by ignoramous 2624 days ago
Are you on Android? Use Firefox with NoScript or uMatrix (also as your default webview) and set up AdGuard DNS [0] or a pi-hole. You could consider using a VPN like Orbot (free Tor-as-a-proxy) [1], PerfectPrivacyVPN (supports multiple exit IPs, multiple hops, and a server-side firewall) or set one up using Algo/Streisand [2].

If you do not want to root your device:

1. Install NetGuard or No Root Firewall to view what's going on from a network perspective.

2. Install ExodusPrivacy to generate a report on apps wrt the SDKs they use.

---

If you are okay to root the device:

1. Install XposedMod, and then XPrivacyLua module, and work through the options.

---

If you're okay with flashing a ROM:

1. Consider LineageOS + microG

2. If you are using Pixel, consider ChromeheadOS (edit: CopperheadOS) [3].

---

If you're okay with a new device:

1. Consider purchasing puri.sm Librem 5.

---

[0] https://news.ycombinator.com/item?id=18788410

[1] https://guardianproject.info/apps/orbot/

[2] https://github.com/trailofbits/algo

[3] https://copperhead.co/android/

For anyone considering the above, this is a failing battle. The only way to stop this sort of tracking is if we have a cultural shift, start putting laws in place, and actually enforce them.

For example, did you know that many shopping malls track you with license plate readers? Did you know that your credit card transactions are up for sale? Or that your cell phone provider will give up your location to a third party with a flimsy consent?

You are absolutely right that we need laws and regulations to govern all the tracking that's going on, much like how call-tapping is illegal.

Bruce Schneier has written a book on the topic, and you can view him speak on it here: https://youtube.com/watch?v=GkJCI3_jbtg Highly recommend it.

I'm no expert, but I do not agree with the 'failing battle' part... still quite a way to go in that regard, I think, specifically because the math behind crypto hasn't failed us yet (occasionally, the implementation has) and because the government agencies themselves need tech that helps them stay underground (Tor, for instance, continues to get funding from the US Government).

Is it getting difficult? Yes, absolutely. People still hold the 'nothing to hide' stance and most are okay giving up privacy, especially if it means their life becomes a little more secure and things get more convenient (most would support AI-powered street surveillance that helps keep tabs on criminals, for instance).

It's a failing battle to try and outsmart the people who are _professionally_ prying into your private information. You might make it harder for them, even harder to the point where you partially fall out of their datasets, but you will never truly escape. These days it isn't even enough to stop using privacy-compromising technology. As I said above, the only real solution is a social one. If you try a technological solution you will always lose because you are significantly outfunded.

Also: vote with your wallet. If you see a technology that aligns with your ethical goals, pay for it. To that end I will probably buy a Librem 5, even though I don't expect it will actually do much for my privacy.

In the end, unfortunately, none of the ad/tracker blocking solutions are solid; all an app developer has to do is use an IP address to fetch ads (avoiding DNS resolution, so DNS-based blocking won't work).

Or, fetching the ads from the same hostname as also used by the app itself to provide whichever service the app provides, which means that hostname can't be blocked even by a firewall because the app itself will stop working.

So I agree, the only proper solution is laws to stop the privacy abuse.

The laws won't work.

The internet isn't a "US" thing. It's not a "EU" thing. It's not even a "China" thing (GFoC aside).

The internet's a worldwide thing. And that means, sure your puny law may say you can't do X (ad tracking). Ok. I'll just make a shell company in shithole country, pay some protection money, and run tracking or whatever. And that data I generate will be sold to anyone who wants to buy. I'll make it so everybody has to buy to compete - even if against the law.

And it too is a failing battle in the US. Experian, Equifax, and Transunion... If what happened regarding Equifax didn't bring the corporate death penalty either by fines or dissolution of their corporate charter, nothing will.

The advertising infrastructure is largely funded by the big advertisers, and legal issues certainly matter to them.

When (for example) Toyota is paying a bunch of money to target customers in France, they're playing with the same rules as Ford is when targeting the same customers. They don't have to do things against the law to compete in advertising, and they'll even be eager to identify competitors breaking advertising law to screw them over; there has been lots of legal action taken as a result of such industry self-policing to ensure that competitors aren't able to benefit from misleading advertising.

Sure, there are lots of businesses who would buy "under the table" data and apply it illegally, and it is a huge advertising market - but it's absolutely dwarfed by the much, much, much larger advertising market funded by the major international public companies. The advertising money flowing from a single company such as Procter&Gamble or Nestle is larger than all the total advertising turnover from whole smallish industries. If you cut off the tracking-adtech companies from the legal market, it's like restricting oxygen for them - they'll still have some customers, but they'll get an order of magnitude less money to do their things.

Actually, in that case the centrality or monopoly of the Apple store and the Google Play store makes regulation easier. Censure Apple or Google for the apps sold in their marketplaces that violate the law and they will be taken down.

I'm not seeing that case for:

1. spying apps

2. the Saudi Arabian woman-tracking/permission app

3. the Chinese social credit app

In the end, it makes them a pile of money, allows them to function in that country and access that market, and nobody with power cares.

One could do a reverse DNS lookup and firewall the IPs too (admittedly, the IPs would have to be refreshed, and there might be issues with multi-record DNS entries). See discussion: https://news.ycombinator.com/item?id=19258717

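The two caveats in that comment (multi-record answers and the need to refresh) are exactly where a resolve-then-firewall approach goes wrong, so here is an added example, not from the thread, that reconciles two resolver snapshots into firewall set updates. The hostnames, addresses and nft set names are constructed; real lookups are replaced by hard-coded dicts so it runs offline.

```python
"""Reconcile a hostname-derived IP blocklist across DNS refreshes.

Added example for this thread. The two snapshots below stand in for the
A/AAAA answers a resolver returned on two successive refreshes; they are
constructed (RFC 5737 / RFC 3849 documentation ranges), not real servers.
"""
import ipaddress
from typing import Dict, List, Set, Tuple

# Multi-record answers are the norm for CDN-hosted ad/metrics hosts, so each
# hostname maps to a *set* of addresses rather than a single one.
SNAPSHOT_T0: Dict[str, Set[str]] = {
    "ads.example-tracker.test": {"203.0.113.10", "203.0.113.11"},
    "metrics.example-sdk.test": {"198.51.100.7"},
}
SNAPSHOT_T1: Dict[str, Set[str]] = {
    "ads.example-tracker.test": {"203.0.113.11", "203.0.113.12"},  # one IP rotated
    "metrics.example-sdk.test": {"198.51.100.7", "2001:DB8::7"},   # AAAA record appeared
}


def flatten(snapshot: Dict[str, Set[str]]) -> Set[str]:
    """Collapse hostname -> {address} into one set of canonical address strings.

    ip_address() rejects garbage and normalises IPv6 spelling, so "2001:DB8::7"
    and "2001:db8::7" cannot end up as two different set elements.
    """
    return {str(ipaddress.ip_address(a)) for addrs in snapshot.values() for a in addrs}


def diff(old: Dict[str, Set[str]], new: Dict[str, Set[str]]) -> Tuple[Set[str], Set[str]]:
    """Return (to_add, to_remove) when moving from snapshot `old` to `new`.

    The diff is taken over the flattened sets, so an address is only removed
    once *no* blocklisted hostname still resolves to it.
    """
    old_ips, new_ips = flatten(old), flatten(new)
    return new_ips - old_ips, old_ips - new_ips


def nft_commands(to_add: Set[str], to_remove: Set[str],
                 table: str = "inet filter", set4: str = "adblock4", set6: str = "adblock6") -> List[str]:
    """Render nft commands editing two named sets (assumed to already exist, typed
    ipv4_addr / ipv6_addr and referenced by a drop rule) instead of rewriting rules."""
    def pick(ip: str) -> str:
        return set4 if ipaddress.ip_address(ip).version == 4 else set6

    def order(ip: str):  # stable output: IPv4 before IPv6, then numeric
        obj = ipaddress.ip_address(ip)
        return (obj.version, int(obj))

    cmds = [f"nft delete element {table} {pick(ip)} {{ {ip} }}" for ip in sorted(to_remove, key=order)]
    cmds += [f"nft add element {table} {pick(ip)} {{ {ip} }}" for ip in sorted(to_add, key=order)]
    return cmds


if __name__ == "__main__":
    add, rem = diff(SNAPSHOT_T0, SNAPSHOT_T1)
    print("\n".join(nft_commands(add, rem)))
```

Note that this still does nothing for the case raised earlier in the thread where ads are served from the same hostname as the app's own backend; that address set is the app's, not the tracker's.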
>did you know that many shopping malls track you with license plate readers?

As well as cell-phone tracking to analyse footfall around the shopping mall (i.e., high-traffic areas, low-traffic areas).

If you're worried about flashing your device, go spend $100 on a device off the LineageOS list of supported devices, and experiment with that instead. The odds are it'll go fine and you'll be happily using it three months from now.
For those curious, you can find that list here: https://wiki.lineageos.org/devices
I think in 2019 it's practically impossible to completely brick a mobile by flashing wrong stuff on it.
True, not because it's 2019 but due to Project Treble's Generic System Images, which cleanly separate OEM (Samsung, Sony, Lenovo) and silicon-vendor (Broadcom, Qualcomm, Mediatek) related blobs from the Android subsystem, such that the Android bits can be changed or updated independent of vendor support.

https://android-developers.googleblog.com/2018/11/an-update-...

Even a cursory glance at some of the sections on XDA or a search for '2019' and 'brick a mobile' will reveal that they are not mutually exclusive events.
I meant to completely brick a mobile. As a newbie, it's possible to get into a boot loop, a black screen, etc., which are easy-to-recover events but might seem like the end of the world.

I even remember having to short two pins on the motherboard of my mobile to recover from a particularly bad brick. And it worked fine.

But a complete brick, as in you have to throw away your mobile? Impossible, I'd say.

That’s kind of splitting hairs, isn’t it?
Sure, but that won't help convince someone who's justifiably worried about putting their primary device out of commission.
Do you have a link to ChromeheadOS? I somehow can't find it via startpage or google.
My bad. Sorry, it's CopperheadOS

https://copperhead.co/android/

I would be a bit reluctant to run CopperheadOS now. Sadly the main developer left after somewhat hostile actions from the CEO, and there have been lots of changes in the organization.

IMHO the best option for a secure phone is pure Android without Google blobs. That is, AOSP on a Pixel phone. Plus an F-Droid userland.

If a Pixel is too expensive, you can always try to get an AOSP device-independent image on a new phone that supports Treble. For example, the super cheap Nokia 1 seems to work well [1].

[1] https://github.com/phhusson/treble_experimentations/wiki

I think the main developer took a break for a bit and he's back with a new project (in beta) called GrapheneOS.

I don't have a supported device so I can't comment.

https://old.reddit.com/r/GrapheneOS/

https://seamlessupdate.app/ (website)

Agreed. For anyone interested in doing their own monthly signed AOSP builds for Pixel phones with OTA updates, take a look at a project that I built that fully automates the process in AWS: https://github.com/dan-v/rattlesnakeos-stack.
AOSP is clean, but doesn't have the anti-tracking measures available in CopperheadOS: fake IMEI or MAC addresses (this has been mainlined in Android Q, though), for instance.
Ahh, thanks! I should've known that.
> If you do not want to root your device:

I want to but I can't even if I "own" it.

> 1. Consider LineageOS + microG

Probably should avoid microG if you care about privacy...