

Why don’t browsers know how to render a Markdown content-type yet, all by themselves? It’s ubiquitous now and it’s not like it’s hard to parse, but every site has to translate it into HTML itself for the browser.




It sounds like this is the free service charging to access data you already gave them with the expectation it would always be available later. And which might not exist elsewhere.
That’s not freemium, that’s ransomware.


Sounds more like the pirate queen.


Pihole or other network-based ad blockers might be able to do a lot of the same things. Or an ad-blocking DNS set in the phone’s settings. But I don’t know of anything else that has the same on-device VPN implementation as the DDG tool.


It could probably change the language selector.
If I’m an elite hacker spy who works for the hacker spy division of the Chinese army, am I going to change the system language of the thing I am hacking to Chinese and forget to change it back?


Mostly so they could say they did.


You don’t do the development on the board.


It would definitely reduce the attack surface. And even though Windows has “security” issues patched all the time, rarely are they ones so severe that you can just roll up to a machine and send it a weird HTTP reply and get admin access. Usually it’s stuff like if you have a shortcut file on disk it gets to run code when you look in the folder, or something. Not great for working with downloads, but hard to exploit unless at least one other thing happens (like visiting a malicious page, which then starts a download that the browser accepts).
But the browser calls out to the OS to do a lot of stuff (render images, render fonts, play sounds, etc.). It mostly assumes the OS can do those things without popping open a remote shell because too many emojis were rendered in a row or something. That is not always true, and when it isn’t you want an OS patch to fix it before you go on a site where someone can post the Magic Emoji That Hacks You.
But you are right that you can browse around trustworthy websites on an unpatched system behind a decent firewall for quite a while before you notice something bad happening. But also, a lot of bad things can have been happening for quite a while before you notice.


Or plants. Or whether you should shout at people. Or sort of the concept of women.


Nah, that’s an NPU.


The graphics stack is better, but the security isolation is IMHO solving a problem no one really had, at the cost of breaking a bunch of integration mechanisms people actually used.
You want UI security isolation for something like Android, where most software being run is fundamentally opposed to the interests of the user and wants to steal anything not nailed down, and you also contain things at the file system level. If Facebook could screenshot every other app all the time it absolutely would, and people would download it anyway. To some extent the enforceable promise that it can’t do that is why people are still willing to download it anyway and let it do all the other things it does to compromise a system.
In a distro shipping legitimate software, isolation at the desktop UI level is nice for defense in depth, but not really drawing a real security boundary around any program to the point where a user can trust a machine with malicious software running. It doesn’t matter if I can’t steal Firefox’s pixels if I can echo "export PATH=$HOME/.evil-firefox/bin:$PATH" >>~/.bashrc.


I don’t think it is right to trivialize rape like that.


I don’t think the burden should be on users, but I do think some of the burden should be on the press. If the press just assumes Google is up to no good and never does the investigative reporting needed to show it, we will miss out on having very politically useful evidence.


Anytime I want cooperation I will need to persuade you.
That sounds suspiciously like democracy, the thing we would quite like to achieve.


But they aren’t even showing collection of data in the article. For the data to be collected, it needs to leave the phone, not just be touched by Play Services.
Play Services does collect data it shouldn’t collect, by sending it back to Google. But the difference between “I am collecting your data” and “I wrote software you are running” is important and needs defending, because obscuring it is one way that independent developers are prevented from publishing and marketing actually-privacy-preserving software. If I am deemed to have “collected” your personal data every time you type it into a text editor I wrote, I can no longer distinguish my local-only encrypted text editor from Google’s one that stores all your data unencrypted on their cloud. We both have to say we “collect” your data, and nobody non-technical can tell the difference.


You can buy a phone that arrives running GrapheneOS. This might not be advisable, because it adds another point of trust in the refurbisher who actually does the flashing, but you don’t need to have the skills or do the research to install it yourself to get access to a device that runs it.


It’s not that I want to give them the benefit of the doubt, it’s that the article neglects to bring in that whole thread of the argument that you give here. This should all be in the article.


The SensorVault data is “just” the Google Maps Timeline data though, right? Which people have always been able to turn on and off, if they knew about it.
I feel like Google not really respecting a concept of user consent and pretending people agree to poorly-publicized and often-modified tracking programs is a different, and, frankly, weirder, privacy problem than there being closed source stuff running with high permissions. If you could revoke permissions from Play Services, or if it was source available or even free software, that wouldn’t solve the problem because it would still be able to do stuff Google had manufactured consent for it to do.


Do you mean “transmits” as in “from the location service on the phone to the mapping app on the phone”?
Or do you mean the phones are all updating the wifi SSID geolocation database, which they then all can use for doing wifi-based geolocation?


Why can’t I just write this up as a PR to Firefox and stand a snowball’s chance of getting it merged, though? Everything’s somehow simultaneously extremely stodgy and completely beholden to whatever Google decides to ship this week.