I think the most fun part with Google is that if some wayward algorithm decides it doesn’t like you, along with nuking your app and developer account it will probably nuke your 20 year old gmail, your kids Google Drive accounts, your wife’s YouTube premium, the Adsense account of some company you worked for in 2008, and disable your Nest cameras.

And you’ll never reach a human to sort it out.

To avoid this, I tried to close my Google Play Developer account. A decade ago I published a free app on it, which was online for half a year.

It was to no avail. They will not close the account.

I received only automated responses about bringing my old app into compliance with current policy, to then transfer it to another developer account.

Only then would Google graciously allow me to close my Developer account.

Meanwhile, private Google services charge me the wrong prices, because I have a Payments profile in another country. It is associated with a Merchant account, which is linked to the Google Play Developer account.

The support concluded that this can also not be closed, and that I should close my Developer account first.

It's hell.

It's not just google. Try removing an unpublished but uploaded iOS app. Wasn't possible for decades and I guess it still isn't. You eventually could hide them. The only way to remove it was to publish it, but that requires app validation, which a failed app is not suited for.

Gotta move to the EU and sue based on right to be forgotten

Suing a company will almost certainly result in them exercising their right to not do business with you and shutting down all your accounts - exactly what OP was trying to avoid

In some EU countries - it could be seen as retaliation if you sue for something and then Google closes your accounts, some EU countries have strong protections here.

More importantly for Google though it's under extra scrutiny under the DSA at the EU wide level - so it doesn't have a clear right to not do business, it has to do terminations correctly with clear reasons set out in terms, there are mandatory notice periods etc.

Which countries have that?

Let us know how that works out for you!

I tried to close my account, and got the response. But they closed it when I failed to verify it.

really? I have to keep making useless updates (just a version number bump) on one of the accounts i manage, because i keep receiving thread emails every 6 months that the developer account sees no activity and if i don't do anything they will remove and close.

that app is a done project and need only to be udpated when the target SDK becomes too old for the play store

Yes, unfortunately that has not been the case for me, my account is still active.

My app has already been removed when they added the Privacy Policy requirement for the Advertising ID, where I did not update the app.

wonder what that app was for

What happens if you "accidentally" become persona non grata with both Google and Apple?

If you want to participate in the society, you will forever have to resort to shady tactics. Shady can be defined something as arbitrary as using GrapheneOS.

A temporary workaround like using alternatives like GrapheneOS for those affected will only delay the inevitable but it doesn't stop it at all.

If you've accidentally become a persona non grata, then obviously because you've not exercised sufficient self-censorship.

This is real already. Recently saw a petition for EU to rein in big tech (there are several initiatives advocating this). Had this nagging voice at the back of my head ... what if signing that gets your Google Account terminated.

I'll leave it open to you whether I signed it.

For developers relying on any type of Google services, you'd be in for lots of pain.

It doesn't even have to be censorship of speech.

If you are wrongly charged a significant amount by either Google or Apple and their service is of no help, what would you do?

Most people would weigh the options, then just eat the cost than anger them with a chargeback and lose their email/phone access. That's self-censorship financially too.

What if Google reinstates their old G+ and YouTube real name policy for its accounts. We would protest but give them the proof grudgingly and it can position itself as one of the core part of online ID verification push currently going on.

I was in that situation a few years ago. I started a hemp related business in 2019 and Ad Sense didn't like my ads and gave me an error message saying I couldn't run my ads because of certain keywords being banned. I forgot about it until a couple of years later when I saw a $300 charge on my credit card bill. Google changed their policy as CBD/hemp had become more mainstream and started running my ads. By this time my business had already failed so I did not want those ads running. I couldn't figure out how to contact a human, so I ended up just paying because I didn't want to risk getting my account closed.

> What if Google reinstates their old G+ and YouTube real name policy for its accounts.

G+ was a failure; people refused to provide real names. Even Facebook's "real name policy" wasn't (and still isn't AFAIK) enforced at all. At one point, I had multiple phantom Google and Facebook accounts. Now I just self-host and eschew social media.

Google had Don’t be evil motto just between 2000 and 2018. Other companies don’t even try to pretend it. You are owned by them.

„Power tends to corrupt, and absolute power corrupts absolutely.“ - Lord Acton, 1887

Like how Tony Chocolonely dropped their 100% slave free claim after finding out just how difficult that is to achieve.

Nowadays they are using the slogan “Crazy about chocolates, serious about people”

[dead]

>Google had Don’t be evil motto just between 2000 and 2018.

this is popping up a lot today for some reason. "don't be evil" is still in the code of conduct, as it always has been. it just isn't in the preface anymore after the restructuring under alphabet.

https://abc.xyz/investor/board-and-governance/google-code-of...

(its not like it stopped them, anyways)

This has been true for many years: <https://news.ycombinator.com/item?id=26876681>

It's a great question to send to the DMA authorities: https://digital-markets-act.ec.europa.eu/contact-dma-team_en

More of us ask this question, the better we are heard. Except if this is exactly what they want, then we need to vote better.

At least we dont have a social credit system... hey wait a minute

It's terrifying, yeah.

To some degree, the closest we have to these situations besides getting flagged with TOS violations (whether real or false-flagged) in these companies are residents of countries that are either trade or economically sanctioned by the USA.

