My mobile privacy journey (the origin story, or how I discovered GrapheneOS)

Posted on 3rd Jul 2020     Leave a Comment

For those of you who know me, rather than know of me, you are probably aware that I have somewhat of an obsession with mobile phones. I’ve been a mobile enthusiast pretty much since I took my iPhone 5 with me on a trip to the US and it was my main holiday camera, my portable games console, my media player, and I hadn’t yet realised that I was slowly getting more and more addicted to it.

Fast forward many years and we are now at iPhone 11 (with iPhone 12 due out this year), and Android is now a much bigger, more stable, and often more cost-efficient offering in many markets around the world. Social media is second nature to most, and we are regularly afforded the options of signing up to a new web service or newsletter by logging in via Facebook/Google/Apple.

So in this glorious time, what got me started on the topic of mobile privacy?

No alt text provided for this image

For me, the journey began roughly a month ago, at the peak of the Covid-19 lockdown. I woke up in the morning to an email from Nintendo, telling me that my account had been accessed from Cambodia. I was lucky that I had long ago given up on console gaming and so it took me a minute to remember that when I had a 3DS on which I had spent countless hours catching Pokemon (if you want to unfriend me at this stage, I totally understand, and wouldn’t hold it against you; believe me I would do the same), I had created a Nintendo account which allowed me to download Nintendo’s version of rewards to keep me hooked into the console and into the games for as long as possible.

Apparently I wasn’t alone in receiving the email about my account being accessed illegally; there had been a rather large breach of Nintendo accounts and turns out, it wasn’t even the largest data breach of the last couple of months. Shortly before or after, there was another leak of millions of user records apparently left on an open server for anyone to peruse to their heart’s content. As a result I spent the next few days going into every account I had online, that shared that same password (of which I’m ashamed to say, there were many). One thing that this highlighted to me, was that my digital footprint was the size of a dwarf planet. This sowed the seed in my mind about digital privacy, but the soil and water came a few days later when I saw an ad on Facebook.

It was for a handbag; normally I’d scroll straight past these ads but something just didn’t feel right. I had never talked to anyone about handbags, didn’t browse handbags, and the closest I’d come to bags in general was looking at Pakt travel bags a year or so ago. It felt like an out of place ad, and so I clicked the three dots next to the ad, and selected “Why am I seeing this ad?”. Little did I know that for the next few hours of that Saturday afternoon I would be hurtling down the rabbit hole that is Facebook Advertising settings.

Menus, submenus, further submenus with subsections, switches, explanations with examples – it’s a lot to take in if you’re not 100% committed to understanding what Facebook is doing with your data. And you have to remember; this is by design. It wasn’t put together by chance in such a convoluted manner. The settings menu for Facebook adverts is deliberately obscure to put you off your quest to simply understand where and how Facebook tracks you and what data it holds on you, and who it shares this with. There were two sections that were my favourite – my Interests, and my off-Facebook activity. Let me quickly take you through what these are so we can get back to the main crux of this story (apologies – I have a habit of being verbose AF).

The Interests section is where Facebook determines, based on your time on the app, on Messenger, and on any other Facebook related systems (and some completely unrelated ones, which is the second section), that these are topics that you must be interested in. It had 458 interests assigned to me. I’m happy to say that roughly 60% of these were pure dogshit. Nothing to do with my actual interests. The other 40% were eerily close to what I care about (mainly Nokia, Android, iOS – you get the theme). The main mechanism of obscurity that Facebook has employed here (at least in the Facebook app) is that you can’t just purge these interests by “Selecting All” and then clicking “Purge”. Instead you need to click the 3 dots next to each interest and click “Remove Interest” manually to remove all of them. I had to do that 458 times. The reason why I know that this mechanism of obscurity works is that shortly after, when I showed this to my wife, her initial outrage over being tracked like this, dissipated rapidly when I told her she would have to manually remove each. Her response, “I already know they own me so why bother?”

The second section was the Off-Facebook activity. For some who may not know, Facebook and other large tech companies use something called supercookies, to track your usage of the net, off-Facebook – as in, when you’re just browsing the web or buying something or logging into another website. Facebook also does this surreptitiously through another functionality that it has been providing for years – the Login via Facebook function. Unbeknownst to me, whenever you sign up to a web service using the Login via Facebook function, implicit in your decision to use this service, is YOUR approval that Facebook will be given all the details related to you activity on the web service which you’re logging into.

In light of the recent Cambridge Analytica scandal, and having just seen these settings for myself (which Facebook only made available to users as a result of the scandal to begin with), I thought about the responsibility that people have when it comes to signing up for these free services. I won’t bore you by repeating the old addage, if something is free then you’re the product (there I repeated it anyway); but the reality is that the terms and conditions that these platforms often put forward when faced with privacy violation scandals, are not worded for normal everyday consumers. I work with lawyers, but I’m not a barrister myself and faced with a 3 page document detailing Term 1 clause 3 subsection 4.1 will inevitably lead me to click Agree, which in my mind is the equivalent of “Get me to the content already!”. And if I’m trying to play a game of word match with a friend, or trying to determine which Star Wars character I would be (Count Dooku for life), then the expectation that the cost for these mind-numbing distractions is that my digital footprint would be inexorably mined and sold to advertisers is disturbing. Not least because they can then focus their advertising, but also because they can now use the information they have to build predictive models of my spending behaviour, to find when is the most opportune time to advertise what, to ensure that I’m at my weakest willed. This is beyond creepy.

