I switched to using PWAs for social media apps for similar reasons the author outlines. A pleasant, but somewhat unintended consequence is that I just use them a lot less because the experience is pretty bad. It makes me a little sad because I’ve always believed in the PWA dream, but the reality is that they’re bad because companies certainly don’t want to make an experience that rivals the app they really want you to download.
Expected, but just leads to reinforcing the idea that PWAs won’t ever be as good when every one people try from someone with a popular app is so awful.
What's funny is that desktop versions of websites in a lot of cases are responsive, and work fine on small screen. BUT at the same time the mobile version is crappy and lacks some features (or just shows "download our app").
Recently I've set up Firefox on Android so that it always run in desktop mode. I needed to also change screen width in about:config, because otherwise everything is too small. But after this websites seem to work better.
PWAs can be good, but for a lot of social media, they're only as good as their website experience. Many (most) companies seem to make their website intentionally slow and buggy, probably with the idea that users only need to use their web UI for a short while because they lost access to their apps or something.
For instance, I've installed Mastodon as a PWA and it performs great. Photoprism also works so well I haven't even bothered to look for an app.
The absolutely batshit insane part is that the 'native apps' are almost certainly created using web technologies which call the exact same APIs as the web app.
There's zero reason the web apps should be so slow.
You can't use Facebook Messenger on the web at all, unless you go to Facebook and switch to the desktop version. Then it's a simple matter of zooming in without accidentally clicking anything, using their fiddly interface to load up the conversation you're interested in, and get bounced around the screen as the input focus changes around.
By the stopwatch it takes 3x longer for me to upload a photo to the Instagram web app than it does to Mastodon. Facebook's blue website works pretty well but the Instagram site comes across like something that was vibe coded in a weekend or maybe a straw man that was made to prove SPAs are bad. Contrast that to the Mastodon application produced by a basically unfunded application that's fast and reliable.
Just hours ago I couldn't even copy-paste a description of a post I drafted in another app. Literally nothing happened when I tried to paste. No console errors, no feedback, nothing.
It was a bit of a longer one, but still far below Instagram's supposed character limit. The fact that they somehow broke copy-paste functionality really baffles me.
Surely at some point some team that writes this has to demo it and someone checks it. After however many years of it not working, surely that's strategic, not accidental.
It's such a pervasive pattern and somehow always in the direction: the app works better than the website. If there even is a website.
I was wondering if it's just me. I am using Brave on iOS with all the possible blockers enabled, so I'm not surprised when some website doesn't work well. Instagram literally freezes solid after 5-15s of being on the website, so I usually only quickly scan the top 2-3 posts in the feed. I only follow people I know personally, so this is usually enough to do once or twice a day and stay up to date. If I see a close friend posted a story I kinda want to see then it usually takes two or three hard closes of the browser to actually see it. Sucks, but sucks less than being mental gamed into doomscrolling every time I get an app notification.
I don't know if big companies even know how to make web apps. Honestly. Which is extra insane to me because there's so much investment in web technologies. On my team at $BigTech there's like 1 or 2 people out of 30 people on our team that knows web, the rest are mobile. I'm a web guy but I refuse to touch our web-app because they butchered the tech stack and I don't have the energy to deal with that BS. We still have an mobile-web version distinct from the 'desktop' version because.... I don't know why, whoever wrote it never learned about responsive web design and we never bothered to move out of the stone ages because if people want to use the app on their phone, they should download the native app of course! And by "native" I mean we built our own half-baked framework so that we could cross-compile for Android and iOS.
Also I don't think these people know how capable PWAs are. There's very little you can't do in a web-app that you can do with a native app.
Native phone apps give me the creeps. I assume the developer's are able to track me in various ways even without my giving permissions. Is that an unfounded fear on my part?
Can an app uniquely identify me if I don't give it
control over my phone number / nearby devices?
Can apps geo-locate me if the location permission has not been granted? (seems like they could just make a network request to their servers and use the IP address of the request for a rough idea).
I _really_ wish using the network was a permission (even if it was an "advanced mode" thing).
Android 15 supports Private Space [0] that is essentially a separate profile you can install apps into that you can put to sleep. Basically I put all low trust apps into it, but can still access easily enough.
Network is a permission on Android, it's just that phone manufacturers and likely Google don't want you to be able to control it. Most custom ROMs, including GrapheneOS expose it properly, often at the install dialog.
Some time ago, I used a module for Xposed on Android called XPrivacy which did exactly that. Yes, creepy app, you can have my location. It's Antarctica.
It does look like Xposed has successors, but my current approach is to just be selective about installing apps.
I use netguard and forbid network access by default for all apps. Mildly annoying for apps that need network access as I have to approve, but it's worth it.
On play store you can see the permissions that an app uses and they are grouped by category. Have full network access is set in the "others" category, same as notifications and vibration. This is a category where (supposedly) permissions are automatically granted.
But to be honest, other similar dangerous permissions like "view network connections" and "receive data from internet" are also there, categories are for "camera", "microphone" etc.
