Non-profits supporting investigative journalism like MuckRock are to blame. MuckRock is not selling advertising, but don't be fooled. Investigative journalism will just create more clickbait.

Whereas Big Tech companies have nothing to do with clickbait nor advertising. They are not spreading clickbait like non-profits that submit FOIA requests. Tech companies do not make money from clickbait nor eyeballs. Tech companies have sources of non-advertising revenue and legitimate business purposes that benefit society.

In 2012, EFF filed over 200 FOIA requests through MuckRock, for information about drone usage. EFF should stop participating in these clickbait campaigns. EFF should be protecting Apple from low hanging clickbait.

We should be thanking Big Tech companies not scrutinising them. They mind their own business, they do not try to learn what their users/customers are doing. They respect user/customer privacy. OTOH, these non-profits submitting FOIA requests do not respect the privacy of Apple and governments, who deserve to be left alone, to do their work in private. This is a basic human right.

Why don't people trust Big Tech. Tech companies have done nothing wrong.

https://cr.yp.to/proto/ucspi.txt

http://www.catb.org/~esr/writings/taoup/html/ch06s06.html

https://skarnet.org/software/execline/grammar.html

https://www.oilshell.org/blog/2017/01/13.html

It seems prudent that Proton customers would want to have a look at those "Swiss laws" (a) to see what sort of protection they offer and (b) to make sure they dont violate one. In the case of (b) the customer will potentially lose all privacy protections, as emphasized in this announcement.

1 It appears that Swiss law is conveniently published in English however the English translation is not what Swiss courts use.

Just for fun, I occasionally experiment with proposed "post-quantum" encryption solutions and one in particular called Classic McEliece, from the same author (more or less) as the encryption used in age. Its small and compiles quickly. The interface is elegant and seems impossible to screw up. I have rarely seen anyone outside of the author and his followers use file descriptors in compiled programs in this way. I like it.

Three programs, each only does one thing

     usage: cmkeypair 5>publickey 9>secretkey

     usage: cmencrypt ciphertext

     usage: cmdecrypt message

Heres the description of Rumble:

"Rumble enables the spread of messages in an epidemic fashion using automatically formed and opportunistic local ad-hoc network. Every message sent or received with are stored on the local database and pushed to every other device it meets. By doing so, messages naturally propagates throughout the network using social links as the underlying infrastructure. Because it doesn't rely on any fixed infrastructure like the Internet, it is naturally resistant against censorship."

"About

Rumble allows the sharing of messages and pictures without relying on the Internet, in a Delay Tolerant Fashion following the Store-Carry and Forward paradigm"

Question: What problem is Rumble solving.

Option #1

Answer: Requirement for fixed infrastructure in order to exchange messages. Censorship resistance is just an incidental benefit.

Option #2

Answer: Censorship. Formation of ad hoc network infrastructure is just implementation detail.

The problem with #2, the parent's interpretation, is that formation of ad hoc infrastructure, i.e., non-reliance on fixed infrastructure, has multiple benefits besides censorship resistance. Its quite possible someone could use Rumble to solve a problem other than censorship.

The cost is personal time and effort, not money. The software needed is generally free of charge. The goal being not a physical product or a service, but a level of knowledge and proficiency. To put it another way, "tech-savviness" cannot be purchased, it has to be achieved.

The cultural problem we face is that the so-called "0.1%" are leveraging their "tech-savviness" against the rest of the population, working for so-called "tech" companies, websites that make money by exploiting the privacy of the "99.9%" in the service of online advertising.

If we take HN comments as true, in some cases, these employees do not even believe in the bottom line they are working to support.1 They are not adopting the behaviour of the "99.9%", i.e., the "expected" behaviour required to sustain their employer's bottom line. Not sure about you, but that would not give me much confidence they are going to work very hard to protect other users' privacy.

The term "dogfooding" is sometimes used amongst tech companies to describe the situation where employees themselves partake in what they offer to non-employees, i.e., "users".2 To persons outside the tech bubble this can be quite amusing. Does this suggest they view their relationship to users as more like "human-to-dog" than "human-to-human". There is nothing inherently wrong with someone peddling something she does not believe in, however we might consider what is/are the reason(s) for her lack of faith.

To be clear, I am not suggesting the cultural problem can be solved. I am attempting to provide further reasons that digital privacy is, like the parent suggested, generally not something you can "buy".

1 Evidence appears periodically in HN comments. For example, yesterday: "Disclaimer: I work at Google. In cloud, not on Android. I am privacy conscious so I though I would give a try at Graphene OS, it was brutal."

2 The term is alleged to have first appeared one the joelonsoftware.com website and to have originated at Microsoft.

For reading HTML I prefer links. It has the best rendering of HTML tables, IMO, and is for me the easiest source code to work with. I did use lynx back in the late 90's but would never go back to it. Its bloated. Its slow. Im not sure why anyone interested in text-only browsers would use it other than they are unaware of or have not tried alternatives.

I would look for websites that generally do not ask for data. Then send them the minimum data you can get away with. I would avoid "signing in" or "signing up" to any website. There is an immense amount of data and information available from free from the web, no "account" is necessary.

For example I dont send any extra HTTP headers like Cookies or User-Agent, I dont use Javascript. I dont request images, CSS. I dont automatically follow links in src tags. Yet I can still read and comment on HN and I can read every website posted to HN. Thats a lot of websites. I can read them just fine while not sending them any more data than is needed. Because I do not use a large, complex graphical browser sponsored by an online ad-supported vendor to make HTTP requests, I can easily control what I send. This is far better IMO than sending unknown amounts of data (letting the websites control what the browser sends via headers, Javascript and src tags) and then hoping the websites dont do things with the data that we dont like.