Thankfully we haven't seen something like an account ban and deletion incident for such cases, but the severe ones I can remember usually prohibit access entirely and that'd be scary if it extended to primary services that others rely on for auth.

You will be effectively locked out to services if it's all that's linked and that identity provider just decided you'd be persona non grata.

iOS can be used without an account. iPhones can be acquired outside of Apple. The EU has the alternative App Store option that doesn’t require an Apple account.

But I can't use my Norwegian BankID unless I have an apple store or play store account. This is required for every aspect of society. Heathcare, banking, taxes, driving, using my debit card online.

They removed SMS 2FA options recently, the only non-tech monopoly method is a 2fa codebrick that's getting harder and harder to acquire (there are new ridiculous facial ID and passport scanning requirements, run by a private corporation, in order to get one).

It's garbage and getting worse. And it seems no one cares our entire lives exist at the whim of two US tech monoliths.

We need all countries and the EU govs to mandate companies to provide the same vital access via a Web page that works on the 4 major browsers (not an issue anymore) as via the app. All my banks have it; I need an otp device but thats fine; it works well. I wish EU would mandate that plus an EU made hardware device on which all seeds can be stored and otps generated. That can be the size of an USB stick you can put on your keyring. Add NFC/qr so you don't have to type the otp and there we go.

Most places are going the other way. The UK uses ID verification for company directors that gave me an alternative between driving half an hour each way (plus parking and queueing) or using a mobile app. There is a web version but apparently they do not have the data to let me use it. The EU is pushing an age verification app that will only work on Apple or Google phones.

There is a huge push towards cashless payments that has the same effect, especially as people increasingly use mobile payments.

Yep, it's pretty bad.

That's on your bank and not necessarily because of Apple/Google duopoly. I think it is crazy to put the whole banking system on foreign, private company though

It's not on their bank so much as the entire banking system in Norway and the rest of society tagging along for the ride.

BankID is used for login with every single Norwegian bank and government institution. There are alternatives, but they're invonvenient and sometimes bespoke per service.

The App Store account doesn’t need to be the same as the Apple iCloud account. You can create an account without a credit card associated to it.

That's much worse than I expected. Is it a hard play store requirement or can you install the apk? Are there really no other workarounds?

It truly is. We are a completely digital society and everything is authenticated with BankID. The name is a misnomer, it's not just banking but every single government service (including healthcare).

I might be wrong but as far as I'm aware there's no legitimate APK downloads. And even if you get a hold of it, they use google services to attest the phone is secure, so there's no running it on a google-less OS.

The workaround used to be SMS codes, scratch off cards, and a physical 2FA codebrick. They cancelled SMS and the card, and currently you can't acquire a codebrick until they figure out some new bullshit about ID verification. Even the app is warning us it will quit functioning if we don't submit a passport and biometric face scan to some private company: https://bankid.no/en/help/confirm-identity

It's fucking dire.

What Norway has sounds pretty crazy to me. If I am reading this correctly, Trump can disable the entire Norwegian healthcare system by calling Apple and Google and having them block BankID.

Yes, he can. Along with taxes, car registrations, banking, money transfers, rent payments, etc.

I really hope we figure something out.

I wish he would. Then the authorities would have to fix the problem.

Trump can close down a lot of the British NHS by telling AWS to stop supplying it. Everyone apart from a few countries (China, Russia, Iran, North Korea, etc.) is dependent on the US.

Yes but that’s a blunt instrument, which would risk reaction. However putting an individual on a sanctions list is routine and easy.

And a president could always just call up the CEOs and ask for their least favourite Norwegian to be cancelled without any paperwork.

As happened to ICC judges and prosecutors.

> The EU has the alternative App Store option that doesn’t require an Apple account.

I cannot install any iOS software without being logged into my Apple account, not even an alternative app store.

It would be perfect on my older iDevices, but they don't let me log in anymore “because the OS is too old”. And guess what: I cannot update the OS without being logged in. I never logged out of those iDevices, Apple did that from their end.

I tried to install onside.io through Safari and it doesn’t seem to use my Apple credentials.

Have you tried updating your older iOS devices through a Mac?

You can update the OS using a Mac or PC.

You can't install anything without an Apple account. Just tried installing altstore.io to repeat my previous unsuccessful attempt.

Only users based in Brazil, Japan, or the European Union are able to install apps through alternative app distribution. The country or region of your *Apple Account* must be set to one of those countries or regions, and you must physically be located there. [0]

UPDATE: Also tried to install onside.io. No luck. The same popup:

Cannot Install App: You are not eligible to install apps from "onside.io".

[0] https://support.apple.com/en-us/117767 https://support.apple.com/en-us/118110

Wow, I did not know this and -despite its drawbacks, like not being able to install apps from the Apple App store- this seems like a great way to have a powerful dumb-phone.

Why do you need a powerful dumb phone?

One can read it aloud in sarcastic tone, and it will become clear then.

[deleted]

Over the long term, we definitely need something like Linux phones. I find it bizzarre by how little companies support this mission of Linux phones.

It's not Linux phones that we need. We already have alternatives, like graphene and other AOSP forks.

