I don’t have a precise answer as I’m not from that team, but as a developer I think I have a decent idea as to why, and it’s mostly political.

First, I don’t think it’s necessarily the ability to install Play Services that makes them think it’s not FOSS, but that they distribute non-free firmware blobs which are necessary to make practically any modern phone function properly, that’s just the unfortunate reality because “we live in a society” that enables it. By that logic, I think they believe the vast majority of running Linux kernels on the planet are not FOSS. GNU would rather have things that are not practical and don’t exist today… their stance is not currently realistic in our capitalist society IMO. They hope for things to change, but hope doesn’t make change.

I also think some people look down on the Play Services thing merely because they went out of their way to explicitly support it in the OS, and basically nothing else. They disagree ideologically with F-Droid and they don’t offer any other app stores by default to my knowledge.

Even still,

Even if only 51% of the SSNs exposed hold a minimal quality to be used in identity attacks, this translates to added risk to an unprecedented 138 million people.

Plus, identity attacks are not the only risk of this data being exposed. Stalkers, violent offenders etc. now have addresses/phone numbers and other info they can use as well. Their definition of identity attack also may not be the same as yours. Even if it’s just a name and SSN, that may not qualify to them, but could be useful to someone else in a negative way.

Biggest lie of the year award… it’s trivially easy to check how many unique SSNs are in the leak, and it’s 272 million.

I don’t think it’s about FOSS-ness as to why they don’t like F-Droid, but security and privacy. They don’t want to give up signing keys and compilation duties to F-Droid, and I don’t blame them. Even with reproducible builds, almost nobody is publicly verifying projects that claim to have them (Signal anyone?).

Right, which isn’t confusing at all /s

Yes but my grief was with the naming… why not call it vertical-center? Just “center” is very confusing to me because it does not include horizontal.

Indeed I don’t know enough about the EU or GDPR to say definitively, but I know for the US, there is generally nothing wrong with possessing leaked data, or it would not be so commonplace. There are often many online articles that discuss leaked data in depth, so you know they have it, and nobody is suing them for it. The NPD leak check site also appears to be legal and hasn’t been challenged to my knowledge, and it even gives out people’s complete address history and phone numbers, as well as partial SSN and DOB. There are also sites that regularly host “doxx” of people they like to make fun of, as well as leaked corporate IP, for years, and nothing has happened to them either.

Sorry I’m not sure I understand what it is you think I’m missing. It’s FOSS, works on Linux, has a CLI, works for both files and directories… please enlighten me what I got wrong?

Is it just me or is the irony lost on the author? It says “align-content: center” but it’s only vertically aligned…

https://github.com/HACKERALERT/Picocrypt

Dunning-Kruger effect

Possessing PII is not illegal… it’s only a problem for whoever leaked it originally. This is why some sites regularly host doxx info and never get taken down, even after many legal demands.

There have been several leaks with driver license and passport photos of people from all over the world, usually from sites or services that need to verify identity like for stock trading or porn.

True but you can at least have it require biometrics to reopen the app and you can still get notifications then because the db is technically unlocked.

https://npd.pentester.com/

protip: the “required” birth year is fake, it accepts any number >= 1900 and still returns all matches regardless of birth year

And just as easy for crooks with this same data to thaw it for you.

It has tons of dead people, duplicates, invalid entries, foreign residents, etc., basically anyone or anything that ever needed a SSN.

Unfortunately the US doesn’t work that way. Unless you want to continue living under a rock, you have to deal with your credit.

I tried to create an account with TransUnion but it said the identity check failed and won’t create an account, I have no idea what to do now.

if a hostile party has access to the handset, that encryption isn’t particularly helpful

Things like Molly-FOSS might help better with that, keeping its database locked and encrypted at rest on its own separately from any OS encryption or security. Perhaps GrapheneOS or similar could be beneficial as well.

If you want something with not so many government ties, and maybe more decentralized, there is also SimpleX, Briar and Tox.