I suppose that the average user is more concerned about specific features, and since basically almost all apps require internet it may be there to avoid noise.
Still, an "internet" category would have been nice...
An app can use the VPN API to intercept network traffic. This is all done with plenty of security popups (one to inform you an app is trying to register as a VPN, the another popup when it's first activated, and the while it's active there's a permanent notification that says "your connection may be monitored" with a quick button to kill the VPN).
The API is supposed to let apps do things like "route intranet/corporate app traffic over a VPN, let other traffic go through", but you can just as easily use it to drop traffic destined for certain addresses (such as ad servers), or to drop all traffic for specific apps. It's also possible to make decisions like "let this app connect to the internet on wifi but not on data".
It should be noted that system applications (phone OS, Google, sometimes carrier apps) can bind to specific network interfaces bypassing this API entirely. This means you can't use this API to 100% block internet access to preinstalled apps, even though apps will need to explicitly implement networking code to bypass such firewalls.
It should be noted that Google doesn't really like apps abusing the VPN API like this, in past because of the massive privacy risk. Google cut a bunch of these apps from Google Play, though there's not much they can do about APKs you download from F-Droid or github.
In the beginning of Android / iOS, just installing an app and registering was enough for the company to get your device's MAC address and thus your indoor location with accurate precision.
They could access your Wi-Fi network's BSSID (whose location is often public due to wardriving databases), and in public places, they had partner companies (malls, airports, etc.) whose routers would triangulate your position based on Wi-Fi signal strength and share information like "John is in the food court near McDonald's."
All of this happened without you even needing to connect to their Wi-Fi, because your phone used to broadcast its MAC address if the Wi-Fi was simply on. But now your MAC is now randomized, but it took a lot of time for Google / Apple to this.
Simply your IP address can be used to track you so any app or website you visit knows roughly where you are with every http request unless you use an always on VPN. It can also fingerprint you in various ways without the need for any special permissions.
Agree with you about fingerprinting (also a bummer). I guess the difference here though is that I must be actively engaging with a website in order for it to be tracking me, but an app (I assume) can be tracking me basically whenever it wants.
iOS always asks for permissions. I suspect the same is true for unrooted Android.
But the general pattern is that you install some stupid vendor crapplet, and the first thing it does, is ask for every permission on your phone. Native apps can access a lot more stuff than ones restricted to a WebView sandbox. That's why they want you to use them.
You realize that if you are concerned about apps tracking you without you explicitly giving it your location, a website could do the same since there are browser APIs that can retrieve the same information only gated by the same OS controls?
When you go to a website, they have always known the originating IP address.
> but the new trend is surveillance pricing. A company will know that you just got paid and so charge you just a bit more for your chicken nuggets than they do when you haven’t been paid in two weeks.
First of all, no, a company has no idea when you get paid. The reality of lots of apps (like McDonald's) is discount pricing. You pay full price at the store if you're a rich person who can't be bothered with apps. Downloading an app and creating an account is the modern equivalent of cutting out coupons or buy-10-get-one-free cards -- price-conscious consumers will go to the trouble and get cheaper prices. They're just loyalty programs. Price discrimination like this is nothing new, and it lets rich people subsidize the lower costs for people with less money.
These apps run in sandboxes. There's not much to surveil. Obviously don't grant them permissions to see your contacts or track your location all the time. Will the app be able to tie all your purchases to a single identity? Of course. But the stores already do that anyways if you use the same credit card for each purchase.
I don't mind downloading apps for the 5-10 stores/restaurants I go to most. Beyond that, I obviously won't because it's too much of a hassle. But the loyalty discounts I get save me real money. I have no problem with that.
Its more than coupons. These apps track your location, usage and so on then sell this data to a 3rd party. Coupons don’t do that. Do you read full useragreement you accept when installing apps? Most people wouldn’t understand the legalese in those.
A coupon could still be an image you find online that can be scanned and that’s it. Apps are totally not necessary unless they squeeze something out of the user.
To you and me, the consumer, the value of an app is "the same" as the old loyalty cards. But the value to the company is huge! How often you open the app (how often are you thinking about their food), how often you accept an offer, what the price of the offer is, what card you used to pay, where were you when you opened the app etc etc.
Going to be fun times when in 10 years time they sell all that information to your health insurance provider for them to go "Holy hell" and jack your insurances prices up 5 times over.
100% agree. The level of tracking has gotten to absurd levels.
I needed a couple of grocery items and happened to be next to an Amazon Fresh. Cool, let’s try it! Went in, found everything I needed and went to self checkout. When it was time to pay, the machine wouldn’t accept Apple Pay. I ask an employee who helpfully informs me that I can pay with physical cards or my Amazon account.
I didn’t have my physical cards, nor wanted to do my Amazon account so I had to leave empty handed. Why don’t they accept Apple Pay? Because they can’t track you. If you use a physical card, they can likely link that card number to an Amazon account and thus attribute the purchase to a person. If you pay with contactless payment they get a one time token that they can’t tie to anyone.
