The problem is not that software developers are sleeping, it's that most users do not care much and are not willing to pay for privacy despite saying it's important for them. This might change when people actually realize what companies can and will do with their personal data and how easy it is to categorize, predict and manipulate people with only a little of their behavior data. Until then, people will just enjoy their free search engines, social networks, phone operating systems and will be content paying with their private data.
Some things are changing for the better though: Many people finally become a bit more informed about privacy, also thanks to the effort of journalists uncovering some of the biggest data scandals.
In addition, at least for EU citizens the situation should massively improve on May 25, 2018, as then the new EU data protection directive will come into force, which will significantly increase the rights of people to control how, when and by whom their data can be used. And with a maximum fine corresponding to 4 % of the worldwide revenue, companies will finally have some good incentives to be more careful with the data of their users.
I'm a dev on a marketing team and we build all our own AdTech instead of buying products, for the most part.
The (mostly young) online paid ad guys are way more paranoid than the old conspiracy theorist hacker types I grew up around. All we do is talk about how advanced the tech around attribution is, all the data DSPs are collecting about you, etc. All of these guys seem to have an attitude where they're making a deal with the devil and they want to make as much cash as they can before retiring to some island off the grid. It's really bizarre.
Those 'after me the deluge (French saying)' people are the worst. Same as rich people fucking up the globe but massively buying 'escape hatches' in New Zealand. If you're that kind of person, you should be burned at the stake.
There's dozens of tools around for this, but I recommend this fairly simple combination:
- uBlock Origin - just straight up blocking ads solves the problem, some lists also block other kinds of trackers, it also has an excellent advanced mode feature that can be used to whitelist
- EFF's Privacy Badger - blocks or trashes tracking cookies automatically, includes social blocking too
- HTTPS Everywhere - force SSL on with as many sites as possible
- Consider referrer control extensions too, though they may break some sites
Other tools in this field include Ghostery and Disconnect, but Ghostery has some sketchy ownership and Disconnect seemed to break random sites - plus most if not all of the stuff they catch will already be blocked between uBlock Origin with privacy lists and Privacy Badger.
I second uBlock Origin and Privacy Badger, as they have (to my knowledge) no commercial interests. As OP said, many other extensions/tools actually belong - through intermediaries - to data collection companies, so they might protect you from some threats but actually spy on you as well. Ghostery allows you to opt out of their data collection though, so it seems that the tool is at least partially trustworthy.
I was primarily talking about browsers because web ads were the concern - and also probably the most common way to be spied on.
But for desktop and mobile I can't endorse enough running a software firewall with outgoing blocking and active prompting - many of these will also let you block things from injecting into other applications, adding themselves to startup, etc. XPrivacy on mobile works wonders. Outpost used to be my recommendation on Windows, but it's unfortunately dead now, so I've been running ZoneAlarm lately, which does a decent job. If someone knows something better, please let me know.
Privacy Badger strips cookies from some third-party requests. SDC clears cookies (and LocalStorage) from all non-whitelisted domains after some time passes. Effectively overrides cookie expiration time globally.
Privacy Badger is made specifically to just block tracking cookies without impacting the user experience so it tends to be my recommendation. I believe it will indeed do local storage too as of 2.0 though I could be mistaken about that.
In the past I've had my browser dump everything on exit, every time I exit, but that can be a major inconvenience. SDC sounds like an interesting middle ground though.
It's not that ordinary people don't care; it's a cost benefit problem --- the time/bullshit-costs of moving data from entrenched cloud providers is large.
The joy of hacking is that everywhere we go, we beat a path. We build good clients for bad APIs, we figure out the weird munge and consistency problems involved in data transfer, and we automate the process of managing servers. These levels of responsibility and abstraction are modern software, and the more we go there (personally and professionally), the easier it becomes for viable consumer-grade alternatives to appear.
We also set trends more than we realize. Almost every major newspaper has a tech section, and much of that is fascination with our culture, and reflection on privacy issues.
The privacy problem at its core is a political one, and it needs a political solution. I think the belief that software will fix the world, which is quite common among developers, is quite problematic because it often fuels behaviour that is not always very helpful. The truth is, the overwhelming number of societal problems get solved politically, and technology is often just the means to turn political decisions into reality. This might change in the future, but so far it is true.
The data protection directive is a good example: With the political engagement of Jan Philipp Albrecht (and many others), he did more to protect people's privacy than any hacker or software developer I could name.
So if you really wanna do something about this, don't think about how you can solve the problem using technology, but for a change think about how you can help us achieve a political solution first.
> The privacy problem at its core is a political one, and it needs a political solution.