We need corporations and governments to stop locking down and gatekeeping vital software to closed ecosystems.

A Linux phone doesn't help me when my government's 2FA system (BankID) only runs on Android and IOS phones and can only be acquired with an app store account.

> We need corporations and governments to stop locking down and gatekeeping vital software to closed ecosystems.

If you can't get the government to do this for you in Norway the US has very little hope currently.

We need some standard of minimal digital accessibility. Too much of our lives mediated by digital interactions with capricious systems.

The irony is none of this is a problem in the US. We still have a ton of banks that you can use without a smartphone. Even my bank's app works fine on a rooted Android or GrapheneOS.

Europeans are doing this to themselves.

I just recently, in the US, got bounced through a bank authentication system (Wells Fargo's) when trying to order something from Amazon that required me to use their mobile app. I don't use an Android or iOS phone; as best I can tell there is no way to successfully complete that authentication. I even have a hardware TOTP token from the bank now, but even that they won't accept.

Now, my card info did in fact get compromised recently, and that's probably why I ended up needing that stronger auth flow. But the fact that I literally can't complete that stronger bank authentication without Google or Apple is... yeah. No.

I have since signed up for a different credit card that I plan to use from here on out.

> Europeans are doing this to themselves.

I mean, tbf the situation was fine until the US transitioned to an autocracy, and the companies went full surveillance state evil, completely supporting the autocracy. Which is a relatively recent development.

But sure.

Most places here are working as fast as possible to decouple from any reliance on the US, and I would expect Norway to switch to the new EU digital ID system currently in development.

> US transitioned to an autocracy

this is too funny coming from a continent constantly at war with itself

Cope all you want, the broad spectrum opinion by most experts and independent research groups holds it to be true.

https://en.wikipedia.org/wiki/Democratic_backsliding_in_the_...

As a natively Russian speaking Jew born in Crimea I really don't need any lectures on democracy from someone who ran away to Europe at the height of it's American enforced century of stability. My childhood was listening to stories from my great grandmother (born in Moldova) losing her entire childhood and several family members to European savagery. European so called Democracy isn't even one lifetime old. It's hilarious that you think Europeans have any moral high ground here whatsoever. It took the US to save Ukraine from the Russians and while the entire EU was waffling and talking about "escalation" we were actually doing something about it.

which as of now seems to depend on google/apple services being in control of your device and thus gets us half a tiny step closer to freedom at most..

Competing to be best in class at US loyalty, more like it.

You say that as if Norway is somehow super civilized and enlightened when it comes to these things, that's not the case. Norway is best in class when it comes to compliance.

The new base agreement with the US, for instance, for practical purposes declares several areas in Norway to be US territory. It's rampantly against the Norwegian constitution of course, but that doesn't matter because the parliament seems to have agreed to just unanimously consent and not talk about it further.

Sea bed mining was a farce. Everyone said it was a terrible idea, including Equinor itself. Approved anyway. My assumption is that someone from US/NATO whispered "strategic minerals" into some party leader ears, and they suddenly decided to fast-track it without further discussion.

It would surprise me a lot if there weren't similar fast-tracked, no discussion, "it has been decided" deals about digital sovereignty. Norwegian politicians may not like the guy currently in charge over the Atlantic, but they view him as a temporary aberration and an occasion to prove their loyalty (to the crown, rather than the guy currently wearing it).

Speaking from experience, it's not only ID systems but if you run non-Android (some AOSP) they might still require you to install an App only available with Play Services or on iOS to do business with government agencies or even apply for funds in some European states. In other words if you are using GrapheneOS, from gov. agencies point of view you might as well be a criminal. Actually given how frequent ID-theft is nowadays, it's actually easier for criminals to launder their money than privacy preserving individuals or companies to pay taxes in EEA.

I'm not familiar with that system. Here in the US I can go to the bank and do anything I need personally with an ID. Is that not doable where you are?

My bank doesn't have any physical locations. Those that do have worse rates, and I've had bad experiences with several of them anyway.

One of the most popular banks in Brazil doesn't have physical branches. It doesn't even have a functional website. App only.

[deleted]

[flagged]

GrapheneOS does not run anything through google services. Nowhere in the "terms" is this stated. GrapheneOS uses first party servers for all default OS connections.

[flagged]

You seem to be greatly misunderstanding what is actually happening.

You are conflating default OS domains with google play services. Google play services is not bundled or installed by default, and is not given any kind of privileged access when it is installed. It does not handle OS domains or functionality, and GrapheneOS does not proxy its connections in any way.

As for the default domains of the OS, most are to GrapheneOS servers, not proxies. The only default OS connection that is proxied to google is remote key provisioning.

As for non-default connections, the only google proxies are widevine, for apps that use widevine, and SUPL, for location locking. SUPL can be disabled, and GOS is considering removing SUPL if network location is effective enough, or if they can host their own SUPL server viably.

https://grapheneos.org/faq#default-connections https://grapheneos.org/faq#other-connections

These connections do NOT contain identifiable information. That is false.

Note RCS chats are also not proxied.

[flagged]

> every app installed is known to the proxy since each app has a unqiue key

GrapheneOSs proxies do not collect and send any "unique keys" from apps. That is made up.

