I generally agree with this. Unless OpenAI has a track record of being poor stewards of open source projects, then right now the concern is mostly FUD.

However, this is a bit aggressive. It is appropriate to be skeptical about the intent of a controversial company acquiring another company that made a few popular open source projects or of the future state of those open source projects.

Just because a popular open source project is well liked today doesn’t mean the community will be happy with the project in the future or even that the project will forever remain open source. Some notable recent examples include Redis, Terraform, and CentOS.

That’s correct, but the XMPP portion of this communication chain is just your device to the JMP service. Any messages sent or received to another phone number are delivered via SMS/MMS. As a result, those messages can be read by unrelated 3rd parties. I assume something similar is possible for voice calls as well (or at the very least the call start/stop times and the other number on the call can be determined).

Essentially this just shifts trust from a mobile phone carrier to JMP. However, I understand that it may be more challenging to hack a VOIP number than perform a SIM swap attack. Another benefit of JMP for privacy is the more challenging tracking of location for a JMP phone number.

I’m not saying that using JMP is bad. I am saying if you need a secure and private way of messaging someone then this is not the best solution.

It depends on what your threat model is. For example, do you want to mitigate the ability to easily link accounts and other information to you based on a single phone number? If so, then this will help with that assuming you (at least temporarily) use multiple numbers through JMP. On the other hand, if you want your communication to be private then there are better alternatives.

Ultimately, this is similar to using a privacy respecting email provider over gmail. Unless you take some additional precautions, your communications have a similar security/privacy exposure. It can be an improvement (assuming you trust JMP), but it is not the best means of communication in terms of privacy.

I understand that there is a public benefit to this technology/data, but there are definitely concerns (including privacy concerns) even if the data is not currently widely available at a per household, per toilet, or per individual level. For example, insurance companies may not insure people who live in specific neighborhoods and it could lead to increased levels of surveillance through other means. There is also usually limited (or no) methods of opting out leaving a person’s consent to be questioned, especially visitors. Speaking of visitors, it could also enable location tracking/history of a person.

This really is just scratching the surface here, as is this technology. As the technology progresses, this can (and likely will) evolve into more sophisticated, granular, and wide ranged levels of tracking. Granted much of this is speculative, but the same thing has happened with computers, cell phones, TVs, cars, cameras, ancestry/DNA services, and many other services. As a result, its important to think of both current and future implications when considering the benefit and abilities of these technologies/data.

I recommend that you think hard and properly access your threat profile. You are likely going to have to pay with either your wallet (eg: some sort of company incorporation, lawyer fees, forwarding services, and other privacy protection services), your time (eg: using “inconvenient” services, managing separate accounts, etc.), or both. It can be draining (in more than one way) and take away some of the joy that you’re intending this to bring you if you do too much to protect yourself. On the other hand, if you do too little then you can overexpose yourself leading to pricey or dangerous situations.

At a minimum, I would recommend incorpating and making sure your name is not publicly tied to the company in any way. You will likely need a person/company/lawyer to be publicly listed as an agent of some sort for the company. You should be able to have someone do this for you for a small-medium sized fee. Once you have that, do everything in the company’s name and ideally with separate phone numbers, email addresses, online accounts, bank accounts, and physical addresses as anything tied directly to you.

Some of that is to protect yourself financially and legally, but there are some obvious privacy benefits as well. Anything beyond that should be dictated by your threat profile.

As always though, follow best practices when it comes to security! Use strong passwords and use multi-factor authentication when possible (or ideally, use passkeys). Don’t reuse passwords (and ideally, don’t reuse email addresses for multiple accounts). Avoid clicking links in messages when possible. Don’t open suspicious documents (especially if they are unexpected). Verify the authenticity of any new person/business you interact with (especially if they contact you first). Be vigilant of all forms of phishing attacks.

Another piece of advice (that you didn’t ask for, sorry!) - if the process of making art is the thing that brings you joy and the materials are not too expenses, then just focus on making the art without selling it (at least for a while). At worst, you will realize that maybe this isn’t as enjoyable as you thought it would be with the added benefit of not needing to deal with all the troubles of working through all the legal/financial/privacy protections. At best, if you decide to get serious about selling it then you’ll have a larger product inventory and better understanding of what you like making most. It may also help you understand what you should price everything at (assuming you’ve made some of the items in larger quantities).

I believe Google plans to use Google Play Services to block side loaded apps. By default, GrapheneOS does not come with Google Play Services installed. I am not sure how things would work if the sandboxes version of Google Play Services that GrapheneOS provides is installed.

The issue about maintaining/updating GrapheneOS is a separate issue from side loading apps. That was due to Google shifting the development of Android to a closed source model and only open sourcing the final code. This limits the Grapheme team’s ability to anticipate changes and make any required adjustments until after the release of Android.

I understand that the watch operating system is open source. However, it seems that the watch will connect to a companion smartphone app. Do you know if the app is a requirement and/or if the app will be open source?

In terms of privacy, you are giving your identity provider insight to each of the third party services that you use. It may seem that there isn’t too much of a difference between using Google’s SSO vs using your Gmail address to register your third party account. However, one big distinction is that Google would be able to see often and when you use each of your third party services.

Also, it may be impossible to restrict the sharing of certain information from your identity provider with the third party service. For example, maybe you don’t want to share a picture of yourself with a service, but that service uses user profile pictures or avatars. That service may ask (and require) that you give it access to your Google account’s profile picture in order to authenticate using Google’s SSO. You may be able to overwrite that picture, but you also may not be able to revoke the service’s ability to retrieve it. If you used a “regular” local account, that Google profile picture would never be shared with the third party service if you did not upload it directly. The same is true for other information like email, first/last/full name, birthday, etc.

There are other security and operational concerns with using SSO options. With the variety of password managers available, introduction of passkeys, and increased adoption of multi-factor authentication, many of the security benefits associated with SSO aren’t as prevalent as they were 10 years ago. The biggest benefit is likely the convenience that SSO still brings compared to other authentication methods.

Ultimately it’s up to you to determine if these concerns are worth the benefits of using SSO (or the third party service provider at all if they require SSO). I have a feeling the common advise will be to avoid SSO unless its an identity provider that you trust (or even better - one that you host yourself) - especially if you’re using unique emails/usernames along with strong and unique passwords with multi-factor authentication and/or passkeys.