So I started looking for privacy solutions online.

No alt text provided for this image

The source of all knowledge in my life actually isn’t strictly Google – it’s YouTube. So I went onto YouTube to see what privacy options people have. Initially it was anti-climactic; I was already doing a lot of things that are recommended. Not using the same password in different services (post Nintendo), using a VPN (have a lifelong subscription), using encrypted messaging services (iMessage and WhatsApp as I far as I knew were end-to-end encrypted), using a secure Browser (I’d opted for Firefox Focus a long time ago). So what could I do differently?

At this time I stumbled across two channels – TechLore and The Hated One. Both channels focus on tech security and privacy. I learnt from these channels, and from additional broader reading around the topic of mobile privacy, that the oft held belief that iOS is more secure than Android wasn’t strictly true any more. Apple had seen multiple data breaches in the last few years and more recently when iOS 13.5 was released, it was hacked and jailbroken within 24 hours.

Furthermore, iMessage happens to be completely closed-source so really nobody knows what is happening behind the scenes. An example that made me question the sainthood of iMessage vs other messaging apps, was that whenever any of us buy multiple Apple products, say a Macbook Pro, or an iPad to really live out the inspirational “more money than brains” model of life, attaching each device to our user ID means that by default each device starts receiving the message being sent to one device. So if I was to message my friend, it would be the equivalent of my personal iPhone, my work iPhone, and my iPad, all sending a message to his personal iPhone, his iPad etc. Now you and I can change that setting so that each device is set to send and receive messages separately and the messages aren’t replicated across devices. But suppose for a moment, that each user ID is also coupled with another user ID, or another computer – say one that is housed at the NSA, or the CIA. Wait, wait I know what you’re thinking – this is tinfoil hat territory!

No alt text provided for this image

It might sound conspiracy theorist, but let’s try and remember that Apple was named as one of the participants in the PRISM surveillance program that the Snowden leak highlighted. Apple along with Google, Facebook, YouTube, Skype, Yahoo and others. The following, as I understand it, is one of the slides from the PRISM collection of slides that were leaked:

By National Security Agency - original image | source, Public Domain, https://commons.wikimedia.org/w/index.php?curid=26526602

By National Security Agency – original image | source, Public Domain, https://commons.wikimedia.org/w/index.php?curid=26526602

So it’s not entirely outside the realm of reality that everything you’ve ever messaged using iMessage is being replicated on some NSA server, immediately indexed, automatically keyword searched, and tagged with appropriate designations and flagged for further review. For my fellow eDiscovery professionals, this is normally our bread and butter as I’m sure you’d agree. And for those who think the sheer magnitude of this task would be impossible to achieve – Google Cloud routinely advertises their own consumer offering having the ability to index and search across petabytes of data (that’s 1,000 terabytes, or 1,000,000 gigabytes) in under 4 minutes.

iMessage therefore was out. And with the rest of the Apple ecosystem the issue of being closed-source persists – there is no way of knowing what your device is doing while you’re not using it. Apps are background refreshing goodness knows what, and we are going about our life happy with the current reality that even though battery technology has come leaps and bounds, a modern smartphone needs daily charging just because #reasons.

No alt text provided for this image

So after much searching, I stumbled across GrapheneOS (https://grapheneos.org/). The simplest way to describe GrapheneOS is that it is a security hardened version of Android, with all the Google services removed, and apps sandboxed by default. As I mentioned earlier, Facebook does a tremendous amount of usage tracking. Imagine what Google must be doing as they are the largest index of the clearnet (or the general daily use internet). I still wanted to be able to use a smartphone and have a good level of convenience without giving up all my privacy. GrapheneOS fit that bill perfectly.

Ironically, GrapheneOS is only available for Google Pixel devices (specifically 2, 3 and 3A models and their XL variants). It is incredibly easy to install; and basically comes out of the box with all the Google services removed. What this does mean is that none of the Google apps will work here (apart from Snapseed which is a miracle) and certain apps that rely on Google, for ad tracking, message pushing or login functionality will stop working. The pictures I have provided above are my actual device. There are a small subset of apps on my phone that are not free or open-source like Netflix, Amazon Prime video, Kindle and WhatsApp, but knowing that there is no Google Firebase Analytics system on the phone definitely provides some much needed peace of mind. And on top of that, the battery life now lasts for 2-3 days even with my very heavy usage of listening to podcasts, watching Mr Robot, or playing Chess.

I have now been using my Graphene OS version of the Pixel 3A XL for about a month, and in all honesty, the transition has not been the smoothest in the world, but it has been relatively much smoother than I had expected. There is a conversation to be had around the inverse proportionality between convenience and privacy which I will save for the next post (as this one is trespassing even my own boundary of what is an acceptable article and not just a short book). I would definitely recommend everyone to take a look at GrapheneOS if you are seriously interested in taking charge of your data footprint. And in the next post, I’ll provide details of what free and open source apps I now use as replacements for the closed-source proprietary apps I’ve always used in the past.

I hope you enjoyed this; and if you did, please feel free to share this with others. And please leave a comment or send me a message. I’d be happy to connect. Much love in these tumultuous times, and I hope you have a great day.