
> No Consent. Under the ePrivacy Directive, the mere access or storage of data on the user’s terminal device is only allowed if users give their free, informed, specific and unambiguous consent. Two out of the three mobile apps did not display a consent banner when launching the app. The third app presented a banner that theoretically gave the complainant the choice of giving or withholding their consent. In reality, the transmission of their personal data began without any interaction on their part – and before they even had a chance to think about consent.

Why does nobody question the fact that it is possible for an application to access data without user consent to begin with? Why are we transforming it into a human problem? The tech is to blame.



Google is an advertising company and it's not in their interest.

It's absolutely technically viable to build an app store that incentivizes using the minimum amount of permissions possible, or to even feed fake data to overly nosy apps. In fact it's been done, but it'll be a cold day in hell before Google makes it easy.

E.g.: https://playsearch.kaki87.net/


It does seem a bit surprising, I thought it was totally blocked on iOS without user consent?


I assume that it is dependent on the platform, and what you are accessing.

The problem is that we first design platforms/APIs to automate everything, and secondly try to make it secure/explicit. We need the opposite.


Won't happen till laws demand it.

Very few companies/programmers I know write 'secure first'. Most of the time it's "this shit isn't working, turn off the security stuff and see if it works, then we'll re-enable it later".


What app developers want/do is irrelevant. I am saying that it should be impossible for any individual app to access or connect to anything without explicit user consent.

We need to stop automating everything and then complain that companies aren't putting optional banners everywhere. This is beyond stupid.


For what it's worth, the opinion isn't universal. As a user I like the Haiku approach of not even having "user accounts" and on Linux I have 'sudo nopasswd ALL' on. Coddling everyone and sandboxing everything without any options to get that stuff out of the way isn't acceptable to me. Security or even privacy aren't always my top priority, and I should have that freedom available to me, even if you want the option not to have it.


The reality is there are two operating systems for mobile devices for >99% of the population.

The reality is many applications developed for those devices try to harvest data from the user, often without their consent. Contact details, location data, correlation to other apps installed, and so on, in order to make money.

The reality is that this is unethical without explicit consent, and nothing will stop these actors except technical barriers to this malicious activity.

Your desire to sleep in your apartment with the windows open and doors unlocked and cameras off is yours, but if there is a binary decision of "have these protections or not", the answer is clear.


Personally I am not advocating for "protection", protection against what? Your own device? Why is your device harming you to begin with?

The online data privacy crisis isn't really about data or the bad actors, but the lack of understandability and control over our own electronics.

To solve the problem you need to make users more involved, remove automation in favor of manual processes but simplified as much as possible. "Protections" are mostly a band-aid hiding the real cause.


Seatbelts don't need to be worn by good drivers, because they won't get into accidents!

> protection against ... your own device? Why is your device harming you to begin with?

Yes. Because some apps do more than they claim to do, and users are unaware, and thinking that all citizens can be perfectly informed and thus do not need to put guardrails on app permissions is foolish.

> but the lack of understandability and control over our own electronics.

The lack of control over the data that can be extracted by bad actors that seem like good actors.

> "Protections" are mostly band-aid hiding the real cause.

The real cause is that humans can be malicious, others can be fooled, and the first goes after the second.


> Seatbelts don't need to be worn by good drivers, because they won't get into accidents!

All humans are fallible, but it may be out of your control. There is no other human between you and your device.

> Yes. Because some apps do more than they claim to do, and users are unaware, and thinking that all citizens can be perfectly informed and thus do not need to put guardrails on app permissions is foolish.

Why do you even have to trust what apps say? That's my problem with this reasoning, we are under the assumption that programs control your device and that nothing can be done about it except adding warnings. Why do programs need instructions to access data? How about forcing the user to plug any environment access into the app? Anything that isn't plugged cannot be accessed, no trust required.

> The lack of control over the data that can be extracted by bad actors that seem like good actors.

The solution is to give control over the data, not with protection, but understanding. You are transforming this tech problem into a human problem.

> The real cause is that humans can be malicious, others can be fooled, and the first goes after the second.

Again no human between you and your device/program. We however decided that software can be malicious.


It is easier to build automation on top of a simpler/manual/secure process, than it is to make a fully automated system secure.

I am not saying that automation shouldn't be possible at all, but that platforms shouldn't be designed this way.

If users had to consent to contact access, socket connection, and every single packet sent (obviously they would need to become readable to a layman) there would be way less demand for data privacy laws.


Honestly, with most users the opposite seems to happen. They get warning fatigue and start clicking YES on everything.


That's understandable, and so perhaps we need to re-think our computing model to replace yes/no popups with something a bit more involving.

By "involving" I do not necessarily mean harder; the goal isn't to make computers less accessible, but if we give users the ability to control whatever goes in and out of their devices, maybe that means making them a bit more interactive, so instead of clicking "yes" to allow keyboard access you could drag a keyboard icon to the app, or any other device you want to use as input instead.

Consent doesn't need to be presented as yes/no, there are multiple ways to make users understand what is being accessed.


There are, but anything that requires decisions, individual separate decisions, every time will induce fatigue. Addressing that problem isn't going to happen by changing the UI presented at each individual interaction; it happens by finding a way to make the vast majority of those decisions ahead of time by stating your personal default, then overriding it as necessary. A process that can be done once, or occasionally, and applied 100 times can be involved and still be worthwhile. Making it involved and repeated ad nauseam is a good way to ensure nobody will actually bother every time.


There is also a problem with how apps are made, they depend way too much on environment calls. And obviously adding 50 permissions isn't realistic.

Now, making the base process manual doesn't mean that the user will need to do the same thing over and over. I am not against automation, but I believe that it should come from the user, not a fancy system that some external entity decided is the best way to handle permission.

By outsourcing the responsibility to your data, you are effectively giving up on understanding it.

Ideally, I believe that consumer computers should become interactive/programmable systems where the OS is responsible for exposing all the environment calls, and the apps are all stateless functions. The process of mapping environment access to apps is manual, but it creates consent AND customizability. Plus additional benefits like easing the development of cross-platform applications and maintainability.
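As an added example (not code from this thread or from any real platform), here is a small Python sketch of the model described in this comment and in the earlier "plug any environment access into the app" comment: the OS owns the resources, an app is a stateless function that receives only the handles the user plugged in, and a per-user default policy with per-app overrides (the "state your default, then override" idea from above) answers most decisions once. All names (`UserPolicy`, `plug`, `fitness_app`), the host `collector.example.net` and the sample contact data are constructed for illustration.

```python
# Constructed example: capability-style permission model. Nothing here is an
# API of Android, iOS or any real OS; resources, apps and policy are toy stand-ins.
from dataclasses import dataclass, field
from typing import Callable


class NotPlugged(PermissionError):
    """Raised when an app reaches for a resource the user never plugged in."""


class Env(dict):
    """The only thing an app receives. Missing handles raise instead of returning None."""

    def __getitem__(self, kind: str):
        if kind not in self:
            raise NotPlugged(f"'{kind}' was not plugged into this app")
        return super().__getitem__(kind)


# --- Resources the OS exposes (sample data is constructed) ---
@dataclass(frozen=True)
class Contacts:
    entries: tuple = ("alice@example.org", "bob@example.org")


@dataclass
class Socket:
    host: str                      # placeholder host, not a real endpoint
    sent: list = field(default_factory=list)

    def send(self, payload: bytes) -> None:
        self.sent.append(payload)  # a real socket would transmit here


@dataclass
class Location:
    lat: float = 48.85
    lon: float = 2.35


# Factories: a fresh handle is created only when the policy allows it.
RESOURCES: dict[str, Callable[[], object]] = {
    "contacts": Contacts,
    "socket": lambda: Socket("collector.example.net"),
    "location": Location,
}


@dataclass
class UserPolicy:
    """Per-user defaults decided once, plus per-app overrides."""
    defaults: dict                              # resource kind -> allowed?
    overrides: dict = field(default_factory=dict)  # app name -> {kind: allowed?}

    def allows(self, app: str, kind: str) -> bool:
        return self.overrides.get(app, {}).get(kind, self.defaults.get(kind, False))


def plug(policy: UserPolicy, app: str, requested: list[str]) -> tuple[Env, list[str]]:
    """Build an app's environment from the policy. Returns (env, denied kinds)."""
    env, denied = Env(), []
    for kind in requested:
        if kind not in RESOURCES:
            raise KeyError(f"unknown resource kind: {kind}")
        if policy.allows(app, kind):
            env[kind] = RESOURCES[kind]()
        else:
            denied.append(kind)
    return env, denied


def fitness_app(env: Env) -> dict:
    """Stateless app: logs steps, reads location, and tries to upload the contact list.
    It can only do what its Env contains; there is no way to reach around it."""
    result = {"steps_logged": True}
    try:
        loc = env["location"]
        result["location"] = (loc.lat, loc.lon)
    except NotPlugged:
        result["location"] = None
    try:
        # Argument evaluation raises before send() runs if contacts are unplugged.
        env["socket"].send(b"contacts:" + ",".join(env["contacts"].entries).encode())
        result["uploaded_contacts"] = True
    except NotPlugged:
        result["uploaded_contacts"] = False
    return result


def run(policy: UserPolicy, app_name: str, app: Callable[[Env], dict],
        requested: list[str]) -> tuple[dict, list[str]]:
    env, denied = plug(policy, app_name, requested)
    return app(env), denied


# User decided once: share location and allow networking by default, never contacts;
# for this particular app, additionally deny location.
POLICY = UserPolicy(defaults={"location": True, "contacts": False, "socket": True},
                    overrides={"fitness": {"location": False}})

if __name__ == "__main__":
    print(run(POLICY, "fitness", fitness_app, ["location", "contacts", "socket"]))
```

The point the toy makes is that the app never "asks" for anything at run time and nothing it declares needs to be trusted: the contact upload fails not because a banner was shown, but because the contacts handle does not exist inside the app's environment.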


>The complainant installed the popular apps MyFitnessPal, Fnac and SeLoger on their Android smartphone.


Local storage, whether straight to disk or through UserDefaults, has no permissions on iOS.


Of course the personal data needs to be transmitted prior to interaction! How else could we send the "consent-banner-displayed" event to Google Analytics to know if it's working?!