> They mention no proxy of RCS data, but in theory, an RCS message requires location data. So, the proxy knows when a message is sent and received, at a minimum.

They dont mention a proxy of RCS data because there isnt one. RCS messages do not require location data. None of the GrapheneOS proxies are related to RCS and the proxies do not know if an RCS message is received or sent.

> So, based purely on the FAQ, if you use the sandboxed services and enable RCS, Graphene knows every app you install and has your location data, but they erase it after a couple of weeks.

You did not read the FAQ at all.

> There is some vagueness regarding the RCS implementation message content. People claim Google can't read it, yet they specify they can read it in the client terms, and offer a managed RCS archiving service that works regardless of messaging client or supposed encryption. Is the RCS query proxied? Graphene does not mention it, but the simultaneous location data to use it is.

RCS is end to end encrypted on Google messages. The RCS spec also includes end to end encryption. There is no RCS proxy and RCS is handled by google messages. No other client for it exists at this time. The location data provided by SUPL is not given to apps, it is used for OS location that can be reported to apps. An app must have the location permission to have location data provided by the OS.

[deleted]

> every app installed is known to the proxy since each app has a unqiue key

No such proxy exists in GrapheneOS. GrapheneOS does not intercept or proxy connections made by Google apps or other apps.

GrapheneOS doesn't include Google Mobile Services. Sandboxed Google Play is not part of GrapheneOS. Users can choose to install Google Play services, Google Play Store and other Google apps on GrapheneOS. Unlike a standard GMS Android device, those are installed as regular sandboxed apps with no special access. The feature provided by GrapheneOS is a compatibility layer coercing those to run as regular sandboxed apps if installed by users. It doesn't involve intercepting or proxying any connections.

> location data is proxied

Location request rerouting is an entirely local feature of the sandboxed Google Play compatibility layer. By default, it replaces the Google Play location library used by many apps with another implementation using the local OS location service instead of the local Google Play location service. This isn't intercepting or proxying connections.

Google Play has an optional network-based location service that's opt-out for a GMS Android OS although it's opt-in for sandboxed Google Play and people would also need to grant the required permissions to Play services which aren't normally needed.

GrapheneOS has an opt-in network-based location using Apple's service either directly or via a proxy. We'll also eventually have our own service with offline database download support as another option. We have to build our own database to use for this first.

You're misunderstand what location request rerouting means. It reroutes apps which normally request location from Play services to ask the regular Android location API for it instead. This doesn't involve servers other than optional network-based location for apps which support using the network or fused providers. Network-based location is opt-in for GrapheneOS.

> They mention no proxy of RCS data, but in theory, an RCS message requires location data. So, the proxy knows when a message is sent and received, at a minimum.

GrapheneOS doesn't proxy things in the way you claim in the first place. It doesn't proxy any connections involving carriers and doesn't proxy any connections made by Google apps. It doesn't come with Google apps and those would need to be installed by users.

> So, based purely on the FAQ, if you use the sandboxed services and enable RCS, Graphene knows every app you install and has your location data, but they erase it after a couple of weeks.

This is all completely untrue. GrapheneOS doesn't include with sandboxed Google Play. Sandboxed Google Play compatibility doesn't make any connections to GrapheneOS servers. It doesn't proxy anything through our servers. RCS via Google Messages doesn't involve our servers either.

You're misunderstanding our approach to all of these things. Location request rerouting means replacing the local Play services location API for apps using it with the OS location API. That means asking the OS for location rather than Play services. That isn't a connection to a server. It means that by default, apps using the Play services location SDK will work without Play services needing to be granted Location access based on the OS satellite-based location. If users enable network-based location for the OS location service then it will work for apps normally using the Google Play network or fused location providers. It's an entirely local compatibility layer as with the whole rest of it. Sandboxed Google Play compatibility layer has 0 connections to our servers and there's no reason it would need to connect to our servers.

[deleted]

> Graphene proxies all the Google services connection. They take over the connections that would go to Google. They then, supposedly, only forward the ones you wish.

GrapheneOS doesn't include Google Play services. Unlike LineageOS, GrapheneOS replaces all of the standard Android Open Source Project (AOSP) connections with our own servers. Also unlike LineageOS, GrapheneOS adds toggles for these connections providing a way to disable the ones which didn't already have a way to do it. See https://eylenburg.github.io/android_comparison.htm for a comparison across AOSP-based operating systems covering what's done with most of the standard AOSP connections. It doesn't cover everything such as the Certificate Transparency (CT) log list downloads added in Android 16 which are now used by default for enforcing CT for apps targeting Android 17.

> Graphene proxies what would go to Google on regular Android.

GrapheneOS doesn't include Google Play services. It has a compatibility layer enabling running Google Mobile Services apps including Google Play services and Google Play Store as regular sandboxed apps, but it doesn't come with those. Users can choose to install those in specific profiles.

> I am getting downvotes on this, but that is how their Google Play sandbox works. It is proxied on their server, not your phone. > > A non-Google copy of your Google pointed traffic is made. That is a fact. It is identifiable to you or they could not individually forward this or that. That is a fact.

GrapheneOS doesn't include sandboxed Google Play. It does not come with it. It's possible to install those apps on GrapheneOS and it provides a compatibility layer to make it work. The compatibility layer doesn't involve proxying anything to our servers.