IIUC, contactless payment via apple pay does have a secondary card number of sorts that's linked to your original card.
I once accidentally paid for AppleCare with apple pay (a mistake), so when at some point I switched phones I had to get new secondary card numbers tied to my physical cards. The old secondaries went away when I wiped my old phone, so AppleCare was no longer able to draw the monthly payment. The number in the invoice was likewise not the original physical card number, but some other number.
Whether the secondary numbers are easier or impossible to track is certainly a question, but I believe there's always a number.
Walmart is the same. I believe it's very very slightly more expensive to process Apple Pay payments (Apple's getting a tiny fractional amount of the sale), and this was the actual sticking point.
Walmart rolled out their own QR code payment plan just so they didn't have to revshare anything. When you're the size of Walmart, you can get away with those types of decisions even though they are technically very much inferior
Payment services like credit cards demand a significant fee for a (nowadays) technically trivial service: instant cash-free payments. These could be replaced with modern instant bank transfer standards, like FedNow in the US:
These don't require external middle men (like credit card companies) and are therefore almost free. Unfortunately the US is late to the party (in India and some other countries these are already widely used for years), so many banks don't support FedNow yet.
If they were really concerned about interchange fees, they wouldn’t accept American Express cards either. The difference between the interchange fees of Visa vs Amex is much greater than tap to pay versus non tap to pay.
There is a reason that there are a lot more places that don’t accept Amex than don’t accept tap to pay. You see this a lot internationally.
Just this year alone, every mom and pop place I went to in Costa Rica, Canada, UK and France accepted Apple Pay but only merchants in the UK widely accepted Amex.
No, they don't. Apple isn't involved with the transaction processing at all, the phone just acts as an EMV device to transmit the payment details to the terminal.
Giving your phone number is just as bad. I was buying stuff at World Market and they had big signs touting 20% off some things... but when you got the counter they told you didn't get that unless you coughed up your real working mobile number so you could receive some BS code.
> A company will know that you just got paid and so charge you just a bit more for your chicken nuggets than they do when you haven’t been paid in two weeks.
I know there's various data apps can collect. On iOS at least it seems like you have to grant permission for the app to access most of it. But how on Earth is this supposed to work? How does the app on my phone know if I just got paid?
One possible future to look forward to is one where everyone is essentially forced to become a commodity player that exposes an API for your AI Agent to order food, book a rideshare, book a ticket, check flight status or whatever. I don't think they'll go willingly but the market may force their hand.
indeed, been preaching this kind of thing for ages. the main apps i keep on my mobile are my web browser, my comms apps (element, telegram and signal), and some other stuff from f-droid like retro music, ffupdater, newpipe, termux and stuff like that.
any social things i add as pwa through the browser.
not interested in any of those fast food or store apps. never selling ad-space (and privacy) on my own device to save $2 on a hamburger and some fries, and even if i did want them, chances are high they wouldn't run on my device anyway (feature not bug) lol
thankfully in my area, we have some good local places where you can order food just fine over their website. and if it didn't work over the website, i can simply do it the old-fashioned way, pick up the phone and say "i'd like to place an order for XYZ.."
Using the website doesn’t get you around these clauses either. It’s more like “don’t agree to terms you don’t read”. Chatgpt can help spot things like this without much effort now, but about every single business is going to have an arbitration clause.
This is all true. But I work in a company where the folks are actually nice guys. Lately we wanted more people to use the apps so we could block bots more aggressively on web because it is getting annoyingly expensive
For all of these same reasons, I never signed up for the "member rewards" program at the local grocery store. I did read the terms and conditions once, when I needed a good laugh.
"never hand your phone over the counter" - do people actually hand over their phones to random strangers? I'd never do that unless I really know the person
Generally agree with the sentiment, I basically only have banking apps, messaging apps, and a browser on my phone.
I am skeptical, though, of the price discrimination claims. If McDonald's decides that the right price of a Big Mac for me is $1 and for you $4, that creates an arbitrage opportunity. You can pay me $3, and I pocket $1.50. The result is that I buy more big macs, and they bump my price up. You buy less, and they take your price down. Now it just trades at the market rate it was before, but with more steps.
Arbitrage between McDonalds burgers doesn’t really work. It’s not a meaningful open market - someone paying $1/burger can’t go in and buy 100 burgers and sell them to someone else for $3. For one reason, it’s illegal. For another, no one would buy them, they’d think it’s a scam.
This assumes the information is clear and consistent enough across time and distance for arbitrage to happen. Pricing in-app, per customer, changing per day would introduce too much unpredictability for most customers to attempt arbitrage. If people in a group all check their apps, and the person with the best prices orders for everyone, it could work in the context of a shared meal.
But imagine trying to sort out X number of people who each want a different basket of items from, say, the Walmart app. Each of those items fluctuating daily in price for each customer independently makes arbitrage almost prohibitively difficult to coordinate.
The best case scenario is something like Steam sales, where a wishlist function notifies you when items you've "watched" are on sale. There are third parties like, for example, Deku Deals that track this pricing data across time for console games.
