If you don’t know me, I make frequent write ups about privacy and security. I’ve covered some controversial topics in the past, such as whether or not Chromium is more secure than Firefox. Well, I will try my hand again at taking a look at some controversial topics.

I need ideas, though. So far, I would like to cover the controversy about Brave, controversy around Monero and other cryptocurrencies, and controversy around AI. These will be far easier to research and manage than Chromium vs. Firefox, for example. I’d like to know which ideas you have!

Which controversial privacy topics do you know of that you would like to see covered?

PLEASE DO NOT ARGUE ABOUT THEM IN THE COMMENTS!

Please save any debate for if/when I make a write up about the topic. Keep the comments clean, and simply upvote ideas you would like to see covered. I won’t be able to cover everything, so it helps bring attention!

Above all else, be kind, even if you don’t agree with an idea or topic :)

  • SpicyAnt@mander.xyz
    link
    fedilink
    arrow-up
    55
    arrow-down
    2
    ·
    25 days ago

    Step 1 of installing GrapheneOS for de-googling your life: Buy a Google Pixel phone

    Look - I know, I know. I get it. Google allows you to unlock the bootloader while maintaining the phone’s unique and excellent hardware security features. The argument makes sense. It is compelling. Other manufacturers do not give you this freedom. I am not arguing about that. I have a Pixel phone running GrapheneOS myself.

    However… It is just so very obviously ironic that one needs to trust Google’s hardware and purchase a Google product to de-google their life through GrapheneOS. I think that it is a perfectly valid position for someone to raise their eyebrows, laugh, and remain skeptical of the concept either because they do not want to support Google at all, or because they simply will not trust Google’s hardware.

    The reason why I think that this is “controversial” is because I have seen multiple instances of someone pointing out the irony, followed by someone getting defensive about it and making use of the technical security arguments in an attempt to patch up the irony.

      • EngineerGaming@feddit.nl
        link
        fedilink
        arrow-up
        8
        ·
        25 days ago

        Yeah, there is a whole “separate OS”, but, to my knowledge, there hasn’t been evidence of it casually being able to collect arbitrary data from the actual phone’s OS.

        • interdimensionalmeme@lemmy.ml
          link
          fedilink
          arrow-up
          4
          ·
          25 days ago

          It has been made impossible to personally audit, the safe assumption, the null hypothesis is that it does until proven otherwise, which would be impossible and in any case implausible under our current surveillance capitalism.

            • interdimensionalmeme@lemmy.ml
              link
              fedilink
              arrow-up
              1
              ·
              15 days ago

              There are multiple encryption layers and the private keys are not on the device. Even a governement agency would struggle auditing some random phone. They’re not doing it, our security is not their concern. Also they don’t want us knowing about their backdoors.

    • EngineerGaming@feddit.nl
      link
      fedilink
      arrow-up
      11
      ·
      25 days ago

      My issue with that is that Pixels are expensive, and in some places are not sold officially (meaning they can only be bought from smaller resellers with usually much less generous return policies). The newest models are outright unaffordable new. The only ones below $150 are either secondhand or out of support, so that’s what poor people are left with? Plus, no headphone jack.

      I use Graphene myself, but I dislike absolutism. I don’t in the slightest regret buying my Pixel even though $300 is a painful sum to spend on a phone (and it was on the cheaper end if we’re talking about up-to-date models!), but I know that my mother would never spend this much on a phone - so I look into Divest or Lineage on more common and affordable phones.

    • j4p@lemm.ee
      link
      fedilink
      arrow-up
      8
      ·
      25 days ago

      Bought a second hand Pixel 7 in like new condition at the time for $250 on back market (dropped it, bought another, still cheaper than the equivalent iPhone 14 lol). That at least means I am not financially contributing to Google, but I do agree that I don’t think there is a way to verify that the hardware is completely foolproof even if its the best option we currently have.

      I guess that’s true of any hardware though, and we have to make our assumptions based off known quantities such as Pixels’ unique hardware security features?

      But yeah, it’s a minefield out there. Let’s get carrier pigeons.

    • N0x0n@lemmy.ml
      link
      fedilink
      arrow-up
      3
      ·
      edit-2
      25 days ago

      Yeah… And probably all big players have somehow backdoored their phone :/.

    • bruhSoulz@lemmy.ml
      link
      fedilink
      English
      arrow-up
      2
      ·
      25 days ago

      This is entirely valid as a concern. In my matrix GC someone just said pixel and oneplus are best for modding and I was like… The whole point of me trying to degoogle is to contribute less to their economy, why would I buy their bs hardware😭☠️

  • toastal@lemmy.ml
    link
    fedilink
    arrow-up
    36
    arrow-down
    2
    ·
    edit-2
    24 days ago

    Matrix is defacto centralized around Matrix.org & servers they provide (where the cost of hosting makes it largely inaccessible to low-spec & medium-sized servers causing them to inevitably shut down & recommending users back to Matrix.org). All the metadata gets synced back to the mothership that was funded by Israeli intelligence. Avoid it.

