My Android phone prevents me from recording phone calls at the request of my carrier, even though it's totally legal for me to do so in my jurisdiction.
I'm not loving where this is all going.
FWIW the default phone app on GrapheneOS supports recording phone calls.
Edit: apparently the /s is obligatory on this one
The most frustrating part about this "feature" is that you don't know it's enabled until the screenshot is taken and you're left with a picture of nothing.
That and some app authors thinking they're protecting you with this (referring to banking apps in particular)
Why not two people share a device, and when passed from one person to another, delete applications and install all apps and profiles from scratch using verified checksums saved on a blockchain. An OS which could do that is something like Nix. When passed to the previous person same thing, delete and install everything from scratch.
Using smartphones in a smart way, not a dumb way, like timesharing mainframes of the past. Same procedure could be applied to cars and other devices.
Installing apps is the trivial part; isolating, or removing / reinstalling user data is much harder. Especially a few gigabytes of it. An SD card could work maybe.
This all goes against the grain of the smarthpone UX, the idea of a highly personal device that you can use for anything, and might need (or benefit from) at an arbitrary moment.
If the point is reducing e-waste, the solution would rather be opening up the hardware enough to provide long-term software support, LineageOS-style.
Luckily there are alternatives in the form of code displays and NFC chips. However, next year I won't be able to watch porn unless I verify my age using a smartphone, no alternatives are planned. Or rather, I have the "free choice" to choose between a privacy preserving ZKP solution operating in the kingdom of Google or uploading my face to a porn site.
Dark times.
The problem is that certain actions should only be acceptable if initiated by the user, physically. Think of the way Ctrl+Alt+Del works in Windows. This, of course, is not possible if you don't have enough fingers for the action, or something; here comes the loophole of assistive technologies, widely (ab)used for that on most platforms.
If I respected the rules, I would starve to death!
- Bank told me to go to Google.
- Google support told me to go to the Bank.
- (... few emails later...)
- Google support told me to make screenshots of the banking app and google pay.
So have a second phone ready, or stop complaining :) A few years later and 3 phones later... it works again!
In general no one wants to share anything with anyone, but when two people cannot afford a device individually, but it is within reach when they buy it together, time-sharing becomes a totally acceptable solution.
> Installing apps is the trivial part; isolating, or removing / reinstalling user data is much harder. An SD card could work maybe.
Checksums might overlap by quite a bit. No need to remove programs installed by both users. If the total installation of each user is 10 GB, but the installation diverges 300MB only, not a big deal in most cases.
(We're not in Denmark, but I wonder how it is going in our jurisdiction ...)
Also, this isn't just about porn. For example, I can barely use Reddit now if I connect with a UK IP address: the merest hint that there might be some NSFW angle to a post is enough to trigger their algorithm into requiring age verification.
User hostile UI in the name of security is particularly bad: we are supposed to type unique and complicated passwords in text fields without being able to see what we type, and if we get it wrong, we are put in timeout for two seconds. Citrix Netscaler nowadays apparently wants to be extra secure and shows you the most generic error message if you have a typo in either your password or user name and just tells you to "try again later", so you do until you lock yourself out. It's madness.
Who are the product designers of the present with these single-minded attitude not checking how the implementation affects the life of paying customers< Children?! Most take pride - on paper! - about what one can do 'so easily' with their product, just to raise barricades getting there, using it, or those pop up suddenly while using it, bumping into it like into a bollard ona highway. Or just chain them to it against will! I am not aiming at Android only here as this is a generic attitude I found from organization being so self obsessed about what THEY want that no-one else benefits, no-one else have real benefits - only mixed ones with sizeable drawbacks -, defying the purpose of having modern technology. When the life becomes differently complicated, then that is no progress at all, just messing around. I am thinking three, four, or more times nowadays buying any technology, which is sad, as I was so enthusiastic only one but especially two decades ago, discovering advances and gadgets. Not anymore. I spend my money - and TIME! - on things bringing benefit or joy instead, or on those I am FORCED into. Yes, this obsession of providing non-technology services (banking, bureaucracy, identification, ...) apps first (sometimes only, at least to various, sometimes important details of the use/access) which is a hugely demanding matter on users (choose, purchase, pay, setup, learn, re-learn, update, maintain, subscribe, know and accept terms, charge, protect, both physically and data wise, click away suggestions and self promotions while busy with something important) that it is a very bitter pill to swallow.
I hate that banks use this proprietary "standard" for NFC payments
It is already here.
In short, a state is about turf, and a nation is a people, and you need them both to look similar on a map to make a nation-state.
I'm curious about the second part, though. How do carriers influence the call recording feature on your phone? Is it because you run a carrier ROM or is there some kind of integration with the mobile network/SIM card that I'm not aware of?
