest of the data that is being collected.

That’s another reason to display it to the user when they first open the app. It’s not an incomprehensible gigantic wall of text that any sane human being would refuse to read.

In regards to transparency, I think Ubuntu does or at least used to get this very right: they have a button where you can view in plaintext the exact data that will be sent if you hit agree. Since Grayjay doesn’t collect a lot of data, it should be readable even from a tiny phone screen.


Every website you visit has access to a general IP address of yours. You have to send your IP so the server knows how to send data back to you. This is why VPNs are a hot commodity for this - you route traffic through another server to conceal this. But the VPN knows your IP at that point.

If their privacy policy says they don’t collect, we can try to trust that. If you don’t, then that threat model applies to every other website you visit, and not just this one in particular.
