As it stands, the Tweet by Edward Snowden which endorses Graphene is the best proof I found that the privacy claims of Graphene pass expert scrutiny. Snowden seems trustworthy.
However, this is far from enough. It is a Google device which we’re talking about here. Google’s entire business model relies on gathering data, i.e., undermining privacy. The idea that their device is the best on the market for privacy, seems ludicrous.
The privacy community is a serious threat to Google’s existence. If I was Google, I would create seemingly the most private smartphone, which would allow privacy tech-geeks to slap their own private OS onto. I would create a hardware backdoor, so that I can continue to collect data.
Those who think this sounds extreme, may not be aware of how Google has done more audacious things, namely, sending Google Maps cars around the world, not only to image the entire globe without our consent, but collect your Wifi traffic when it passed your house.
I tried to find academic papers which suggest Pixels can be trusted from a privacy perspective. I found nothing. If necessary, I am willing to lower my credibility bar, but I need convincing when it comes to using privacy as a reason to buy a Google smartphone. Maybe someone here can help?
It’s not. The general population does not care about digital privacy. It’s only a select few that are really into privacy. Half of the people don’t even use an ad blocker in their browser.
Pixels are well known devices and you can assume that a lot of researchers are looking into them. Nasty stuff would be found eventually.
Let’s look at your problem from the practical side: You don’t have a choice. Google, ironically, is the only company that publishes all the updates, firmwares, drivers, binaries etc. in a timely fashion every month that make a project like Graphene OS possible in the first place.
The general population does not care about digital privacy.
But there is a significant legal push for privacy rights, otherwise there would be no GDPR. Maybe the lawyers and politicians don’t consider themselves part of the privacy community, but I meant to include them, and anyone who may care about privacy for that matter. In other words, the general population taking privacy seriously (i.e., an expansion of the privacy community), is a serious threat to Google’s existence.
Pixels are well known devices and you can assume that a lot of researchers are looking into them.
This is the type of thing I keep reading online. Similarly, on Graphene’s FAQ:
the GrapheneOS code is reviewed by external security researchers, companies and organizations on a continuous basis
But I cannot find the clear evidence of this. I believe the implausibility of the claim that ‘Google is the only company to make a smartphone suitable for Graphene,’ warrants some research papers or reports by accredited auditors. I want to find this stuff. It should exist.
They go over some of these concerns/questions in their FAQ - grapheneos.org/faq, and I believe on the forums and repos. Audits aren’t always what we generally think of, i.e. an independent company does a full audit and publishes a paper. Sometimes that does happen, but a lot of audits are someone noticing a potential issue, and raising an issue in the repo.
It might be if the general population cared about privacy.
But they just don’t, like @Valynor already pointed out.
And even if, it’s Google. Do you think Google and the tracking industry will go and die just because of the privacy community?
What I mean is they make big bucks off of data.
I thought the whole journey of Graphene being chronicled in their respective GitHub repo is evidence enough?
Graphene rides on the back of AOSP. AOSP has its own peer-reviewed academic white paper published by ACM (Association for Computing Machinery). You know it’s sort of legit because the link above has a DOI number. Now I don’t know ACM because I don’t work in the computing industry and my ignorance is showing.
Where do they submit the white papers, exactly?
In medical research, white papers are submitted by researchers in their respective society (usually separated by organ systems and countries/region - in Europe, the US and presumably in their own country). What is the equivalent of a society in the secure computing field that is reviewing such papers? Functionally the security society analogous to the medical society is BlackHat and DefCon but they don’t seem to be publishing white papers per se. I’ve seen universities submit white papers but I can’t seem to recall to what institution exactly?
Personally, I think the merits of an open source system stand by its GitHub page and how their community handles security issues. At its essence a peer-reviewed paper is just some people talking about security problems/solutions and its community studies/reviews the claims critically and either agrees or disagrees, just like in GitHub.
Just being published does not ensure the legitimacy of a research paper. Other factors must be taken into account such as the reputability of the publisher/ journal.
I had hoped that if a paper were retracted, it would also show up in the DOI as well; turns out it isn’t.
So now we are back to square one? Does this strengthen the assertion that a git repository and all the adjacent technical discussion is more than enough?
Also @plonkeyt, let’s assume for a while that Graphene OS does get cited and praised in a white paper up to and within your standards. Won’t a simple version change completely invalidate the paper because the current version no longer applies to the paper submitted?
No offence, just well meaning comment, since I have been there (or at least close to it):
You seem to have gotten lost in the FUD of the World Wide Web.
The OP writes that they tried to find academic papers on the subject of privacy, relating to Pixel phones. It is not surprising that a search for “Google Pixel privacy” with a scholarly search engine yields no results.
It is claimed that there is an interest in academic papers, but there is seemingly no attempt made to study and comprehend articles from peer-reviewed scholarly work. There appears to be no interest in reading up on scholarly articles on, for instance, Android OS security, the security and composition of a hardware secure element and other hardware functionality of an Android, or Pixel, phone. The OP disregards that no scholarly work has reported on privacy violations or so-called “backdoors” in Pixel firmware.
The OP appears to approach this subject with clearly defined assumptions about a specific OEM’s intentions. The OP could have approached their research with an open mind, attempting to question their own hypotheses during their research into this subject. Alas, there is no indication of such an attempt.
The community on this forum may point the OP to research papers that detail the various security features of the phone’s hardware. They may also point the OP towards a certain independent article where the author used a rooted phone to study the network connections that the GrapheneOS operating system makes by default. But the OP has made up their mind, and there clearly is nothing to be gained from trying to point OP in any other direction.
Google does care about security as it increases consumers’ trust in the current system of data harvesting. Google doesn’t want “unauthorised” third parties, including hackers, to access your data.
Plus Google is free-riding on Graphene OS vulnerabilities finding, so that’s a win for them.
I think your insinuation that my post is low-effort and that I am ultimately stubborn, is a fair, but incorrect one. Truth is, I’m ignorant about tech. I don’t understand the security claims which Pixel/Graphene boasts. I don’t know enough about phones to know about the plausibility of hardware backdoors.
In such a situation, I am reliant on those who do understand this stuff. Usually, I can discern experts and quacks through looking at academic credentials, and seeing if there is peer-reviewed stuff published which support the expert claims. (this worked when I wanted to see if private browsers do indeed ensure browsing history is not stored locally on device.)
I most certainly am not saying that Graphene contributors and supporters are untrustworthy. But what I am saying, is that my default mode of verifying claims which require specialist knowledge, is inadequate in this case (due to being too niche, perhaps). In other words, I need to put my trust in someone other than an academic, or something other than an abstract of a peer-reviewed paper. Which is fine, I’m willing to do that. But I don’t know enough about this field of knowledge, to know who to trust and why.
It’s like it says on their website, the only people checking the Graphene code extensively are the Graphene people. So it is a bit self-referential, but if you trust that their team is good at what they do (and many do) then you can trust that they’ve been very thorough with their product. That’s just what it comes down to.