“Meet me in the middle, says the unjust man.

You take a step towards him, he takes a step back.

Meet me in the middle, says the unjust man.”

out of interest, do you actually mean no login, or do you mean no email-verified login?

Thanks for the distinctions and links to the other good discussions you’ve started!

For the invasive bits that are included, it’s easy enough for GrapheneOS to look over the incremental updates in Android and remove the bits that they don’t like.

That’s my approximate take as well, but it wasn’t quite what I was getting at.

What I meant is, to ask ourselves why is that the case? A LOT of it is because google wills it to be so.

Not only in terms of keeping it open, but also in terms of making it easy or difficult - it’s almost entirely up to google how easy or hard it’s going to be. Right now we’re all reasonably assuming they have no current serious incentives to change their mind. After all, why would they? The miniscule % of users who go to the effort of installing privacy enhanced versions of chromium (or android based os), are a tiny drop in the ocean compared to the vast majority of users running vanilla and probably never even heard of privacy enhanced versions.

excellent writeup with some high quality referencing.

minor quibble

Firefox is insecure

i’m not sure many people would disagree with you that FF is less secure than Chromium (hardly a surprise given the disparity in their budgets and resources)

though i’m not sure it’s fair to say FF is insecure if we are by comparison inferring Chromium is secure? ofc Chromium is more secure than FF, as your reference shows.

another minor quibble

projects like linux-libre and Libreboot are worse for security than their counterparts (see coreboot)

does this read like coreboot is proprietary? isn’t it GPL2? i might’ve misunderstood something.

you make some great points about open vs closed source vs proprietary etc. again, it shouldn’t surprise us that many proprietary projects or Global500 funded opensource projects, with considerably greater access to resources, often arrive at more robust solutions.

i definitely agree you made a good case for the currently available community privacy enhanced versions based on open source projects from highly commercial entities (Chromium->Vanadium, Android/Pixel->GrapheneOS) etc. something i think to note here is that without these base projects actually being opensource, i’m not sure eg. the graphene team would’ve been able to achieve the technical goals in the time they have, and likely with even less success legally.

so in essence, in the current forms at least, we have to make some kind of compromise, choosing between something we know is technically more robust and then needing to blindly trust the organisation’s (likely malicious) incentives. therefore as you identify, obviously the best answer is to privacy enhance the project, which does then involve some semi-blind trusting the extent of the privacy enhancement process - assuming good faith in the organisation providing the privacy enhancement: there is still an implicit arms race where privacy corroding features might be implemented at various layers and degrees of opacity vs the inevitably less resourced team trying to counter them.

is there some additional semi-blind ‘faith’ we’re also employing where we are probably assuming the corporate entity currently has little financial incentive in undermining the opensource base project because they can simply bolt on whatever nastiness they want downstream? it’s probably not a bad assumption overall, though i’m often wondering how long that will remain the case.

and ofc on the other hand, we have organisations who’s motivation we supposedly trust (mostly…for now), but we know we have to make a compromise on the technical robustness. eg. while FF lags behind the latest hardening methods, it’s somewhat visible to the dedicated user where they stand from a technical perspective (it’s all documented, somewhere). so then the blind trust is in the purity of the organisation’s incentives, which is where i think the political-motivated wilfully-technically-ignorant mindset can sometimes step in. meanwhile mozilla’s credibility will likely continue to be gradually eroded, unless we as a community step up and fund them sufficiently. and even then, who knows.

there’s certainly no clear single answer for every person’s use-case, and i think you did a great job delineating the different camps. just wanted to add some discussion. i doubt i’m as up to date on these facets as OP, so welcome your thoughts.

I’m sick of privacy being at odds with security

fucking well said.

Glad to see everyone agrees this is

1. funny cos they’re crying over stealing what they stole

2. acknowledges this means the weights are actually open sourced (which is how it fuckin should be)

also discussion i’ve seen elsewhere:

3. when considering the energy footprint of chatgpt, also consider the energy footprint of running the internet for 30 years to accumulate all that data they stole. therefore the most ecological option is to extract the weights and then opensource it.

just want to add

4. if the accusations aren’t true (still a possibility), oai is probably deliberately buying time/stock recovery by keeping this discussion in the news rather than everyone discussing how much they suck

5. if large entities are going to capture and then open source each others proprietary weights, that may actually be one of the best outcomes for global humanity amidst this “AI” craze

wow the level of cope in this thread (thankfully not that many tho) arguing over stats - which are probably made up anyway.

some people can’t handle that most humans just wanna be friends regardless of gov politics bs

correct.

the level of unsubstantiated cope in this thread is mind boggling. from people many of whom should honestly know better.

always listening

i never claimed always, i specifically advised op to refrain from claiming always.

how can you pretend to represent a sound scientific approach when you misrepresent the scientific claims made in sources you cite

piss easy

many domain experts dedicating significant resources to it’s study

pick one.

when your sources repeatedly don’t say what you claim they say, maybe its time to revisit your claims ;)

Of course a researcher is never sure something is 100% ruled out. That’s part of how academic research works.

once again, that isn’t what they were reported to have said. [and researchers don’t need to repeat the basic precepts of the scientific method in every paper they write, so perhaps its worthwhile to note what they were reported to say about that, rather than write it off as a generic ‘noone can be 100% certain of anything’] it’s a bit rich to blame someone for lacking rigor while repeatedly misrepresenting what your own article even says.

what the article actually said is

because there are some scenarios not covered by their study

and even within the subset of scenarios they did study, the article notes various caveats of the study:

Their phones were being operated by an automated program, not by actual humans, so they might not have triggered apps the same way a flesh-and-blood user would. And the phones were in a controlled environment, not wandering the world in a way that might trigger them: For the first few months of the study the phones were near students in a lab at Northeastern University and thus surrounded by ambient conversation, but the phones made so much noise, as apps were constantly being played with on them, that they were eventually moved into a closet

there’s so much more research to be done on this topic, we’re FAR FAR from proving it conclusively (to the standards of modern science, not some mythical scientifically impossible certainty).

presenting to the public that is a proven science, when the state of research afaict has made no such claim is muddying the waters.

if you’re as absolutely correct as you claim, why misrepresent whats stated in the sources you cite?

no, they don’t

Please be careful with your claims.

In my experience, whenever investigating these claims and refutations we usually find when digging past the pop media headlines into the actual academic claims, that noone has proven it’s not happening. If you know of a conclusive study, please link.

Regarding the article you have linked we don’t even need to dig past the article to the actual academic claims.

The very article you linked states quite clearly:

The researchers weren’t comfortable saying for sure that your phone isn’t secretly listening to you in part because there are some scenarios not covered by their study.

(Genuine question, not trying to be snarky) Will you take a moment to reflect on which factors may have contributed to your eagerness to misrepresent the conclusions of the studies cited in your article?