Suggestion for a Potential Collaboration Between Fairphone and GrapheneOS

Yeah, I’m very much the type who would complain harder about spare batteries being out of stock than about a software update being 4 months late.

Hey, @Paperpilot, the post mentions CalyxOS by saying they have a limited sandbox mode and implies that it’s better than /e/. I also know that they replace the root of trust to be able to lock the bootloader. They emphasize privacy too.
Do you know of them? Are they as serious as you want them to be about privacy?

I merged your topic over here

I feel like in both the discussion here and there about the recent GrapheneOS rant, privacy and security are not kept apart as two things. Of course they depend on each other, but they are not the same. LamaSinge points it out there as well:

  • you can gain more privacy by using a de-Googled device, not passing lots of your data/habits to Google (which for the Fairphone /e/OS provides, besides others)
  • you can gain more security by using an up-to-date OS, with not only the monthly security patches but also the monthly and quarterly Android-version updates (which, according to the Graphene post, do not completely get into the monthly updates, so they never reach a Fairphone)

The first point, more (Google-)privacy can be accomplished on a Fairphone by using /e/OS (or other custom ROMs like iodé or CalyxOS)

For the second, the security, Fairphone does provide monthly security patches, but delayed. They do not provide monthly and quarterly Android updates, only the yearly Android version updates. Neither does /e/OS for the Fairphones, and they also have delayed security patches and lag behind on updating their integrated libraries, so many apps are forced to use outdated ones.
CalyxOS was usually at least somewhat up-to-date with the monthly security patches, but seems to be restructuring right now.

If the GrapheneOS writer of the above post were to read this, they would probably shake their head and either run away or rant about this comparison, because with outdated software you of course take the risk of exposing all your data to unknown parties, not just to Google. And you might not even realize it until it is too late.

But for the main group of Fairphone users I would assume that they prefer not giving their data to Google and taking the (however big or small) risk of being hacked/exploited over certainly giving their data to Google.
Because a hack seems unlikely, is unfamiliar, whatever reason.

And a GrapheneOS user wants to make sure not to pass their data to anyone: not to Google, not to any data dealers, hackers, or ransomware users. And they therefore accept the downsides of not paying with the phone, of lots of manual configuration, some trial and error, research in the forum, etc.

Edit: So I don’t really see the issue with the iFixit post pointing out the Fairphone as a privacy-focused device. But in the “downsides” paragraph I think it would be fair to mention the missing updates, both on stock and /e/OS.

3 Likes
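The post above turns on how far behind a device’s security patch level actually is. As an added example (not code from anyone in this thread, nor from Fairphone, /e/OS or GrapheneOS), here is a small Python check that parses the kind of lines `adb shell getprop` prints, reads the real Android property `ro.build.version.security_patch` (format YYYY-MM-DD), and reports the lag in whole months against a reference date. The sample getprop output is constructed for illustration, and the “current / quarterly-ish / stale” thresholds are an assumption chosen for this example, not any vendor’s definition.

```python
"""Added example: estimate how far behind a device's Android security patch
level is, from `adb shell getprop` style output.  Not from the forum thread."""
from datetime import date

# Constructed sample of what `adb shell getprop | grep ro.build.version`
# might print on a device whose patch level lags the current month.
SAMPLE_GETPROP = """\
[ro.build.version.release]: [15]
[ro.build.version.sdk]: [35]
[ro.build.version.security_patch]: [2025-03-05]
"""


def parse_getprop(text: str) -> dict:
    """Turn `[key]: [value]` lines into a dict; malformed lines are skipped."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not (line.startswith("[") and "]: [" in line and line.endswith("]")):
            continue
        key, value = line[1:-1].split("]: [", 1)
        props[key] = value
    return props


def patch_lag_months(patch_level: str, today_iso: str) -> int:
    """Whole calendar months between the patch level (YYYY-MM-DD) and
    today_iso (YYYY-MM-DD).  0 means the device carries this month's patches."""
    patched = date.fromisoformat(patch_level)
    today = date.fromisoformat(today_iso)
    return (today.year - patched.year) * 12 + (today.month - patched.month)


def assess(getprop_text: str, today_iso: str) -> dict:
    """Summarise Android version, patch level and lag for a getprop dump."""
    props = parse_getprop(getprop_text)
    patch = props.get("ro.build.version.security_patch")
    if patch is None:
        raise ValueError("no ro.build.version.security_patch property found")
    lag = patch_lag_months(patch, today_iso)
    # Assumed thresholds for this example only: 0-1 months looks like a
    # monthly cadence, up to 3 like a quarterly one, anything beyond is stale.
    if lag <= 1:
        verdict = "current"
    elif lag <= 3:
        verdict = "quarterly-ish"
    else:
        verdict = "stale"
    return {
        "android": props.get("ro.build.version.release"),
        "patch_level": patch,
        "lag_months": lag,
        "verdict": verdict,
    }


if __name__ == "__main__":
    # Real usage: pipe in the output of `adb shell getprop` and pass
    # date.today().isoformat() instead of the fixed reference date.
    print(assess(SAMPLE_GETPROP, "2025-07-15"))
```

Note that the patch level string only tells you which Android security bulletin the build claims to cover; a vendor can ship a build whose patch level is current while still lagging on the Android quarterly or version updates the post distinguishes from security patches.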

Theory is one thing, but do we have any evidence of real exploits having affected /e/OS users while Pixel users (running stock or GrapheneOS) were not affected? Even Samsung enterprise editions switch from monthly to quarterly security patches after a few years. That is one security update every 3 months, which is probably an even worse lag compared to /e/OS. And we are talking about phones used in corporate businesses… Sure, they have other security features (Knox etc.), but come on, is this whole thing about delayed security patches such a big security risk? Do you know any corporate IT department using Pixels with GrapheneOS? To me it seems that delayed updates provided by Samsung, Fairphone or /e/OS are okay-ish for 99% of users, including businesses, unless you’re a special target. Sure, I’d love to see monthly updates with 1-2 days delay max, but not even Samsung is doing it!

1 Like

I think you’re hitting the nail on the head right here, good point! The question whether the user bases of the different operating systems are likely to be affected is important:
(As I’m not a security researcher and don’t follow the current vulnerabilities and exploits in the wild too closely, I’ve heard stories and reporting.)
I think a good place to start informing oneself about the security risks around mobile privacy is the Citizen Lab (at the University of Toronto): Research Archives - The Citizen Lab

Every year they publish many many blog posts and research papers outlining some of the apparent targeted attacks on dissident individuals and groups in all kinds of authoritarian states.
(While I do not live in Tibet or China, but rather in Central Europe) in the 10 years I’ve owned Fairphones, I have also become more politically active:

For me personally not only my online privacy,
but also my device security has become more important over time:

While the current government of my nation is not yet spending the amount of money necessary to hack my phone individually,
I can’t afford major security risks on my most intimate device!
I’ve been in police searches more than three times in the past five years, for example at protests against the car industry.
And while it is illegal for them to plug my phone into their computer, that has not stopped them in the past.

Increasingly everyday users are being picked out, for example at border crossings.

1 Like

So: the targeted surveillance of people might previously have been confined to Tibetan dissidents or minority groups, but this is no longer the case.
With technical progress and cheaper and cheaper tools,
many democratic nations are buying them to spy on people.
This is no surprise after the 2013 Snowden Revelations.

Most importantly:
For the next few years, I’m very concerned about the authoritarian power grabs in my home country.

While I might not yet be targeted, this is not a guarantee for the future! And even so:

I believe privacy and security are our digital human rights.
And we owe it to oppressed minorities everywhere to defend these rights,
even in our moves towards fairer electronics!

I understand your concerns. But you seem to have a higher threat model than most people here (with targeted physical attacks), and maybe you’d be better off with a Pixel and GrapheneOS then.

I guess most people who would buy Fairphones just want to keep a phone for as long as possible, repair it, support fair manufacturing conditions and enjoy good privacy (with privacy here mostly meaning not being constantly tracked by apps/Google). Security is of course important, but what they (and I) probably fear the most is remotely stolen banking credentials or ransomware. In that respect, I’m not sure Fairphone with /e/OS is so much worse than others, e.g. Samsung. Yet do GrapheneOS devs shout against Samsung for providing quarterly security patches? Not nearly as much as against Fairphone and /e/OS. This seems quite unfair to me. Granted, they did not like that iFixit qualified the Fairphone + /e/OS as a secure system (and they are probably right about it), but neither Fairphone nor /e/OS advertise their system as being secure according to the GrapheneOS definition. The true question is: is the average user insecure by running a Fairphone with /e/OS? Or more specifically, will an average user be more insecure by running a Fairphone 6 with /e/OS in a few years compared to the same average user running e.g. a Samsung Galaxy A56 with One UI once Samsung moves the device to quarterly security patches? I guess this is the key question to answer, rather than constantly saying that nothing but a Pixel + GrapheneOS is safe to use. Most people have Samsung, Redmi, Xiaomi etc., not Fairphones or Pixels. And only a very tiny minority is running GrapheneOS anyway. We constantly hear about threats being discovered, yet why did most of our friends not get hacked or suffer any exploits if they are running “insecure” systems with possibly severely delayed patches, not to mention all those running EOL devices? I guess that’s simply because they do not share the threat model that GrapheneOS tries to promote. So it is pointless to warn the average Joe that only GrapheneOS will make him secure online!

3 Likes

Interesting perspective on real world Android security for an average user (not those who would benefit from GrapheneOS but those who are likely to buy e.g. a Fairphone)…

The article is a bit dated but I guess most points remain valid?

I think this is a nuanced take and I agree.
I believe we would be better off if more people made that distinction.
Finally, more people need to learn the difference between privacy and security and think about their own threat model or ideological motivations when buying and keeping a phone
:slight_smile:

I cannot understand why you are still interested in a project whose developers have criticized, and continue to criticize, Fairphone.

They will never be satisfied with other phones, because other brands will always take some time to implement the security patches that Google itself provides. And that’s why they don’t want to change their phones.

Well, to tell the truth, they have attacked almost all free software and open source developments. All those that could compete with them: /e/, LineageOS, CalyxOS, F-Droid, Firefox, Bromite/Cromite, etc.

It is a toxic, destructive, even dangerous community, that tries to impose itself on the others, attacking the alternatives, trying to destroy them, always from a security perspective.

And what is worse, using it currently means funding Google, giving them money, which is totally unethical to me.

For that and other reasons, I have never had any interest in their project, and bought a Fairphone in order to be able to install LineageOS, CalyxOS or other alternatives.

3 Likes

I have to agree with the main conclusion in this discussion. The average user doesn’t really care too much about security. Usability is way more important. When there are some concerns, /e/OS would be a good enough alternative for 99% of the 1% privacy/security-aware users of a nice phone.

The moment you lug around a phone, you’re impeding your privacy, as you can be tracked, called,…

When you really don’t want to be tracked, keep the phone at home, use a paper agenda, use land lines when you want to call someone (good luck finding a phone booth), navigate with maps, tell time on a watch,… in other words, go back to the 80’s of the previous century.

De-Googling the phone is already a huge hassle for most, as they miss out on the shared calendar, have issues with contacts,… The moment you use a mobile device, you impede yourself. Most people that want a tad of control over their data want to have a say in who gets their data when they give it away, not have it collected by the supplier of the OS of their device.

Regular updates would be great though, but hey, that’s why I will be running Lineage (and have been running CyanogenMod/LineageOS since I got my Moto G2). I’ll compile it myself and get the updates that way (when there is no official support).

3 Likes

Great to see the answers from the /e/OS devs regarding the GrapheneOS attacks:

8 Likes

Even if the only Fairphone you can get in the USA has e/OS/, I think it’s silly to call Murena the “Fairphone software devs”. :melting_face:

6 Likes

It’s a headline, it needs to be brief (ideally).


US Fairphone OS devs ---------------------|
Devs of the OS on Fairphones sold in the US

Abbreviation often results in ambiguity.
But of course it’s also possible they simply didn’t care too much.

1 Like

Or alternatively, some form that includes “Murena devs”. :slight_smile: This all links back to the ifixit article which was majority focused on the alleged benefits to privacy and security of e/OS/. The FP6 was mostly only relevant in terms of being a vehicle for this ROM.

I used Calyx on a Fairphone 4 and I just recently got a Pixel with Graphene, and you can’t compare the two. microG is sooo much worse than the sandboxed Google Play services that Graphene has. A lot more stuff just works with the combination I have currently. That said, Calyx is definitely better than /e/OS….

1 Like

I don’t think buying a phone from Google (if you keep it for like 4-7 years) supports Google too much… they can’t make more than 200-300 dollars off one purchase. If you avoid Google software products you probably do more against Google. I think also using non-Google tools like Proton and Brave and spreading awareness about them (since they have very cool, user-friendly features) has more impact.

I would love to support FP (I own a lot of Fairphone products), but I don’t think I’ll be buying the next Fairphone anytime soon… sadly. But as Fairphone themselves point out: keeping a phone for a long time already decreases the environmental impact one has. So I’m at least gonna do that.

1 Like

The main reason I went for a Fairphone… My Nokia 6.1 lived 6 years, my Samsung A13 (usable as a phone, useless for the rest) was scrap within 1.