Does a google account compromise privacy?

It is not so clear to me what “adding an account” in sailfish actually does. Does it share my data with google? As probably many of us, I use Sailfish exactly because of privacy concerns. So wouldn’t creating a google account on Sailfish defy that purpose?

(BTW I just got started with Sailfish, but I’m already a fan, it already exceeds many of my expectations!)

Have you actually read Google’s terms of service and ‘’’’’’’’’’’’’’’’’’’‘privacy’’’’’’’’’’’’’’’’’’’’ policy? Of course connecting to any Google service from any device whatsoever will result in losing privacy (read = your IP address will be logged, and cross-referenced with other Google products unless you’ve adjusted your privacy settings). There is no Sailfish-specific problem here. Jolla offers that possibility because they knew from the beginning that many people would be asking for compatibility with Google services (and they do - just look around this forum and you will see quite a couple of posts about perceived instabilities/incompatibilities with some GApps), not because they actually believe that interfacing with their services is a good idea.

Google is not a search engine (and even less a technology company), it’s a marketing company. It didn’t become world’s first company by being innovative, no matter how hard they (and many fools out there trying to justify their shady business practices) might want you to think that, but it did so by selling your data to third parties. It’s really that simple. Avoid them at all costs, in all your devices, ever. If you do use Google products, just search for alternatives - there are at least 3 good lists out there.

Thank you for the quick reply rsoto, I completely agree with you about google! That wasn’t really my point though (sorry if that wasn’t clear). Indeed there is no “sailfish specific problem”, but “adding accounts” in sailfish is sailfish specific, and I don’t know exactly what that does.

For example, can I read my gmail in the Jolla mail app without giving google access to camera, contacts, GPS, phone history, etc.?

This question is very easy. The answer is yes

Thank you gabrielg. Why, if I may ask? What does an account in sailfish do exactly?

You can set up a gmail account as a General email account to read your mail. With that i don’t think google can access anything more than what you sent via email.

(Like any other email provider) they also know when your device connects to the email servers.

Well, you can read what data you’ll be shared when you create the Google account in your phone. Basically, contacts, calednar events and email will be sync’ed. To all this, add the fact that Google will record how often you sync, what you sync, from where, etc. etc… If this doesn’t bother you, then jolly good, but in my book this constitutes privacy and it is known that Google is an advertising company that will sell your data, however ripped of identifying information.

Thanks, that was what I was hoping

Of course, that can’t be helped. But it’s good to point this out

Perfect, that was what I was looking for!

Most (but not all) of the abuses come from Google’s Play Service. On android, most of the functionality requires this piece of service. And while it runs in the background it has been documented to constantly ping the mothership (even when the phone is not actively being used) (and independently of individual app’s “persmissions” settings).

Now from that point of view:

