I AM using GrapheneOS, but its future is also uncertain as Google has gutted AOSP. There aren't really any alternatives, and the problem is that phones are much more than just phones now, they are general purpose computing devices and run many applications that are pretty essential to modern society, such as ticket apps for public transport, government identity apps, payment apps and so on. In my country, Denmark, we are getting mandatory age verification next year, and it looks like it's going to be offered only as an app. These apps are simply not available for non-AOSP Linux phones, and there is little hope that they'll ever be.

Owning a smartphone is becoming less of a choice, and it's becoming harder to own one that respects my freedom. I don't think it is entitlement to demand freedom in an ecosystem that I feel I am forced into.

I say let's fight against smartphone usage being required everywhere. I don't care if the phone is FOSS or not, we still should be allowed to not have a personal tracking device. I am also all for supporting a fork of AOSP. The EU talks big on not depending on US tech companies, it even funds lots of FOSS projects, this should be on top of their list.

The fact that your country is getting age verification, given how democratic and free Denmark is should tell you the prevailing view of the public on the subject matter. Why not focus on what everyone will support - which is being free from tech companies and closed code systems. The 99% of people that do pay for phones, don't think about technology much, they don't even know what sideloading is let along care about it. You/HN is an extreme minority in that aspect, as are android devs. and there are definitely more people being adversely impacted by sideloaded malware. Freedom that is not practical is just wishful thinking. Freedom that ignores the harm caused on others is tyranny by any other name.

I am also doing my part on fighting that, but it is an uphill battle. I will not stop fighting, and I am actively trying to bring my point into the public discourse in my country and organize myself in organizations that fight this.

Until we have laws that guarantee that I won't be forced to be a Google customer, I will demand freedom over my device if I am practically prevented from running an alternative OS because I risk getting my access to the rest of society limited. If it means that some people will be more vulnerable to scams in the mean time, that is not my fault, but the fault of politicians who have failed to secure our right to digital autonomy and our right to remain analog. I also think there should be other technical measures that could mitigate these scams that would not be as draconic, but I don't know enough about what scams you have in mind that I can offer concrete alternatives.

I do not think that is tyranny, but I think Google is definitely being a tyrant and misuse their market position.

I think two things can be true. I agree with most of what you said. I think Google is doing the right thing with the right intent, but they shouldn't be the sole arbiter of who can write apps. It should be similar to the PKI/CA ecosystem, or better yet, governments can directly issue permits of some sort and they could be the CA's.

Agreed. What Google is doing is practically inserting themselves as the only CA in this domain. They, a private company, effectively take on the role of policing the digital infrastructure of many countries, but without being a democratically controlled agency. That makes me very very uneasy.

But to be fair, they are doing that with browsers as part of the CA/B forum/group. If google doesn't like your CA, you can't be a CA.

Also a problem, but at least the power is decentralized for now. Also, browsers are not operating systems, and it is easier to switch to another browser if you don't agree with its list of trusted CAs.

All valid points, except no CA can survive when Chrome isn't supporting them. Most users won't switch browsers because one site isn't compatible with Chrome, they're more likely to just use another site. So using that CA costs site owners customers and they in turn will move away from the CA.

My point sort of being, there is a deeper problem where industries self-police. People complain about oligarchies, ruling classes and corporations running America but at the same time they don't push for or support governments regulating things like this. Governments should be the arbiters of which CA is legitimate, just as which appstore and which app developer. If you want to treat patients, sell drugs, build bridges, sell cars,etc.. you give your id to the government and validate your credentials. App development as well as all other public safety impacting credential validation should be the same way.

If you're in europe, your local government does the validation and OSes like Android will respect the CA's of the country they're operating under. Software should obey laws. And if governments can't be trusted, that isn't a software problem but a political one.