I switched to using PWAs for social media apps for similar reasons the author outlines. A pleasant, but somewhat unintended consequence is that I just use them a lot less because the experience is pretty bad. It makes me a little sad because I’ve always believed in the PWA dream, but the reality is that they’re bad because companies certainly don’t want to make an experience that rivals the app they really want you to download.
Expected, but just leads to reinforcing the idea that PWAs won’t ever be as good when every one people try from someone with a popular app is so awful.
What's funny is that desktop versions of websites in a lot of cases are responsive, and work fine on small screen. BUT at the same time the mobile version is crappy and lacks some features (or just shows "download our app").
Recently I've set up Firefox on Android so that it always runs in desktop mode. I needed to also change screen width in about:config, because otherwise everything is too small. But after this websites seem to work better.
Quite likely that the site has a mobile "mode" and a small-screen mode (for desktop), each made by different teams. Some mobile-mode websites are fine, but others suck. Whereas the small-screen mode for desktop tends to be made by the same team/person as the main site (it's a CSS media query after all) - so it's likely to be more coherent.
Alternatively, you can download Firefox Nightly instead of regular.
"about:config" just works in Nightly. No fuss.
You can sideload extensions in Nightly, too, after you activate the developer options. I don't think they've added that to regular, as yet? At least not with as much flexibility.
Anyway, I'm gonna try this mobile desktop mode thing and see how it goes. Thank you to everyone!
And you don’t realize that social media apps put cookies on other websites so they know you have been to another website and then start showing you ads based on your interests?
Apps can’t tell what you do in other unaffiliated apps nearly as easily at least now on iOS that there is no globally unique identifier that apps can use to track you.
Apps require you to sign in so they've got you immediately. They can share all your activity with whoever they want. Websites (many) do not require you to log in (YouTube, Reddit, Hacker News, etc.).
Apps also try to open all links into their own webview, a webview in which they can track all activity.
All privacy-respecting browsers block 3rd party cookies by default now, which prevents that kind of tracking. There's still other forms of fingerprinting they can use, but those can be used in apps as well.
But I guess apps can run web views that have access to all the same fingerprinting as a standalone browser, minus any ad-blocking plugins (on iOS at least)
With a browser, you have the ability to block cookies, block whole hosts/domains, alter DOM content, alter tracking URLs, and (often) disable low level features you don't like. With apps, not so much.
And still waiting for examples of how apps can track you better. If the server wants to track you by your originating IP, all of the client side blocking will do nothing
What is your definition of "track you" in this context?
If it's to pinpoint a unique device accessing a website even through VPNs and/or other IP changes, there are an untold number of ways that apps can track you better than a website.
Apps have access to many device-specific APIs in addition to all the web ones, and every additional bit of information used can be added to the mix to create an even more unique fingerprint of the specific device accessing a website.
For example with phones, an app (even if it's mostly just a webview) may now also have access to your phone model, phone number, maybe your contacts or GPS location, and many other things.
A website can easily deduce your phone model based on the browser agent attribute which tells the operating system and the screen resolution with a fair degree of certainty. An app can’t get your phone number; it can get your GPS with your permission. But so can a web page with your permission. There is a standard JavaScript API for it. Contacts are also gated by permissions.
Some apps can/will detect that an OS-level VPN has been activated though, and refuse to work at all. Spectrum TV does this for example, as well as some banking and other types of apps.
Yes and sites can also fairly reliably detect when a user is coming from a well known IP address block belonging to a VPN or VPS provider. It’s a built-in feature of, I know, at least AWS.
Assuming you are using a "well known IP address block belonging to a VPN or VPS provider", yes, but it is also possible to set up VPNs/proxies outside of well-known IP blocks.
PWAs can be good, but for a lot of social media, they're only as good as their website experience. Many (most) companies seem to make their website intentionally slow and buggy, probably with the idea that users only need to use their web UI for a short while because they lost access to their apps or something.
For instance, I've installed Mastodon as a PWA and it performs great. Photoprism also works so well I haven't even bothered to look for an app.
The absolutely batshit insane part is that the 'native apps' are almost certainly created using web technologies which call the exact same APIs as the web app.
There's zero reason the web apps should be so slow.
You can't use Facebook Messenger on the web at all, unless you go to Facebook and switch to the desktop version. Then it's a simple matter of zooming in without accidentally clicking anything, using their fiddly interface to load up the conversation you're interested in, and get bounced around the screen as the input focus changes around.
Puzzled because I use Messenger web version all the time on the laptop. Works pretty normally. I don't use Facebook usually. Maybe if they detect a phone they refuse?
Usually they only break the mobile websites. They know they won't get people to install programs on their computers for "online things". Not least lots of people don't have admin rights in their computers, but also people are used to accessing "online things" via browsers on computers rather than an app per website.
But, they've managed to make "phones use apps, not browsers" a social norm that enough people accept tacitly, perhaps because near enough everyone has the ability to install apps on their own phones.
On iOS devices you can turn off the ability to allow apps to wake up on a one by one basis “background refresh”.
And if you are concerned with your privacy, it’s nonsensical to buy a phone run by an adtech company that only made the operating system in the first place to sell ads and collect your data
PWA with permissions granted gives access to:
Location, create notification, phone state, phone #, IMEI, motion data
Mobile app with permissions gives access to:
EVERYTHING a PWA gets PLUS contacts, SMS, notification content, biometrics data, web browsing data, phone activity history, location history, camera access, microphone access, NFC access, near device history, nearby Wi-Fi listing, saved Wi-Fi networks, Bluetooth device ID, Bluetooth beacons nearby, some device settings, personal data access (photos/music)
Maybe on Android. Literally half of that shit isn’t accessible by iOS apps even with full permissions. This feels like you’re just throwing shit against the wall.
I was wondering if it's just me. I am using Brave on iOS with all the possible blockers enabled, so I'm not surprised when some website doesn't work well. Instagram literally freezes solid after 5-15s of being on the website, so I usually only quickly scan the top 2-3 posts in the feed. I only follow people I know personally, so this is usually enough to do once or twice a day and stay up to date. If I see a close friend posted a story I kinda want to see then it usually takes two or three hard closes of the browser to actually see it. Sucks, but sucks less than being mental gamed into doomscrolling every time I get an app notification.
By the stopwatch it takes 3x longer for me to upload a photo to the Instagram web app than it does to Mastodon. Facebook's blue website works pretty well but the Instagram site comes across like something that was vibe coded in a weekend or maybe a straw man that was made to prove SPAs are bad. Contrast that to the Mastodon application produced by a basically unfunded application that's fast and reliable.
Just hours ago I couldn't even copy-paste a description of a post I drafted in another app. Literally nothing happened when I tried to paste. No console errors, no feedback, nothing.
It was a bit of a longer one, but still far below Instagram's supposed character limit. The fact that they somehow broke copy-paste functionality really baffles me.
Surely at some point some team that writes this has to demo it and someone checks it. After however many years of it not working, surely that's strategic, not accidental.
It's such a pervasive pattern and somehow always in the direction: the app works better than the website. If there even is a website.
Sometimes it goes the other way, in fact enough it's a running gag that the banner that says "Download our app for a better experience" at sites like Reddit ought to have one of these
I don't know if big companies even know how to make web apps. Honestly. Which is extra insane to me because there's so much investment in web technologies. On my team at $BigTech there's like 1 or 2 people out of 30 people on our team that know web, the rest are mobile. I'm a web guy but I refuse to touch our web-app because they butchered the tech stack and I don't have the energy to deal with that BS. We still have a mobile-web version distinct from the 'desktop' version because... I don't know why, whoever wrote it never learned about responsive web design and we never bothered to move out of the stone ages because if people want to use the app on their phone, they should download the native app of course! And by "native" I mean we built our own half-baked framework so that we could cross-compile for Android and iOS.
Also I don't think these people know how capable PWAs are. There's very little you can't do in a web-app that you can do with a native app.
I have had a FOSS web app for learning arithmetic for quite a few years. I occasionally review it, and make changes. Each year Chrome and Safari both nip at the edges of what allows a PWA to be OK. No one really cares until one has to write documentation helping folks install the PWA and avoid issues that did not affect the PWA a few years ago. I mean really, are Tim and Sundar really that afraid? I guess so. They have dozens of millions on the line. Capitalism... gotta luv it.
Hmm, I'm making a site and I planned on using a PWA for the app experience instead of a native app. Am I setting up for a bad time? I'm not too worried about the installation hurdle, my potential early adopters are motivated and smart.
If you're using React, I'd recommend using Silk (silkhq.com) to create native-like bottom sheets, pages, sidebar, etc.
Most animations, including the swipe, are hardware-accelerated, and it deals with a lot of common issues you encounter on the mobile web (body scrolling, on-screen keyboard, etc).
Native phone apps give me the creeps. I assume the developers are able to track me in various ways even without my giving permissions. Is that an unfounded fear on my part?
Can an app uniquely identify me if I don't give it control over my phone number / nearby devices?
Can apps geo-locate me if the location permission has not been granted? (seems like they could just make a network request to their servers and use the IP address of the request for a rough idea).
I _really_ wish using the network was a permission (even if it was an "advanced mode" thing).
Android 15 supports Private Space [0] that is essentially a separate profile you can install apps into that you can put to sleep. Basically I put all low trust apps into it, but can still access easily enough.
Network is a permission on Android, it's just that phone manufacturers and likely Google don't want you to be able to control it. Most custom ROMs, including GrapheneOS expose it properly, often at the install dialog.
Some time ago, I used a module for Xposed on Android called XPrivacy which did exactly that. Yes, creepy app, you can have my location. It's Antarctica.
It does look like Xposed has successors, but my current approach is to just be selective about installing apps.
I use NetGuard and forbid network access by default for all apps. Mildly annoying for apps that need network access as I have to approve, but it's worth it.
The vast majority of apps need to use the network, at least sometimes. E.g. turning network on to download podcasts then off to listen to them is annoying.
Depends on what apps you are installing. I love denying access to the network for games. It removes almost all ads from them. Even beyond full deny access, NetGuard gives you a lot around the conditions in which an app can access the network. I'd prefer if I didn't have to do any of this and the OS was on my side though.
On an unrooted Android you could use App Ops to do some of that with Shizuku.
I assume they don't expose it to users because once most people start to do that apps would start to implement detections, like if it spoofs your location to a certain area then that area will get you a "permission denied" error anyway, or I believe some apps do check that if your contact book is empty it assumes you didn't give the permissions. It'd become a lot of work to implement a convincing spoof for most permissions to be blocked.
On the Play Store you can see the permissions that an app uses and they are grouped by category. "Have full network access" is set in the "others" category, same as notifications and vibration. This is a category where (supposedly) permissions are automatically granted.
But to be honest, other similar dangerous permissions like "view network connections" and "receive data from internet" are also there, categories are for "camera", "microphone" etc.
I suppose that the average user is more concerned about specific features, and since basically almost all apps require internet it may be there to avoid noise.
Still, an "internet" category would have been nice...
The reason why internet access/downloading from the internet isn't a "major" permission is that asking about it would let people conveniently disable it for any offline apps with ads in them to remove the ads. Google doesn't like that, obviously. Of course, you can still disable your wifi/mobile data connection entirely, but it has friction that most average consumers won't trouble themselves with. But if the app asked if you wanted to give it internet access on launch, Google's ad revenue would probably be visibly affected.
In the beginning of Android / iOS, just installing an app and registering was enough for the company to get your device's MAC address and thus your indoor location with accurate precision.
They could access your Wi-Fi network's BSSID (whose location is often public due to wardriving databases), and in public places, they had partner companies (malls, airports, etc.) whose routers would triangulate your position based on Wi-Fi signal strength and share information like "John is in the food court near McDonald's."
All of this happened without you even needing to connect to their Wi-Fi, because your phone used to broadcast its MAC address if the Wi-Fi was simply on. But now your MAC is randomized, though it took a lot of time for Google / Apple to do this.
What do you mean? The MAC address is used to identify the device within the same network segment. A program running on the device cannot derive location information just from the MAC address. It's a meaningless number. What the MAC address can do is make you visible to other devices in the same network segment. So for example, a wireless router can know you're nearby because your known MAC address has joined the network, but this is a problem regardless of what apps your phone is running.
That's what the GP was saying, I think. Once they get the MAC address, they can find you. Not via software on the phone, from exfiltrating and using shady third parties that collect data from access points, etc.
Okay, but if there's collusion between the app developers and external routers then it doesn't matter if the MAC is randomized. The app can still see the current MAC address and report it, and you can still be located, if nothing else, to within the range of a wireless router. Nothing is solved by randomizing the MAC address.
An app can use the VPN API to intercept network traffic. This is all done with plenty of security popups (one to inform you an app is trying to register as a VPN, then another popup when it's first activated, and then while it's active there's a permanent notification that says "your connection may be monitored" with a quick button to kill the VPN).
The API is supposed to let apps do things like "route intranet/corporate app traffic over a VPN, let other traffic go through", but you can just as easily use it to drop traffic destined for certain addresses (such as ad servers), or to drop all traffic for specific apps. It's also possible to make decisions like "let this app connect to the internet on wifi but not on data".
It should be noted that system applications (phone OS, Google, sometimes carrier apps) can bind to specific network interfaces bypassing this API entirely. This means you can't use this API to 100% block internet access to preinstalled apps, even though apps will need to explicitly implement networking code to bypass such firewalls.
It should be noted that Google doesn't really like apps abusing the VPN API like this, in past because of the massive privacy risk. Google cut a bunch of these apps from Google Play, though there's not much they can do about APKs you download from F-Droid or github.
> should be noted that Google doesn't really like apps abusing the VPN API like this
Not really.
Only apps that use the VpnService and have VPN as their core functionality can create a secure device-level tunnel to a remote server. Exceptions include apps that require a remote server for core functionality such as:
- Parental control and enterprise management apps
- App usage tracking
- Device security apps (for example, anti-virus, mobile device management, firewall)
- Network-related tools (for example, remote access)
- Web browsing apps
- Carrier apps that require the use of VPN functionality to provide telephony or connectivity services.
> It should be noted that system applications (phone OS, Google, sometimes carrier apps) can bind to specific network interfaces bypassing this API entirely
Whilst this is true for Android (connectivity checks bypass VPNs, as do VoWiFi and Hotspot traffic) [0], other OSes are known to do the same thing: https://news.ycombinator.com/item?id=24838816
Their official policy (can't find the up-to-date link because Google's documentation bitrots faster than any other website on the net) over at https://archive.is/OPg2g clearly stated:
The VPNService cannot be used to:
- Collect personal and sensitive user data without prominent disclosure and consent.
- Redirect or manipulate user traffic from other apps on a device for monetization purposes (for example, redirecting ads traffic through a country different than that of the user).
- Manipulate ads that can impact apps monetization.
Google has also removed/threatened to remove prominent firewall VPNs for bullshit reasons (claims that apps violate random policies), though that may just as easily be random Google bullshit fallout every Android developer needs to deal with.
> Whilst this is true for Android (connectivity checks bypass VPNs, as do VoWiFi and Hotspot traffic) [0], other OSes are known to do the same thing: https://news.ycombinator.com/item?id=24838816
You're right, of course. Unless you own the kernel on every SoC running on your system (including the modem), you should always assume there's a possibility of network traffic leaking through firewall APIs.
On Android specifically, though, there is a significant chunk of users that will want to restrict the built-in apps because carrier-installed apps or shady Chinaware that come with cheap phones cannot be disabled by default. Other platforms usually don't have this type of malware baked into the OS in a way that cannot be removed. Apple's questionable privacy decisions are a lot less worse than what some people try to block with these firewalls.
> Google has also removed/threatened to remove prominent firewall VPNs for bullshit reasons (claims that apps violate random policies) ...
I co-develop one such open source "firewall app" for Android, and you're right that apps like ours have been previously removed for blocking ads out-of-the-box. But, removals also happen due to stricter rules/policies that apply to apps using VPN APIs.
Note that, of late, many popular apps ad-blocking out-of-the-box (like the DuckDuckGo browser with app tracking protection) haven't been removed.
> Unless you own the kernel on every SoC running on your system (including the modem)
I get your point but don't think even a rooted (supervisor) Kernel gets you much guarantee as there always could be a higher privileged hypervisor controlling it.
> Apple's questionable privacy decisions are a lot less worse
They've improved post Celebgate yeah, but the duality is such that... Apple is one of the largest buyers of user data aka "market intelligence" (per folks I know who work in this domain) that (presumably) these other shady apps collect.
No, not generally. A firewall app could include an OpenVPN/WireGuard/etc. client to serve both purposes, but by default you'll have a hard time getting more than one VPN app to work at the same time.
Simply your IP address can be used to track you so any app or website you visit knows roughly where you are with every http request unless you use an always on VPN. It can also fingerprint you in various ways without the need for any special permissions.
Agree with you about fingerprinting (also a bummer). I guess the difference here though is that I must be actively engaging with a website in order for it to be tracking me, but an app (I assume) can be tracking me basically whenever it wants.
An app on iOS doesn’t just run constantly in the background unless it’s playing sound or using the GPS. For almost everything else you can explicitly turn off “allow background refresh” on a per app basis
At the very least the VPN provider promises not to and their reputation depends on their not being caught doing this. Whereas your ISP and various sites you visit will already be collecting this data no matter what.
iOS always asks for permissions. I suspect the same is true for unrooted Android.
But the general pattern is that you install some stupid vendor crapplet, and the first thing it does, is ask for every permission on your phone. Native apps can access a lot more stuff than ones restricted to a WebView sandbox. That's why they want you to use them.
They can "fingerprint" devices more easily. They have access to all kinds of subsystems, like Bluetooth, NFC, gestures (at low level), etc. Many require the user to give permission, but the first thing the app does, is ask for permission. As long as the statement in the request passes Apple muster, the app won't fail review, I seriously doubt that Apple will test after the app has shipped, to make sure that they stick to their word.
Some of this can be caught by the App Review process, if they do things like access private APIs, but we keep reading about clever app developers (and there are a lot of really smart crooks out there) that can fool the App Review testers. I read about a dodgy app that detected when it was in review, and modified its behavior (ala Volkswagen).
Really, I am not sure if there's a way to ensure the app works the same after review as during. I would probably put a 4-day timer on it, starting the day of submission. After the timer expires, the app starts accessing private APIs via a hand-coded assembly interface. I would hope that Apple has already thought about this (It wouldn't be too difficult to test - just run it on a device with an advanced clock).
> They can "fingerprint" devices more easily. They have access to all kinds of subsystems, like Bluetooth, NFC, gestures (at low level), etc. Many require the user to give permission, but the first thing the app does, is ask for permission
So it’s a great conspiracy that apps have permission to do things after you explicitly give it permission?
No one is claiming that the app review process helps protect your privacy. The challenge is to find something a native app can do surreptitiously to track you more than a website without you giving it permission bypassing OS safeguards.
And on iOS an app can’t access your NFC chip without you giving it permission.
“Running machine code” is not a security vulnerability. If your browser isn’t secure all sorts of exploits can happen from a web browser. That’s how a lot of the early iOS jailbreaks worked.
I used to write machine code, but I don’t, anymore. I am quite aware of how powerful it is, so I have to assume that the very smart people at Apple -who deal with current-day machine code- have a handle on dealing with it.
You didn’t state one example where it bypassed the sandbox. All apps on iOS are compiled to assembly. If writing in assembly magically bypasses a well designed OS’s security model, we are in trouble
You realize that if you are concerned about apps tracking you without you explicitly giving it your location, a website could do the same since there are browser APIs that can retrieve the same information only gated by the same OS controls?
When you go to a website, they have always known the originating IP address.
Not entirely true. Browsers are paranoid by default (because visiting a website is as easy as clicking a link). Operating systems aren't (because the user explicitly installed an app, it's been "vetted" by app store experts, and because... well, the OS vendor wants you to build native apps and not a website, so they have to make it worth the extra trouble of building a separate app for each platform instead of one website that works everywhere).
Also, browsers tend to bring their own sandbox (on top of what the OS already does). For example, Chromium was able to mitigate Meltdown/Spectre before OS vendors shipped an update (except on iOS where browsers can't bring their own engines, so iPhone users had to wait for Apple to ship an OS update...)
Again why would you think Apple the browser maker would be any more or less careful about Safari not allowing websites to access your camera, GPS, photos than Apple the operating system maker?
No one thinks that app review is what stops malicious apps from circumventing permissions. It’s the operating system itself.
And you really don’t want to compare the state of iOS updates to the state of Android updates do you?
Controlled by the same company that wrote the OS in case of Chrome on Android and Safari on iOS. If you don’t trust the operating system to do the right thing on the OS level why do you trust the same company to do the right thing in the browser?
100% agree. The level of tracking has gotten to absurd levels.
I needed a couple of grocery items and happened to be next to an Amazon Fresh. Cool, let’s try it! Went in, found everything I needed and went to self checkout. When it was time to pay, the machine wouldn’t accept Apple Pay. I ask an employee who helpfully informs me that I can pay with physical cards or my Amazon account.
I didn’t have my physical cards, nor wanted to do my Amazon account so I had to leave empty handed. Why don’t they accept Apple Pay? Because they can’t track you. If you use a physical card, they can likely link that card number to an Amazon account and thus attribute the purchase to a person. If you pay with contactless payment they get a one time token that they can’t tie to anyone.
IIUC, contactless payment via apple pay does have a secondary card number of sorts that's linked to your original card.
I once accidentally paid for AppleCare with apple pay (a mistake), so when at some point I switched phones I had to get new secondary card numbers tied to my physical cards. The old secondaries went away when I wiped my old phone, so AppleCare was no longer able to draw the monthly payment. The number in the invoice was likewise not the original physical card number, but some other number.
Whether the secondary numbers are easier or impossible to track is certainly a question, but I believe there's always a number.
Walmart is the same. I believe it's very very slightly more expensive to process Apple Pay payments (Apple's getting a tiny fractional amount of the sale), and this was the actual sticking point.
Walmart rolled out their own QR code payment plan just so they didn't have to revshare anything. When you're the size of Walmart, you can get away with those types of decisions even though they are technically very much inferior
Payment services like credit cards demand a significant fee for a (nowadays) technically trivial service: instant cash-free payments. These could be replaced with modern instant bank transfer standards, like FedNow in the US:
These don't require external middle men (like credit card companies) and are therefore almost free. Unfortunately the US is late to the party (in India and some other countries these are already widely used for years), so many banks don't support FedNow yet.
If they were really concerned about interchange fees, they wouldn’t accept American Express cards either. The difference between the interchange fees of Visa vs Amex is much greater than tap to pay versus non tap to pay.
There is a reason that there are a lot more places that don’t accept Amex than don’t accept tap to pay. You see this a lot internationally.
Just this year alone, every mom and pop place I went to in Costa Rica, Canada, UK and France accepted Apple Pay but only merchants in the UK widely accepted Amex.
Costco used to take exclusively Amex. So it is possible.
In any case, it’s not only the transaction cost but also the availability of an alternative. Forcing a different credit card network is different friction than forcing swipe vs tap. (Or using the Walmart app.)
Do you have any evidence that Walmart negotiated a special deal with Amex to lower their fees to match Visa and MC?
There are plenty of companies that don’t accept Amex and every Amex user knows that they need to carry a non-Amex card with them. Either that or they have never left the country which is doubtful for the Amex demographic.
And I have no idea why this is even an argument on a post about companies wanting you to use their app
No, they don't. Apple isn't involved with the transaction processing at all, the phone just acts as an EMV device to transmit the payment details to the terminal.
One possible future to look forward to is one where everyone is essentially forced to become a commodity player that exposes an API for your AI Agent to order food, book a rideshare, book a ticket, check flight status or whatever. I don't think they'll go willingly but the market may force their hand.
"never hand your phone over the counter" - do people actually hand over their phones to random strangers? I'd never do that unless I really know the person
Yeah I've seen younger people hand it over to railway workers, airport gate agents, event employees etc whenever something does not immediately work or the worker has a query. Very reckless and pretty common
Incredibly concerning, but it's just another outcome of anxiety disorders
Blogger in question here, Taiwan is so utterly app dependent it's a pretty common thing at banks, hospitals etc. And the apps here have so atrocious UX that nobody bothers to teach you how to use them, staff are used to just doing things for e.g. old people that can't figure it out.
Giving your phone number is just as bad. I was buying stuff at World Market and they had big signs touting 20% off some things... but when you got to the counter they told you that you didn't get that unless you coughed up your real working mobile number so you could receive some BS code.
There are actually phone numbers that post all text messages they receive online automatically. Personally this has never worked for me though, because for all the services I tried to sign up for, someone else had already used that number.
I'll do you one better, download a no root firewall that channels all of your traffic through a fake VPN which then drops it. You will be amazed at how many ads you don't see.
Obviously if you're not competent or are lazy with whitelisting apps when you need them to use the internet and then disabling it again this will be unhelpful to you; continue to feed the machine.
I am not super technical (blue collar electrician) but I use a PiHole (/r/PiHole or Pi-Hole.net) to block the majority of online tracking/advertising.
Extremely intuitive, relatively inexpensive... you can even force your entire network to obey ad-blocking lists (I tell my DHCP router to issue DNS lookups to PiHole; if individual machines need to be un-filtered they manually set DNS to 192.168.0.1 [router] instead of default PiHole).
I don't carry a cell phone / use apps, but I know there is a method to make your on-the-go queries also filter through your home network's PiHole.
I also use a pi-hole, but I have had to mess with the configuration and troubleshoot things so often that I don’t feel comfortable recommending it to non-technical people.
I also think the average person is more likely to need this on a cell phone almost exclusively.
>I don’t feel comfortable recommending it to non-technical people.
Everybody is so "¡wow cool!" about Pi-Holes, until a desired website breaks... and then DNS-filtering gets temporarily disabled, typically forever.
So definitely requires a semi-technical person to maintain complex lists... my home network features separate PiHoles: one is default issued, via DHCP (with minimal blocklist), primarily for guests/IoT/fallback; the second filter is manually-configured as DNS on only my devices (it breaks just about anything I haven't whitelisted).
This allows a third option, which has users manually entering their router IP as DNS (bypassing all PiHoles, relying upon ISP's upstream DNS resolution)... but if you don't manually set a DNS, the DHCP still resolves to a minimal seven-rule blocklist.
----
There is apparently a method of using pfsense to capture all network DNS requests and then run them through a default local resolver... but I found it easier to just use DHCP to issue local DNS IP (am only semi-technical, myself).
Very similarly, I use NextDNS, with all the filters enabled except few exceptions that I manually add.
It's basically like a Raspberry Pi hole; but on cloud, very easy to configure and with so many options and ready-to-use blocklists. It's free up to 3 million queries a month.
On Android there's a gotcha - google play services is capable of acting as a transparent proxy so remember you MUST also disable google services framework / play services internet access to truly block some apps from using the web (I learned this when a webcam app 'icsee' bypassed the VPN firewall by using play services proxy network access).
There is a bug in older android which allows data to leak past the VPN while the device is starting and if you disable/enable the VPN connection mid connection.
Facebook appears to have a caching component as it will send a large databurst when its connection is restored.
Here's a typical article but the reason firewall isn't standard is you won't get ads and that juicy data stream stops. You will find some apps punish you for restrictions to their internet - learn which ones and uninstall them.
https://www.airdroid.com/mdm/android-firewall-settings/
> A company will know that you just got paid and so charge you just a bit more for your chicken nuggets than they do when you haven’t been paid in two weeks.
I know there's various data apps can collect. On iOS at least it seems like you have to grant permission for the app to access most of it. But how on Earth is this supposed to work? How does the app on my phone know if I just got paid?
Author here - they can only do surveillance pricing on you if they know who you are when you're paying. They can't do that at a kiosk or counter because they would only know who's paying when you use your credit card and have already seen the bill.
If you use an app they already know who you are and so the second you open the app it's showing you the surveillance prices.
> I’ve had shop staff tell me about some discount if you download their app, and when I decline, say something like “It’s really easy! Here, just give me your phone and I’ll do it for you.”
This behaviour is pretty prevalent worldwide, I believe. Especially the phone plan setup use case happened to me in Bangkok, too. This happens to me in India at gas stations, cafes and even local supermarkets. All want me to install their apps, and the first step is to log in with my mobile number.
With auto-detection of mobile numbers/Google Accounts on Android, it's even easier to create an account in one click.
indeed, been preaching this kind of thing for ages. the main apps i keep on my mobile are my web browser, my comms apps (element, telegram and signal), and some other stuff from f-droid like retro music, ffupdater, newpipe, termux and stuff like that.
any social things i add as pwa through the browser.
not interested in any of those fast food or store apps. never selling ad-space (and privacy) on my own device to save $2 on a hamburger and some fries, and even if i did want them, chances are high they wouldn't run on my device anyway (feature not bug) lol
thankfully in my area, we have some good local places where you can order food just fine over their website. and if it didn't work over the website, i can simply do it the old-fashioned way, pick up the phone and say "i'd like to place an order for XYZ.."
Android has some viable non-root "application firewalls" or other apps that use Android's VPN functionality to filter traffic. These can prevent apps, including system apps, from accessing remote servers, e.g., DNS resolvers, ad/tracking servers, etc. There are also Android apps that can automate killing apps that try to run in the background
Not sure iOS has anything equivalent
The problem with "apps" isn't the surreptitious attempts to access remote servers for data collection, surveillance and tracking/ads. Websites do more or less the same thing. The problem is that the corporate mobile OS sucks, it's user-hostile and exceedingly difficult to try to control
The advantage of websites is they do not require using a computer running a corporate mobile OS
The corporate OS may also include terms requiring arbitration to resolve disputes
At least in the case of Android, an advertising services company OS, those terms may be on a remote server (owned by the company), not on the computer owned by the "user".^1 As such, the user may block access to them along with all the other advertising-related garbage
Using the website doesn’t get you around these clauses either. It’s more like “don’t agree to terms you don’t read”. Chatgpt can help spot things like this without much effort now, but about every single business is going to have an arbitration clause.
It's definitely dystopian: "we reserve the right to be judged by the judge we have been treating to yearly all-inclusive vacations and to whom we've been paying his grandchildren's college tuitions."
Generally agree with the sentiment, I basically only have banking apps, messaging apps, and a browser on my phone.
I am skeptical, though, of the price discrimination claims. If McDonald's decides that the right price of a Big Mac for me is $1 and for you $4, that creates an arbitrage opportunity. You can pay me $3, and I pocket $2. The result is that I buy more big macs, and they bump my price up. You buy less, and they take your price down. Now it just trades at the market rate it was before, but with more steps.
Arbitrage between McDonalds burgers doesn’t really work. It’s not a meaningful open market - someone paying $1/burger can’t go in and buy 100 burgers and sell them to someone else for $3. For one reason, it’s illegal. For another, no one would buy them, they’d think it’s a scam.
At least in most areas of the US, selling food is illegal without various inspections, a clean commercial kitchen, and so on. There are usually exceptions for homemade baked goods and prepackaged goods, but nothing that would apply here.
This assumes the information is clear and consistent enough across time and distance for arbitrage to happen. Pricing in-app, per customer, changing per day would introduce too much unpredictability for most customers to attempt arbitrage. If people in a group all check their apps, and the person with the best prices orders for everyone, it could work in the context of a shared meal.
But imagine trying to sort out X number of people who each want a different basket of items from, say, the Walmart app. Each of those items fluctuating daily in price for each customer independently makes arbitrage almost prohibitively difficult to coordinate.
The best case scenario is something like Steam sales, where a wishlist function notifies you when items you've "watched" are on sale. There are third parties like, for example, Deku Deals that track this pricing data across time for console games.
But Amazon is already trying to banish external AI agents from any access to its data. And what does a price history graph even mean if prices are specific to each customer and stochastically varied each day to induce impulse purchases?
what stops anyone from creating a third party order book that allows people to submit bids and offers on price discriminated items? It can match buyers and sellers just like a stock exchange.
The vendors who want you to just buy things in their app will treat any such exchange adversarially, and will ultimately always have the upper hand.
They can respond with litigation, as Amazon already is against third-party LLM agents accessing their marketplace. They can respond by banning accounts for violating the terms of service, making examples out of those who profit the most. They can watch the external marketplaces and cancel (undelivered/unfulfilled) sales they believe are linked to arbitrage.
All they need to do is make it inconvenient enough to discourage 80-90% of customers from participating in arbitrage.
But they are doing this all for what? Won't the market average out to the same unit price at the end of the day even if they can successfully create discriminatory spreads?
Think more in terms of behavioral psychology rather than idealized market dynamics which require rational actors and easily accessible information. Each corporation wants to optimize their customers' behavior for efficient extraction of wealth.
They want each customer effectively siloed in an ephemeral, eternal now: whatever the phone screen presents in this moment, and little else. The consumer may have a few scattered memories for context when presented with a potential purchase, but ideally isn't tracking prices or doing much research. The goal is to create those circumstances and (within them) reduce friction spending money as close as possible to zero.
Do that to as many customers as you can. Subvert their software and turn their own computers against them to achieve it. Instill learned helplessness and stimulus-response leading to purchase. Unit price and revenue will sort themselves out once you have a bunch of addled addicts staring at your shiny products in a digital environment you design and control.
That's the game. And that's why these companies will oppose arbitrage with all they can bring to bear, and fight with the brutal jealousy of gangs defending turf.
And surely a for-profit extrajudicial court system that holds a monopoly on extrajudicial courts is going to be a fair and impartial resolver of disputes, especially when the defendant is essentially a valued repeat customer and the plaintiff is some nobody and not a major revenue source. What could possibly go wrong?
Arbitration between businesses acting in good faith makes perfect sense. Arbitration between an individual customer of a large corporation is nothing but a violation of that individual's basic rights.
They are locked in by the arbitration agreement. No matter how many times they rule in the consumer's favor, Disney would still have to pay filing fees every time a consumer filed.
If the arbiter was actually biased you can challenge it in a real court.
I'm interested in people that still have faith in the USA court system.
I just checked, Disney's market cap seems to be around $140,000,000,000. If you were to be forced into arbitration, lose, and then attempt to demonstrate that the arbiter was biased and challenge such in court, do you really think that would work before you ran out of money? How many people in America do you think have enough money to bring that case to trial?
This is all true. But I work in a company where the folks are actually nice guys. Lately we wanted more people to use the apps so we could block bots more aggressively on web because it is getting annoyingly expensive
All the banks I have an account with here in India require SMS permission to use their apps, along with . The last straw was HDFC with their latest app revamp.
LOL in the name of security, HDFC is trying to move their OTP verification to be almost entirely app-only, (not open-source TOTP which can be generated by authenticator/any other auth app; you can only use HDFC's app for that even if you want to log in via desktop).
I think that’s pretty common worldwide. In Australia I’ve never encountered a bank or government service that allows any widely accepted secure 2FA. It’s always SMS or their own app. There used to be physical hardware tokens as well but they are going away.
I don't even care that much if they want to handle the 2FA with their proprietary methods. There are Android APIs that broker the OTP SMS delivery to the app without the app needing full access to the phone's messages.
If they can't do it on iPhone, they don't need to do it on Android.
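The comment above does not name the API; one mechanism of this kind is Android's SMS Retriever API, where the OS hands an app only those messages that carry an 11-character hash derived from the app's package name and signing certificate. The following is an added example, not part of the thread and not Google's code: a Python model of that matching, in which the `SmsBroker` class, package name, certificate bytes and messages are all constructed for illustration.

```python
import base64
import hashlib
import re

MAX_SMS_BYTES = 140  # documented size limit for a retrievable message
HASH_CHARS = 11      # length of the app hash carried in the message

# Constructed stand-ins for the DER bytes of two different signing certificates.
GENUINE_CERT = bytes(range(32))
REPACKAGED_CERT = bytes(range(1, 33))


def app_hash(package_name: str, signing_cert_der: bytes) -> str:
    """Hash binding a message to one package name plus one signing certificate:
    SHA-256 over "<package> <lowercase hex cert>", base64, first 11 characters."""
    material = f"{package_name} {signing_cert_der.hex()}".encode("utf-8")
    digest = hashlib.sha256(material).digest()
    return base64.b64encode(digest).decode("ascii")[:HASH_CHARS]


class SmsBroker:
    """Toy model of the OS-side broker. Apps never read the inbox; they register
    and the broker decides which single message, if any, each one receives."""

    def __init__(self):
        self._listeners = set()  # app hashes with an active retriever

    def register(self, package_name: str, signing_cert_der: bytes) -> str:
        h = app_hash(package_name, signing_cert_der)
        self._listeners.add(h)
        return h

    def route(self, sms_body: str):
        """Return the hash of the registration that receives this SMS, or None
        when the message stays visible to the user's SMS app only."""
        if len(sms_body.encode("utf-8")) > MAX_SMS_BYTES:
            return None
        for token in sms_body.split():
            if token in self._listeners:
                return token
        return None


def extract_code(sms_body: str):
    """App-side parsing of the one message it was handed: first 4-8 digit run."""
    match = re.search(r"(?<!\d)(\d{4,8})(?!\d)", sms_body)
    return match.group(1) if match else None


def run_demo():
    broker = SmsBroker()
    bank_hash = broker.register("com.example.bank", GENUINE_CERT)
    # Same package name, different signing key (e.g. a repackaged build).
    repackaged_hash = broker.register("com.example.bank", REPACKAGED_CERT)

    otp_sms = f"Your ExampleBank code is 482913 {bank_hash}"   # constructed
    personal_sms = "Dinner at 7? Bring the 123456 tickets"      # constructed
    oversize_sms = "x" * 130 + " " + bank_hash                  # 142 bytes

    return {
        "bank_hash": bank_hash,
        "repackaged_hash": repackaged_hash,
        "otp": broker.route(otp_sms),
        "otp_code": extract_code(otp_sms),
        "personal": broker.route(personal_sms),
        "oversize": broker.route(oversize_sms),
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key:16} {value}")
```

The personal message is never routed to any app, and the build signed with a different certificate gets a different hash, so it does not receive the genuine app's one-time code.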
For all of these same reasons, I never signed up for the "member rewards" program at the local grocery store. I did read the terms and conditions once, when I needed a good laugh.
Seems like that Disney + example can’t be allowed right? Those are two completely different products (theme park/streaming service). Is the law really that f’ed up?
My major pain point is that Google requires me to use the YouTube app to authenticate when I sign. If it wasn’t for that, I wouldn’t have it on my phone at all.
I put non-messaging apps into deep sleep (no background services). My mobile provider app prevents users from making a phone wifi hotspot. Wonder what the others do.
> Sometime in the next 5 years, someone will be forced into arbitration with Uber after being hit by one of their self driving cars
I got hit by an Uber when crossing the road last year. I reported it to Uber who said publicly "oh that's terrible and not ok, DM us" and then completely ignored me.
What I want is a setting on my phone (and in my browser) that just says yeah, give them everything they want. Cookies, nearby devices, photos, bluetooth, you want it take it. But every time the app/website tries to read from there it just says oh, sorry, no photos
An annoying trend I've noticed is being asked for phone number or email at checkout (IRL). I bought a blood pressure meter a few days ago, and the salesman asked "what phone number should I put on the order?" Zero. Fuck off. I guess most people just answer out of reflex, or believe it's required to complete the purchase. It's creepy and irritating.
As a teenager I worked at a discount store, and sometimes ran the service desk, which (among many other things) involved processing returns. The returns form included a spot for "phone number", to which some customers would respond, "my number is unlisted". We honored that. Today in the USA, it seems the phone number is the new Social Security Number, which everybody wants to use for tracking. Stores used to give out physical discount cards (which I wasn't keen on either...) but now (obviously because it saves them money) so many stores have switched to a system where your account is tracked through a phone number or an app or both. No thank you.
I often use my old landline number when stores ask me for a phone number. I gave it up about 20 years ago. I feel a little sorry for the guy who has it now (only a little sorry) because whoever it was reassigned to, probably gets many spam calls on my behalf.
> is being asked for phone number or email at checkout
For amusement, I often counter that by simply smiling and asking the cashier for their phone number (maybe with a sleazy wink). Their inevitable grin does rather drive home the point that, no, neither of us are giving our number to random unknown strangers.
The more effective way to do this that is popping up everywhere is a loyalty program that uses your phone number as the identifier. Buy 10 coffees, get one free, but the purchases are only tracked if you input your phone number.
Already pisses me off that companies make a profile of me based on credit card numbers. I’ve had this number for decades. I’m sure you could build a complete profile of me based on my cell number, and this is the only “social” site I use. I got off fb in 2008, never even joined the rest (twitter, insta, reddit, et al.) just because my phone number has been raped out of anyone else who has my name and number in their phone.
I feel sorry for their database because I was a teenager with a bunch of guitar pedals and an ongoing need for 9V batteries. I made up a LOT of phone numbers.
It's good advice, but I don't think it's sufficient anymore. I'm quickly losing faith in any kind of "vote with your dollars" argument that by not using the app you can pressure the company to provide a functional website. The big players are too big now and they are close to being able to create and control their own customer base rather than having to woo them. I don't see a positive future without radically stricter laws and enforcement (as in, if a company is conditioning any service on tracking, they're fined in the double-digit percentages of gross annual revenue). These bad actors will not change unless they're bludgeoned into doing so.
Just another confirmation that the majority of the IT industry depends on spying in order to be profitable and for developers to make a good living. It’s a disgrace really.
Are there any desktop browsers out there that are actually great for making apps for websites, so we don't have to rely on React slop?
I've always found it an inelegant, unsandboxed experience to use conventional browsers, but it'd be nice to migrate to something that takes the best of webdev and removes the worst of desktop Windows.
This is dumb. Websites have many more ways to track you across websites than apps have to track you if you don’t explicitly give them unnecessary permissions.
Native apps have privileged access to far more personal data on your device. A website has, what, cookies and fingerprinting? You can already mitigate this on Firefox but even if not, it isn't in the same league
Geolocation sharing can be disabled as reflected in your source. Everything else you linked to is trivial, but notwithstanding, it all relies on JS which, as I already said, can be disabled. Oh, and many aren't even available in Firefox: https://developer.mozilla.org/en-US/docs/Web/API/Battery_Sta...
> What information do you think apps have without your permissions that websites don’t?
Your actual personal information. Access to photos, messages, metadata (name, address, contacts, notes, metadata, habits).
You realize that the same OS settings also are used to enable websites to read your GPS, camera and microphone?
If you don’t trust your operating system to follow your instructions when using an app, then why do you trust the same operating system with your browser?
Do you have any evidence to support your conspiracy theory?
I'm not sure if the browser vs. an app has access to the accelerometer, but this is another case where something on the phone provides information that a normal desktop would not:
"Researchers Talal Haj Bakry and Tommy Mysk warn that 'Facebook reads accelerometer data all the time. If you don't allow Facebook access to your location, the app can still infer your exact location only by grouping you with users matching the same vibration pattern that your phone accelerometer records.'"
“Although the accelerometer data seems to be innocuous,” Mysk says, “it's jaw-dropping what apps can make up of these measurements. Apps can figure out the user's heart rate, movements, and even precise location. Worse, all iOS apps can read the measurements of this sensor without permission. In other words, the user wouldn't know if an app is measuring their heart rate while using the app.”
65% of browser traffic comes from mobile and 95% use mobile for browsing sometimes according to a quick internet search. What should they be doing, carrying around their laptop with them?
Wait until you're home to browse the internet. I'm sure much of that browsing was just boredom. If any of it was important, it could have either been planned ahead of time, or you could have just waited until you got home. If it were so important you'd remember it when you got home to a real computer.
It's clear improvement. People keep trying to solve these technology problems by layering on yet more technology, or by switching to other technologies. That's a game of cat and mouse. The much better path is abstaining from use. The vast majority of what people do on their phones is mindless scrolling. Actual work can wait until you're in front of a laptop or a desktop. It will be much more efficient and capable than a phone. There might be some edge cases where a phone really is best, but these are not common.
Most people think their phones are useful, when really their phones are addictive.
why would adtech companies pay apple millions to keep their app as default option if it was not for getting data. Same thing but hey it requires common sense.
So you don’t see the difference in using Google as your default search engine where Google can only track you when you are searching on their website and having them control your entire OS?
> but the new trend is surveillance pricing. A company will know that you just got paid and so charge you just a bit more for your chicken nuggets than they do when you haven’t been paid in two weeks.
First of all, no, a company has no idea when you get paid. The reality of lots of apps (like McDonald's) is discount pricing. You pay full price at the store if you're a rich person who can't be bothered with apps. Downloading an app and creating an account is the modern equivalent of cutting out coupons or buy-10-get-one-free cards -- price-conscious consumers will go to the trouble and get cheaper prices. They're just loyalty programs. Price discrimination like this is nothing new, and it lets rich people subsidize the lower costs for people with less money.
These apps run in sandboxes. There's not much to surveil. Obviously don't grant them permissions to see your contacts or track your location all the time. Will the app be able to tie all your purchases to a single identity? Of course. But the stores already do that anyways if you use the same credit card for each purchase.
I don't mind downloading apps for the 5-10 stores/restaurants I go to most. Beyond that, I obviously won't because it's too much of a hassle. But the loyalty discounts I get save me real money. I have no problem with that.
It's more than coupons. These apps track your location, usage and so on then sell this data to a 3rd party. Coupons don’t do that. Do you read the full user agreement you accept when installing apps? Most people wouldn’t understand the legalese in those.
A coupon could still be an image you find online that can be scanned and that’s it. Apps are totally not necessary unless they squeeze something out of the user.
So the McDonald's app knows I'm... at McDonald's when I use it? And that I'm using the app to order?
That doesn't seem like I'm giving up much information. Considering I'm placing the order at that McDonald's anyways, and they know the addresses of their franchisees.
Like I said, the same information is already revealed when I use a credit card.
I'm not granting it permission to track my location when I'm not using the app, obviously.
Ad SDKs exploit OS bugs to get location data. These specific ones have since been patched, but historically they read ARP tables, EXIF geo tags, and colluded with other apps that legitimately had location permissions to get that info. It wouldn't surprise me if there are other live exploits quietly being used today. https://www.usenix.org/conference/usenixsecurity19/presentat...
That's a very naive look on the situation. There are plenty of websites that can explain how this is just not accurate better than I could attempt to summarize it. If web searching is not your thing, I'd assume a GPT could point you in the right direction
The argument was that apps can surreptitiously gather information from you. The apps in question didn’t get your location data without you specifically allowing it.
Websites can also ask you for your location.
In the comment you replied to I asked
> from your GPS without you giving them permission?
Individually, yes, each app cannot obtain much data. But all the apps sell their bit of data to a third party, and buy the resulting profile about you, because they can identify you.
So no, the McDonalds app doesn't know when you got paid directly. But it does know that you bought a cheeseburger in the last two weeks of every month, and it knows that your grocery expenses are higher in the first two weeks of every month, and you tend to eat at a restaurant in the first week of every month, and you take less ubers in the last week of every month; it's not hard to conclude that you get paid at the start of the month.
And that's without your banking app selling your info, which it might do. In which case it knows exactly when you get paid, and your probable current bank balance right now when you place your cheeseburger order.
To you and me, the consumer, the value of an app is "the same" as the old loyalty cards. But the value to the company is huge! How often you open the app (how often are you thinking about their food), how often you accept an offer, what the price of the offer is, what card you used to pay, where were you when you opened the app etc etc.
Going to be fun times when in 10 years time they sell all that information to your health insurance provider for them to go "Holy hell" and jack your insurance prices up 5 times over.
You don't need to use words like "slop", it's pejorative and has nothing to do with the issue at hand.
And the link you use is just different people getting different discount coupons in the app. Companies also mail different coupons to different people based on their purchase history. I can't really find myself getting worked up about different people getting different promotions.
And it's illegal for health insurance to offer customized pricing like that. And the credit card companies already know I eat at McDonald's or wherever else. Using the app isn't adding any new data.
And it's not $0.20 off. It's usually more like $5 off a $15 meal that brings it down to $10. And those numbers add up over the course of a year -- across a few apps, it adds up to hundreds of dollars of savings a year.
That's a beautiful strawman argument; let me have a tussle with it to see if it holds on its own.
First, let's not miss the forest for the trees. We're engaging in a common "hacker" watering hole. Our opsec skills are very likely not representative of what your average person has, and the point of the article is to educate the average person.
Second, most of those apps require you give your pound of data upfront, or they won't work correctly until you grant permissions.
Next, it's not the same if the establishment I'm buying chicken nuggets from ties down my credit card to my identity or if it does the same plus a ton of extra data that I've been forced to grant.
Also, one of the main concerns from the article is surveillance pricing... So yeah, you sure "saved" a bunch ($100) over the course of 1 year at a restaurant, but overall you're worse off because some data broker managed to have all airlines raise your flight prices by $500 because they learned that you're going to have to attend your best mate's wedding.
And last, but not least, the article mentioned the binding arbitration clause that one blindly signs away when accepting the app's ToS:
> Walking into a restaurant to buy a cheeseburger, there’s no way a company can force you to enter a contractual agreement that includes binding arbitration. Downloading an app, however, requires agreeing to a “Terms of Service,” and those can absolutely include a binding arbitration clause, and that clause can be applied even to cases outside the app. This happened to Jeffrey Piccolo when his wife died of food poisoning in a Disney World. Disney made a motion to dismiss because a couple years back, Jeffrey had signed up for a free trial of Disney+, which included a binding arbitration clause, which meant that if Jeffrey wanted to complain about how Disney murdered his wife, they’d have to settle it out of court with a mediator that Disney hired. No jury, no judge, no oversight. [...]
Well, consider me impressed; perhaps I should consider switching away from Android... the only thing keeping me from doing so is Apple's walled garden... the hefty price tags don't help, too.
For my part, I can tell you that Samsung's "Galaxy Buds Pro" app (IIRC) for a while there didn't allow me to customize some settings if I didn't grant calendar or contact permissions... I tested today and that didn't happen (it was probably a bug... though I remember it being present for a LOT of time; enough that I stopped trying to open the app). My workaround consisted in using the widget to toggle noise-cancellation modes.
I should note that, instead of "customize settings" should read as "interact with the app" (as in permission prompt pop-up preventing interaction with main app).
It's not a strawman, please don't be insulting. But OK, let's tussle:
> most of those apps require you give your pound of data upfront, or they won't work correctly until you grant permissions.
That's false. I've never seen an app that required any permissions data upfront, except sometimes my location data while using the app if I wanted to be able to find the nearest restaurant.
> plus a ton of extra data that I've been forced to grant.
Again, there's no extra data. E.g. when I install the McDonald's app, it's not asking for my contacts or my photos or anything like that. This is not common practice among any major brands I've ever seen.
> but overall you're worse off because some data broker managed to have all airlines raise your flight prices by $500
That's not a thing. And it's really easy to check prices anonymously.
As for arbitration, sure check the ToS. The Disney case is the famous one and it's the only one I've heard of, but that was for a paid streaming service, not even an app. Arbitration is a separate problem to do with ToS's... and most of these apps don't even have ToS's you have to scroll through and accept, because that causes friction. So it seems like a different conversation.
It has nothing to do with app permissions, thank you for noting that, I'll update the article later. It works like this: as soon as they get your credit card information, they have enough information to go to a data broker and buy every bit of data on you that exists. Now they know who you are, and so now they know when you get paid, your net worth, your buying habits. Likely they're selling data back to brokers, so as the other person mentioned, even if you're paying less for burgers, maybe now you're paying more for airplane tickets or something.
Second, these apps may not have a tickbox TOS but they seem to have one of those implicit TOSs that I'm still not sure how they are legal, e.g. "by using this service you agree..."
First line:
> Important: Please carefully read and understand these terms and conditions (“terms”). They contain an arbitration agreement, jury and class action waivers, limitations on McDonald’s liability and other provisions that affect your legal rights.
It's a binding arbitration agreement that covers disputes outside of the app:
> any claim or dispute (whether in contract, tort, or otherwise) that McDonald’s or any Member of the McDonald’s System may have with you, or that you may have with McDonald’s or any Member of the McDonald’s System, arising from or related to the online services or these terms will be resolved exclusively by final and binding arbitration administered by the American Arbitration Association (“AAA”) and conducted before a single arbitrator using the AAA’s Consumer Arbitration Rules and, if applicable, its Mass Arbitration Supplementary Rules (“rules and procedures”);
> It works like this: as soon as they get your credit card information, they have enough information to go to a data broker and buy every bit of data on you that exists. Now they know who you are, and so now they know when you get paid, your net worth, your buying habits.
This is blatantly false. There are laws against credit card companies and banks selling individually identifiable transaction histories or balances. Financial datasets do get sold but they use anonymization and aggregation to say things like "people in ZIP codes 100xx who shop at Merchant A also spend X% of their fast-food budget at Merchant B."
> Second, these apps may not have a tickbox TOS but they seem to have one of those implicit TOSs that I'm still not sure how they are legal, e.g. "by using this service you agree..."
Right, but this really doesn't have anything to do with apps. These same kind of implicit TOS's exist anytime you shop anywhere on a website. Like you say, their enforceability is questionable -- just because they exist doesn't mean they hold up in court. And if you rent a car in person vs via an app, you still sign the same agreement at the rental counter. I agree that forced arbitration is a problem, but apps are pretty orthogonal to it. If you want to fight forced arbitration, then call your representative and work to raise awareness. Crusading against apps doesn't accomplish anything.
> then call your representative and work to raise awareness
Strongly curious why you believe individual action to protect privacy is less effective than calling a politician. Do you have personal experience with effectiveness in individual lobbying of the government? Or some example I can go learn about? I'm deeply cynical about influencing politics without capital or a cult of personality.
I said call your representative about arbitration, not privacy. Because arbitration is everywhere -- not installing an app isn't going to make much difference.
Reps' offices absolutely tally the subjects their constituents call about, and it affects what bills they vote for and propose. Obviously it has to be lots of people calling, but those are made of individuals. There are tons of examples of successful organizing leading to change. But yes it definitely takes organizational effort.
Sorry if I came off as insulting; I admit I thought your original arguments were too bad-faith to not have been made by a bot or a foreign state actor.
So... We clearly have experienced different things (or rather, the author and I have experienced similar things, and you haven't), and therefore we have very different views on the matter...
You don't have to believe me; I just wouldn't be so dismissive about people sounding off alerts and alarms about increasingly abusive and invasive practices, as I've seen different levels of inaccessibility becoming normalized (e.g. you can't access some Spanish governmental services unless you have an Android or Apple phone).
Also, it's surprising to me that — if you're posting in this place — you wouldn't at least be aware of the possibility that ... companies are liars and can abuse or circumvent permissions [0] (e.g. everyone is spying on your clipboard).
So, are you really sure that regular popular apps are on the up and up and only taking what is needed to offer a service, or could they be doing something else and not have your best interest at hand?
> Sorry if I came off as insulting; I admit I thought your original arguments were too bad-faith to not have been made by a bot or a foreign state actor.
I don't need to listen to you doubling down on insults. Your tone is completely inappropriate for HN.
To answer your final question: yes, I really am that sure. iOS now prevents apps from spying even on your clipboard without permission. I have a decent technical understanding of iOS's sandbox. It appears you do not.
But again. Please take your snark elsewhere. It's simply not appropriate for HN: