The level of comfort, or rather lack thereof, you're fine with dictates how you'll use your devices. Privacy is mandatory to me, so every app that refuses to work with my setup gets the boot. Banking is done in the browser with a separate PIN device. The moment the device gets discontinued I'll go back to paper or phone like an old person. FOSS apps are FOSS and will break because they don't have millions of ad money to fund development. I know that and learned to accept that fixing setups is part of my digital life. That's just one end of the spectrum though. Everyone needs to find their balance with privacy to avoid getting fed up by it.
Privacy
A place to discuss privacy and freedom in the digital world.
I posted this before when another user posted a similar problem. Obviously yours is particular with google so some parts may not apply, but the gist is that you need to figure out your threat model.
You need to step back and review your threat model, then figure out the balance point between privacy and convenience/QoL. There is no such thing as complete privacy unless you go completely offline and live like a hermit. So something has to give, and your threat model will help you identify that. Figure out first what exactly you're protecting, and from whom. Then you can assess which ones you will deem non-negotiable when it comes to privacy, some where you can relax a bit in exchange for convenience (and this has levels as well), and lastly the ones where you have no choice because blocking something will make it cease to function. Having this threat model will also help you figure out what extent you would want to expose yourself depending on the service. Don't put everything into the same tier because that will be impossible. Good luck.
Thanks friend!
I remember this comment. Best advice I've seen on this sub.
I'm using GrapheneOS, and a surprising amount of apps (including my bank app) work without Google Services. And if there's something I need for work that doesn't work without them, I have another profile with sandboxed Google Play (which isn't enabled on my main profile), and use the app there, where it's separated from all of my data. No need to root my phone, and so far it has worked great.
As for sharing your Nextcloud stuff, what I did was for services that need to be public, I just got a cheap (like, few dollars per year) domain and use Cloudflare Tunnel (Cloudflared). It handles all port forwarding for you, and you don't have to make anything public on your router - just install cloudflared on the server and have it forward the port you want to your domain. You can also set up geoblocking and ACL pretty easily, so it's perfect for that.
I've however recently moved to using ZeroTier, because it has a nice mobile VPN app, so I just run zerotier (it's literally two commands to install and join a network) on my server, and if I need to access something there I just launch it on my phone and connect through ZeroTier. This, however, won't help if you want to share stuff from your server with others, since they'd have to install a ZeroTier client and also join your network. For Jellyfin, Nextcloud and Sunshine, though, it's amazing.
And if that still feels like too much hassle for you, I'd recommend looking into Proton Drive. I'd consider that one of the best hassle-free alternatives to GDrive, which launched recently.
Gonna look at the Cloudflare thing. Thanks
If you're not completely giving up on privacy I would avoid cloudflare. I just run an always-on wireguard tunnel that routes back to my home network from my wife's and my phones, and that kills like 3 birds with one stone (phone traffic is encrypted and hidden from my carrier, home server is accessible, and ads are blocked via DNS).
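An added illustration of the always-on phone-to-home tunnel described above (an example WireGuard client config, not the commenter's own setup); the 10.8.0.0/24 addressing, the key placeholders, the endpoint name and the home resolver at 10.8.0.1 are assumptions:

```ini
# Phone-side WireGuard client config (constructed example).
[Interface]
PrivateKey = <phone-private-key>          ; generated with `wg genkey`, never shared
Address = 10.8.0.2/32
; Resolver on the home network (e.g. a Pi-hole or AdGuard instance), so ad and
; tracker domains are filtered for all phone traffic, not only the home subnet.
DNS = 10.8.0.1

[Peer]
PublicKey = <home-server-public-key>
Endpoint = vpn.example.net:51820          ; home router's public name; UDP 51820 forwarded to the server
; Full tunnel: every IPv4/IPv6 destination is routed through home, so the carrier
; only sees encrypted UDP to one endpoint. A split tunnel would instead use
; AllowedIPs = 10.8.0.0/24, 192.168.1.0/24 (home server reachable, but browsing
; and DNS would still leave via the carrier, undoing two of the three benefits).
AllowedIPs = 0.0.0.0/0, ::/0
; Mobile NATs drop idle UDP mappings quickly; a keepalive keeps the tunnel usable.
PersistentKeepalive = 25
```

For the full tunnel to carry internet traffic, the home-side peer needs IP forwarding enabled and a masquerade/NAT rule for 10.8.0.0/24 on its upstream interface.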
Cloudflare is not at all sensible from a privacy standpoint. Cloudflare is a bigger privacy offender than Google and far more detrimental to our rights.
https://git.kescher.at/dCF/deCloudflare/src/branch/master/subfiles/rapsheet.cloudflare.md
Reverse proxying your website through Cloudflare is actually an attack on privacy. You make yourself part of the problem by arbitrarily blocking several demographics of people from your website including Tor and VPN users (people doing their part to retain privacy).
One thing I forgot to mention - last time I recommended cloudflared, I was told that the TOS for cloudflared forbid use for high-volume streaming of data, such as movie/audio streaming, or sharing of large files for download.
I never had an issue with it, but I didn't use it for streaming, only to share/download a small to medium sized file once every few weeks. I suppose that if you were to publicly post a link to a few GB large file, and had hundreds of people download it through cloudflared, they may take issue with it. Maybe even if you were regularly watching streamed movies from your server through it. So just a heads up, make sure to check the ToS first.
Ultimately there are always going to be people who don't have smartphones or computers, so society (including things which are currently almost mandatory to participate in society, like being able to bank) should be accessible to these people. If it's accessible for them, it's also accessible to people with smartphones or computers who have just removed the spyware from them.
I don't do mobile banking; I just bank from my desktop browser. Not sure if this is an option for you or not, but I would have thought that online banking in the web browser should be even more common than having a mobile app for it.
Not sure what you mean by "home brokers" blocking you but if you mean their wifi blocks you, I've experienced that too on GrapheneOS but have found that VPNs allow me to use pretty much any public wifi.
Does your government app have a web alternative? If not that seems incredibly discriminatory against people who don't have smartphones. If it has a web alternative but doesn't work with any particular privacy settings, do you have a local library with computers you can use?
It makes me sad that progressive web apps were killed off.
For banking, can you use a browser instead of the app?
I do very little banking through my phone - what's there to do?
There are some browsers that support sites-as-an-app, such as Cromite and Hermit, that may solve this issue.
Unfortunately some financial apps are "app or nothing".
Just wondering if it's that way for OP's bank.
I don't really use the app or the website (maybe to check a balance), so I have no idea what uses there are. Frankly I wouldn't have banking at all if I could avoid those bastards.
And a lot of others require a special app for 2FA. I for example still need an app when using the website.
I found that having a second phone (just my old phone) as a dedicated banking device works. How often do you need to initiate a bank transfer while on the go anyway?
I'm about 4-5 years from where I started to self host things. I went through a Raspberry Pi, a mini PC and now I built a small rack with a custom built PC where I self host things. Is it a pain in the ass to start without anyone teaching you? YES. I spent a lot of time trying, testing, failing and retrying, but it was a nice trip, I learnt a ton of things and there are a lot of things I'll still learn; I'm definitely not an expert but I'm improving myself.
I tried (more than one time) Nextcloud and I definitely didn't like it. I tried filebrowser, which is closer to my use case, then I ended up choosing a WebDAV instance using Apache; it is perfect for my use case, compatible with my Windows work PC and mounted perfectly from my LineageOS Android phone.
I have LineageOS without microG or any Google thing at all; all I need is self hosted and available through a custom domain and/or through a VPN I self host. 90% of my apps are FOSS.
My bank app works great without an official Android OS (I didn't root my phone).
It's all about the amount of time you can invest in it:
- A lot of time: learn about self hosting, try the available solutions and choose which one fits your use case
- Some time: find available solutions that don't require you to do anything (like proton drive, private nextcloud instances etc...)
- No time: use Google.
If you need something, I have some free space on my server that you can use (don't trust me or anyone else, use it by thinking).
Don't give up!
I have a powerful homelab and a phone with zero proprietary software. There are some sacrifices but ever since I let go of dependence on proprietary software I am much happier.
I think the best thing for cases like this is to see if the applications you want to use allow you to do what you want to do just using the web browser. Oftentimes there's a progressive web app that will function well enough, or the desktop site can be accessed on mobile with enough function to make it through.
Can you do your banking through their website? Can that government app be used similarly through desktop?
I've tried and could not use any of them without the website requesting the app to log in or to verify the transactions.
Try using the "Desktop site" feature of Firefox.
Then don't. It's that simple. It is impossible to live a 100% private life, you have to value your own time and enjoyment.
This is why I have a degoogled phone and a googled phone. I carry them both around with me but any bank app, or other data harvesting app or necessity, goes through that phone, so I may keep the majority of my stuff clean and free (as much as I can within my capabilities).
I self host a nextcloud service on my old desktop that serves as a server but every now and then the updates crash something. Sharing calendar and notes is too complicated if you don’t have a vps or a domain.
Self hosting is a pain imo. You can pay a small cloud provider with nextcloud. There is a middle ground between big tech and self hosting.
Do what you're comfortable with that doesn't impede on your life, i.e. you don't need to dig a moat and put up barbed wire around your house; you can just close the curtains at night as a starting point.
FWIW banking apps have always worked for me on GrapheneOS without any extra work.
Make a list of what data is important to you, who has access to it, and whether you're comfortable with that. If not, use Privacy Guides to select a new provider:
- Emails - Gmail -> something else?
- Location - Google, cell phone company -> (you're degoogled, so Google shouldn't have this)
- Search - Google -> DDG?
- Photos ?
etc. Just do things that aren't too much trouble and increase your privacy.
What do you say? Am I too lazy, or is it impractical to stay away from big tech?
Laziness is what the surveillance advertisers are exploiting. It is everyone’s duty to resist the tyranny of convenience that Tim Wu articulates in a famous essay.
After a year I'm starting to think that maybe my data is not worth the hassle just to keep big tech out of my digital life... I guess Big Brother wins.
Think of it as boycotting. Exposure of your personal data may not be worth the effort of protecting it, but the big picture is that privacy seekers are not just looking for confidentiality. Privacy is about power and agency. You are exercising your right to boycott a harmful entity. Boycotts are no longer simply a matter of not handing money over, because data is worth money. So boycotting now entails not handing your data over. Giving Google your data feeds Google’s profits.
So you are really asking, “should I give up the boycott”? The answer is no, because the boycott is not just a duty to yourself; it’s a duty everyone benefits from (except Google).
Don't root your phone.
It breaks the security model. Instead flash a ROM that is AOSP based.
I'm on unrooted lineage with mindthegapps / Google play services with my Google Services Framework ID registered with Google, but I still have to make 3 attempts to log in to my bank with the first 2 attempts always giving a vague error like "we're not sure why we couldn't connect", similar with fidelity. Using a password manager so I'm entering the same credentials every time.
(Edit: in the case of fidelity, instead of faking a connection issue it tells me my account is blocked and to call support to unblock it - that's also fake because I called once and they said my account wasn't locked and trying to log in a second time always works)
My understanding is that it's impossible to pass strong integrity unless you're using the stock unmodified rom with the bootloader locked.
I changed banks last week and the new bank (Aspiration) logs in fine the first time every time.
It sounds like the situation is better with graphene but I find it a lot easier to switch banks than roms.
Yeah I've switched 3 times already but every once in a while the app crashes or fails the integrity test and I notice at the worst possible time... when I need to pay for something. Looks like the best alternative is to have a cheap Android phone just to do banking.
Yeah I did that because of the banking app issues, so I installed Magisk. Looks like I made a mistake.
Instead of changing banks, change the phone and try GrapheneOS's Google sandbox thing. I myself already gave up, have Lineage and GApps installed, but I do block most of the analytics with Blokada. I also try to use FOSS as much as possible, but sometimes there's simply no alternative. At the end of the day, you need to reconsider if you really want to go with the full frontal assault, or just block most of the stuff.
I'm planning to buy a new phone in the next year or so and it looks like a Pixel is a great option because of Graphene. I wish it ran on my Poco X3.
Graphene is in an interesting position as far as being the only majorly secure OS out of the box. So don't give up until you try it even on a 200 dollar Pixel 6 or a Pro version if you like larger screens.
Use a second profile for all your normie proprietary apps and Google services. Then use your main profile for FOSS and privacy outside of work things. Easy to set up and install. No tweaking really out of the box. I've never had a major broken component even with banking apps. It's kinda like the shit just works. I hate that it's on Pixel devices but I understand why, having a secure chipset. The absolutely only complaint I could muster with GOS is Google Maps needing location to be enabled inside the main and secondary profile at the same time; I don't know why. Beyond that, it's been flawless.
Edit: Don't let others persuade you down the rabbit hole of full self hosting and going crazy micromanaging things for perfection. It'll feel like a second job and lead to what you have, which is fatigue over something you genuinely care about, and rightfully so. If you need help once you're on GOS, message me. There needs to be less friction to achieve tasks, not more, or people just won't do it.
If you have the X3 Pro, you could also try DivestOS. It's a LineageOS fork with more security. If you have the NFC one, then you are out of luck.
Mine is the NFC one... tough luck.
Everyone is giving solid advice.
It is a trade off as google controls so much.
I think we have to persist. Make our statement and presence. Let banks know. Let everybody know there are people who care. Each day we are more. One day we will be many.
Are there any banks that support FIDO2 in Europe already? I'm so sick of SMS or other shenanigans.
I don't have a phone that supports any of the FOSS Android versions but I have been making do without a Google account and with free app stores (F-Droid + Obtainium, which is great). That will have to do. I'd love much better privacy but it is too much work. I also do relatively little with my smartphone.
I use an older phone for banking, stock firmware as updated as it can be. VPN connection, no SIM, powered on just for transactions. Still, my bank requires a location for every transaction, supposedly by law. In the beginning I thought I should spoof the location to a fixed one, but I'm tired of this shit, too. It feels like it's impossible to just be at peace; at the same time, apps are being used to rob clueless people of their savings and to discriminate against and alienate elderly people.
For banking apps: my bank only has them for 2FA; if you say you don't have a smartphone, they eventually give you the same program as a Windows app, which runs great in a Win10 VM; the payments are made in their web portal.
@fernandu00 I am out of #Google myself and my whole family too. I managed to replace all Google stuff with FOSS apps. I have a separate tablet for banking only which has all the usual Google setup but I use it like once a week to pay bills. For small daily banking I use Revolut.com - their app is working fine with all my degoogled devices - both rooted and unrooted. @protonprivacy services replace most of #Google apps that people use and the rest you can find on https://f-droid.org
Yeah I intend to buy a cheap Android phone just to do banking... I guess that's the easiest way to deal with this.
I just have 2 extra profiles besides my main one (which has absolutely nothing proprietary), 1 for financial apps and another profile for my work apps. This allows me to keep the financial profile off until I need it, and the work profile active during work hours. The rest of the time, I'm away from all that proprietary crap.
After a while you will find that you really don't need most, if not all of it. But the disconnect does take time.
How do you setup separate profiles?
Go to the Settings -> System -> Multiple Users. Allow multiple users.
On the topic of struggling to connect to self hosted services without a VPS or domain: check out mesh VPNs like ZeroTier or Tailscale. I access all my internal services over Tailscale these days and it’s super simple
Not really an answer to your question but I thought it might help.
I tried the Nextcloud setup since I already self-host a bunch. And I didn't like it. Like you said, updates can mess it up and sharing is annoying. Just in general it was buggy for me.
So I switched to Proton. Which, even though it is hosted on someone else's computer, feels plenty private to me with the E2E encryption. I use Proton Drive, which makes it easy to share things just like Google Drive. I use Proton Calendar. And I use Proton Mail. It's slow progress but Proton really seems to be fully replacing Google for me. They even just added live collaboration to Drive, which was like the one thing I still used Google Drive for sometimes.