I'm with you --- my views are pretty much in agreement with this, and with Schneier in Data and Goliath.
However, while legislation and regulation are the only things that will prevent us from full-blown monopolistic dystopia, there are meaningful ways in which technologists can make privacy preserving behaviors easier to adopt on a wide scale.
The most obvious example of this is Signal. It wasn't brought about because the government said it had to be built (though they did end up funding it), and not only has it significantly advanced the privacy of instant messaging for millions of people, and moved the Overton window on expectations of encryption, it provided a new open standard (and FOSS reference implementation) for other messaging services to adopt.
Yes those are very good points, and they are actually contained in the EU data protection directive:
* You have the right to know exactly what a company knows about you, for which purposes it uses that information, and how it processes it.
* You have the right to revoke a company's permission to process/store your personal data, and a right to have your data erased (there are some exceptions though)
* You have the right to obtain a digital copy of all your personal data (including data that was generated through your behavior, e.g. by clicking on "Like" on Facebook) in a common machine-readable format, and also to have that data transferred to another company if you wish so (this should make it easier to change providers)
* You have the right to know (actually you even need to be told beforehand) for which purposes your data will be used and by whom it will be used. If you should be subjected to a fully-automated decision making process (e.g. your credit score gets calculated algorithmically) you have the right to know which kind of algorithms are used in the process and how their internal logic is structured.
To add to that, I have found that a lot of my friends in the software developer community, who used to have the "nothing to hide, nothing to fear" mentality, are finally paying more attention to privacy related issues in light of the new administration in the States. Reminds me of what Snowden said a few years back, "Even if you trust the government today, what happens when it changes?". I have noticed a similar phenomenon happening among my non-technical family members as well. So yes, I am totally with you that things are changing, I am excited to see how the dynamic changes in Silicon Valley for companies that used to rely on that mentality. However, I am still worried that this might just be an initial reaction to the regime change in the States and it might die down soon as people, at the very least the non-technical people, might become tired of how hard it is to use products that are privacy and "freedom" respecting and might fall back to the convenience of the products and services offered "free" but for the price of their privacy.
I can't help wonder if it is a generational memory thing.
The people doing tech now didn't grow up or live through a massive war and police states. Because those that did had insulated them from that.
It seems like we humans are incapable of learning from past events because we primarily learn by experiencing. End result is that we take the status quo for granted until it changes, boiling frog like.
It is definitely a generational and cultural thing.
For example: I feel the same way about American positivity on self driving cars, because I live in a country where people can drive on the wrong side of the road, or footpaths. Where beggars can swamp your car during a light, or where gangs distract you by tapping the back of your car.
These are cultural memory and experience.
In India, people are very pro surveillance, many believe that we have nothing to hide and those who do are likely criminals.
We are only building civil liberties groups today.
Side note: apparently the boiling frog thing isn't true. If it gets hot it jumps out.
I agree that a big share of responsibility lies with consumers not choosing privacy-minded alternatives.
I wouldn't write off software developers completely though. There likely are some who simply do what they're told without speaking up or questioning the decision, even though they know better / think differently. They stick Google Analytics on a site instead of raising the idea of using Piwik instead. Or they add Facebook and Twitter share buttons without asking whether they can be optionally loaded. Maybe they'll be shot down by a superior, or maybe the superior doesn't even care and allows the software developer to decide. Depending on the size of the software's audience, that small decision could make a substantial difference in privacy.
When they deny you auto insurance or double your rates, because your brother living 1000 miles away looks like an alcoholic on Facebook. THEN, you'll start thinking about your privacy.
You do realize, companies are already lobbying for and soliciting access to Facebook data.
Tick tock...
P.S. I became friends with and helped out a convicted felon, this past year. Three DUI's. Their life is now back on track.
Per corporate-sought data maximalism, our Facebook friendship could cost me in terms of insurance premiums or even simple insurability, employability, perhaps my ability to get or maintain a mortgage. God knows. And that's a further part of the problem, that this is all feeding into corporate "black box" algorithms and decisions.
Maybe I start getting "enhanced screening" at every pass through an airport, because the government -- or a private/privatized screener -- is using Facebook to acquire this third party data that, so far, it's (supposedly) prevented from acquiring directly. You see, it's not just alcohol, but this person used to be into drugs.
So, do I need to rethink my whole decision to help this person? Will data domination dissuade simple kindness and decency? And that proverbial "second chance"?
Privacy. Ultimately, it strikes at the core of our society and our humanity.
A far greater threat than the ostensible threats ostensibly (um, data, please) being prevented.