But Amazon is already trying to banish external AI agents from any access to its data. And what does a price history graph even mean if prices are specific to each customer and stochastically varied each day to induce impulse purchases?
Just another confirmation that the majority of the IT industry depends on spying in order to be profitable and for developers to make a good living. It’s a disgrace really.
An annoying trend I've noticed is being asked for phone number or email at checkout (IRL). I bought a blood pressure meter a few days ago, and the salesman asked "what phone number should I put on the order?" Zero. Fuck off. I guess most people just answer out of reflex, or believe it's required to complete the purchase. It's creepy and irritating.
As a teenager I worked at a discount store, and sometimes ran the service desk, which (among many other things) involved processing returns. The returns form included a spot for "phone number", to which some customers would respond, "my number is unlisted". We honored that. Today in the USA, it seems the phone number is the new Social Security Number, which everybody wants to use for tracking. Stores used to give out physical discount cards (which I wasn't keen on either...) but now (obviously because it saves them money) so many stores have switched to a system where your account is tracked through a phone number or an app or both. No thank you.
I often use my old landline number when stores ask me for a phone number. I gave it up about 20 years ago. I feel a little sorry for the guy who has it now (only a little sorry) because whoever it was reassigned to, probably gets many spam calls on my behalf.
I feel sorry for their database because I was a teenager with a bunch of guitar pedals and an ongoing need for 9V batteries. I made up a LOT of phone numbers.
Already pisses me off that companies make a profile of me based on credit card numbers. I’ve had this number for decades. I’m sure you could build a complete profile of me based on my cell number, and this is the only “social” site I use. I got off fb in 2008, never even joined the rest (twitter, insta, reddit, et. al.) just because my phone number has been raped out of anyone else who has my name and number in their phone.
This is dumb. Websites have many more ways to track you across websites than apps have to track you if you don’t explicitly give them unnecessary permissions.
Native apps have privileged access to far more personal data on your device. A website has, what, cookies and fingerprinting? You can already mitigate this on Firefox but even if not, it isn't in the same league
I switched to using PWAs for social media apps for similar reasons the author outlines. A pleasant, but somewhat unintended consequence is that I just use them a lot less because the experience is pretty bad. It makes me a little sad because I’ve always believed in the PWA dream, but the reality is that they’re bad because companies certainly don’t want to make an experience that rivals the app they really want you to download.
Expected, but just leads to reinforcing the idea that PWAs won’t ever be as good when every one people try from someone with a popular app is so awful.
What's funny is that desktop versions of websites in a lot of cases are responsive, and work fine on small screen. BUT at the same time the mobile version is crappy and lacks some features (or just shows "download our app").
Recently I've set up Firefox on Android so that it always run in desktop mode. I needed to also change screen width in about:config, because otherwise everything is too small. But after this websites seem to work better.
What is the relevant setting in about:config?
PWAs can be good, but for a lot of social media, they're only as good as their website experience. Many (most) companies seem to make their website intentionally slow and buggy, probably with the idea that users only need to use their web UI for a short while because they lost access to their apps or something.
For instance, I've installed Mastodon as a PWA and it performs great. Photoprism also works so well I haven't even bothered to look for an app.
The absolutely batshit insane part is that the 'native apps' are almost certainly created using web technologies which call the exact same APIs as the web app.
There's zero reason the web apps should be so slow.
I'm convinced many companies purposely gimp their web sites to drive people to apps.
Uber for example doesn't seem to work from my phone browser.
What surprises me is how many engineers must be involved in this kind of scummy shit and keep it tightly under wraps.
You can't use Facebook Messenger on the web at all, unless you go to Facebook and switch to the desktop version. Then it's a simple matter of zooming in without accidentally clicking anything, using their fiddly interface to load up the conversation you're interested in, and get bounced around the screen as the input focus changes around.
They've gone an admirably long way to fuck up a text input.
> Uber for example doesn't seem to work from my phone browser.
Remember when uber wouldn't work for regulators either?
https://en.wikipedia.org/wiki/Controversies_surrounding_Uber...
Instagram - major offender.
By the stopwatch it takes 3x longer for me to upload a photo to the Instagram web app than it does to Mastodon. Facebook's blue website works pretty well but the Instagram site comes across like something that was vibe coded in a weekend or maybe a straw man that was made to prove SPAs are bad. Contrast that to the Mastodon application produced by a basically unfunded application that's fast and reliable.
Just hours ago I couldn't even copy-paste a description of a post I drafted in another app. Literally nothing happened when I tried to paste. No console errors, no feedback, nothing.
It was a bit of a longer one, but still far below Instagram's supposed character limit. The fact that they somehow broke copy-paste functionality really baffles me.
Yep. Either it’s actually that bad or it’s just purposefully hampered. Same end user experience either way.
Surely at some point some team that writes this has to demo it and someone checks it. After however many years of it not working, surely that's strategic, not accidental.
It's such a pervasive pattern and somehow always in the direction: the app works better than the website. If there even is a website.