    Cloudflare is a CIA front. They offer “free” DDoS protection + static proxy thereby giving Cloudflare the ability to MitM all TLS connections thru their servers. They convinced so many ‘developers’ via ‘influencers’ that every tiny site needs Cloudflare in front of it as a precaution/optimization, but it is an entirely premature optimization that doesn’t need to so widely deployed, but it is. 🤔

    Microsoft has always been an enemy but somehow managed to Trojan horse their way into the minds of developers again (neo-EEE) trying to centralize how software is created. Like we avoid Microsoft Windows, the rest of the Microsoft ecosystem should equally be avoided: Copilot, LinkedIn, Outlook, Exchange, Office, Teams, Azure, VSCode, npm, GitHub (Sponsors, Codespaces, Copilot). Literally none of these projects/services can’t be replaced to help protect the privacy of your clients, coworkers, contributors.

    • Chulk@lemmy.ml
      link
      fedilink
      English
      arrow-up
      11
      ·
      24 days ago

      Cloudflare is a CIA front. They offer “free” DDoS protection + static proxy thereby giving Cloudflare the ability to MitM all TLS connections thru their servers.

      I just started to learn about privacy in depth this year, and this little fact about Cloudflare has sat with me more than most things that I’ve learned. I feel like very few people think about the implications of Cloudflare’s practices. Even if its not a CIA front (I feel like it is), we should feel uncomfortable giving any private entity such power. Unrelated, but their crazy lava-lamp wall, as cool as it is, kinda gives me bad vibes lol.

      • chappedafloat@lemmy.wtf
        link
        fedilink
        English
        arrow-up
        2
        ·
        20 days ago

        I learned about Cloudflare mitm quickly because when you use Tor browser you will see how many websites use cloudflare because you can’t access all those sites. So I did a little research about this problem about cloudflare and found out how serious and huge problem it is.

  • m_f@midwest.social
    link
    fedilink
    English
    arrow-up
    34
    arrow-down
    1
    ·
    25 days ago

    Browsing with JS disabled by default and expecting most sites to have basic functionality like “display this text”

    • shaserlark@sh.itjust.works
      link
      fedilink
      arrow-up
      3
      arrow-down
      2
      ·
      25 days ago

      Oh boi I’m trying to get people to use simplex exactly because of this. I managed to bring most people to Signal and they’re cool with it because it just works, but I don’t trust them at all. Sure there was this court order where they didn’t have any user data except account created date and last active date, but since almost everybody uses either Google‘s or Apple‘s push notification servers turns out that doesn’t matter so much from what I undertstood.

      • refalo@programming.dev
        link
        fedilink
        arrow-up
        3
        ·
        25 days ago

        You can use your own builds of Signal (or preferably Molly-FOSS) including a self-hosted server. You can bring your own push notification as well.

        • shaserlark@sh.itjust.works
          link
          fedilink
          arrow-up
          1
          ·
          25 days ago

          I think that’s really cool. Unfortunately most people won’t be doing that, they don’t even care that WhatsApp, etc. are scraping all their data :(

      • ᗪᗩᗰᑎ@lemmy.ml
        link
        fedilink
        arrow-up
        3
        ·
        25 days ago

        Google‘s or Apple‘s push notification servers turns out that doesn’t matter so much from what I undertstood.

        Can you elaborate? It’s my understanding that push notifications are only used to trigger Signal to check if there are messages - the message data and who/what triggered it is not being sent to Google/Apple. If you don’t trust push notifications, you can always use a De-google’d phone and the Signal APK which will fallback to polling the server; this will obviously impact battery life as the app needs to constantly be checking for new messages.

        • shaserlark@sh.itjust.works
          link
          fedilink
          arrow-up
          1
          ·
          24 days ago

          I‘m referring to them handing over the data to law enforcement of the US and other unknown governments.

          What exactly they hand over I can’t tell you, it might be harmless. In the case that they revealed they used push notifications data to identify a pedophile who was using some encrypted messaging service. I hope he gets what he deserves but for us it means we shouldn’t trust anything that uses Apple‘s or Google‘s push notification servers.

          Yeah I know about Molly etc., but the point is, no one I know is going to degoogle their phone and use that. It would be easier if they’d just use a more private, decentralized app that also doesn’t ask for a phone number ffs.

  • Zagorath@aussie.zone
    link
    fedilink
    arrow-up
    28
    arrow-down
    1
    ·
    26 days ago

    There is no expectation of privacy in public.

    By which I mean that things like blurring a house from Street View are unreasonable.

