Let’s talk about a problem - software cannot be trusted anymore. In the past, if I allowed an app to send me notifications, I’d get alerted for things I wanted to hear about. Now every app uses spurious notifications as a way to artificially boost their daily active user count. I am one by one having to shut off notifications on apps that used to be reliable products. I’ve disabled notifications on LinkedIn because it keeps sending me ads and random unnecessary alerts.
Even worse, companies are subject to neverending pressure to drive up usage and revenue. First they sell ads. When ad blockers become common, they move to subscriptions. When subscription revenue isn't enough, they bring back ads for subscribers - but now the subscribers can't avoid them. This is why I canceled @TheAtlantic - my paid membership now includes unskippable advertising.

@Tedspence @TheAtlantic revenue – I can see that, from a commercial perspective; actually, you'd aim at profit, not revenue, and yes, having ads costs you (if just through disgruntling customers, but also in administration, development and IT ops).

But there's no reason that *usage* is but a very weak proxy. Yet, I've uninstalled apps just because they kept adding new notification categories each update.
Who will happily follow a *new* notification after suppressing the last five categories?

@Tedspence
And you're probably on point with the daily usage observations – this is external, artificial pressure that you yield to in order to be allowed to play the game – to be a top-listed app, instead of one that appears in the fifth position in a search on the respective app store. Such a stupid way of Google & Co to poison their own pond.
@funkylab The intense pressure for continual exponential growth drives every app to start abusing whatever privileges a user gives it.
@funkylab In many ways it's the same sinister dynamic as the one that drives companies to constantly ratchet up the requests for tips. Incentives drive companies to advertise low prices while driving down employment costs, in the expectation that someone else will cover the gap if they just make the default tip percentage on the credit card terminal higher every year.
@funkylab @Tedspence I swear, my biggest ask for the Play Store (Google's store for Android) is a filter that hides apps with advertising.
@funkylab @TheAtlantic A real opportunity for #Apple would be to allow users to report inappropriate or unwanted notifications in apps. That would rapidly highlight the problem that some apps have major issues with spamming users!
We fundamentally need a new type of option: the ability to grant software privileges that are completely phony. I need to be able to *pretend* to grant an app the ability to send me notifications, but then to have all those notifications sent into the void. Untrustworthy software should not be able to know what privileges I have granted it.

@Tedspence It should go further, basically anything a decent test-mocking framework can do, this permission system should do. Not just null data, but your choice of random- or user-specified garbage. Not just routing notifications or outbound messages to the void, funneling them to a logfile.

It pays for itself when you can see what the "invite your friends" message actually says before committing, or teleport to San Jose when an app only allows online-cancellations for California residents.
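Added example, not part of the thread: a minimal Python sketch of the "phony grant" idea discussed above, where the app-facing answers are identical for a real and a pretend grant and swallowed notifications go to a log the user can read. `PermissionBroker`, `Grant` and all app names, coordinates and messages are hypothetical and constructed for illustration; this is not an Android or iOS API.

```python
import enum

class Grant(enum.Enum):
    DENY = 0    # app is told "no"
    REAL = 1    # app is told "yes" and gets the real resource
    PHONY = 2   # app is told "yes" but gets mock data or a sink

class PermissionBroker:
    """Hypothetical OS-side broker (illustrative; not an Android or iOS API)."""

    def __init__(self, real_location):
        self._real_location = real_location
        self._grants = {}     # (app, permission) -> (Grant, fake value)
        self.delivered = []   # notifications actually shown to the user
        self.sink_log = []    # swallowed notifications, kept for the user to read

    def set_grant(self, app, permission, grant, fake=None):
        self._grants[(app, permission)] = (grant, fake)

    def _lookup(self, app, permission):
        return self._grants.get((app, permission), (Grant.DENY, None))

    # Everything below is the app-facing surface.
    def is_granted(self, app, permission):
        grant, _ = self._lookup(app, permission)
        return grant is not Grant.DENY      # PHONY answers exactly like REAL

    def get_location(self, app):
        grant, fake = self._lookup(app, "location")
        if grant is Grant.DENY:
            raise PermissionError("location denied")
        return self._real_location if grant is Grant.REAL else fake

    def notify(self, app, text):
        grant, _ = self._lookup(app, "notifications")
        if grant is Grant.DENY:
            raise PermissionError("notifications denied")
        target = self.delivered if grant is Grant.REAL else self.sink_log
        target.append((app, text))
        return True                         # same result on both paths

def demo():
    broker = PermissionBroker(real_location=(52.52, 13.405))  # constructed
    broker.set_grant("news", "notifications", Grant.REAL)
    broker.set_grant("game", "notifications", Grant.PHONY)
    # Constructed fake position, roughly Bouvet Island.
    broker.set_grant("game", "location", Grant.PHONY, fake=(-54.42, 3.36))
    broker.notify("news", "Election results are in")
    broker.notify("game", "We miss you!")
    return broker
```
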

@Tedspence

Sounds like a good feature for #GrapheneOS to work on 😁

@Tedspence potential problem on Android which I think we'll see in the future: they might be reluctant to add that (excellent) feature you describe, because … they make their living from advertising.

@Tedspence Things like notifications are finally opt-in, unfortunately it's always all or nothing.

I need Android to save my settings so that I don't have to redo it when I switch phones and I need a bulk, yeah nah, option.

@Tedspence And +100 to phony location services. Why yes I do live in Antarctica all year. Weather is lovely
@Tedspence this is close to something that I used to do with XPrivacy on my phone quite a few years back; it needed a phone with XPosed installed, but it allowed you to feed junk data to apps or silently deny their requests
GitHub - M66B/XPrivacy: XPrivacy - The ultimate, yet easy to use, privacy manager

@Tedspence @revk “Yes you can know my location... which I will select from a map while granting the permission”
@Tedspence @revk "Oh, you want access to my microphone? Here… have a recording of Never Gonna Give You Up on loop.”

@danieldurrans

I see the point and agree - just adding some nuance:

In the authentication realm, relatively authentic location is pretty useful. As a defender, reducing the cost of an attacker faking the location of an MFA prompt trigger ... makes things worse. (May still be worth the trade-off, though - YTMMV)

@Tedspence @revk

@tychotithonus @danieldurrans @revk authentic data and authentic apps do go together - no argument from me. But when sketchy apps start asking for access to the clipboard, to Bluetooth, to local networking - why should they deserve to know I have denied them access?

@Tedspence

Totally agreed - the tricky part is that an attacker can use the same layer to lie to an authentic app. (But that use case may be more rare than the ones you're advocating for!)

@danieldurrans @revk

@tychotithonus @danieldurrans @revk if you use denial of privileges to lie to an authentication server, wouldn’t the risk just be that your own access would be locked out, or that your own login data would be less secure?

@Tedspence
To clarify, I'm thinking of the use case where the legitimate user who is being presented with an MFA prompt is also presented with the location that the original authentication request came from, as a rough way to discern MFA triggers initiated by an attacker who has guessed or stolen their password. The user is shown a location name, and/or map where the request came from. This is an MFA fatigue/bombing countermeasure (that isn't perfect, but does raise the cost to the attacker).

And to further clarify, I suspect that what you're after is worth this trade-off. It's just something that defenders need to keep in mind as well.

@danieldurrans @revk

@tychotithonus @danieldurrans @revk yeah, the worst problem I could imagine is a sketchy app that happens to use a legitimate authentication provider. What happens if a silly mobile game tries to use google auth? The invalid location data you provide to a sketchy app would then reduce the effectiveness of google auth for real apps. Maybe this argues towards handling OAuth requests through some sort of OS interface that bypasses embedded web browsers.

@tychotithonus @danieldurrans @Tedspence @revk

I think part of the issue is the paradox that the "only trustworthy companies" are also the ones most heavily engaged in surveillance, ads, and sales of data... sort of like "Hey that's a nice phone you've got there, it'd be a shame if anything happened to it. Just give us ALL of your data, You can trust us" 

@Tedspence @bread80 yes, this. I’d love it for WhatsApp which deliberately punishes you by degrading the UI if you don’t allow it to harvest your address book :-(
@Tedspence the "let's not and say we did" model of permissions
Android actually has that, but it's hidden behind layers of 'developer only' stuff... can send always-black camera images, null island gps coords etc. You can enable it using some app, but of course I don't have it currently installed and I forgot the name >:(

@Tedspence XPrivacyLua does this on #Android AFAIK

https://github.com/M66B/XPrivacyLua
It is similar in status to uMatrix: no longer supported, still working (for now)

However, it has a barrier to use in the form of requiring an unlocked, rooted Android device, which thus may imply a bit of technical know-how and comfort to do so...

I doubt Google would ever deliver a fake-data option, but I could see something like GrapheneOS do this (as Lineage is too mainline/AOSP directed).


@Tedspence

$ sketchy_app --with-notifications > /dev/null

@Tedspence this is an interesting idea also from a defenders' perspective.

It raises the idea of 'honey-authorization' roles that do nothing, have no legitimate use, but instantly trigger security alerts when assumed by any account
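Added example, not part of the thread: one way a defender could alert on the "honey-authorization" roles described above, run over constructed audit-log lines. The role names, the JSON log schema and the `assume_role` action name are assumptions made for illustration, and the sketch also alerts on denied attempts, which goes slightly beyond what the post describes.

```python
import json

# Constructed decoy roles: they grant nothing and have no legitimate user.
HONEY_ROLES = {"legacy-billing-admin", "backup-operator-old"}
WATCHED_ACTIONS = {"assume_role"}   # assumed action name in this sample schema

# Constructed sample audit log, one JSON event per line.
SAMPLE_LOG = """\
{"ts": "2024-05-01T10:00:00Z", "principal": "alice", "action": "assume_role", "role": "deploy", "outcome": "success"}
{"ts": "2024-05-01T10:02:11Z", "principal": "svc-ci", "action": "assume_role", "role": "LEGACY-BILLING-ADMIN", "outcome": "success"}
{"ts": "2024-05-01T10:02:40Z", "principal": "bob", "action": "assume_role", "role": "backup-operator-old", "outcome": "denied"}
not-json garbage line
{"ts": "2024-05-01T10:05:00Z", "principal": "carol", "action": "list_roles", "role": "legacy-billing-admin", "outcome": "success"}
"""

def detect_honey_role_use(log_text):
    """Return (alerts, skipped): alerts for honey-role use, count of bad lines."""
    alerts, skipped = [], 0
    for line_no, line in enumerate(log_text.splitlines(), start=1):
        if not line.strip():
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            skipped += 1            # count unparsable lines instead of hiding them
            continue
        if not isinstance(event, dict):
            skipped += 1
            continue
        role = str(event.get("role", "")).strip().lower()
        if role in HONEY_ROLES and event.get("action") in WATCHED_ACTIONS:
            # Any attempt is suspicious, whether it succeeded or was denied.
            alerts.append({
                "line": line_no,
                "ts": event.get("ts"),
                "principal": event.get("principal"),
                "role": role,
                "outcome": event.get("outcome"),
            })
    return alerts, skipped

if __name__ == "__main__":
    found, bad = detect_honey_role_use(SAMPLE_LOG)
    for alert in found:
        print("ALERT", alert)
    print("unparsable lines:", bad)
```
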

@Tedspence I straight up want to be able to lie to software. Access to my contacts? Enjoy this ocean of autogenerated gibberish. Location? I’m on the moon, fuck you.
@mhoye if you have the ability to spoof your location, I highly encourage you to select Bouvet Island. In addition to actually having an ISO 3166 country code, Bouvet Island is occupied entirely by walruses and is visited by humans once or twice per decade
@Tedspence strong suggestion. I’d also considered the Marianas Trench.

@Tedspence I daydream mostly about a mobile OS that grants me this capability.

But also for notifications, filters. They wouldn't be perfect, but you could let some through.

GPS would be huge.

Contacts, but only some would be huge.

Eyv

@Tedspence This is my Lynx browser cookies config ("accept always" use save file "/dev/null") writ more general. I'd also love app by app lying about location.

@Tedspence Always wondering what I'm missing out because of my decision to install only free software from F-Droid on my LineageOS. (With the exception of the odd messenger.)

Some apps feel randomly unfinished. But even those with declared "anti-features" don't ever seem to act up. This thread makes me go nope. I have no idea what you're talking about, and now I'm not curious any more.

I will not allow my own devices to work against me.

@maxy In the old days, operating system developers assumed that all programs installed by a user were trusted. In those days, it cost a huge amount of money to buy a new software program, so of course you trusted it! Unfortunately, those days are over - even if you use open source products, there's always the risk that some corporation buys up a project and starts shipping nefarious and unwanted updates.

Even if you're on a fully OSS stack, you need to be protected from rogue software.

@Tedspence this is not fundamentally new, this is selecting the inputs to a program written to a capability interface. it's definitely a paradigm most users will never have seen, but it's literally what fd redirection in unix shells does.

I wholeheartedly agree that capability-oriented OS APIs are the only user-first way to design an OS, and every practical option for an OS/userspace fails this horribly.

@Tedspence the place I think this is closest to practically implementable is probably freedesktop-based Linux where we already have a capability interface for things like screencasting through desktop portals... but spoofing location, etc. is not yet easy to do.

it would be wonderful for the FOSS community to lead here--cc @postmarketOS

@Tedspence GrapheneOS kind of does this with the location permission
@Tedspence Wait, why would that be better than just turning them off?
@Tedspence Containers for apps. lol
@Tedspence Android lets you do this, I think - if you disable the notifications for an app in the settings, I think that the app has no way of realizing that the notifications it's sending are being blocked.
@Tedspence I always found it effing stupid when a website can tell if cookies are accepted only "for session". There is no earthly reason for the browser to tell it.
@Tedspence isn't that what they call piping?
@Shahin @Tedspence that’s a good one. Also the line of “you can’t trust code you didn’t write yourself.” Looking at you, GPT.
@Tedspence Lately I have resorted to turning off all notifications and only whitelist those of apps that I consider important or trustworthy. As soon as an app sends a spurious notification it gets the privileges revoked.
@photon @Tedspence Yep, I think a lot of people work that way now - there's no other way to function without being bombarded with bullshit.
@Tedspence it’s such a pain and hostile to customers. I deleted Uber recently because it spammed me with discount notifications. Naturally you can only have notifications on or off, and I’m not about to toggle that setting every time I actually need to use their service.
@Tedspence the most gross implementation of this is the games my kids install on their iPad which send notifications saying that “we miss you” while they are away at school.
@Tedspence That's exactly why I don't allow notifications on my phone for anything other than allowed people communicating with me... and alarm clocks.
@Tedspence Yeah app that does this gets notification privileges taken away immediately from me
@Tedspence LinkedIn seems to invent new categories of content to email me about, and subscribe me to them, even though I'm unsubscribed from most categories.

@Tedspence YES, this so much.

Apple started doing this with Photos, you can grant access to only certain photos. BUT they didn't do it quite right; they still tell the app partial access has been granted, so the app knows the user is holding back.

I'd love to see this with Contacts (share only a subset of contacts), location, etc. but damnit don't snitch to the app that I'm lying to it.

If an app needs to know REAL location for security reasons, that could be an entitlement that has to be granted, and the developer would have to provide a good reason.

@Tedspence Yup. My first reaction to an alert is usually to turn off alerts.