This is mostly a language confusion for non-native English speakers. Nation, country, state, a people, nationality, ethnicity, citizenship etc. are used in confusing ways for speakers of other languages.
For many, "nation state" just means an independent state (roughly speaking, a UN member, note also that the UN is called United Nations), because just saying "state" could mean a subdivision, such as a US state. And "country" can be confused with the subdivision of the UK (they call, e.g. Scotland a "country").
In more precise contexts of political history, "nation state" mostly refers to modern (post-World War I) countries that more or less correspond to a people speaking the same language and having the same ethnic identity. It delineates nation states from the previously more common multi-ethnic empires and kingdoms, such as Austria-Hungary or the Holy Roman Empire etc.
Similarly, in English, nationality is often an exact synonym for citizenship, while speakers of other languages expect it to mean ethnicity, e.g. an ethnic Hungarian in Romania with Romanian citizenship would be considered a "Romanian national" in English-language news. This often makes people confused/angry. Also, in some contexts in English, "ethnicity" is more like a euphemism for something like "race", but not quite (e.g. in the US "Latino" is considered an "ethnicity" but not a race). In that sense "Hungarian" would not count as an "ethnicity" at all, but still phrases like "ethnic Slovak" refer to a minority group in a different country than Slovakia. But also "ethnic" can also just mean with "exotic foreign origin", e.g. "ethnic food" or "an ethnic woman" (this was really weird when I first read it). But I digress.
If a malware were able to snatch the key material that represents the credit card outright or it could (by running as root) act to the TEE like it were Google Pay's NFC controller app, it would enable the actor controlling the malware to spoof the credit card on their own phone... and since tap-to-pay is considered authenticated, chances are next to zero you can dispute the payment.
Of course you can. The AS numbers of major hosting providers are well known and it is already common practice to ban associated IP addresses for stuff that should only be done by legitimate users.
I've never heard Belgium as a stand-in-for-Brussels-as-a-stand-in for EU.
> ... because just saying "state" could mean a subdivision, such as a US state ...
It's one thing to argue in court that they should be liable because they didn't provide you with the necessary security tools (like MFA), but they all provide at least SMS 2FA these days and their apps run on iOS and Android, both of which have plenty of security features.
I'm pretty sure that data is stored in the secure enclave, which is impossible to access by design, root, no root, bootloader unlocked, google approved or not.
It's possible that this one random rom that you mentioned passes it today, but it might not pass tomorrow.
[citation needed]
The theory here is that it provides a marginal security improvement if there is malware on the phone, but if there is malware on the phone then there are a hundred other things it can do to the same effect and you're likely screwed anyway. And by doing this, you also block the user from taking screenshots, which is bad, because screenshots are harder for computers to parse, and that's a marginal security advantage. If the user is going to send e.g. their account number to someone else (for a legitimate reason), it's better that they do it as a screenshot than that you force them to type it as text, because text is machine searchable. Which is worse when that messaging system gets compromised and then the attacker can do a text search for a pattern matching a bank routing number and be more likely to discover that message than if it was only there in a JPG.
Meanwhile the primary consequence of preventing screenshots is to inconvenience customers, which is an actual cost to the bank, because there is only a threshold amount of BS customers will put up with before switching banks and banks are constantly pushing up against that line already with all of their other BS.
But then the lower-quality banks do it anyway because there is a box they can check which sounds like it's locking something down, so they check it without thinking. Which is a great canary for customers who want to know if their bank is dumb -- if they require this then they probably do all kinds of other dumb stuff and it's a strong indication you should switch banks before you get screwed by them doing some other foolish nonsense.
The Penny supermarkt app on android disables both screenshots and text selection with the error that it is disabled by admin.
I assume that in the pornography you've decided to consume, the participants are not clad in balaclavas.
They're showing their faces to everyone, in perpetuity, which many may no longer want to, and - considering the exploitative nature of the pornography industry, where rape is endemic - some didn't consent to in the first place.
So maybe consider that when you're complaining that your own face may be linked with pornography. Is what you're doing ethical? Do you reasonably have any right to complain?
Fighting against that is insane paperwork and professional exposure for software engineers that do it (since if people get phished, the C-suite will point a finger at a tech lead which went against the "professional security audit").
Most of other posts here are just post-rationalization and victim blaming.
That's probably the issue the other post aludes to. The identity wallet will only be available via Google Play or the Apple App Store (as far as we know). So without a phone and a Google or Apple account, you're won't be able to provide your age information to e.g. PornHub.
Some people tend to demonize porn, and it might be unethical in their eyes, but fact is: it is not illegal (in most countries). I don't argue that there are issues in the porn industry, but this is an issue with the platforms, that they don't allow the upload of non-consentual material, or and have processes to take it down. This is a 'THEIR' problem (the platform not the victims).