    • RiderExMachina@lemmy.ml
      link
      fedilink
      English
      arrow-up
      15
      ·
      26 days ago

      IMO, blurring a house in Street View could lead to the Streisand effect, especially when 99% of all other property is unblurred.

      If you want to remain private, in the case of Street View, your best bet is to keep it as inconspicuous as possible, otherwise people will start looking closer and ask questions; the exact opposite of what you want, even if you have nothing to hide.

      • Zagorath@aussie.zone
        link
        fedilink
        English
        arrow-up
        1
        ·
        19 days ago

        Yeah, there’s a reason I added that clarifying second sentence. To be a little more nuanced (but still overly simplistic because I don’t feel like writing an enormous essay right now), I would say you don’t have any expectation of privacy by default in public, but that anything that might reasonably amount to stalking because it’s targeted tracking of an individual, even if it involves footage of someone in public, is certainly not ok.

  • refalo@programming.dev
    link
    fedilink
    arrow-up
    25
    ·
    edit-2
    25 days ago

    F-Droid not being trusted. They build and sign a developer’s code on their behalf, so there is a chance for injection there.

    There are reproducible builds, but I would argue it’s not taken seriously enough. Like right now nobody is publicly verifying Signal’s supposed reproducible Android builds and they’ve historically had problems keeping it working.

    Also how most (or all?) Play Store apps (including FOSS) contain proprietary code.

  • bruhSoulz@lemmy.ml
    link
    fedilink
    English
    arrow-up
    21
    arrow-down
    1
    ·
    25 days ago

    Its not private if it needs a phone number (cough SIGNAL cough)

    “Its to protect the kids”, “Its to fight terrorism”

    That one filthy muslim country banning VPN’s with the guise of it being impermissible (“haram”)

    • Zagorath@aussie.zone
      link
      fedilink
      arrow-up
      10
      ·
      25 days ago

      I don’t even care about the privacy aspect per se. Phone number as user ID is a crappy UX that fundamentally does not work when international travel, multiple devices, or needing to get a number changed. It also doesn’t work for shared accounts or people who might want multiple identities.

      Some of these relate to privacy, secondarily, but my primary concern is the UX.

  • OneMeaningManyNames@lemmy.ml
    link
    fedilink
    English
    arrow-up
    17
    ·
    25 days ago
    1. Whether phones are listening or not

    2. What is the redacted part in the rationale to ban Tik Tok

    A note on the latter, it is presented as national security threat. They won’t say what it is. I presume because some of the shit they don’t want a foreign power doing is sth they very much do themselves.

      • OneMeaningManyNames@lemmy.ml
        link
        fedilink
        English
        arrow-up
        2
        ·
        24 days ago

        See, I am not the guy who will stop thinking for myself because experts say there is no evidence of sth. I am not saying that there is real time eavesdropping at all times, but I have not seen convincing arguments that a working microphone cannot be used for pushing ads by simple and widely available mechanisms. In fact, the sheer amount of people who complain about this should be considered evidence in itself, especially when they never had thought of a given topic before discussing it with someone. I have considered phone proximity and shared IP address but they don’t seem to make an exhaustive explanation. I think that some stories point to Meta doing this extensively, and that disallowing microphone access for Meta products alleviates the effect. Many privacy communities I believe they are infested by spooks and trolls pushing disinformation narratives, and one of them is that phones are NOT listening as a smart thing to say and/or believe. I might as well think that this is itself can be related to the redacted part in the rationale to ban Tik Tok. Having said that, I think that the only feasible to do this technically is by a regularly updated list of keywords, rather than other ways that would leave a processing or networking footprint.

    • sntx@lemm.ee
      link
      fedilink
      arrow-up
      1
      ·
      25 days ago

      83 Posts, 1626 Comments of completely unliked 0-bit information posts without metadata like time of post.

        • juliebean@lemm.ee
          link
          fedilink
          arrow-up
          2
          ·
          25 days ago

          that is generous of you. i’m on the same instance as them, and can find no discrepency between viewing your profile through lemm.ee vs on programming.dev

          alas, i think they’re just attacking their percieved quality of your posting, and it is not that they’re missing all of the good stuff.

    • acockworkorange@mander.xyz
      link
      fedilink
      arrow-up
      6
      ·
      25 days ago

      Others take issue with the idea that technology might be allowed to trump legal process. In a 2015 California Law Review article arguing that forced decryption is necessary to balance individual rights and government power, Dan Terzian, presently an associate at Duane Morris LLP, argues that the EFF’s view is too expansive.

      “Scores of companies now encrypt their data,” Terzian wrote. “In the EFF’s alternate universe, these companies are effectively immune from discovery and subpoenas.”

      Only if you consider corporations persons. They’re not.

