As we said a little earlier, using a LineageOS phone instead of a stock Android phone
means you are not subjected to Wi-Fi scanning, telemetry-based spying, device fingerprinting,
browser fingerprinting, biometric data spying and in-app build spying through Google Services. We
will talk briefly about some of those issues in the following material.
-
WiFi triangulation and WiFi scanning
Your device is scanning for networks continuously. Google records the routers around you
(yours and your neighbors') and their MAC addresses, and updates its map all the time.
Together with the strength of their signal (and the GPS position given by the phone's sensor)
it can triangulate your location to less than half a meter error margin. This is done
all day, so every mobile phone user is located continuously with great accuracy. This is
more accurate than any other location method and the process cannot be stopped on a Google
(or Apple) phone. This happens regardless of the location permission that you might grant
or not (which applies only to third-party apps - Google exempts itself no matter what you choose).
So Google knows every Android device's position all the time with great accuracy.
The network scanning data and Wi-Fi triangulation data on LineageOS devices are not transmitted
to Google or other external players.
-
Location tracking
Location tracking is one of the most complex and difficult things to prevent because most applications
are desperate to access it, and they do it most of the time without the user's knowledge. Most of
the photos taken with a Google smartphone carry location metadata. Every website visited on a
Google device can reveal your location and report it to base. Facebook apps track your location
irrespective of your privacy settings. Many other apps (especially weather apps, but many others,
including camera or even flashlight apps) send your location to Google. The info is aggregated
and analysed, therefore it can reveal more than just your pure location. Things like groups, contacts,
shopping patterns, working patterns, visits to the doctor, banks, courts of law, and so on are actively
used for detailed profiling. What's more, almost all this data can be available to third parties if
they pay, so not only governments but also insurers, employers, lenders and others can have access to it.
Location tracking data on LineageOS devices is not transmitted to Google or other external players.
-
Google telemetry
Google Services are the secret link to the Google empire. To understand this better, you have
to understand Google's infrastructure. All apps in the Play Store have to conform to the Google-imposed
standards. They have to be written in Java and packed in a particular way. Most of the time even the
developer cannot understand how the Google libraries function; they only make the app work with
the API provided. So a lot of the activity of many apps actually involves using Google functionality, like
databases, notification infrastructure, payment infrastructure, specific telemetry, location, user data
infrastructure and so on. Google updates its data all the time using not only its own resources, but also the
resources of the third-party apps running on your phone.
Some important sensors on Android devices are: GPS, accelerometer, magnetometer, gyroscope
and IMU (inertial measurement unit).
The phone sensors on LineageOS devices are not used to transmit data to Google or other external
players unless you install apps with such capabilities without checking. Even then, this data will not
be associated with your Google ID.
-
Biometric recognition:
Facial Recognition and Fingerprint Recognition
The tech has overtaken us. It is no longer necessary to have a chip since our face and fingerprints
are fixed biometrics that we cannot escape from. We have a reprieve in 2020 with facial recognition
because many of us have to wear masks. But can we keep hiding our face? Should we keep hiding our face?
Facial recognition data is collected in new ways today. This has expanded in ways that most people don't
even realize. Covering up with masks, hats, hoods or sunglasses does not help, since the new trend is to
use infrared technology. The heat distribution in our body is truly unique, based not only on the shape of
the area in question but also on blood circulation. It is no secret that the biometric sensors on your
phone collect and report this kind of data to Google.
Biometric recognition data on LineageOS devices is not transmitted to Google or other external players.
-
Firmware spying
There are parts of your phone constantly collecting data and leaking that data to base. You cannot stop
this on a stock phone. This is being used by powerful players like Google, Amazon and Facebook to track who
we are connected to and what places we frequent. In addition, there are some back-doors that allow third parties
(state players included) to listen to and record conversations, capture text messages, emails and other means
of communication and even turn on the phone remotely to allow recordings.
Firmware spying can also occur on LineageOS devices. The binary blobs in the firmware are
largely at the discretion of the manufacturer. This issue is highly uncontrollable and hard to impossible to audit.
Circumspection is advisable especially with the Chinese manufacturers!!
-
Device fingerprinting
The fingerprint of a given device uniquely identifies the device. It comprises any piece of data
that identifies the phone among all other phones in existence. It includes the IMEI, IMSI, hardware
specifics, MAC addresses (Wi-Fi and Bluetooth), notification tokens, user ID (Google ID / Apple ID),
IP address, apps installed, router MAC address (when connected to a Wi-Fi network), saved debit/credit cards,
Device User Identifier of the Browser and some others. Notice that an app does not have to acquire
all of them. They can be correlated with past activity, other apps' data or Google databases.
Moreover, a Google ID / Apple ID has a one-to-one match to a real identity. This ID is also associated
with financial identity.
Some explanations of those terms are detailed below:
- IMEI: unique serial number of the phone. In some countries it is illegal to tamper with it.
It is accessible by many apps on Android and iOS devices.
- IMSI: unique serial number of the SIM card.
- MAC Address: this is unique to any phone and is also accessible by many Google and iOS apps.
There are separate Wi-Fi and Bluetooth MAC addresses.
- Notification token: Available to all apps that send and receive notifications. There is a
lot of telemetry associated with it.
- IP Address: Very important identifier when on a home network. The same applies to the MAC address of the router.
- Router MAC Address: Very important identifier when on a home network. The same applies to the IP address.
- Device User Identifier of the Browser: This is also a major part of browser fingerprinting.
Device fingerprinting is used to identify the user. Needless to say, this is done most of
the time without the user's permission.
Device fingerprinting data on LineageOS devices is not transmitted to Google or other external players.
-
Browser fingerprinting
Browser fingerprinting is one of the most accurate ways to track a particular device on the internet.
When matched with other data like email, IP address, location, device model, CPU model, screen size, browser
window size, browser position, graphics card, battery level, browser version, browser extensions, operating
system, time zone, cookies, visited addresses and others, the effect is major. It is no surprise that
a given user can be picked out from the crowd by Google based on browser fingerprinting data alone.
For example, if an ad tracker identifies a visit to, let's say, YouTube, then Amazon, then some other random site,
it can be determined that it was the same device and then the events can be easily correlated. The ad tracker
will give a user an ID at first encounter, then it will use the same ID at subsequent encounters and the
available data will be collected and processed. With Google, this is possible because the same ad tracker
will be present on multiple websites. This way, Google ads will track you all over the internet. These trackers
collect information beyond the scope of serving ads only, as they are often presented by Google,
but not exclusively. They also collect location, for example. And because it can be matched to your phone,
it will be easy to observe all the places you've been. This is sold to data mining companies. The browser
fingerprint can now be matched to an IP and an email address used to log in to a website. You as the user
are now associated with this fingerprint and data will be accumulated about you. There is no easy escape
from this point. Even if you change the browser, you will use the same data for login and you will visit
roughly the same websites, so your identity will be easily recognizable.
One of the scariest propagators of browser fingerprinting is Facebook. Because the Facebook Like
button is in essence an ad tracker, every website with a Like button has active spyware. So
after browsing the internet, the moment you log in to Facebook you are unmistakably identified and
all data associated with you like friends, contacts, and so on becomes a big database. This extreme
tracking is unmatched even by the big governmental players. They are not concerned though, they can always
buy your data (and they will someday) without being accused of direct mass surveillance or other wrongdoing.
This is one of the reasons Facebook is one of the biggest violators of internet privacy. If you use Facebook
and the associated apps, all your internet activity will be attached to your real identity. As long as you
stick with the Facebook account, nothing will prevent the theft of your info. The only good decision
would be to leave Facebook. There are other platforms out there. Hard pill to swallow for many, I know that!
If you use Facebook and/or other Facebook-owned apps on LineageOS devices you can nullify half of the
effort spent on your privacy. Facebook will know who you are and will sell your data to whoever wants to
buy it without any remorse and, of course, without any warning or notification.
Browser fingerprinting data propagation is highly dependent on the browser, search engine and apps you
have installed and use. An ad blocker will make a lot of difference. Some care should be taken and awareness
is advisable when deciding on usage patterns.
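The correlation described in the device and browser fingerprinting sections above, as an added example that is not part of the original article: it groups visits seen by one embedded tracker by their attribute fingerprint, then shows how reporting coarser values makes devices indistinguishable. The device profiles, site names and attribute names (tz, screen, ua, gpu) are constructed assumptions.

```javascript
// Constructed sample data (not from the article). Each profile holds values a
// third-party script could read; attribute names are assumptions.
const profiles = {
  A: { tz: "Europe/Berlin", screen: "1080x2340", ua: "Chrome/120 Android 14", gpu: "Adreno 730" },
  B: { tz: "Europe/Berlin", screen: "1080x2400", ua: "Chrome/120 Android 14", gpu: "Mali-G78" },
  C: { tz: "Europe/Berlin", screen: "1080x2340", ua: "Chrome/119 Android 13", gpu: "Adreno 730" },
};
// The same tracker script is embedded on three sites; "device" is ground truth
// used only to score the result, the tracker never sees it.
const visits = [["A", "video.example"], ["B", "video.example"], ["A", "shop.example"],
                ["C", "shop.example"], ["A", "news.example"], ["B", "news.example"]];
const events = visits.map(([device, site]) => ({ device, site, ...profiles[device] }));
const ALL_KEYS = ["tz", "screen", "ua", "gpu"];

// Canonical fingerprint string; a real tracker would hash it into an ID.
function fingerprint(e, keys) {
  return keys.map((k) => `${k}=${e[k]}`).join("|");
}

// Group events by fingerprint: each group is one "user" in the tracker's view.
function linkVisits(evts, keys) {
  const groups = new Map();
  for (const e of evts) {
    const fp = fingerprint(e, keys);
    if (!groups.has(fp)) groups.set(fp, { sites: [], devices: new Set() });
    groups.get(fp).sites.push(e.site);
    groups.get(fp).devices.add(e.device);
  }
  return [...groups.values()];
}

// Count groups that map to exactly one real device (i.e. a trackable device).
function attributableDevices(evts, keys) {
  return linkVisits(evts, keys).filter((g) => g.devices.size === 1).length;
}

// Mitigation: report coarse values so many devices share one fingerprint.
function coarsen(e) {
  return { ...e, screen: "standard", gpu: "generic", ua: e.ua.split("/")[0] };
}

console.log("all attributes:", attributableDevices(events, ALL_KEYS));
console.log("tz + screen:   ", attributableDevices(events, ["tz", "screen"]));
console.log("coarsened:     ", attributableDevices(events.map(coarsen), ALL_KEYS));
```

With all four attributes every device forms its own group and its visits across sites are linked; after coarsening, all visits fall into a single group that cannot be attributed to one device.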
Actually, there is a way. Aurora Store, Aurora Play Store and/or microG.
Aurora Store is available on F-Droid.
Aurora Play Store actually takes apps from the Google Play Store.
It anonymizes the request made to the Google store with a fake Gmail account and a spoofed device ID. So Google doesn't
know who is downloading the app. It only works for free apps and those apps which do not require a
personalized ID or Google services to function. Notifications will not work.
microG is the Google Services spoofer for notifications and location: it creates services
that emulate the Google services. An app talks to microG, which anonymizes the request
(even for Notifications, Location Services and Google Maps), then forwards it to Google. So
the app will work but Google will not know the user's real identity.
Theoretically, the LineageOS software is open source, therefore free for anyone to use.
You would install LineageOS on your phone without the Google Services bundle and you would be ready to use it.
The practical side of it is a little different though. Each manufacturer has its own firmware (drivers) and
they install the software following the Google specification. The boot-loader is generally locked in order
to prevent the user from modifying the software.
Yes there are. But the process is tedious and the risk of bricking (irremediably damaging) the device is very high.
Additionally, each model demands a different approach. Even for the same model, there are different things to consider
for each hardware combination.