There some of these issues also exist in the standard movie and music industry as well. Hell, it even goes up to company executives and politics. But this is up to law enforcement do their job and to remove the illegal stuff and prosecute the involved persons, not by branding everyone as a suspect.
The actual SE filesystem available to a logged in user is pretty complicated. But the short story is that user-data is completely isolated. Presumably application binaries (which require digital signatures by default) are shared; although the "installed" state is not. Successive releases of Android have restricted access to any legacy "shared" data on the device (media folders particularly; pictures and video taken by the camera device have been strongly protected since Forever).
Verified checksums on a blockchain are only useful if they are verified by some provider who associates a blockchain ID with a real-world identity. Not sure what "blockchain" really adds. If anyone can create a blockchain ID, then "verification" doesn't really provide useful information.
Second, porn is just the beginning. This will also be rolled out to social media, and I wouldn't be surprised if in a few years this will be required in lots of places where children could be exposed to something that politicians find offensive.
Tbf it is 2025, not 2010, it isnt that hard
User data and user programs. Clean installation kind of user programs.
> Verified checksums on a blockchain are only useful if they are verified by some provider who associates a blockchain ID with a real-world identity.
Nix associates a unique id to each program version or package or config file. The verification happens on the Nix package manager.
The user uploads his exact config of OS somewhere, in his own home server, at a goverment server, at AWS, on a blockchain, somewhere. A blockchain seems like the best solution to me.
Most banking apps in Germany use this API and thus work on GrapheneOS and other non-Google controlled ROMs with a locked bootloader.
PlayIntegrity is unnecessary and mostly offers vendor lock in to Google's ecosystem.
It's worse. An app author can even be notified if a screenshot was taken.
The capital itself isn't going to do anything sitting in the bank. It's used to procure a team of PhDs, an team of SWEs, DevOps, business people, HR, marketing, access to a GPU supercomputer (renting a couple of 5090s off Vast.ai ain't gonna cut it). For, say, $50 million, you could get the blueprints to an Android phone and port your choice of Linux userland and get drivers working, and then do a run of 20,000, sell them for $1100. Compared to training GPT5, $50 million is cheap. If we use an estimate of $1 billion for the whole thing, making a Linux phone running a hypervisor with an Android VM to run banking apps seems not-impossible. (Based on AVF.)
I don't want my phone to generate fake photos; I do want it to always let me manually take screenshots, but require turning on a permission that's a little awkward to find to allow an app to do so.
These seems a bit like a scam. Why can't they ask the recevier?
Beyond preventing screenshots, it blacks out the window content in the task switcher, which is useful if someone is looking over your shoulder. This, by the way, is a good way to check if screenshots are allowed. If the window appears black in the task switcher, screenshots won't work.
The idea is similar to the "**" password fields.
I would very much like to record phone calls made by me.
When the company on the other end denies what we agreed a recording would be useful.
It is fine for historical documents, but doing today means you really want to piss people off. And by the way, PDF files support signatures, both handwritten and digital. There are ways other than printing a 100+ page document and scanning it just so that your signature shows up on a single one of these pages.
That's doesn't sound right. On mine, a message is displayed saying that the app does not allow screenshots, and no image is written to the device.
Password fields are inputs. Screens are bi-directional.
It's ridiculous the EU allows this.
Note that this doesn't mean that a state with multiple ethnicities/languages can't be a nation state. Indians, for example, generally have a clear national identity, despite being citizens of a huge federal republic with dozens if not hundreds of languages spoken, some of which don't even share a common language family. So, India is a nation state, unlike Belgium.
That means Netflix et al can (and do) ban everything that even remotely smells like a datacenter IP range and not a residential one, because that is a common method of evading regional bans or undermine pricing structure.
And on top of that... if the focus of your website is humans, you might want to cut off all datacenter originating traffic as well. Save yourself the hassle of dealing with AI scrapers.
They no longer believe in owner control. Either that or they consider themselves the device owner, which is even worse IMHO
includes the ability from a user to take screenshots programmatically in case of need. You do not want third parties to be able to; you want the User (yourself) to be able to.
But if I install via the playstore like most people then no, I don't think it's the user's fault. Testing every single app seems like a big ask but we're also talking about a 3 trillion dollar company. I mean FFS a 1 trillion dollar company didn't even exist 10 years ago and 10 years before that a 500b company barely did. So I think they can stand to lose some profits and do harder work. Really, if we don't hold these companies to high standards then that bar just continues lower and it's a race to the bottom. They'll be as lazy as we let them be
People will go to great lengths to bypass annoyances. Excessive false alarms is even called "alarm fatigue"
You will not have them change their policies if they do not have a good person inside, who will slowly move the boat.
I fought for audit findings because they were pissing me off at a personal level and it wirked. But the auditor did not change their procedure, just reverted the finding. Until the next year.
I told them that their app prevents this. To their surprise.