      Excellent suggestion, btw.

  • undefined@lemmy.hogru.ch
    link
    fedilink
    arrow-up
    10
    ·
    25 days ago

    Browser extensions aren’t the answer to preventing tracking (as apps and other processes outside the browser aren’t blocked)

      • undefined@lemmy.hogru.ch
        link
        fedilink
        arrow-up
        3
        ·
        edit-2
        25 days ago

        I use primarily DNS blocking myself, but it’s a custom solution that pulls in a ton of blocklists. I get tired of the “just use a browser extension” as the solution for everything, and any time I bring up IP/DNS-based solutions people say “but that doesn’t block everything” as if browser extensions do.

        • Zerush@lemmy.ml
          link
          fedilink
          arrow-up
          2
          ·
          25 days ago

          The biggest scam is with Browser VPN, they are simply proxies, good to watch country restricted movies but not for more. They don’t protect privacy, because they only can create the tunnel, after the browser is already connected to your ISP server. Bad in countries with dictatorship or teocracies with controlled servers, there only steganographic methods can help in comunications (Hidden messages in Photos, music, or even innocent text files)

          But normally 100% privacy isn’t possible, almost every actuation online can be tracked. You can only avoid the worst with your shitty PC against the server and AI power of big companies, goverments and secret services with their hacker squads. Tey can spy other goverments, they are swallowing this little geeks with their laptop and VPN in a breaktime if needed (China even employ savants (isle gifted autistic people) as hackers in their secret services)

          • undefined@lemmy.hogru.ch
            link
            fedilink
            arrow-up
            2
            ·
            24 days ago

            Hard agree, except I do have an issue with the last paragraph in that I think it’s far dumber than you’ve described.

            Simply blocking (a shit ton of) domains can really get you 99% of the way there. I’m a web developer and it’s stupid dumb how third-party stuff is hosted. It’s either exactly that (third party hosted) or a CNAME or a third party which is easily blocked.

            Look, I know how complex tracking and fingerprinting can be. But from my experience, it’s really not hard to block. Of course, I’m not really speaking to first party tracking where blocking would destroy the entire experience. But for the most part, you can prevent a profile being built about you (at least for tracking and advertising) by blocking with DNS.

              • undefined@lemmy.hogru.ch
                link
                fedilink
                arrow-up
                1
                ·
                24 days ago

                I’m using Quad9 as the upstream resolver too with TLS DNS. But before sending off my query I check my blocklist to return NXDOMAIN for tracking/advertising domains (I prefer doing that to using 0.0.0.0 as is common, it also blocks HTTPS queries which is nice.

            • chappedafloat@lemmy.wtf
              link
              fedilink
              English
              arrow-up
              1
              ·
              20 days ago

              Problem is first party tracking. Blocking is just against third parties. For first party tracking you are just going to have to use tor browser.

    • bruhSoulz@lemmy.ml
      link
      fedilink
      English
      arrow-up
      1
      ·
      25 days ago

      need a convenient solution to force traffic thru tor, doesnt tails have that? why isnt it commonplace tool?

  • propter_hog [any, any]@hexbear.net
    link
    fedilink
    English
    arrow-up
    9
    arrow-down
    1
    ·
    25 days ago

    JavaScript canvas blocker add-ons (this one specifically comes to mind, because I’ve recently had to disable it since it makes life harder; is it worth the cost of admission, or is it a lot of effort for not a lot of reward?) Other types of privacy add-ons would be good to explore as well.

  • Zerush@lemmy.ml
    link
    fedilink
    arrow-up
    9
    arrow-down
    2
    ·
    25 days ago

    Well, real privacy don¡t exist in the same moment you goes online. Google controls half the internet and MS and Apple the rest, direct or indirect. Even the Dark web isn’t so private as people think.

    An advanced user can reduce the privacy holes, gutting Windows, leaving it in an OS as is, the same with Google products, but also only up to a certain limit so as not to turn navigation into pure text or get blocked in most the pages. For this reason, we must focus on which data deserves to be protected or hidden and which are of a purely technical aspect that ensure the proper functioning of the sites we visit.

    I don’t care that the page knows what country I live in, but if it has to be avoided that it knows my address, I don’t care that it knows the OS I use and the exact resolution of my screen, since this helps the pages not to be out of order or download links take me to downloads for another OS.

    This is all data that matches millions of other users and is not a privacy issue. These problems arise with data that identifies the user directly, such as email addresses, which are unique and perfectly traceable, personal photos published on the Internet, bank details in these very convenient mobile payment apps, posting on Fakebook until when are we going to go pee or when we go on a vacation trip (surely some of the 5637 followers are very interested when your house is empty)…

    There is a lot that the user can do to have a certain privacy at the computer level, but the worst security hole is always the user themselves and the lack of common sense…