Digital Sovereignty Breach: Escaping the Telemetry Trap

I’ve been researching connected Linux devices as an exercise. I would like to get a dumb phone, probably running Linux, and on top of that, I want to replace my Xiaomi Mi Band with something like a PineWatch. At this point, it is just an exercise because I can’t really leave the Google ecosystem, but it would be great to experiment with Nextcloud and some additional self-hosted alternatives soon enough.

In any case, it is really difficult. If there is no serious money behind Linux, there is no incentive to make devices that can run it. You wouldn’t get anything after you sell the device, right? Because you wouldn’t get any telemetry. That’s something you get out of the box with Android users. You can’t have advertising like on Xiaomi, where they physically own the advertising space on your phone. At some point, you start thinking about what part of this device you actually own. It is pretty much impossible at this point to have something else.

So, I will be testing out the PinePhone. I’m planning to buy a new one soon. I want to run Linux on my phone, and this second phone will be my backup, unfortunately. There is no way to run without a smartphone anymore. I’m not saying we need this for computational purposes because we have so many complicated things that we can’t step out of our flats without that complex calculation machine in our pockets. Not really. We just moved so much to that external device-so many things that probably shouldn’t even be there in the first place. Nowadays, it is pretty much impossible to participate in public life without having a smartphone. All the banking apps, security-related things… it is weird.

I want to run with something really old-school, something like a dumb phone, for quite some time just to test it out because I see people experimenting with this. So, I will probably start with that PinePhone, or maybe I will get something cheaper like a Pocophone just to install Linux on it. I have to find a model. That’s also another issue: you can buy something that has a locked bootloader. In this case, well, I’m not that proficient at those systems to be able to unlock it myself unless there is some kind of an instruction, like there was with my old Pixel 3a. So, it will be quite an enterprise.

But then you realize that there are no apps. If you were to run a Linux phone, let’s say with Ubuntu Touch, there are no apps. The number of apps is really, really limited. There is no review process, nothing really. The ecosystem is just not there. Obviously, you have a browser, and that’s more than enough. But unfortunately, at some point, many companies focused on the app so much that the apps provide a decent experience these days, but not the website itself. Some websites have no functions or a limited set of functions. I know this from XTB, the broker company. They have a web interface that doesn’t have all the functions. For example, they don’t have this IKE, a special kind of account in Poland, on the web. They have it on mobile, you can see it, but on the desktop version, you won’t see it. And there are many things like that.

Basically, we are forced to use machines that are collecting telemetry on us, and there is no way around it. There’s no way to step back, take a dumb phone, and just do something with your laptop using your VPN and blocking all third-party JavaScript. There is no way to do that anymore with mobiles. There is no way to reject the idea of owning something you don’t fully own.

This returns to the essay written by Louis Rossmann, or I think it was a YouTube video, where he complained that telemetry shouldn’t be part of the service. You buy a physical product, be it hardware or software. It might be optional for them to take your data and use it somehow-they have to explain why-but you have to get something in exchange. And there has to be an option for hardware products as well to use your own cloud, to set up your own cloud, be it something on-premise in your house or something you’re renting as a VPS so you can migrate. This has to be your data location.

So next time someone tells me that car companies need security data to optimize the tech inside your car-because these days your car is also an iPhone, but on wheels-you have to understand that this data is not really yours. You don’t know what’s being collected, what models are being run, why, and what for. On top of that, if the company goes out of business, or your model goes out of business, or there is some cost-cutting on their end, and suddenly they just forget about your server and it is exposed to any vulnerabilities on the market-this data that shouldn’t be there in the first place will be exposed without your knowledge.

If, when purchasing a car, there was a programmable module that you could just connect to your laptop, like with ADB, and you could just punch in your server credentials and make this car talk to your server… Yes, there might be some kind of a gateway for a bonus, where you could connect your own server to the external server belonging to the car maker for the telemetry, in exchange for some kind of a discount, a club, some kind of benefits. Or for example, if you want to have this data stored, like the history of the vehicle, you could sell it with a packaged version of that data. Repairmen, for example, could get this information on some kind of a blockchain or something, with no adjustments in the middle. I’m not saying that’s the way it should work, but this vehicle that you are buying shouldn’t have more than an OBD2 port, if you wanted to, or something similar that could connect to your own server. It probably shouldn’t even have a 3G connection if you don’t want it to. Maybe there could be a docking station in your house or another way to pull the data to your air-gapped laptop.

Obviously, these are really theoretical, stupid scenarios because at this point in the development of our tech, there is no way for us to even have something like that because these companies probably wouldn’t survive. We can see the examples of Linux phones, something really specific and niche, because they don’t have the money behind them to develop to the point where these tools and this software become usable and popular enough for the ecosystem to follow-the ecosystem of apps, integrations, and people physically using those devices.

Everything should function similarly to the Home Assistant software. You can host it on a Raspberry Pi computer, on your own network. Unless you want remote access, you either configure this yourself to access the network via a VPN, or you can pay for the service to have this integration with their external servers to store your data. But you don’t have to do that. The moment you install Home Assistant and configure it to run on your local network, you can access it via your own browser. It would be great to have that for mobile phones. Just imagine a mobile phone that only calls your local or rented VPS with your keys, with no one having access to it. And only in certain cases, with certain applications where you whitelist this kind of external connection and telemetry, would you allow it to happen. Obviously, at this point, it is a fantasy, but it is extremely frustrating because these people can see everything you do. They can build features on top of that, and you get nothing in exchange for your data that’s been taken.

On top of that, they own your device. We see the very same situation as with the Roomba vacuum cleaners. I have an old model at home, so the maps are not there; it was a really stupid device. But the modern machines have external connections, they store the maps of your flat, and they know when the device runs, when there are interruptions or dynamic movements. It is a tracking device. Yes, it probably can’t be exploded remotely like we saw with the pager operation with Hezbollah, but these are all devices collecting telemetry you don’t know about. Think about it: if you have this robot cleaner, do you really know when it calls home and what’s being sent and why? Some Chinese tech comes with microphones that shouldn’t be there by design. This is the creep of features.

At this point, there is no way to buy a new car that has nothing inside of it, no tech, nothing additional-a really pragmatic choice where you control pretty much everything. The only way to buy a car that actually belongs to you, that no one can mess with remotely, and where you have no subscription, is to buy an old, used car where this piece either was never there or is disabled. Something before 1996, when we had our first cars with OBD2.

But here we have regulations. These old cars are difficult to maintain if they are not popular models classified as classics. In Warsaw, there is a law, not yet enforced as far as I know, but the city authorities have devices to track emissions. Soon enough, they might start enforcing this, and you won’t be able to enter the city even if you can’t afford a better car or you don’t want another telemetry-infused iPhone on wheels. You just want a car. You need an old Hilux, an old Previa, an old Jeep Cherokee XJ. But soon it will be really difficult to drive those vehicles. The very same thing is happening in Spain. Even though their economy is messed up, we keep seeing people being extremely unpragmatic, extremely stupid, and shortsighted in terms of technology and its place in our lives.

I’m extremely frustrated with the European Union. In China, there is no privacy, but they have a stance and a special class of techies who actually out-earn and out-develop the West. But the Europeans are so far behind, so full of fables about the clean society and equality, which is just a dream that will never happen. On top of that, the European Union as an entity is actually dying. So soon enough, we might have those restrictions lifted, but until then, we are just slaves who own pretty much nothing, starting with your car and your flat. With a flat, you are just a subscriber; it can be taken away if you don’t pay your bills. We ended up with nothing to care about and nothing to live for