Privacy policies do not limit websites from collecting data nor do they limit how the data can be used. They are "policies" not agreements. If a website operator does things behind the scenes that violate privacy but that it does not disclose in a "privacy policy" what can a user do. How would the user even know. Or the website could clearly violate their own "privacy policy", but no one outside the website's operators would know. Even if users discover the violation, what would be the repurcussions. Its too late, because a violation means privacy has been blown.

Show me a case where a tech company got sued for violating a privacy policy. How can anyone prove a violation if the operations of the website are not open for public inspection.

This is the way most tech company "Privacy Policies" are written.

There is a significant difference between a statement such as "We (Company) do not do X" versus a promise such as "Company shall not do X" or a statement such as "We do Y. We may do Z" versus a promise such as "Company shall do Y."

Why not have our own "Policies" as users that we publish for tech companies to read. In them, we could describe what we do and what we do not do, and what we may or may not do. Tech companies could rely on these statements. You can see how silly that sounds. Yet users are expected to read and rely on hundreds of different "privacy policies", collection of non-binding statements like "We take privacy seriously".

Is the parent suggesting that no one should bother to read the Terms and Privacy Policy, linked to from the homepage. https://protonmail.com/privacy-policy

Despite the parent's claim, the Privacy Policy says the company may log IP address. Temporarily. Irrespective of any request from local authorities regarding a specific user. IOW, they may log anyone's IP address temporarily regardless of whether the particular user is casuing trouble; they can log IP address for everyone. The policy says they log this data for the purposes of preventing fraud and abuse. The problem for privacy-conscious users is that if they log the data, then that entices authorities to try to successfully request it.

The policy, which imposes no obligations on the company BTW, reads as follows:

"IP Logging: By default, we do not keep permanent IP logs in relation with your use of the Services. However, IP logs may be kept temporarily to combat abuse and fraud, and your IP address may be retained permanently if you are engaged in activities that breach our terms and conditions (spamming, DDoS attacks against our infrastructure, brute force attacks, etc). The legal basis of this processing is our legitimate interest to protect our Services against nefarious activities."

There is nothing that says "By default we do not retain any logs". This clearly states they may be expected to retain IP logs. ("IP logs may be kept temporarily...")

But wait there's more.

"We will only disclose the limited user data we possess if we are instructed to do so by a fully binding request coming from the competent Swiss authorities (legal obligation)."

This clearly states the company may disclose the data they possess, e.g., IP logs collected to combat fraud and abuse, if in response to a request from competent local authorities.

Further down is a curious statement about decrypting messages.

"If a request is made for encrypted message content that we do not possess the ability to decrypt, the fully encrypted message content may be turned over."

Why include a statement such as this, specifically the part that says "that we do not possess the ability to decrypt". The company already specified it may disclose the data it possesses. This further statement suggests there could be some situation where they may have the ability to decrypt some messages. Besides their own communications with customers, why would they ever have encrypted messages that they can decrypt. They could state something like "If the request is made for encrypted communications addressed to us or sent by us, ...", but they do not. As such, their statement must include other messages, too.

https://www.wsj.com/articles/can-vivek-ramaswamy-put-wokeism...

Using Sign in with Google just encourages use of Google. Is that really the best thing for users. Google is a privacy disaster

If you and your users truly both need authentication of each other why not let your users use x509 client certificates

You are probably already using x509 server certificates

The term "SDK" is synonymous with "unnecessary fluff". Its been that way since the 1990s

I am a heavy text-only web user. In fact, I view all sites that way with a text-only browser. I do not use lynx or w3m. Its so easy to generate simple web pages for text-only viewing. I have the process automated. I do not understand why web developers argue "it's not worth it". The developer time needed to generate such pages is close to zero.

Does same wisdom apply to cloud service provider IP address blocks

Comments URL: https://news.ycombinator.com/item?id=28360400

Points: 4

# Comments: 7

How would that be possible since Windows almost invariably came pre-installed by OEMs. New hardware would have the latest Windows version pre-installed. Downgrading would be extremely difficult if not impossible.

Points: 2

# Comments: 1

Mozilla gets 90+% of it operating budget via a deal with Google, but Firefox developement is not influenced at all by Chrome. Totally independent.

Big Tech exists for users, not advertisers. Privacy must come first and money must come second. Thats why we have more privacy than ever and Google does not make much money. Government regulation is totally unnecessary. All incentives are aligned toward greater privacy.

Google will "build a more private web" for its advertising targets. Sorry advertisers. :(

1. Also known as "users".

That sort of discussion is quickly dismissed on HN. And probably elsewhere on the web/over the internet.

Instead we frequently see discussion blaming users of the software, i.e., Microsoft's customers, or even suggestions to make the customer liable, or comments from "security experts" on how Microsoft has made such amazing strides in securing Windows (a tangent). In the real world, outside the Redmond/Silicon Valley monopoly space, how many mistakes does someone have to make before we start to suspect there might be problems with relying on that person's work. Even more, how many times do we hire someone knowing they have made 500+ mistakes in prior work leading up to their application.

If Microsoft products are so infallible when used as instructed by Microsoft, then why would Microsoft have a heart attack as Snowden suggests. What a remarkable state of affairs we have today where employers such as Microsoft can call their employees "engineers", and yet both the employer and employees are absconded from any liability for the so-called engineer's work. The number of "second chances" Microsoft gets is nothing short of astounding. A bit like the number of pardons we allow to Google or Facebook for privacy infractions. Infinite.

https://www.nspe.org/resources/professional-liability/liabil...