> Extricating from Google is the answer. Not relating your RCS chats et al through a third party then to Google then to that third party and back to you.

No such thing exists in GrapheneOS. It doesn't include any Google apps and doesn't proxy any of the connections made by Google apps elsewhere if people install them.

GrapheneOS has low-level support for RCS but doesn't have an RCS app yet since the only one for Android which exists in practice anymore is Google Messages and Google apps aren't included in GrapheneOS. Google Messages can be installed by users on GrapheneOS and set as the SMS/MMS/RCS app instead of using our fork of AOSP Messaging but that's definitely not a default. We'll have our own RCS implementation in the future in our fork of AOSP MEssaging.

> They wrote an article on it a while back.

No, and it's definitely not how sandboxed Google Play works for people who choose to install it.

It sounds like you're misunderstanding what our sandboxed Google Play compatibility layer handles location requests made to Play services. For users who install sandboxed Google Play on GrapheneOS, our compatibility layer redirects apps requesting location from Play services to request it from the OS instead. This doesn't involve making any connections, it happens locally on the default. By default, only GNSS (satellite-based location) with A-GNSS (SUPL and PSDS) is used. GNSS is a receive-only system. We add toggles for configuring SUPL and PSDS with choices between GrapheneOS, Google or Off. PSDS are static database downloads covering the whole world so that's just another form of update download. We also add a toggle for opting into our network-based location implementation which uses Apple's service either directly or via a proxy. You seem to be confusing our location request redirection with intercepting connections and running those through our services which isn't what it involves at all. Our location request redirection avoids needing to grant Location access to Play services by making it use the standard Android OS location service instead as many apps already do. There's a toggle for this in case someone actually wants to use Google's location service with their network-based location instead of Apple such as if the Apple data for their area is awful.

> Graphene with Google Services is like calling up an Intel Agency and signing up to use them as your VPN.

GrapheneOS doesn't include Google Mobile Services, and our sandboxed Google Play compatibility layer doesn't work that way at all.

> Without Google Services, it is a way to degoogle a phone with an SD card slot and 3.5mm phone jack if Motorola continues on track, but I would prefer regular Lineage support than Graphene for that purpose in case the middle man aspect expands to non-Google Services apps later.

There's no such man-in-the-middle system in GrapheneOS as you claim. LineageOS does not replace the Google servers for all of the standard AOSP services as we do and doesn't provide similar settings to control all of those. GrapheneOS does not intercept/redirect Google services used by Google apps as you claim. It doesn't come with Google apps as you're describing either.

> I want straight no-google android with the chipset drivers so that calls and sms/mms messages work without Google getting a copy of every message sent and received, and I want it on phones with sd card slots and 3.5mm headphone ports.

GrapheneOS only includes support for using SMS/MMS via the carrier. There's no involvement from Google unless Google is your carrier or your carrier is using GCP to host their servers or something similar. Using Google's RCS services would require that you go out of the way to install Google Messages after first going out of the way to install sandboxed Google Play followed by setting Google Messages as your carrier-based messaging app and granting the required permissions to use RCS (Phone permission for Google Messages and Play services along with the ICC authentication toggle in the sandboxed Google Play settings).

You're talking about it as if us supporting installing these apps as regular sandboxed apps somehow makes that the default approach. That's not how any of this is supported at all. You have to go out of your way to install sandboxed Google Play or especially Google Messages. Those don't come with GrapheneOS.

GrapheneOS does not include Google Mobile Services or Google Messages. It does not intercept or proxy connections made by Google apps installed by users. None of that is part of how it works.

[deleted]

> Read their terms.

There are no such terms. In a comment further in this thread, you linked to inaccurate posts from an anonymous user on the Privacy Guides forum as your sources.

> They still run everything through Google services.

No, this is completely untrue. GrapheneOS doesn't have any mandatory connections in the first place.

> They are essentially a man in the middle to Google services.

No, GrapheneOS is a privacy and security hardened mobile OS. It isn't a proxy service and doesn't have any mandatory services. It does not come with Google Play services.

> I read their terms to mean that they could snarf everything that every graphene device would normally send to Google because they are "anonymizing it" before sending it to Google.

There are no such terms despite what's claimed in the incorrect anonymous posts you read.

> What we need is Android like Lineage that works on more devices than Pixels and simply have it without Google services at all.

GrapheneOS doesn't add a single Google service compared to the Android Open Source Project (AOSP). It replaces all of the standard AOSP default connections with our own servers by default. It also adds settings to control each of the connections. These settings mostly have a choice between GrapheneOS server, Standard (Google) server or Off.

LineageOS doesn't provide replacements for the Google services pr toggles for user control. This is covered in the third party comparison at https://eylenburg.github.io/android_comparison.htm which provides an overview of what's done with most of the default AOSP connections. The table doesn't cover all the standard connections, but GrapheneOS does deal with all of them by replacing the standard servers and provides settings to control the connections.

We add opt-in services for geocoding and network-based location as an alternative to the Google service. We host geocoding ourselves with Nominatim using the standard OpenStreetMap, Wikipedia and other supplementary data. Our network-based location service has a choice between Apple or our proxy to Apple but we plan to build our own database to host it directly.