I was wondering if it's just me. I am using Brave on iOS with all the possible blockers enabled, so I'm not surprised when some website doesn't work well. Instagram literally freezes solid after 5-15s of being on the website, so I usually only quickly scan the top 2-3 posts in the feed. I only follow people I know personally, so this is usually enough to do once or twice a day and stay up to date. If I see a close friend posted a story I kinda want to see then it usually takes two or three hard closes of the browser to actually see it. Sucks, but sucks less than being mental gamed into doomscrolling every time I get an app notification.
I would say use flickr, but that's shitified now.
Oddly effectively because I end up using it less in general
Exactly - me too. But infuriating when I try.
When someone sends me an Instagram link I edit to imginn.com instead.
> I'm convinced many companies purposely gimp their web sites to drive people to apps.
And then their app is just a webview wrapper. But that still gives them more access to your device.
I don't know if big companies even know how to make web apps. Honestly. Which is extra insane to me because there's so much investment in web technologies. On my team at $BigTech there's like 1 or 2 people out of 30 people on our team that knows web, the rest are mobile. I'm a web guy but I refuse to touch our web-app because they butchered the tech stack and I don't have the energy to deal with that BS. We still have an mobile-web version distinct from the 'desktop' version because.... I don't know why, whoever wrote it never learned about responsive web design and we never bothered to move out of the stone ages because if people want to use the app on their phone, they should download the native app of course! And by "native" I mean we built our own half-baked framework so that we could cross-compile for Android and iOS.
Also I don't think these people know how capable PWAs are. There's very little you can't do in a web-app that you can do with a native app.
Personally my experience with PWAs has been solid, on Firefox w control over JS. I still use them a lot less because I don't stay signed in.
Native phone apps give me the creeps. I assume the developer's are able to track me in various ways even without my giving permissions. Is that an unfounded fear on my part?
Can an app uniquely identify me if I don't give it control over my phone number / nearby devices?
Can apps geo-locate me if the location permission has not been granted? (seems like they could just make a network request to their servers and use the IP address of the request for a rough idea).
I _really_ wish using the network was a permission (even if it was an "advanced mode" thing).
Android 15 supports Private Space [0] that is essentially a separate profile you can install apps into that you can put to sleep. Basically I put all low trust apps into it, but can still access easily enough.
[0] https://support.google.com/android/answer/15341885?hl=en
The web page says Private Spaces can hide an app from the user.
What I want to do is hide my address book and gallery from the app.
> Can an app uniquely identify me
Even browsers can identify* you, if they really want to.
*not as cleanly though, could be tricky for fingerprinting to track one user across different devices/browsers/netowrks.
Recent discussion on fingerprinting: https://news.ycombinator.com/item?id=46016249
Network is a permission on Android, it's just that phone manufacturers and likely Google don't want you to be able to control it. Most custom ROMs, including GrapheneOS expose it properly, often at the install dialog.
They really should just let me spoof all the permissions and associated data for apps if I don't want them to have the access.
Some time ago, I used a module for Xposed on Android called XPrivacy which did exactly that. Yes, creepy app, you can have my location. It's Antarctica.
It does look like Xposed has successors, but my current approach is to just be selective about installing apps.
I use netguard and forbid network access by default for all apps. Mildly annoying for apps that need network access as I have to approve, but it's worth it.
On play store you can see the permissions that an app uses and they are grouped by category. Have full network access is set in the "others" category, same as notifications and vibration. This is a category where (supposedly) permissions are automatically granted.
But to be honest, other similar dangerous permissions like "view network connections" and "receive data from internet" are also there, categories are for "camera", "microphone" etc.
I suppose that the average user is more concerned about specific features, and since basically almost all apps require internet it may be there to avoid noise. Still, an "internet" category would have been nice...
"Network" is too broad. What you really want for most apps is "can only talk to its home domain from which it was downloaded".
Netguard solves this, available on the play store and F droid
https://netguard.me/
Pro tip: use the fdroid version as it allows you to set a host file to also filter ads, etc.
https://github.com/M66B/NetGuard/blob/master/ADBLOCKING.md
Netguard is fantastic. I even use it on my Sony android TV to block everything except for a few streaming apps.
I love netguard. Some apps refuse to work without network access, but most work fine. The lack of ads is great.
How does it work without root? Any app can just block other apps from connecting to the internet?
An app can use the VPN API to intercept network traffic. This is all done with plenty of security popups (one to inform you an app is trying to register as a VPN, the another popup when it's first activated, and the while it's active there's a permanent notification that says "your connection may be monitored" with a quick button to kill the VPN).
The API is supposed to let apps do things like "route intranet/corporate app traffic over a VPN, let other traffic go through", but you can just as easily use it to drop traffic destined for certain addresses (such as ad servers), or to drop all traffic for specific apps. It's also possible to make decisions like "let this app connect to the internet on wifi but not on data".
It should be noted that system applications (phone OS, Google, sometimes carrier apps) can bind to specific network interfaces bypassing this API entirely. This means you can't use this API to 100% block internet access to preinstalled apps, even though apps will need to explicitly implement networking code to bypass such firewalls.