I told them that I would use the web site and they were happy that there is a workaround for their own limitation.
I had other wild stories with this otherwise good bank.
I don't know if it is geolocked somehow, I wouldn't be surprised if it was. for example, Japanese iphones always make a shutter sound in japan or in airplane mode
There is a waveform thing in the corner you can press during a call. It will say "this call is being recorded" and waits 5 seconds, then records the call.
strangely... the recording doesn't end up in voice memos, it ends up in notes.
The people at the top are idiots because the idiots were able to secure advisory positions. They were able to secure positions because those promoting them were either tricked or idiots themselves. This pattern repeated all the way down.
So I really do mean grease the wheels. And I really mean we won't kill the beast overnight. But we won't make any progress towards fixing things if we won't look at how the problems are created in the first place. We'll only perpetuate the problems if we oversimplify things, as that's exactly what got us into this mess in the first place.
my GrapheneOS phone has the record button. :) though I have to obtain all-party consent to do so legally in my jurisdiction (but that's my responsibility.)
Very impressive.
For example, there's generally no reason a customer would use their internet banking app with traffic routed via a datacentre other than for the reason you proposed (masking their IP address), so if the bank wants to prevent people doing that then blocking all data centre traffic is an effective way of doing it.
With a LLM, you can spend the money to develop the model, then spend some money marketing it, and if you get enough paying customers to cover your costs and a bit more then you're done. Done in the sense that you're now competing on the same level (roughly) as other LLM providers. Even if it's at a smaller scale, you can offer a similar product with similar features.
With a phone OS, that isn't enough. You need to become big enough that significant numbers of app developers are willing to publish apps on your store, including most major ones (Netflix, Spotify, WhatsApp, social media, banks, government agencies, etc.). Running a VM isn't a full solution: banking apps are already actively blocking usage just based on phone settings that they don't like; unlses your OS does a very convincing job of masquerading as a genuine Android/Apple device you're likely to run into problems (and if you do the latter you might hit legal problems). You also need to convince major manufacturers that it's worth bundling your OS with their phone.
Without those, for a significant segment of the population your phone OS will always be seen as an inferior product to Android / iOS.
I'm assuming (hoping) it's Android letting me know and not the app passive aggressively side eyeing me.
respecting rules is more important that saving your life. /s
As far as being an "also ran", I mean, that's going to be true for any LLM as well. Your second rate LLM is also always going to be seen as inferior just because it isn't ChatGPT, regardless of any other actual merits. Human psychology is fascinating because they aren't rational. Every time I get fooled into buying some stupid piece of crap because there was an advertisement that tickled my brain in the exact right way, I see just how irrational everybody is, given just the right set of words. Why do I bring this up? We could waste countless hours arguing over the infeasibility of a phone OS vs the infeasibility of an LLM, it's all in our heads, but doing so wouldn't get us closer to the goal, which is dominated by the singular question: can you virtualize enough, and pass through enough of android, to get banking apps to run in a VM on some real hardware, so that dom0 can be debian?
However Walloon people definitely feel Belgian and have a Belgian pride.
Also, i don't know if a nation state is defined by having a national identity?
MitID is different from the proposed app-based solution for age verification which is designed to not leave a trail. The age verification app will initially be enrolled using MitID (or perhaps by a physical visit to a citizen service point where you can show physical credentials and answer security questions), but subsequent presentations of age verification proofs to service providers will be done without involving a central party.
All in all it is a good design from a privacy perspective. The major issue with it is that ONLY a smartphone based solution is planned, and that there is a high likelihood that it will depend on Play Integrity attestation. This will force everyone to be customers of Google or Apple if they want access to the full internet. I think it is technically possible to also offer alternative solutions based on secure hardware tokens which would still enable people without smartphones to verify their age in a privacy preserving way, but this is not planned.
Then again, this is also what makes me almost throw my Android phone against the wall when I try to do the same on that phone.
Bilions of emails? No, it cannot, not even store it, let alone process it fast enough to make usable
Maybe, but this is what I managed to gather through a 30-year career in tech, in three huge companies, from IT management to SVP.
https://developer.android.com/privacy-and-security/security-...
This works by signing an attestation using a hardware-backed key (which is in turn signed by Google). So, there is no way to emulate this in software, because your ROM simply does not have the private key to do so. Part of the attestation is information on whether the booted operating system was signed:
https://source.android.com/docs/security/features/keystore/a...
Again, since this is all hardware-signed, you could only fake this information if you were somehow able to extract the private key from the secure element. The primary weakness is that you could try to patch out the part of the application that asks for this attestation. But they found a solution to that, remote attestation. Instead of the app asking for the attestation, e.g. Google's servers or your bankcan ask for the attestation and for the reasons outlined above, your custom firmware is not able to fake this. If your bank, etc. implemented remote attestation, you can simply do not do banking on your phone anymore.