Friday, April 20, 2018

Google’s support of RCS without end-to-end encryption is irresponsible

Dieter Bohn from The Verge has an exclusive look at Google’s upcoming ‘Chat’ app and its use of Rich Communication Services (RCS). Together, they are the company’s latest attempt to solve the dumpster fire that is text messaging on Android.

RCS is a protocol backed by wireless carriers, and Google is the latest enabler. Here’s why I think it’s irresponsible.

Chat app and Rich Communication Services

Dieter:

Now, the company is doing something different. Instead of bringing a better app to the table, it’s trying to change the rules of the texting game, on a global scale. Google has been quietly corralling every major cellphone carrier on the planet into adopting technology to replace SMS. It’s going to be called “Chat,” and it’s based on a standard called the “Universal Profile for Rich Communication Services.” SMS is the default that everybody has to fall back to, and so Google’s goal is to make that default texting experience on an Android phone as good as other modern messaging apps.

Maybe the app will have more feature parity with iMessage, and that would be great for Android users. But what good is it when you factor in the following?

  1. The traffic path is no different than SMS. It goes phone > carrier > phone. We all know how much carriers love our data, and how easily it can be accessed or even subpoenaed.
  2. Also like SMS, RCS traffic is not encrypted end-to-end.

The above points are the largest problems with all of this. In a day and age where data breaches and the selling or mishandling of personal data are sadly commonplace, unencrypted traffic is simply irresponsible. Public awareness of security and privacy is more at the forefront and can only increase.

Why not replicate iMessage?

As Dieter talks about, Google also has self-imposed limitations because of Android’s openness. You see, they won’t go all in on a purely in-house messaging service (like iMessage), because every text would have to route through them. In essence, Google isn’t empowered to replicate iMessage because they share the Android ecosystem. Whereas Apple is the Apple ecosystem.

One of the major complaints about Apple is how closed off they are. Apparent here, the benefit is tighter integration within their ecosystem of apps, services, and hardware.

Dieter also thinks Apple will adopt RCS, but I don’t see them backing it for a couple reasons:

  1. Aside from lackluster encryption, it competes too directly with iMessage on a feature level.
  2. iMessage is a huge reason people don’t switch to Android.
  3. The entire protocol would have to be encrypted end-to-end and supported by all other manufacturers and their messaging apps. Sure, Apple supports (unencrypted) SMS right now, but only out of necessity and precedent.

I don’t see Apple replacing SMS or introducing RCS simply for the sake of iMessage-like features without the security.

If anything, this further cements iMessage as the texting king.

Update for clarity: my case is essentially for end-to-end encryption, so I made a couple small edits to make it clearer.

Wednesday, March 28, 2018

Facebook reportedly delays home speaker amid data crisis →

Sarah Frier for Bloomberg:

Facebook Inc. has decided not to unveil new home products at its major developer conference in May, in part because the public is currently so outraged about the social network’s data-privacy practices, according to people familiar with the matter.

The company’s new hardware products, connected speakers with digital-assistant and video-chat capabilities, are undergoing a deeper review to ensure that they make the right trade-offs regarding user data, the people said. While the hardware wasn’t expected to be available until the fall, the company had hoped to preview the devices at the largest annual gathering of Facebook developers, said the people, who asked not to be named discussing internal plans.

Good. I hope any device Facebook puts out now will be seen as extremely toxic.

Repeat after me: when it comes to Facebook (and Google), you are the product. To chart the comfortability of having these smart speakers in my home from most to least, it would go: HomePod > Echo > Google Home. Facebook’s would never even make the cut.

Wednesday, March 21, 2018

WhatsApp founder joins the #deletefacebook movement →

Casey Newton for The Verge:

In 2014, Facebook bought WhatsApp for $16 billion, making its co-founders — Jan Koum and Brian Acton — very wealthy men. Koum continues to lead the company, but Acton quit earlier this year to start his own foundation. And he isn’t done merely with WhatsApp — in a post on Twitter today, Acton told his followers to delete Facebook.

“It is time,” Acton wrote, adding the hashtag #deletefacebook. Acton, who is worth $6.5 billion, did not immediately respond to a request for comment. WhatsApp declined to comment.

What Facebook and Cambridge Analytica have done is purely vile. Facebook’s user count has been in decline, anyway, as millennials flee the service for alternatives.[1] If you ever were in doubt as to Facebook’s privacy policies, look at their track record and let this be the final nail in the coffin. If only there would be a swift demise to both companies. #deletefacebook


  1. Though most are on Instagram, which is also owned by Facebook. 

Sunday, December 17, 2017

Mozilla’s sneaky, misguided ‘Mr. Robot’ promo plugin →

Kate Conger for Gizmodo:

Mozilla sneaked a browser plugin that promotes Mr. Robot into Firefox—and managed to piss off a bunch of its privacy-conscious users in the process.

The extension, called Looking Glass, is intended to promote an augmented reality game to “further your immersion into the Mr. Robot universe,” according to Mozilla. It was automatically added to Firefox users’ browsers this week with no explanation except the cryptic message, “MY REALITY IS JUST DIFFERENT THAN YOURS,” prompting users to worry on Reddit that they’d been hit with spyware.

Mozilla’s defense of the plugin:

Mozilla justified its decision to include the extension because Mr. Robot promotes user privacy. “The Mr. Robot series centers around the theme of online privacy and security,” the company said in an explanation of the mysterious extension. “One of the 10 guiding principles of Mozilla’s mission is that individuals’ security and privacy on the internet are fundamental and must not be treated as optional. The more people know about what information they are sharing online, the more they can protect their privacy.”

What. The. Actual. Fuck?

This is incredibly wrong on so many levels, all for what I can imagine is a nice paycheck. Mozilla’s cited guiding principle completely contradicts the nature in which this plugin was installed. I can’t fathom how they can be so insanely obtuse. Mozilla, typical bastion of privacy, security, and general do-goodedness, has taken a terribly misguided step here. Asking fans of the show to download the plugin would have been the most sensible way to play this, instead of hiding behind the guise of the alternate reality game itself.

How do companies pull crap like this and think they can get away with it? Internet backlash is swift and damning. I was going to say I’d expect this more from Google than Mozilla, but I don’t think even Google would be so reckless as to try something like this.

Due to the blowback, Mozilla has pledged to move the plugin to its rightful place in the extension store (hey, imagine that). Regardless, they should be embarrassed by this nonsense.

Wednesday, November 22, 2017

Google collects Android users’ locations even when location services are disabled →

Keith Collins for Quartz:

Since the beginning of 2017, Android phones have been collecting the addresses of nearby cellular towers—even when location services are disabled—and sending that data back to Google. The result is that Google, the unit of Alphabet behind Android, has access to data about individuals’ locations and their movements that go far beyond a reasonable consumer expectation of privacy.

Quartz observed the data collection occur and contacted Google, which confirmed the practice.

Explanation by Google:

“In January of this year, we began looking into using Cell ID codes as an additional signal to further improve the speed and performance of message delivery,” the Google spokesperson said in an email. “However, we never incorporated Cell ID into our network sync system, so that data was immediately discarded, and we updated it to no longer request Cell ID.”

Don’t be evil [and get caught]. ™

On a serious note, when location services are disabled, nothing better be using or logging my whereabouts. Furthermore, who is to say the data they collected was really discarded? Caveat emptor.