Klaus Zimmermann's Corner

Is this app by Google the world's first legal ransomware?

A few days ago, an article on the XDA Developers website raised a lot of eyebrows by claiming that Google had created an app that allowed remote locking and disabling of an Android phone if one of its installment payments failed to go through.

Although quite shocking as a headline, this really should not come as much of a surprise to any of us. After all, financing has always carried its risks, and the repossession of other goods such as a house or a car has been understood as an acceptable consequence of credit mismanagement. And even on the technology side, there's nothing really new being employed here: "remote management" has been in place for things like Windows PCs since the dawn of the modern office, and even corporate smartphones have some form of remote administration that can brick a device in certain cases.

And yet, that sort of article reads like a horror campfire spook story. It's terrifying. But why?

My answer is that this appeals to our fear of losing something that we see as so personal, so private, yet so little under our control. We've seen this before with yet another problem with Windows in 2016: ransomware. You wake up one day and turn on your computer, only to find out that your entire hard drive has been encrypted and your data is now out of your reach. Panic ensues as you realize that your data, while so close to you, is simultaneously so far away from your reach.

And likewise, this app by Google gives a similarly chilly reminder to financed phone users: "go on, carry your phone with you, use it as much as you want - just remember it's not really yours until you finish paying. And if you don't, I'll remind you again about who really owns it." Following this definition, I could very confidently say that Google has created the world's first legal ransomware. Pay up, or lose your device.

Petya: class of ransomware that set the backdrop for this entire family of malware with its scary messages

Petya locks up your computer if you don't pay; Google locks your phone. Coincidence?

The creepiest part of this model, or this "framework," is that it doesn't necessarily have to stop there: if financed phones can be locked up remotely, why can't your financed car that has "smart devices" built into it? Or your financed house, with a "smart door" that will prevent you from coming inside (or leaving) if you haven't paid this month's installment or rent?

In fact, just scuttle the whole "financed" bit altogether: let's make everything pay-per-use like a giant jukebox. You pay a monthly fee to use your computer, your TV (even open-air) has a subscription to just be able to turn on. Everything is now a paid service, no more products in the sense of ownership!

So this leaves the question: how can we protect ourselves better from this kind of threat? What does this all teach us?

First and foremost, the same answer as usual: using free software matters, and this is especially true depending on the platform you're using. This sort of threat coming from a PC manufacturer, for example, would have been pretty empty and even laughable, as on a desktop we can install whatever software we want quite easily, sometimes going all the way into the bootloader.

Thanks to the amazing Free Software community, we have a huge ecosystem for this, and we can thrive in complete freedom from our computers. We don't have to cower and run when some bully like Microsoft tries to shut down the PC competition with questionable security practices. When it comes down to a smartphone, however, that's when things get shaky.

Attempts to "free Android" (even though it's, ahem, Open Source) have had mixed results, and some of the more popular ones, like CyanogenMod, have been discontinued and did not even try to replace everything with a Free Software stack. Money-backed initiatives to introduce free software to phones (like Ubuntu Touch) have not succeeded in the long run either. From this sad state of Free Software on mobile, I can only derive one conclusion: if you want computing freedom, do not use a phone. You simply cannot expect any consistent software freedom when using a mobile device.

I know this is easier said than done, but it's the truth even in 2020 as I write this. Freedom of choice of platform is important, and thankfully we still have ways to keep using laptops and desktops for almost all online things today, despite so many apocalyptic predictions that the desktop "would die off in a few years" due to smartphone popularity. Besides, smartphones are a privacy and surveillance nightmare, and you're better off without them regardless.

Clearly, the state of affairs in the mobile world is not looking good for us Free Software enthusiasts. However, I for one do not have any expectation of freedom on that platform, and I'm happy to avoid it as much as I can.

Do you think it is possible to achieve a good level of user freedom and privacy on a mobile device nowadays? How would you do it? Let me know on Mastodon!

Last updated on 11/16/20