It should be noted that Google doesn't really like apps abusing the VPN API like this, in past because of the massive privacy risk. Google cut a bunch of these apps from Google Play, though there's not much they can do about APKs you download from F-Droid or github.
Neat, thanks for the explanation!
Given it's a "VPN", would it work alongside real VPN?
The app takes up Android's only VPN slot, but some like RethinkDNS have VPN support built-in, so you can still connect to another actual VPN.
In the beginning of Android / iOS, just installing an app and registering was enough for the company to get your device's MAC address and thus your indoor location with accurate precision.
They could access your Wi-Fi network's BSSID (whose location is often public due to wardriving databases), and in public places, they had partner companies (malls, airports, etc.) whose routers would triangulate your position based on Wi-Fi signal strength and share information like "John is in the food court near McDonald's."
All of this happened without you even needing to connect to their Wi-Fi, because your phone used to broadcast its MAC address if the Wi-Fi was simply on. But now your MAC is now randomized, but it took a lot of time for Google / Apple to this.
They can track you on a website perhaps even more reliably than on an app, at least on iOS…
The difference is I am not carrying around my desktop computer, the location data stays static.
Simply your IP address can be used to track you so any app or website you visit knows roughly where you are with every http request unless you use an always on VPN. It can also fingerprint you in various ways without the need for any special permissions.
Agree with you about fingerprinting (also a bummer). I guess the difference here though is that I must be actively engaging with a website in order for it to be tracking me, but an app (I assume) can be tracking me basically whenever it wants.
Then the VPN provider does geolocation instead and get the list of hosts you accessed
Facebook & Yandex used apps to correlate browsing sessions to the app user.
https://localmess.github.io/
iOS always asks for permissions. I suspect the same is true for unrooted Android.
But the general pattern is that you install some stupid vendor crapplet, and the first thing it does, is ask for every permission on your phone. Native apps can access a lot more stuff than ones restricted to a WebView sandbox. That's why they want you to use them.
No thankee.
You realize that if you are concerned about apps tracking you without you explicitly giving it your location, a website could do the same since there are browser APIs that can retrieve the same information only gated by the same OS controls?
When you go to a website, they have always known the originating IP address.
>Is that an unfounded fear on my part?
Given the security record of app stores, probably not.
The author has this backwards:
> but the new trend is surveillance pricing. A company will know that you just got paid and so charge you just a bit more for your chicken nuggets than they do when you haven’t been paid in two weeks.
First of all, no, a company has no idea when you get paid. The reality of lots of apps (like McDonald's) is discount pricing. You pay full price at the store if you're a rich person who can't be bothered with apps. Downloading an app and creating an account is the modern equivalent of cutting out coupons or buy-10-get-one-free cards -- price-conscious consumers will go to the trouble and get cheaper prices. They're just loyalty programs. Price discrimination like this is nothing new, and it lets rich people subsidize the lower costs for people with less money.
These apps run in sandboxes. There's not much to surveil. Obviously don't grant them permissions to see your contacts or track your location all the time. Will the app be able to tie all your purchases to a single identity? Of course. But the stores already do that anyways if you use the same credit card for each purchase.
I don't mind downloading apps for the 5-10 stores/restaurants I go to most. Beyond that, I obviously won't because it's too much of a hassle. But the loyalty discounts I get save me real money. I have no problem with that.
Its more than coupons. These apps track your location, usage and so on then sell this data to a 3rd party. Coupons don’t do that. Do you read full useragreement you accept when installing apps? Most people wouldn’t understand the legalese in those.
A coupon could still be an image you find online that can be scanned and that’s it. Apps are totally not necessary unless they squeeze something out of the user.
McDonalds has been shown multiple times to use their app to figure out how much someone is really willing to play for their slop: https://www.stuff.co.nz/money/350476761/mcdonald-s-under-fir...
To you and me, the consumer, the value of an app is "the same" as the old loyalty cards. But the value to the company is huge! How often you open the app (how often are you thinking about their food), how often you accept an offer, what the price of the offer is, what card you used to pay, where were you when you opened the app etc etc.
Going to be fun times when in 10 years time they sell all that information to your health insurance provider for them to go "Holy hell" and jack your insurances prices up 5 times over.
But sure, we got 20c off a burger.
100% agree. The level of tracking has gotten to absurd levels.
I needed a couple of grocery items and happened to be next to an Amazon Fresh. Cool, let’s try it! Went in, found everything I needed and went to self checkout. When it was time to pay, the machine wouldn’t accept Apple Pay. I ask an employee who helpfully informs me that I can pay with physical cards or my Amazon account.
I didn’t have my physical cards, nor wanted to do my Amazon account so I had to leave empty handed. Why don’t they accept Apple Pay? Because they can’t track you. If you use a physical card, they can likely link that card number to an Amazon account and thus attribute the purchase to a person. If you pay with contactless payment they get a one time token that they can’t tie to anyone.
