82 votes

Google will require developer verification for Android apps outside the Play Store

83 comments

  1. [8]
    zestier
    (edited )

    How nice of them. They won't stop you from making an app not intended to be in their store, but they'll still charge you for the privilege of not wanting to use their service while also hoovering up your personal info. They'll obviously never ever ever use the list of excessive PII about developers that want to avoid Google services for nefarious means either.

    Google really needs to lose control of Android. Requiring every Android developer, even those that distribute outside of Google's store, to use and upload sensitive documents to Google Pay really should trigger some antitrust stuff.

    61 votes
    1. [2]
      slade

      It feels like we're increasingly up against problems that can only be solved at a federal level, in a time where we're decreasingly likely to have solutions come from the federal level.

      33 votes
      1. raze2012

        Yeah, it's the witching hour. They're trying to ransack as much as they can before the inevitable change in government shines a sun on them.

        5 votes
    2. [2]
      kingofsnake

      I hope that it's Europe that pulls the trigger first as it's unlikely to happen in the US during this administration.

      While I'm not about to buy a Chinese OS phone, I am looking forward to (if memory serves) recent designs on new smartphone OS's from the country.

      This duopoly needs to get cracked and I'd bet that it's the lack of other OS options that keeps the EU from lashing out.

      9 votes
    3. [3]
      Asinine

      Wondering how/if this will affect GrapheneOS... I might actually have to swap to that Pine Phone.

      5 votes
      1. [2]
        trim

        Well they already took aim at Graphene by removing the Pixel drivers from the AOSP device tree. It's going to be a lot harder for Graphene to make releases in future.

        4 votes
        1. Asinine

          I'm not surprised; I'm running a 7 Pro so I haven't messed with much lately.
          Would rooting change anything? I always "break" my phones, but I'm rather un-knowledgable (not a word, I know, but I'm brainfarting atm) at the behind the scenes actualities. I was finally thrilled I didn't have to introduce root and still be able to do what I wanted with my phone. :(

          1 vote
  2. [30]
    lynxy

    For "security"- always security with these assholes. They're just building the walls of the walled garden higher. I hope the EU jumps on them. I'm absolutely fed up with this nonsense.

    41 votes
    1. [5]
      stu2b50

      I would have to imagine the EU would love this kind of policy. It’s exactly what they would want - as a regulatory body, this means every app now has a physical identity for which they can take regulatory action.

      Like, the EU is not a big fan of privacy or anonymity. See: Chat Control.

      Imagine if you made an E2EE chat app. You didn’t want to adhere to chat control and add a backdoor. If you published it anonymously, there’s not much the EU can do about it.

      Now they have an identity they can email and say “hey, implement a backdoor or we’ll fine the ever living shit out of you, ciao”.

      23 votes
      1. [2]
        lynxy

        That's true- there are definitely factions within the EU who would love this. I was thinking about the actors behind the current spat with Apple, who are pushing for a less walled-garden approach, but you're correct in that these people are a small group in a very large one.

        9 votes
        1. skybrian

          The people pushing for competition with Apple and Google’s app stores aren’t necessarily all that big on protecting the privacy of independent Android developers. They are logically independent issues. In principle, there could be a thriving, competitive ecosystem of alternative app stores where none of the businesses involved are anonymous, and they’re all subject to government regulation. It wouldn’t be like cryptocurrency or something like that.

          8 votes
      2. raze2012

        Does the EU love that to the point of relying on an American tech company to be the middleman verifying such identities? It doesn't seem like a good time these days to lean on the US.

        6 votes
      3. tauon

        Case in point; even after the DMA, Apple is still allowed and in fact seemingly encouraged to continue this behavior. The EU did not force them to allow arbitrary/unsigned binaries in any way whatsoever.

        I love the EU as much as the next European, but when it comes to digital matters especially around chat control like you’ve mentioned, they tend to screw it up a bit too often.

        6 votes
    2. [24]
      skybrian

      You can disagree with heavy-handed responses (and many do), but security isn't a fake issue. Malware is a thing and it's often distributed by convincing users to sideload it.

      15 votes
      1. 0x29A
        (edited )

        It's both a real issue AND a convenient excuse. It's another one of those things one can hide behind when creating policies/requirements to make them more palatable (regardless of if said policies are effective or reasonable or pointless given existing options)

        It's always a balance and a trade-off but a lot of the times these decisions have much bigger consequences that might not be worth the trade-offs despite all of the spin, but consequences companies and governments love- deanonymizing is certainly one of those

        27 votes
      2. [22]
        lynxy
        (edited )

        Of course security is a legitimate issue- but in nearly every instance of heavy-handed responses which are justified by the boogeyman that is malware, security isn't the actual target.

        As with this whole authoritarian Online Safety Act in the UK, building more barriers which allow for tracking of users and developers is not a solution, but these policies are motivated by the need for control (over citizens, over an ecosystem). The main legitimate solution (for improving user security, for 'protecting kids') is to educate. Consumer technology provides ways to lock down devices for kids and other potentially irresponsible users- parental controls.

        Why do we expect the general public to learn about the safe usage of other potentially dangerous daily tools, but forget about computing devices? Why do we treat the sentiment that 'everybody who uses computers should have a minimal understanding of how they work' as some form of gatekeeping?

        Edit: modified punctuation in the third paragraph for clarity.

        16 votes
        1. [20]
          sundaybest

          I'm not the most tech literate person on tildes by a wide, wide margin but you summed up my reaction. Why are folks being asked to give up their privacy when we could just...teach people to not download malware? Like, am I being incredibly dense and missing something right now? :') I've always been under the impression that you shouldn't download things you can't verify and that policy has worked out pretty well for me so far...

          I fall into the camp of "mundane average person who has nothing to hide" but I am very icked out by all these new policies pushing to de-anonymize the internet and creative spaces attached to it. I'd be willing to hear someone out if there are genuine reasons/benefits I should be considering but it seems all very corpo-dystopian nightmare future-is-now. T_T please educate me if there's something I'm missing

          13 votes
          1. [19]
            skybrian

            > we could just...teach people to not download malware

            The word “just” is doing a lot of work there. While many of us wouldn’t fall for a phishing attack that required sideloading an app, it’s quite difficult to educate billions of people. Many of them aren’t very sophisticated about computers and the attackers are clever.

            Reaching for a technical solution is tempting because it’s much easier. Most people aren’t Android developers so we’re talking a few million at most. Most users are unaffected and don’t lose any privacy. Also, most users have no reason to install an app that isn’t from a known business.

            Maybe compare registering as an Android developer to registering a domain name. Originally you were required to give your name, address, and contact information, and it was published to the world using whois. It’s only later that domain registrars started protecting people’s privacy - you still have to tell the registrar who you are, but they don’t make it public.

            12 votes
            1. [2]
              raze2012

              https://xkcd.com/538/

              Most hacks are social engineering. "just" educating the populace is the most effective way, but not the most profitable.

              I don't think compromising potentially every de-googlefied android device is worth the offset of saving a few people from sideloading a malicious app.

              It's a personal computer, not a national bank. It sucks when it happens but we have ways to protect and freeze info if a hack does occur.

              12 votes
              1. skybrian

                People commonly use personal computers and mobile phones to do their banking, so it effectively is banking infrastructure. Maybe for our hacking projects, we should use a different computer?

                6 votes
            2. [11]
              vord

              Here's the thing: No technical solution can stop phishing attacks. At all.

              The most effective ones are still sent on paper, from perfectly legal businesses. Yet somehow we haven't stopped them despite being older than computers themselves.

              11 votes
              1. [10]
                skybrian

                You’re seeing this in very black and white terms. A lot of crime prevention is about reducing the prevalence and making things harder for attackers. For example, encryption won’t stop attackers, but it helps against certain attacks.

                It’s true that if convincing people to sideload Android apps doesn’t work, they’ll try something else.

                7 votes
                1. [9]
                  wervenyt

                  If their line of reasoning is black and white, what is the shade of grey sufficiently "safe"? And why is Google's line appropriate for its users? The side effects of this method of "increasing safety" means accepting the unsafety of Google's rentseeking, of shutting down end-users' ability to use the software they want without permission, and collecting a list of any people whose work is important enough to be used by nontechnical users but incompatible with Google's regulations (which are entirely shaped by legal liability).

                  As stated by others in this thread, there are scams and malware being platformed by the Play Store and AdSense. Even taking for granted the need to coddle people and disincentivise fraud, why should anyone trust them?

                  8 votes
                  1. [8]
                    skybrian

                    I’m not going to argue that this new policy is a good idea. I think it’s not obviously a bad idea and that I would need to understand the evidence better to decide whether the benefits outweigh the harms.

                    This has been a largely evidence-free discussion so far - people are making ideological arguments for why it can’t possibly be worth it.

                    Google has gestured towards having evidence with this line:

                    > our recent analysis found over 50 times more malware from internet-sideloaded sources than on apps available through Google Play

                    It’s hardly enough to be convincing, though. They are comparing two ratios instead of telling us what the base rate is, and they don’t share how they measured it.

                    (I can imagine Googlers being shocked by a rising amount of malware in internal reports and saying something needs to be done about this, but imagination is not evidence.)

                    I don’t see how the existence of scams in the Play Store or Adsense proves anything. Obviously they should try to minimize that too. (And at the same time, the optimal amount of fraud is not zero.)

                    4 votes
                    1. [7]
                      wervenyt

                      Well, this is an issue of values, not problem-solving, so evidence shouldn't be relied upon beyond conviction. Taking Google at their word that this is a problem worthy of concern is already being charitable, as this proposal has obvious anticompetitive effects which would benefit them alone. The scams on their preexisting services go to prove that Google "verifying identities" is not the strong disincentive to the fraud it's being sold as. It indicates, generously, that Google is not competent at the tasks they already undertake, and so unaware of this failure that they are trying to sell an expansion of that project when nobody is blaming them for these kinds of vulnerability. So what's the motive? It is either the motivation of flailing panic, or ulterior.

                      Personally, the numbers can be nigh-infinitely bad, and the idea of preventing people from participating in much of modern society without immense effort unless they use a surveillance device made by unaccountable parties which they are expected to pay for and be responsible for the usage of without meaningful ownership is absurd. At least if the fraud is so widespread there's some healthy skepticism.

                      15 votes
                      1. [6]
                        skybrian
                        (edited )

                        What would you say are the anticompetitive effects? For a business, their name, address, and contact information is public information. For individuals, there is a privacy issue, but remaining anonymous isn't a competitive advantage. Having someone on your team register as an Android developer is a speed bump, but not really a blocker as far as business goes.

                        In a lot of places you need to get a permit just to open a hot dog stand.

                        3 votes
                        1. [2]
                          Grumble4681

                          Well if you strictly look at direct competition among businesses, I can't think of much of a strong anti-competitive effect of this registration. But if you consider that Google's business is impacted by more than direct competition, there are significant implications here and while I'm not sure that has it fall under anti-competitive, it does bolster their bottom line so maybe in some context it could be seen as that.

                          For example, adblockers. Some of these are commercial, but some are not. The most popular adblocker that I'm familiar with anyhow, uBlock Origin, is well known to be made by Raymond Hill. As far as I know, it's not released commercially, and they refuse donations for that project. From what I recall, he walked away from the original uBlock because he didn't like the hassles of dealing with public expectations, criticisms and what not that come from having millions of people rely on something he made mostly for himself. So he's not anonymous in any way, but also adblockers have rarely been targeted for violating laws, copyright or otherwise, so I'm guessing he hasn't had to incur a lot of trouble that would otherwise have driven him away from keeping that project available publicly. I could see an alternate timeline or a future where adblockers are targeted more substantially and a project like uBlock Origin would not be sustainable if it required someone to associate their real name and other information with the project. While adblockers are generally not standalone apps as far as I'm aware, there are some apps modified with adblocking functions built in (think of patchers like ReVanced or what not where they can patch some apps to make it so they don't play ads, like Spotify, Youtube etc.)

                          There's another project under the name Bypass Paywalls Clean maintained by someone under the name Magnolia that used to be easily accessible on the extension stores and then got removed, then got taken down off github etc. and according to the developer it was constantly targeted by DMCA claims. Last I checked, it was only available on a Russian hosted github like website, presumably because they don't care about bogus DMCA claims. This isn't an app mind you just as uBlock Origin isn't, so I'm not stating this as a specific example, but conceptually it is quite transferable. I don't know if this Magnolia person is actually easily trackable in any way, but this move Google is pulling is the type that would basically all but eliminate a project like this.

                          Then there are the other types of projects, like alternative Youtube front-ends (which generally remove ads), content downloaders (like Youtube-dl), and likely myriads of other projects I have no awareness of. Google has made it very clear they have been going after these types of services, and even if you agree that Google has the right to do so because it costs them money to provide these services, I don't think it's unreasonable to imagine that we're not far from a future where people who have to put their names on these projects can be legally harassed into giving up, even if what they are doing isn't even technically illegal. For non-commercial projects, who really has the resources to deal with a company like Google or any other that might come after them with some bogus legal claim?

                          5 votes
                          1. skybrian

                            Yes, I think you're right that it would have the most effect on apps that are operating in some kind of legal gray area. They would need someone who is willing to front for them.

                            1 vote
                        2. [3]
                          wervenyt
                          (edited )

                          Grumble covered a lot of the subtler ways, but here's the key thing: Google sells apps. Google wants to start blocking people from installing apps they have not "verified" on Android phones.

                          The actual business structure is irrelevant. They are moving to prevent anyone who they don't OK from being able to distribute their software without going through things as tortuous as adb. Now, adb is not some labyrinth, but a second computer running specific software also made by the people blocking these applications just to bypass that block is beyond the line of preventing competition against the Play Store.

                          How is F-Droid going to handle this? What about Itch gamedevs, will Itch have to start preventing people from listing games as Android compatible if the dev doesn't prove verification? What about...solo devs with no interest in commerce? These are all competition for Google.

                          Sure. Google might not be evil this time. Or ever again! But it's an unacceptable thing. It's unacceptable on iOS, it's unacceptable on Windows. Proprietary software is bad enough, but this normalization of infantilism isn't okay.

                          3 votes
                          1. [2]
                            skybrian
                            (edited )

                            Some background: Google is already blocking sideloaded apps:

                            Google Bans 158,000 Malicious Android App Developer Accounts in 2024

                            > In addition, the company's efforts to automatically block sideloading of potentially unsafe apps in markets like Brazil, Hong Kong, India, Kenya, Nigeria, Philippines, Singapore, South Africa, Thailand, and Vietnam has secured 10 million devices from no less than 36 million risky installation attempts, spanning over 200,000 unique apps.

                            Google Blocks Unsafe Android App Sideloading in India for Improved Fraud Protection (2024)

                            > Google has announced that it's piloting a new security initiative that automatically blocks sideloading of potentially unsafe Android apps in India, after similar tests in Singapore, Thailand, and Brazil.
                            >
                            > The enhanced fraud protection feature aims to keep users safe when they attempt to install malicious apps from sources other than the Google Play Store, such as web browsers, messaging apps, and file managers.
                            >
                            > The program, which was first launched in Singapore earlier this February, has already blocked nearly 900,000 high-risk installations in the Southeast Asian nation, the tech giant said.

                            Since currently developers of Android sideloaded apps don't have to register, attackers can create a new private key and sign the same app again. So these apps were already blocked (Google can already do this) but clones keep appearing. Making developers register makes it harder to sign the same apps again. It's another ratchet in an ongoing war.

                            So far, I don't think Google has blocked any F-Droid apps? But they already have the power to do so and wouldn't need developers to register to do that. They could block apps from alternative app stores, and the main thing preventing that would be agreements with the EU to allow such things.

                            If Google having the technical capability of blocking what apps run on your phone is unacceptable, I think you need to install a forked Android OS.

                            2 votes
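The comment above notes that a block tied to a signing key stops working once the same app is signed again with a new key. The following is an added example, not part of the thread and not Google's code, showing from the defender's side how a signer-based blocklist and a content-based fingerprint behave on such a re-signed copy. The "APKs" are constructed in-memory ZIPs, the signer bytes are placeholders rather than real certificates, and the function names are hypothetical.

```python
import hashlib
import io
import zipfile

# v1 (JAR-style) signing stores the signer's signature block under META-INF/
SIG_SUFFIXES = (".RSA", ".DSA", ".EC")


def build_apk(entries):
    """Build an in-memory ZIP standing in for an APK (constructed sample)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


def _read_entries(apk_bytes):
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        return {name: zf.read(name) for name in zf.namelist()}


def signer_digest(apk_bytes):
    """Identify the signer: SHA-256 over the META-INF signature block files.

    Assumption for this sketch: the raw block bytes stand in for the
    certificate a real verifier would extract and hash.
    """
    h = hashlib.sha256()
    for name, data in sorted(_read_entries(apk_bytes).items()):
        if name.startswith("META-INF/") and name.upper().endswith(SIG_SUFFIXES):
            h.update(data)
    return h.hexdigest()


def payload_fingerprint(apk_bytes):
    """Identify the content: SHA-256 over every entry outside META-INF/."""
    h = hashlib.sha256()
    for name, data in sorted(_read_entries(apk_bytes).items()):
        if not name.startswith("META-INF/"):
            h.update(name.encode() + b"\0" + hashlib.sha256(data).digest())
    return h.hexdigest()


def verdict(apk_bytes, blocked_signers, blocked_payloads):
    """Return which blocklist (if any) matches this package."""
    if signer_digest(apk_bytes) in blocked_signers:
        return "blocked:signer"
    if payload_fingerprint(apk_bytes) in blocked_payloads:
        return "blocked:payload"
    return "allowed"


# Constructed samples: same app content, two different placeholder signers.
PAYLOAD = {
    "AndroidManifest.xml": b"<constructed manifest>",
    "classes.dex": b"constructed dex bytes",
}
ORIGINAL = build_apk({**PAYLOAD, "META-INF/CERT.RSA": b"constructed signer A"})
RESIGNED = build_apk({**PAYLOAD, "META-INF/CERT.RSA": b"constructed signer B"})
UNRELATED = build_apk({
    "classes.dex": b"a different constructed app",
    "META-INF/CERT.RSA": b"constructed signer C",
})

# Blocklists derived from the one package that was reported.
BLOCKED_SIGNERS = {signer_digest(ORIGINAL)}
BLOCKED_PAYLOADS = {payload_fingerprint(ORIGINAL)}

if __name__ == "__main__":
    for label, apk in [("original", ORIGINAL), ("re-signed", RESIGNED),
                       ("unrelated", UNRELATED)]:
        print(label,
              "| signer list only:", verdict(apk, BLOCKED_SIGNERS, set()),
              "| both lists:", verdict(apk, BLOCKED_SIGNERS, BLOCKED_PAYLOADS))
```
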
                            1. wervenyt

                              Cool. Fuck all that, and their ever present capacity doesn't make this policy change any better. I'm not waiting around for them to prove their own track record of anticompetitive and antihuman priorities.

                              I will not be installing a forked version of android, I will be abandoning smartphones as a technology, once the one I have dies. Because how dare they? How dare everyone in our culture just roll over for this domineering bullshit. The compromises we've made for decades were the thin edges of the wedge of totalitarianism, and I'm tired of tolerating this.

                              Computing is infrastructure. Personal computers are a means of expressing agency. This is like banning people from moving furniture around their house without approval from mortgage lenders.

                              3 votes
            3. IsildursBane

              > Maybe compare registering as an Android developer to registering a domain name. Originally you were required to give your name, address, and contact information, and it was published to the world using whois. It’s only later that domain registrars started protecting people’s privacy - you still have to tell the registrar who you are, but they don’t make it public.

              I think it is a decent parallel, but there are limitations. The first is competition. With registering a domain, you can choose which company you go with, whereas with verifying your developer account your only option is Google. What is stopping Google a year from now from charging for this? The second is that whois has flaws with that information being used for social engineering attacks. Yes, there have been changes to allow for obscuring information, but Google has not provided information on how public their system will be. Also, will Google share that information with LEO?

              8 votes
            4. [2]
              Tiraon

              Technical solution will do zero for the various malicious sw present and in some cases endorsed on the play store. It is malicious differently but it does do damage. Standard expectation of bare basic computer literacy would help in both situations.

              Then there are the implications of the owner of the device being flat out unable to do something without approval of a remote third commercial party, especially for something as important as a smartphone. There is a toggle already, that should be enough.

              4 votes
              1. skybrian
                Link Parent

                I would have thought that the toggle would be enough to protect normal people, and it probably does help, but apparently scammers can talk people into turning it on and downloading an app?

                I remember seeing an Android update where they no longer let people sideload apps while talking on the phone, so at least they have to hang up on the attacker, hopefully breaking the spell and giving them a chance to think. I wonder how much that helped?

                It would be nice to get more info about the prevalence of these kinds of attacks. I don’t actually know how big the problem is; I’m just unwilling to dismiss it out of hand.

                2 votes
            5. [2]
              sundaybest
              Link Parent

              Would you mind (and if you have the time) explaining your perspective a bit more? I've read a few of your other replies in the thread and you seem very...optimistic that this isn't a negative/inherently bad thing? I'm not sure if that's the appropriate word but that is my general impression.

        2. post_below
          Link Parent

          Why do we treat the sentiment that 'everybody who uses computers should have a minimal understanding of how they work' as some form of gatekeeping?

          So right. We (meaning the tech literate) along with journalists, parents, tech companies and educators have been teaching people digital hygiene for decades and it's worked out ok. We could do better, but in any case the population is definitely capable of learning to avoid scams and malware. And they're motivated to learn. There are a lot of tech details most people don't care about, but scams and malware get everyone's attention.

          As others have said, education is the solution. Google extending their control over applications isn't. I can already think of a handful of ways people will use to get around it. The arms race has been going on for a long time and it's unlikely to end any time soon.

          5 votes
  3. [18]
    vord
    Link

    The problem, more than anything else, is that they will likely strip any option to turn it off. Doctorow's First Law also applies.

    Any time someone puts a lock on something that belongs to you, and won't give you a key, they're not doing it for your benefit.

    Everything this purports to solve for security's sake already has a good-enough solution via the unknown apps toggle. But you know what that doesn't do? Provide a direct name and face to throw DMCA lawsuits at.

    34 votes
    1. Grumble4681
      Link Parent

      Yeah basically stifle creation of or maintenance of many kinds of apps because it could result in someone getting harassed for one reason or another. Harassed by corporations via DMCA claims and other bogus copyright claims, bogus legal threats and otherwise for anti-competitive reasons, and then all other kinds of work that aren't illegal but someone may not want to be publicly associated with because family, friends, coworkers, future potential employers etc. and while there may not be a public database that one could easily look up, it's not entirely clear yet how accessible this information would be. Given the current state of US government and just how many governments across the world are treating privacy, I have absolutely no faith that this information won't be trivially accessible even if there are no crimes being committed.

      It's things like this that happen over time that have contributed to the erosion of people sharing their hobbies for fun and make it so the only way anything can be shared publicly is if you're willing to do it as a business and make money off it, because that's the only way you can justify all the potential headaches and hoops to jump through. I just think of the experience of going to the store front of Google Play to look for free games and comparing that to the days when you could go to the 'store front' of flash game websites and the direction those go in are completely different.

      17 votes
    2. [6]
      Mnmalst
      Link Parent

      They will never let people disable it, that would completely defeat the purpose. You already have to allow the installation of apps outside the play store, so adding just one more toggle to deactivate it wouldn't make sense.

      This will be such a blow to the independent application ecosystem. Even if custom roms could disable it, the userbase of independent apps would shrink to a point where most developers wouldn't bother with it anymore.

      I hate the timeline we are currently in.

      10 votes
      1. [5]
        skybrian
        Link Parent

        On the bright side, nothing changes for websites, so for some apps that’s a viable alternative.

        Also, I imagine there could be businesses or nonprofit organizations who publish Android apps on behalf of others? For open source software, it could be something like Debian, where they recompile the code before distributing it. Someone needs to register as an Android developer, but it doesn’t have to be you.

        1. [2]
          vord
          Link Parent

          nothing changes for websites

          For now. We've already got https as de facto mandatory. Just need a small rule about Android not serving DNS entries or validating certs for unidentified site owners.

          6 votes
          1. skybrian
            Link Parent

            I can point to one example of the trend going the other way. It used to be that there were extended validation certificates for associating domain names with legal entities, but nobody bothered looking for that and mobile browsers don’t display them any differently.

        2. [2]
          raze2012
          Link Parent

          Also, I imagine there could be businesses or nonprofit organizations who publish Android apps on behalf of others?

          Oh hey, just what we needed, more middlemen in 2025. That always ends well.

          2 votes
          1. skybrian
            Link Parent

            Maybe not always, but I think sometimes it does go well. There are good Linux distributions. Steam is pretty good. I also appreciate the package managers that many programming languages have for downloading open source libraries. In the old days we would download tar.gz files and run autoconf, and I’m glad I don’t have to do that anymore.

            1 vote
    3. [10]
      skybrian
      Link Parent

      Doctorow says a lot of things that aren't actually true but make good memes.

      4 votes
      1. d32
        Link Parent

        This is not one of them.

        20 votes
      2. [8]
        vord
        (edited )
        Link Parent

        Do you have an example? Because I can't think of any.

        I say that not as a fanboy "he can do no wrong", but genuine interest. His creative writing paired with a deep love of technology has resulted in insight that borders on prescient. I can't recall any deliberate, or even unintentional, misinformation.

        11 votes
        1. [7]
          skybrian
          Link Parent

          Well, take this particular slogan. It would be like claiming that anyone who believes prescription medicine should be regulated doesn’t care about the harm to patients and must have some other agenda. It’s reasonable to argue that there is too much regulation, but that doesn’t mean you have to accuse the other side of bad motives. And here he goes making a “law” that the other side always has bad motives, as if that were a logical necessity.

          Doctorow’s positions are sometimes those of an extreme libertarian and somehow people don’t really notice.

          8 votes
          1. [3]
            vord
            Link Parent

            Not every idiom applies in every situation? The lock metaphor certainly applies to everything you own. Not so much about FDA approval processes.

            Heck, even applying it to medicine; I'd certainly consider it unreasonable for a bottle of medicine to automatically permanently seal when the expiration date hits, even if a bit of song and dance about safety could be made. Most medicines don't really go bad unless the pills crumble or they get wet.

            And when it comes to DRM and computing rights, we have clear documentation of bad intentions dating back well over 30 years. Remember that time Sony installed a rootkit on every computer that put an audio cd in it? I sure as heck do.

            Ever since the first commercial software came out, it has been a constant battle between "people selling software" and "people using the software how they want." The GPL wasn't born out of nowhere, it was a direct response to not being permitted to port tools between different systems.

            The reality is that the only technical barriers that prevent software from one computer running on another are a lack of source code and having sufficient resources. And so, DRM all hinges on oppressive legal frameworks and the stripping of consumer rights.

            Cory advocates for all sorts of meaningful regulation. But he rightfully rails against anti-consumer bullshit, which is like the cornerstone of all growth these days.

            14 votes
            1. [2]
              skybrian
              Link Parent

              He’s still accusing people who disagree with him of bad motives, and that doesn’t sit well with me. Even though it’s common.

              2 votes
              1. wervenyt
                Link Parent

                He's not even doing that. "Not for your benefit" is not "opposed to" it. At most you could argue he's overly glib and conflating paternalism with exploitation.

                7 votes
          2. [2]
            raze2012
            Link Parent

            Do you think prescription medicine that needs a doctor's overview is comparable to your FOSS grocery list app that needs Google's approval?

            In general, do you think a "law" needs to be universally applicable? Moore's law hasn't worked in tech for a while, but I don't think it ever worked outside of the tech industry.

            that the other side always has bad motives, as if that were a logical necessity.

            The goodwill has been lost long ago, but yes. We still do need to hammer into some people that big tech is not looking out for you. We still have to hammer into some people basic things like "yes women have rights", after all.

            This will be a decades long battle, no matter how redundant it might seem.

            5 votes
            1. skybrian
              Link Parent

              I think accusing the other side of bad motives in such a generic way is a terrible way to argue. It’s basically just stereotyping.

              2 votes
          3. TheMediumJon
            Link Parent

            It would be like claiming that anyone who believes prescription medicine should be regulated doesn’t care about the harm to patients and must have some other agenda.

            That's not a valid interpretation of that "meme" at all.

            You don't own any medicine pre-purchase and that is generally where the regulation is.

            What he argues against is something that doesn't, as far as I'm aware exist for prescription medicine. Something akin to a bottle that unlocks up to a specific amount of times per day (per the prescription) - except that it is/can be set after you have already purchased the prescription.

            3 votes
  4. skybrian
    Link

    From the article:

    Starting next year, Google will begin to verify the identities of developers distributing their apps on Android devices, not just those who distribute via the Play Store. The changes will affect all certified Android devices once live, though the global rollout will be more gradual.

    The tech giant stresses that this does not mean developers can’t distribute outside of the Play Store through other app stores or via sideloading — Android will remain open in that regard. However, developers who appreciated the anonymity of alternative distribution methods will no longer have that option. Google says this will help to cut down on bad actors who hide their identity to distribute malware, commit financial fraud, or steal users’ personal data.

    Here is Google's announcement. Here's a slide deck showing the new developer console they're building for developers who only create sideloaded Android apps.

    It will require government id, which will be done via Google Pay:

    Android Developer Console will ask you to link a payments profile to your account to collect and verify information about you or your organization, including its legal name, address, and associated D-U-N-S number (only required by organizations).

    [...] This includes identity information to streamline the verifications you need to complete.

    ...

    After this, you'll need to accept the Android Developer Console terms, and pay a $25 USD fee to finish creating your account. Students and hobbyists will be able to create a special type of account with fewer verification requirements, that doesn't require the $25 USD fee.

    They will require the "package names" used by Android apps to be registered.

    But it looks like it doesn't require the apps to be approved, so I guess that's something.

    20 votes
  5. macleod
    Link

    On one side I hate this, on the other (my security side), this makes sense.

    But, it shouldn't be left to Google to do this at all, this should be left to an independent non-profit to handle this side of things. An accreditation service or database, or what have you.

    14 votes
  6. [3]
    Bullmaestro
    Link

    I wonder how EU regulators would feel about this, especially when they've tried to compel Apple to allow iOS users to sideload apps.

    13 votes
    1. [2]
      stu2b50
      Link Parent

      Probably good, considering the appetite is high for this kind of regulation (see OSA in the UK and chat control in the EU).

      Note that Google isn’t saying they’re going to be a gatekeeper with this. What they’re saying is that if you want to run an app, you need to provide personal details and sign your app to verify you are providing that binary.

      The EU would love that. It means if an app is violating their policies, they now have a real person or company to prosecute. Taking anonymity away is absolutely in their wheelhouse.

      15 votes
      1. psi
        (edited )
        Link Parent

        The UK isn't in the EU, and for all the complaints about chat control, it (thankfully) hasn't passed. Mind you, the EU is also responsible for the GDPR, a regulation specifically crafted from the ideal of privacy as a human right. And one of those EU member states is Germany, which is among the most privacy-conscious countries in the world. So I don't think the EU's anti-anonymity streak is as clear-cut as you're depicting it.

        But to @Bullmaestro's point, a one-time $25 fee is categorically different from Apple's core technology fee, so it might withstand regulatory scrutiny.

        12 votes
  7. [3]
    trim
    Link

    Comments appearing on the F-Droid forums about this now, which is the first place I went when I heard this. Could be bad for them :(

    10 votes
    1. [2]
      Minori
      Link Parent

      I'm wondering if this could be circumvented with a sandbox app. I'm imagining an app that can run apps and arbitrary code. It wouldn't be trivial.

      4 votes
      1. trim
        Link Parent

        I dunno man. Who knows how it's going to work in practice? F-Droid compile and package the applications for their store, so they'll have to do the signing, but they're not the developers of those applications. I doubt Goo would be happy to have F-Droid listed as the developer for hundreds of random apps from hundreds of different developers.

        1 vote
  8. donn
    Link

    I was just thinking today how I wanted to try an Android because I can install APKs from wherever…

    At least unlike Apple notarization on Mac it's a $25 one-time fee to become a Google Play developer and get the requisite keys. But I um. I'd like to see something get worked out for F-Droid and such.

    9 votes
  9. [6]
    Rudism
    Link

    I've previously toyed with the idea of giving one of the various phones that run some flavor of Linux a try. The main thing I want out of a phone is it needs to be reliable enough on the telephony side of things that I can be sure I'm not missing calls or texts and I can place them when I need to, which didn't always seem like a given on Linux phones when I've dug into them in the past. But I think if this is the direction that Android is going in, it may finally push me over the edge.

    9 votes
    1. [3]
      Carrow
      Link Parent

      Me too, freedom for developers is the reason I'm on android so why bother if they revoke that. I'm looking at PinePhone, Halium, and postmarketOS. The philosophy behind postmarketOS makes it seem like my favorite option, but they are clear it is for tinkerers so perhaps not as reliable as PinePhone? I don't know what is out there, planned on making a post polling opinions. Last time I recall mobile linux was brought up, the overwhelming opinion was to use de-googled android.

      3 votes
      1. [2]
        arch
        Link Parent

        If you are serious about this, then buying a PinePhone is probably the way to go. If you just want to dip your toes in, then buying a device that's "supported" by postmarketOS or Ubuntu Touch is a good way to experiment (and see what is missing, because a lot is missing). My sole experience with this is installing Ubuntu Touch, then postmarketOS on a Pixel 3a XL with UBports. It was a fun experiment, I can see how it could work for daily use with a more powerful device, but it wasn't good enough for me to put my SIM in it and actually try to daily drive it. Basic functionality is missing, and it varies by device. You could lack bluetooth, for instance, or backlight dimming. RCS does not and will not work full stop (because Google won't open it up).

        2 votes
        1. Carrow
          Link Parent

          Thank you kindly for the input :) good to know that about RCS as well. I like my phone but it no longer gets updates so I'm debating on what to do next and how soon. My phone is probably the device I most want to "just work" compared to the tinkering I do with my desktop, server, or deck. Experimenting on a secondary mobile device is perhaps the best solution in my case, wait and see where Google goes and how the scene develops in response.

          1 vote
    2. [2]
      kjw
      Link Parent

      OT: Do you have in mind any currently working linux phone? I'm also thinking about switching, since I am getting more and more frustrated with only two vendors of closed mobile OSes.

      1 vote
      1. Rudism
        Link Parent

        Probably the PinePhone Pro. I'm also aware of the Librem 5 but that thing is outside my price range. I believe both are generally reported to be fine as daily drivers by people who use them. There's one called the FuriPhone FLX1 that caught my attention most recently and sounds very promising, but I've read conflicting reviews that suggest the networks it supports aren't really optimal for use in North America where I am. Then there are a couple possible vaporware projects, the Liberux Nexx (their website is down as I write this, and all I can find about them is a closed IndieGogo), and another project that's in the pre-kickstarter phase called Mecha Comet that actually looks pretty neat if it ever comes to fruition. The other option I don't know much about is PostMarket OS which is basically a custom ROM compatible with some select Android phone models--using that would require already owning or probably buying an older phone model second hand, so I'm not sure how feasible it would be to find something there.

        3 votes
  10. zod000
    Link

    Google continues to disgust me lately with every new thing that they do. I used to, naively, put Google on a pedestal as they felt like such a breath of fresh air compared to Microsoft, IBM, Oracle, Apple, and such. Now they have become just as bad, perhaps worse in some cases. I have removed Google from my life as much as I can, but man...

    8 votes
  11. [4]
    DeaconBlue
    Link

    I am pretty weak on the phone side of tech. What does this mean for something like Graphene? Does their fork (or whatever) of the Android system have the ability to turn this off, or would it be baked in further down in the system's guts to the point that it would be hard to bypass?

    5 votes
    1. [2]
      vord
      Link Parent

      Graphene will have to, because Google won't sign off on it being a secure operating system.

      That's why you can't use Google Pay on Graphene, even though all the hardware works.

      7 votes
      1. synergy-unsterile
        Link Parent

        According to the GrapheneOS fediverse account, this developer verification thing isn't even on their radar. The main concern is the other things Google is doing in response to the antitrust lawsuits like the spinoff of Android and potential end of AOSP.
        https://grapheneos.social/@GrapheneOS/115091275706894905

        2 votes
    2. skybrian
      Link Parent

      It's an OS thing, so installing an alternative OS like that will bypass it.

      5 votes
  12. skybrian
    Link

    I was wondering what info Google makes public about verified developers. I didn't find anything for this new system, but here's a web page about what they do for the Play Console:

    Google will display your legal name, your country (as per your legal address) and developer email address on Google Play. If you decide to monetise on Google Play, then Google will display your full address.

    In certain regions, developers are required to provide additional information which may be displayed on Google Play, like their phone number or full address. Visit this Help Centre article to learn more.

    Your contact email address, contact phone number and developer email address must be verified using a one-time password and remain operational for the duration of your developer account. Go to the best practices section below to find out more.

    5 votes
  13. [4]
    Deely
    Link

    Is there anything we can do?
    I don't want Google to dictate to me what I can/can't install on my phone.

    4 votes
    1. [3]
      skybrian
      Link Parent

      If you’re not an Android developer, this doesn’t directly affect you. If you sideload apps, it might affect what apps are available to you after upgrading to a newer version of Android. It depends on whether the developer of the specific app you want to use goes through the trouble of getting registered and signing their apps.

      I expect that popular, maintained apps would still be available, but older apps that aren’t maintained anymore won’t work.

      2 votes
      1. [2]
        Deely
        Link Parent

        If you sideload apps, it might affect what apps are available to you after upgrading to a newer version of Android.

        I don't think that's the case, the article didn't mention upgrading to a newer version of the OS, instead

        In March 2026, verification will go live for all developers.

        so, I suppose it will be implemented on an application (Play Store, System Security apps) level.
        And yes, I have a few apps that are not supported anymore, downloaded from other sources: GitHub, itch.io, etc. etc.

        1. skybrian
          Link Parent

          By "go live" I think that means that their new developer console isn't in "early access" anymore. They explain when users will be affected in the next sentence after that. It depends on which country you are in:

          By September 2026, any app installed on an Android device in Brazil, Indonesia, Singapore, and Thailand will have to meet the new requirements. Starting in 2027, the requirements will begin rolling out globally.

          (This is from the TechCrunch article.)

          Presumably this is due to some kind of update, though perhaps it won't technically be an OS upgrade?

          Why those countries? I imagine it's where the malware problem is the worst.

  14. Tiraon
    Link

    I mean anything running Android was never actually open or actually owned by the one who nominally bought it. I suppose they decided they don't need to pretend as hard. By now it seems the main difference against iOS will soon be the choice of aesthetic and that Apple overlords it openly instead of pretending they don't.

    3 votes
  15. Mendanbar
    Link

    Google notes that student and hobbyist developers will be able to use a separate type of Android Developer Console account when this system rolls out, as their needs differ from commercial developers.

    For those of us like me that only build local apps that don't get distributed anywhere else. Of course the devil is in the details, and the details are thin. 🤷‍♂️

    3 votes