• On Jolla’s SFOS, the managing of a Google account doesn’t rely on any piece of Android library. So adding a Google account at least will not grab your camera, audio or GPS.
• Still your SFOS needs to synchronize your data (exact time schedule can be setup in the account). Every time it needs to update information (calendars, emails, etc.) from Google, everytime it needs to send an e-mail, etc. it will make a connection to Google’s server.
  • no matter what, that’s something that Google logs, meaning that at least they can (and will) infer your activity over time of the day and thus track you over time (e.g.: you tend to send e-mail between “UTC 0600 and 1000”)
  • if you don’t go through great lengths of obscuring it (either tuning a nice Tor setup, or at least use some VPN that you trust), Google can also see the IP address you’re connecting from and have a rough idea of where you are connecting from and thus track your movement (e.g.: sync was initiate while you smartphone had an IP address known to belong to the Wifi network of a shop. Then the next couple of syncs where from an IP address register to a given cell provider in a given region. Then the sync continued from an IP address belonging to the Wifi network of your work) (Thus Google can deduce that you stopped at a shop on your way to work, and know exactly which shop and which is your place of work.) That’s not as precise as the meter-range precision offered by GPS, but Google doesn’t give a damn, that already precise enough to market the shit out of your daily behaviour and marketeers. (Very rough simplification: Was that shop a baby shop? Google knows you and your SO might be expecting soon. Be prepared for a deluge of relevant ads.) (That’s a simplification, the actual information might not be as abvious to the general public, but even more powerful)
• The information it self isn’t encrypted
  • unless you go to great lenght to setup e-mail encryption (e.g.: using S/MIME or GPG), every single e-mail your read or send is stored in the clear on GMail’s server. That was already source of scandals during GMail’s infancy as it was relying on keyword recognition of the currently opened e-mail to serve context relevant ads around the GMail web interface. Now keep in mind the level of natural language processing that modern AI has achieved and draw your conclusion. (Yes technicall googles server could read all your e-mail, deduce everything about you and market the shit out of it).
  • calendars, contacts, etc. aren’t encrypted at all. Warnings about AI apply here too. Google knows you better than you know yourself or even better than your mom.
• The good news though, come from the GPS side of things: in SFOS it’s easy to configure whether your smartphone gets its position only from sattelite, or whether it uses a service to determine an approximation based on Wifi and Cell towers signals observed around. When activated, it doesn’t rely on Google at all (it used to rely on Mozilla in the past). So at least Google doesn’t get a constant stream about your position and what’s around you (I mean, beyond what it can deduce based on your IP address. See above)
• Then there’s the Android side of things:
  • by default, SFOS only comme with AOSP, the opensource part of Android, sans google service. (There might be a few stray forgotten left over URL here and there, but nothing as dramatic as the situation criticized by /e/ on real Google smartphones). Some application will happily work without the services (e.g.: WhatsApp, Uber, etc.) other will crash due to missing functionnality.
  • you can if you want install Google’s own official Play Services (using something like opengapps and patching your system.img) then you’re basically back at the total abuse mentionned at the top with google getting a constant stream of pretty much everything that they want (with a few compatibility limitation: current AlienDalvik cannot pass cell tower information to Android apps, and nothing Bluetooth can be access directly, only as service (Bluetooth speakers show up as audio outputs, not as paired bluetooth device) - But basically this is not due to any type of protection that’s just missing functionnality in AlienDalvik).
  • you can also install microG an opensource reimplementation of the same API - that one is a lot less abusive than the original one, and you have tons of plugins for location where you can decide who (or even if anyone) gets to see your location data. And there are quite a few application that will happily work with what functionnality is already in microG even if it’s not perfectly re-implementing Google Play Service) (DRM and some banking app that all rely on Google’s detection of rooting/hacking are the sore points that will completely fail).
  • All of the above concerns Google Account and Google Service. That’s completely side stepping other issues (Uber has been caught red handed grabbing the mic and spying around you, AliExpress has an obsession with stay active in the background. I had written a Howto on the old askbot about this. It’s slightly outdated as it doesn’t cover application that automatically get started when you share something in android - they normally get you a list of additionnal options to share to, e.g.: in addition of being able to “Share to WhatsApp…”, WhatsApp itself will build a list of shortcuts to conversations in which you might want to directly post the shared photo)

In this context I find pretty naive all the complains about privacy infringement with regards to COVID tracking apps: Goolge already knows pretty much everything about your life. Do you really think they would give a damn about some cryptographically anonymized list of bluetooth tag’s your seen? When they fucking already can know precisely who (is in actual person identify, not random cryptographic string) you were standing next to when looking at a peculiar advertisement? Sweet summer child…

So in short:

• if you’re paranoid about your privacy: do not use Google, and avoid standing nearby people who use Google, Facebook, etc. (but its too late: they all know you very well based on the e-mail, photos, etc. featuring you that went through their server, even if never created your own profile.)
• if you’re very afraid about your privacy: do not use Google
• if you’re mindful about your previvacy, try to reduce your attack surface:
  • only use services that you need.
  • also when needed (disable or schedule auto-updates).
  • try implementing privacy measures (S/MIME or GPG encryption, IP address obfuscation like Tor or VPN) when realistically applicable
  • try using alternatives when available (microG instead of Google Play Services).
  • install blocker: use Defender II for system-wide domain blocklisting, use uBlock/Privacy Badger/DecentralEyes in Firefox (plugin work even in mobile), prefer Bromite (comes with adblocking plugin pre-installed) instead of Google Chrome (plugin are disabled in mobile version).

Thanks a lot for your efforts on giving a survey of these issues – much helpful.