In Massachusetts, they also would have been required to accept cash, as all business locations are.
(It appears that Amazon Fresh has not opened any locations in MA. That's fine with me.)
IIUC, contactless payment via apple pay does have a secondary card number of sorts that's linked to your original card.
I once accidentally paid for AppleCare with apple pay (a mistake), so when at some point I switched phones I had to get new secondary card numbers tied to my physical cards. The old secondaries went away when I wiped my old phone, so AppleCare was no longer able to draw the monthly payment. The number in the invoice was likewise not the original physical card number, but some other number.
Whether the secondary numbers are easier or impossible to track is certainly a question, but I believe there's always a number.
Walmart is the same. I believe it's very very slightly more expensive to process Apple Pay payments (Apple's getting a tiny fractional amount of the sale), and this was the actual sticking point.
Walmart rolled out their own QR code payment plan just so they didn't have to revshare anything. When you're the size of Walmart, you can get away with those types of decisions even though they are technically very much inferior
Payment services like credit cards demand a significant fee for a (nowadays) technically trivial service: instant cash-free payments. These could be replaced with modern instant bank transfer standards, like FedNow in the US:
https://en.wikipedia.org/wiki/FedNow
These don't require external middle men (like credit card companies) and are therefore almost free. Unfortunately the US is late to the party (in India and some other countries these are already widely used for years), so many banks don't support FedNow yet.
> Why don’t they accept Apple Pay?
Apple charges for the interchange.
This is the same reason that Walmart doesn’t accept it.
Every credit card company charges interchange fees. Apple charges an additional .15 cents.
Walmart doesn’t accept Apple Pay because they want you to use their app and think they are big enough not to.
> Walmart doesn’t accept Apple Pay because they want you to use their app and think they are big enough not to
You can pay with credit card swipe/insert.
You cannot pay with credit card tap-to-pay, or mobile device.
Swipe versus tap-to-pay has literally nothing to do with an app. But it's because of the extra charge.
---
It's funny that you know it's more expensive, and yet claim that is unrelated.
If they were really concerned about interchange fees, they wouldn’t accept American Express cards either. The difference between the interchange fees of Visa vs Amex is much greater than tap to pay versus non tap to pay.
There is a reason that there are a lot more places that don’t accept Amex than don’t accept tap to pay. You see this a lot internationally.
Just this year alone, every mom and pop place I went to in Costa Rica, Canada, UK and France accepted Apple Pay but only merchants in the UK widely accepted Amex.
No, they don't. Apple isn't involved with the transaction processing at all, the phone just acts as an EMV device to transmit the payment details to the terminal.
Incorrect.
https://www.igeeksblog.com/does-walmart-take-apple-pay/
Giving your phone number is just as bad. I was buying stuff at World Market and they had big signs touting 20% off some things... but when you got the counter they told you didn't get that unless you coughed up your real working mobile number so you could receive some BS code.
See ya, jerks.
You can use my phone number, +61 400 000 000 :)
> A company will know that you just got paid and so charge you just a bit more for your chicken nuggets than they do when you haven’t been paid in two weeks.
I know there's various data apps can collect. On iOS at least it seems like you have to grant permission for the app to access most of it. But how on Earth is this supposed to work? How does the app on my phone know if I just got paid?
For me I have a recurring calendar appointment reminder for when I get paid. So anything that requests calendar access would know that.
One possible future to look forward to is one where everyone is essentially forced to become a commodity player that exposes an API for your AI Agent to order food, book a rideshare, book a ticket, check flight status or whatever. I don't think they'll go willingly but the market may force their hand.
indeed, been preaching this kind of thing for ages. the main apps i keep on my mobile are my web browser, my comms apps (element, telegram and signal), and some other stuff from f-droid like retro music, ffupdater, newpipe, termux and stuff like that.
any social things i add as pwa through the browser.
not interested in any of those fast food or store apps. never selling ad-space (and privacy) on my own device to save $2 on a hamburger and some fries, and even if i did want them, chances are high they wouldn't run on my device anyway (feature not bug) lol
thankfully in my area, we have some good local places where you can order food just fine over their website. and if it didn't work over the website, i can simply do it the old-fashioned way, pick up the phone and say "i'd like to place an order for XYZ.."
I've been dutifully following this approach for a little while now and it's had the nice side effect of pushing me to smaller and more local options.
I think it's also saving me money!
Using the website doesn’t get you around these clauses either. It’s more like “don’t agree to terms you don’t read”. Chatgpt can help spot things like this without much effort now, but about every single business is going to have an arbitration clause.
This is all true. But I work in a company where the folks are actually nice guys. Lately we wanted more people to use the apps so we could block bots more aggressively on web because it is getting annoyingly expensive
>Guess who hires them? Not you!
McDonalds doesn't hire them either. But, they will pay a bigger share of the arbitration fees than you do.
>they’d have to settle it out of court with a mediator that Disney hired
It would be a mediator hired by JAMS, a neutral 3rd party.
Is it somehow easier to have binding arbitration in an app vs. a website, assuming there is an account needed for both?