SUPL which is a limited form of network-based location has a choice between our proxy to Google, Google or Off. SUPL can be fully replaced by enabling network-based location and leaving the default enabled static global PSDS database downloads enabled. We'll be hosting our own SUPL server using our network-based location database once the much easier to build subset of the database for cellular towers is ready for use.

Google certified devices use Google's hardware key attestation root and service so supporting that inherently has to use either a proxy (our default) or their server including for a non-Android-based OS running on the same hardware which wants hardware attestation support to be functional. That's tied to the hardware ecosystem based on certification, not software. Non-Google-certified devices will use a different service for attestation key provisioning, either hosted by GrapheneOS or a proxy to the service by the hardware provider or certification authority.

You read the terms wrong

[deleted]

I don’t want to be too pedantic but Android uses the Linux kernel. Degoogled Android is basically what you want.

no, because screw all that java crap, they optimized for control and developer quantity, not for ux, customizability, performance...

Why do you need a Linux phone (as if Android is not a Linux phone), when there is also AOSP. If Google closes it up, it can be forked, but I don't see any fundamental benefit of throwing away decades of development done on AOSP.

GrapheneOS is not shady at all, since when is wanting to use an actually secure OS that doesn't sell your data to palantir or some other ACTUALLY shady shit like that shady?

That was their point.

"If you had learned to wash lettuce, you wouldn't have had to pay court to Dionysius" - Diogenes.

> What happens if you "accidentally" become persona non grata with both Google and Apple?

https://www.theguardian.com/law/2026/feb/18/international-cr...

The US made a Canadian judge a persona non grata for any firm domiciled in the US. All because she works for the ICC, and the ICC declared Netanyahu a war criminal (which is indisputible). Why is the US destroying worldwide trust in US businesses on behalf of a reviled nuclear armed hermit nation on the other side of the planet? Good question, but it is what it is.

This example that the US will spuriously use sanctions like this is why many nations are investigating ways to purge American financial systems and tech.

That judge may be an outlier today, but we all know tomorrow they could sweep through all accounts and ban everyone that spoke against the regime. We have arrived.

You are right - now greedy corporations decide who is an "acceptable" human and who is perma-banned.

Governments need to wake up to this insane level of Evil. And other governments also need the US government responsible here, since they allow this to happen.

In objective terms this can be called a fascist system.

> A temporary workaround like using alternatives like GrapheneOS

The issue still is that so many services and functionalities are tied into private companies. States simply need to wake up now.

> Governments need to wake up to this insane level of Evil.

I’m not even being cynical — it would probably just increase the amount of government contract cash awarded to them. Control makes governing a lot easier, control is what tech companies have, and to varying degrees, it’s for sale.

> Governments need to wake up to this insane level of Evil

Governments are made up of people. People who have at best median level understanding of the things they are ruling about but great self-interest in following the biggest purse to which they can attach themselves.

As proven by history, it's convenient to have a big well-known external entity to blame as a source of any trouble, but in reality it's orders of magnitude easier to be a digital dissident in the US compared to the EU. And European Commission + European national governments are exactly the ones you should blame first. They are openly proud of how it works, they call it successful digitalization for a positive spin.

As an extra anecdote: one of the things Cory Doctorow has been bringing up as a counterweight to US tech hegemony has been repealing anticircumvention laws that the US insisted upon as a condition of tariff-free market access that has now been rescinded. This is a good idea, but at the same time, the EC is never going to do it. We're already seeing with Stop Killing Games how even tangentially related consumer protection issues can and will be shot down with an insistence that IP is sacred and untouchable.

The reason for this is really simple: every pirate wants to be an admiral, and every client state wants to be an empire. We as tech consumers hear "sovereign cloud" and think "cutting out undue influence that US tech companies have in the EU". The EC hears "building our own tech monopolies to lock in other countries into our stack". Using SKG as an example again, the whole reason why SKG started was because of a French company, Ubisoft, killing one of their games. Why would the EC ever overrule their own industrial interests?

The EC was specifically and expressly built to be an antidemocratic bulwark against popular sovereignty. The entire concept of dividing people up by nation-states is already an antidemocratic exercise - e.g. France has 69,000,000 residents and Malta has 520,000, but both get one seat at the EC. And because the EC is made up of nation-state appointees and not elected representatives, they have all the incentive in the world to stab their own people in the back. The EC is the designated villain that the """liberal""" side of Europe's government uses to shut down democratic control (and, sometimes, even liberalism itself).

Some have pointed out that this is deliberate (and, supposedly, therefore good): that Malta would never have joined the EU if they didn't have veto powers over whatever France wanted to do. My counterargument is that veto powers are the last resort of the rich and powerful. You can either have strong protections[0] on national identity, or you can have democracy, but not both.

[0] To be clear, the way we deal with democracy being a tyranny of the majority is with liberalism: we explicitly declare certain things to be "human rights" and thus more or less off limits to the democratic process. This list is generally fixed (or at least, difficult to change) and thus less ripe for abuse than, say, having an entire wing of the government dedicated solely to overruling the people that is active all the time.

One of my best friend has a Jolla phone.

