I’ve been testing out Graphene on my Pixel that had its camera hardware fail, just to see what does and doesn’t work. One thing I’ve already run into is that in order to sign into Tailscale, I have to log in through google. If I do that, is my privacy completely toast at that point on the GOS phone? I’m not sure what all sticks around since it’s a browser sign in instead of an OS level sign in.
When you say privacy is toast, how do you mean?
The answer you’re looking for comes down to what you’re considering a bad thing and a compromise depending on how you’re trying to maintain your privacy per your threat model.
I don’t think there’s a conclusive answer here unless you explain your thinking more.
If you’re signing into Tailscale, all that happens is that Google knows you use Tailscale and so does Tailscale. Google may also know how long you’ve been signed in with its method and perhaps your IP too.
So if you consider Google knowing these select things as your privacy being compromised, then I’m afraid so.
But why must you use Google to sign into Tailscale to begin with?
Nothing “sticks aroud” on your device if you clear browser data afterwards. Worst they could do is fingerprint your browser and thus potentially make an educated guess that you’re the same user next time you use something Google related in the same browser.
Of all of the services they allow, its the only one I have. I tried to use Github one time, but Github’s security reacted poorly to the attempt and it locked me out of my account, with very, very poor response from their customer service. So definitely not messing with that again.
Google already knows I use Tailscale across all my devices…but I only use it for Immich and for Taildrop. Otherwise, I disconnect and use Proton VPN.
It probably voids your anonymity to some degree.
But Privacy is not the same as anonymity. It’s not a one-and-done kind of battle. It’s a constant handling of control over pieces of information.
So, while it might tell Google that you own that device, Broadly speaking, GrapheneOS still does a lot to snuff the vast majority of fingerprinting and tracking methods that happen over the lifetime of a mobile device.
I’d recommend asking this question on the GrapheneOS forums though. You’ll likely get really detailed answers over there, and it’s a pretty good place for privacy nerds overall, much like this forum.
4 Likes
No. It depends on your threat model tho.
From what I read here, you could also migrate towards a self-hosted Netbird and skip the whole mandatory OAuth (Google sign-in) from Tailscale