For all of these same reasons, I never signed up for the "member rewards" program at the local grocery store. I did read the terms and conditions once, when I needed a good laugh.
Friendly Social Browser is a great alternative to having to download everyone and their kitchen sink's app but not sure if their privacy is great
"never hand your phone over the counter" - do people actually hand over their phones to random strangers? I'd never do that unless I really know the person
Occasionally restaurants to pay for something if you don't have a credit card. But never had them go take it somewhere.
This is all fine and valid but the real problem is that binding arbitration is legal.
Why wouldn't this physical sign be the same? "If you step your foot over this stone, you agree to the following terms:"
I think if someone yoinks your phone and installs stuff on it the basic options are "call the cops" or "make them call the cops".
We need strong regulation.
Very much in line with Cory Doctorow's thoughts on enshittification: https://youtu.be/Eiu6FxigqrI?si=aT3vzWVSxV2pi_4U
Generally agree with the sentiment, I basically only have banking apps, messaging apps, and a browser on my phone.
I am skeptical, though, of the price discrimination claims. If McDonald's decides that the right price of a Big Mac for me is $1 and for you $4, that creates an arbitrage opportunity. You can pay me $3, and I pocket $1.50. The result is that I buy more big macs, and they bump my price up. You buy less, and they take your price down. Now it just trades at the market rate it was before, but with more steps.
Arbitrage between McDonalds burgers doesn’t really work. It’s not a meaningful open market - someone paying $1/burger can’t go in and buy 100 burgers and sell them to someone else for $3. For one reason, it’s illegal. For another, no one would buy them, they’d think it’s a scam.
Which is why there is such a big push against automated usage of apps/etc, so that nobody could implement such a system.
This assumes the information is clear and consistent enough across time and distance for arbitrage to happen. Pricing in-app, per customer, changing per day would introduce too much unpredictability for most customers to attempt arbitrage. If people in a group all check their apps, and the person with the best prices orders for everyone, it could work in the context of a shared meal.
But imagine trying to sort out X number of people who each want a different basket of items from, say, the Walmart app. Each of those items fluctuating daily in price for each customer independently makes arbitrage almost prohibitively difficult to coordinate.
The best case scenario is something like Steam sales, where a wishlist function notifies you when items you've "watched" are on sale. There are third parties like, for example, Deku Deals that track this pricing data across time for console games.
But Amazon is already trying to banish external AI agents from any access to its data. And what does a price history graph even mean if prices are specific to each customer and stochastically varied each day to induce impulse purchases?
People who create download our app pop-ups need to go to jail.
Downloading software? On MY handheld computer??
Just another confirmation that the majority of the IT industry depends on spying in order to be profitable and for developers to make a good living. It’s a disgrace really.
An annoying trend I've noticed is being asked for phone number or email at checkout (IRL). I bought a blood pressure meter a few days ago, and the salesman asked "what phone number should I put on the order?" Zero. Fuck off. I guess most people just answer out of reflex, or believe it's required to complete the purchase. It's creepy and irritating.
As a teenager I worked at a discount store, and sometimes ran the service desk, which (among many other things) involved processing returns. The returns form included a spot for "phone number", to which some customers would respond, "my number is unlisted". We honored that. Today in the USA, it seems the phone number is the new Social Security Number, which everybody wants to use for tracking. Stores used to give out physical discount cards (which I wasn't keen on either...) but now (obviously because it saves them money) so many stores have switched to a system where your account is tracked through a phone number or an app or both. No thank you.
I often use my old landline number when stores ask me for a phone number. I gave it up about 20 years ago. I feel a little sorry for the guy who has it now (only a little sorry) because whoever it was reassigned to, probably gets many spam calls on my behalf.
This has been a thing since the 1990s when I worked at Radio Shack.
At least they gave me a free battery every month.
I feel sorry for their database because I was a teenager with a bunch of guitar pedals and an ongoing need for 9V batteries. I made up a LOT of phone numbers.
It was only a thing at Radio Shack, and I would never give them my number.
[Your Area Code]-867-5309 is what I always use - alas they are becoming wise to that
[areaCode]-555-1212 is one I use, but any 555 prefix will work as it is not meant for actual phone numbers.
https://en.wikipedia.org/wiki/555_(telephone_number)
I've used 213-456-7890 a few times on throwaway things.
cool example :)
“Can I have your phone number for this order?”
“Nope.”
Already pisses me off that companies make a profile of me based on credit card numbers. I’ve had this number for decades. I’m sure you could build a complete profile of me based on my cell number, and this is the only “social” site I use. I got off fb in 2008, never even joined the rest (twitter, insta, reddit, et. al.) just because my phone number has been raped out of anyone else who has my name and number in their phone.
This is dumb. Websites have many more ways to track you across websites than apps have to track you if you don’t explicitly give them unnecessary permissions.
Native apps have privileged access to far more personal data on your device. A website has, what, cookies and fingerprinting? You can already mitigate this on Firefox but even if not, it isn't in the same league