He never had WhatsApp. He refuses to use google. Only till recently he started using signal. He has been using an old Nokia phone till he was forced to upgrade by his operator. He is European and here in Europe WhatsApp dominates. Despite all that and having a very social life, driven by work, he manages.

I recently ordered a Jolla phone. I don’t want to know about android. I might tolerate iOS. But shelling thousands of $ for a phone that is controlled by an external company…

I am looking out for messaging alternatives. I am at a point where I think linking your identity to a phone number is not right either.

Let’s say we should all wake the fuck up. This is not right. Having a phone with such spyware is a potential attack vector I don’t want to have on the most important device I own.

It's all good until your European bank starts requiring unrooted Android and iOS for their mobile banking app, then tries to force you to use that app instead of letting you sort things out at their building. Then the government starts requiring you use unrooted Android or iOS to sign into their website for administrative tasks, and so on.

The endgame is that I will keep a phone in a drawer next to a 20 yo hardware token I still use to access a bank. When on the move, we will see.

Then I'd switch bank. A lot of banks work with SFOS [1]. Given the way the US is acting, we are trying to lower our dependence on American services, and I very much doubt all banks will walk the US bandwagon. There's a serious market for something else.

[1] https://forum.sailfishos.org/t/banking-apps-on-sailfish-os/1...

If that ever happens (what am I saying we all know it’s happening). Then just a phone in the drawer I use it just for such administrative tasks.

Right, until you have to use a mobile app to pay for parking or validate your bus/train ticket and so on. Yeah, "I can use my physical card", for now. Long-term we need a better solution than keeping an extra up-to-date phone.

Not sure Jolla deserves to be trusted, you'd be much better off with GrapheneOS. In any case, try out SimpleX for a messenger. You can also take a look at https://xn--gckvb8fzb.com/an-overview-of-privacy-focused-dec...

Thanks for SimpleX it looks like a great solution for a longstanding problem.

Why would you not trust Jolla? It was born from Nokia employees. GrapheneOS is a great alternative. Still Android though.

The blast radius is far worse than any "malware" Google could protect you from.

TFA is playing it up, but it is arguable that this is a real virus, except the shady hackers are Google.

I don't think 'virus' is the right term, since it should self-replicate. 'Malware' or 'spyware' are probably better terms.

Malware on Android causes more harm, both to individuals and collectively to all Android users, than Google locking people out of their accounts. These aren't even in the same order of magnitude. There are countless examples of people who have lost their life savings, all their data, etc. Losing access to your Google account sucks too, and I don't necessarily agree with what Google is doing here, but you're completely off base here.

If it makes my phone, that I paid for, do things I dont want it to do then it's malware.Especially because those things make the device less useful to me.

Google thinks they own my phone. They do not. I do not consent to this change, and will be voting against it by using the only remaining option: Moving completely out of their ecosystem.

They really left me no other choice when they decided that they didn't need the owners consent.

The comparison is not Google app store security vs nothing.

It's app store security vs app store security with verified developer IDs

The fact that the android fraud is not endemic means that the later is not worth the increased risk of losing your Google account.

Was this comment made by an LLM? i dont know anyone who drops "blast radius" in casual conversation besides claude.

People in security space use it all the time.

for CVE's, maybe.

> And you’ll never reach a human to sort it out.

Unless you blog about it angrily enough that you somehow make it to the HN front page and some insider sees it and solves the problem for you.

Getting my own domain and setting up email on it is one of the best things I've ever done.

About to go down that route as well, just need to find a email provider with ideally servers in the EU

Infomaniak (swiss) has a decent deal of a couple of free mailboxes with any domain you own through them. The webmail client kinda sucks but I just sync it with native clients. Using username:password for SMTP feels pretty weak tho they don't have Oauth2 support. lol now I'm talking myself out of it but it's worked great for years.

Fastmail has been working well for me.

Run your own server. Very easy with something like Mailinabox. You might need to find a relay for outgoing mail.

I am on protonmail+ my own domain. Works alright

I'm really looking forward to Thundermail.

All service providers above some scale should be obliged to create a transparent processes or be taken for external jusges.

Even better: all providers of services with more than 100K users or 10% of country internet users should be forced to provide API to export / import data in open format.

Maybe service providers above some scale just shouldn't exist, period?

It would be a lot harder to erect walled gardens if you're only serving a small subset of users - they would balk and leave at any attempt to prevent them from interacting with others outside of the ecosystem, and it would be a lot easier to do so.

That happened to me, lost 16 years old gmail account, which is my main account for my digital life. It happened after I disabled some tracking, and Google was no longer able to recognize me, even though I had my phone number registered, it was not enough.

Same. Lost my 2004 Gmail because they silently enabled 2FA and the phone number on the account is a long lost one. I have the username/password and the recovery email is set to me. The account also forwards all emails to me, so I still get the mail, but I can't log into the account.

Not yet found someone to do a SIM swap for me and get the 2FA code...

I suspect this will happen to me soon, though all I do with it is occasionally sign in just to keep it registered. It now refuses to log me in unless I am on a specific IP address, no matter how many MFA steps it requests and I pass.

