Dan Q

Is it possible to allow sideloading *and* keep users safe?

This is a repost promoting content originally published elsewhere. See more things Dan's reposted.

Terence Eden raises some valid points:

I’ve tried to be pragmatic, but there’s something of a dilemma here.

  1. Users should be free to run whatever code they like.
  2. Vulnerable members of society should be protected from scams.

Do we accept that a megacorporation should keep everyone safe at the expense of a few pesky nerds wanting to run some janky code?

Do we say that the right to run free software is more important than granny being protected from scammers?

Do we pour billions into educating users not to click “yes” to every prompt they see?

Do we try and build a super-secure Operating System which, somehow, gives users complete freedom without exposing them to risk?

Do we hope that Google won’t suddenly start extorting developers, users, and society as a whole?

Do we chase down and punish everyone who releases a scam app?

Do we stick an AI on every phone to detect scam apps and refuse to run them if they’re dodgy?

I don’t know the answers to any of these questions and – if I’m honest – I don’t like asking them.

Google’s gradual locking-down of Android bothers me, too. I’ve rooted many of my phones in order to unlock features that I benefit from (as a developer… and as a nerd!), and it’s bugged me on the occasions where I’ve been unable to run had to use complicated workarounds to trick e.g. a bank’s app. Having gone to the effort to root a phone – which remains outside of the reach of most regular users – I’d be happy to accept an appropriate share of the liability if my mistake, y’know, let a scammer steal all of my money.

That’s the risk you take with any device on which you have root, and it’s why we make it hard to the point of being discouraging. Because you can’t just put up a warning and hope that users will read and understand it, because they won’t. They’ll just click whatever button looks like it’ll get them to the next step without even glancing at the danger signs1.

I’m glad to have been increasingly decoupling myself from Google’s ecosystem, because I’ve been burned by it too. Like Terence, I’ve been hit by “real name” policies that discriminate against people with unusual names or who might be at risk of impersonation2. But I’m not convinced that there’s a good alternative for me to running Android on my mobile devices, at the moment: I really enjoyed Maemo back in the day; what’s the status of Sailfish nowadays?

I get that we need to protect people from dangerous scammy apps. But I’d like to think there’s a middle-ground somewhere between Doctrowian “it’s your device, you’re responsible for what runs on it” and the growing Apple/Google thinking of “if we don’t have the targetting coordinates of the developer that wrote the code, our OS won’t let you run it”. I’m ready to concede that user education alone hasn’t worked, but there’s got to be a better solution than this, Google.

Footnotes

1 Incidentally, I don’t blame users for this behaviour. Users have absolutely been conditioned, and continue to be conditioned, to click-without-reading. Cookie and privacy banners with dark patterns, EULAs and legal small print are notoriously (and often unnecessarily) long and convoluted, and companies routinely try to blur the line between “serious thing you should really read but we want you not to” and “trivial thing that you don’t need to read; it’s just a formality that we have to say it”.

2 Right now, my biggest fight with Google has come from the fact that lately, it seems like every time I upload a Three Rings demo video to YouTube it gets deleted under their harassment policy for doxxing people… people like “Alan Fakename” from Somewhereville, “Betty Notaperson” from Otherplace, and their friend “Chris McMadeup” who lives at 123 Imaginary Street. The appeals process turns out to be that you click a button to appeal, but don’t get to provide any further information (e.g. to explain that these are clearly-fake people who won’t mind being doxxed on account of the fact that they don’t exist), and then a few hours later you get an email to say “nah, we’re keeping it deleted”. I almost expect the YouTube version of my recent video demonstrating FreeDeedPoll.org.uk will be next to be targetted by this policy for showing me scribbling the purported signature Sam McRealName, formerly known as Jo Genuine-Person.

0 comments

    Reply here

    Your email address will not be published. Required fields are marked *

    Reply on your own site

    Reply elsewhere

    You can reply to this post on Mastodon (@blog@danq.me).

    Reply by email

    I'd love to hear what you think. Send an email to b27246@danq.me; be sure to let me know if you're happy for your comment to appear on the Web!