This almost happened to me 4-5 years ago. I don’t recall every detail but right around the time I was deep into a new job interview process, Google Pay decided it needed to verify my identity. It may have been triggered by one of my cards expiring but I don’t think I had ever used the service to actually pay for anything at that point and just had a card saved. Anyhow, I was almost immediately locked out of my primary email account as well and got delayed in sending documents to the potential employer and had to explain that I got locked out of gmail. Unfortunately, I didn’t learn my lesson and still use that gmail account as my primary email but I did at least open alternative accounts on other cloud providers.

I tried recently to create dev. account. I have not yet been successful. It is a painstaking process.

I had to submit my ID, my phone number, email.

Then to verify I had to give my address. They rejected my ID twice, so I had to submit driving licence.

I am several weeks in, and could not even produce a single app.

Their algorithm already rejected me, for no obvious reason.

This has been known for quite a while; when I published an Android app ~10 years ago I saw lots of people advising you to create a separate Google account to publish apps under, because a robot can just terminate your entire online identity for the crime of trying to contribute to Google's app ecosystem.

I left behind Android and as many Google services as I could in 2020 and so far I've only been more vindicated with that decision over time.

[deleted]

I've seen multiple stories of people buying phones from Fi, the phones never arriving, google refusing a refund, and on a chargeback, their entire google account gets shut down.

Holy crap that is scummy.

I still use 2 Google services, of which neither would crumble me if lost (YouTube, and my old email which now acts as my spam inbox). I have lost accesses before, when I was still partially dependent, and had to give up my privacy to get access again, long enough to get off. It sucks but I do consider myself lucky that I was able to prevent the life crushing consequences that some people have had. Such a terrible company.

Have a friend lawyer that will send them a proper letter. They will take you seriously that way. And if you live in EU, use GPT... Actually, use Gemini (!) to craft another great response invoking a number of articles etc that they are in violation of.

Leadership at Google should face prison time for this sort of practice. We wouldn't accept it in the physical space, so why do we accept it cyber space?

This is why I don't mess with any of Google's AI offerings right now. Losing access to my Gmail (technically a google apps for our domain) account would be devastating. I think the risk that some google ai decides I'm abusing their ai and bans me is too high.

We experienced this with Anthropic, not the same blast radius obviously, but out of nowhere account was terminated. No support available. It was via someone’s 30+ year old classmate via LinkedIn the account got reinstated.

As a counterpoint to the right to the repair there should be a right to recover.

There was a more direct case where someone’s child had been interacting with Gemini inappropriately resulting in Google nuking the entire families Google accounts.

I still remember how uploading photos of man's own child created the catastrophic chain of events.

Kicker? The photos were requested by a doctor.

Ref: https://www.koffellaw.com/blog/google-ai-technology-flags-da...

Google has been nuking accounts since their inception.

I have seen people being locked out as early as 2011 of accounts that could only be unlocked by sending a copy of an ID. Due to regulatory change of saving of information based on age (first 13 and above was ok, then became 16 and above).

> Google has been nuking accounts since their inception

Google has been dealing with accounts opened for fraud, spam and other evil bots since their inception. They should be nuking those. What's needed is some way of reverifying an account that was closed incorrectly, maybe some kind of independent ombudsman service or something to get the account back.

It was a fake story on reddit.

You noticed the sibling comment?

With the original story published by nytimes?

https://www.nytimes.com/2022/08/21/technology/google-surveil...

edit: ok, seems a different story, but better gets the point across

Si non e' vero, e' ben trovato.

That’s quite insane, especially considering how Google is pushing Gemini into every single product.

[deleted]

The vulnerability of your Google identity is terrifying.

I would strongly advise using your personal account to access the developer-side of the Play Store.

No, these services shouldn’t all be bundled under a single account…

Missing: [not]

Indeed. I should get more sleep. Thank you!

That sounds liberating

You go self-hosted and try to stick to real small alternatives, subset of technical standards, etc.

I am not a US citizen, but a EU one (well, since we have seriously rogue and toxic EU states, I dunno how long it will last).

And guess what, the handling of the issue of technical interop for administration online services is done... at the top of the top of the political power: in my EU country, only the president and prime minister do define it. Yep, you read well, it is THAT MUCH important: parliament, no power over it, 'technical authorities' have actually no real power over anything, etc. It requires the same level of power than deciding to make more nukes.

Basically, in 2015/2016 our president/prime minister at that time literaly gave all the administration (and dependencies) online services to big tech (a technical document which is basically 'law' with a content 'opening the gate' for big tech). Well, I say 'they gave it', but they could have 'sold it'... we have a department in our DOJ to monitor past politicians who could have set up some public money channels in order to benefit from it, often indirectly, afterwards. The following president and prime ministers did change nothing... how deep the rabbit hole goes? Brain washing via hardcore lobbying? Corruption?

IRL, you had country administration related web sites, working more that fine with "any browsers", small and big, citizen made, small company made, now it is over, they were all broken for web apps which do work only with whatwg cartel web engines with their abomination of "computer language" requiring an even worse SDK. Same with file formats.

There is light though, if this document of technical 'law' is properly modified, the whole administration and dependencies have 3 years to restore simple web sites and support minimal and subset of file formats.

it's a nightmare.

Yep! One way, or another, we gotta' get people out of the system.

[dead]