Or, in the case of private business, a far greater loss than the profit supposedly being maximized.
Yes, this is not the users' fault as is kind of implied by the first statement. Most users (laymen users not tech savvy) don't have/don't know they have much choice when it comes to privacy.
That's why this has to be controlled by regulation rather than driven by market demands (which you allude to in the closing paragraph).
If people don't care about privacy, then government is wasting their time creating regulation that doesn't matter to people. That's not useful.
If people don't know about the privacy implications of technology, is adding regulation the best way to inform them? There are lots of organizations like EFF that are much more effective with their resources to inform people compared to government. And wouldn't it be speculative to create regulation without first determining how people feel about it?
Don't get me wrong – I think privacy is extremely important – I just don't think government can address it nearly as well as the free market, which is much more in tune with how important it is to people.
Most people are not aware of the scale of this thing. And it's just getting going. I don't think people's ignorance is a good reason to not protect them. If all the companies are at it (which they are due to lack of regulation and need to compete), then what good is it informing the user. What choice do they have? It's all very well saying they can choose to not use said service/product etc, but that is tantamount to bribery - and an unrealistic prospect. So what actually happens is people click through the T&C's grudgingly (well, the ones who understand what's going on), and downwards we go.
We should not be forced into such a choice and the only way that will happen is regulation.
EDIT: then again, this will never happen, because where do you think the gov gets their information from!
I think people are much more aware of it since Snowden. And, as with all knowledge, people have chosen to respond in different ways. Some have become much more privacy-minded and actively seek out like-minded products and companies. Others haven't because it's not that important to them, which is their prerogative.
> I don't think people's ignorance is a good reason to not protect them.
Even if there are some who are completely in the dark about privacy, this mindset would lead to regulation protecting people from literally everything, as there will always be people ignorant of something. I don't think it's the right default stance to take.
> We should not be forced into such a choice and the only way that will happen is regulation.
We have a right to privacy in the sense that we can choose not to use a product or service that invades our privacy. But we can't force our right to privacy on others.
The good news is, if there's a market for privacy-minded products, entrepreneurs will provide for that market. And I believe there is a market, because there's an increasing amount of privacy-minded alternatives.
> EDIT: then again, this will never happen, because where do you think the gov gets their information from!
Hah, this we can agree on! And I think it highlights an important point: How can we trust government to protect our privacy when they've been the biggest aggressor against our privacy?
Whilst I don't agree with all you said, indeed the problem we have as a society (as Snowden et al. have revealed) is that I cannot even trust my firmware. And if I cannot trust my firmware, what is the point of securing anything above it?
A market solution to privacy issues involves consumers making informed choices about how much information they share, which is currently relatively difficult. Companies are able to track a wide variety of information with only minimal effort to inform people or acquire consent.
Regulation could make their use of data far more visible, or even require explicit consent for different instances of tracking. This isn't holding the market back, it's enabling individuals to make more efficient decisions about which transactions they think are actually beneficial to them.
I'd actually say it's relatively easy to find privacy information about a product or company. Independent researchers and organizations (like EFF) are exposing privacy violations all the time. It's oftentimes just a search away.
Case in point: Pokémon Go. It didn't take long at all before they were exposed (http://adamreeve.tumblr.com/post/147120922009/pokemon-go-is-...) for requesting full access to your Google account. The subsequent outrage caused them to take a more privacy-minded stance.
My point being, this information is and can be made available to consumers without requiring government or regulation. A whole new non-profit organization could be established that does just that: researches and publishes privacy-related data on products/companies. It could even have a program that rates and awards gold stars to those that pass their requirements, like EFF's Secure Messaging Scorecard (https://www.eff.org/node/82654).
> This isn't holding the market back...
Regulation always makes it harder for new entrants to the market, while simultaneously keeping incumbents in power (because they're often large enough to handle the time and money required to comply). And with less competition comes less choice, poorer service, and higher prices.
It sounds backwards, but not regulating privacy actually makes it easier for privacy-minded companies to enter the market and find success.
> I'd actually say it's relatively easy to find privacy information about a product or company. ... It's oftentimes just a search away.
And I think that's still far too much effort to expect from people for every single company they interact with. People should not be able to give up their privacy without actively choosing to do so.
>Regulation always makes it harder for new entrants to the market, while simultaneously keeping incumbents in power ... not regulating privacy actually makes it easier for privacy-minded companies to enter the market and find success.
In order to have a competitive market for privacy, it needs to be a visible choice.
If companies can hide data gathering in the small print, it makes it hard to convince people that your product is meaningfully different. Whereas if the other company has a big notice saying "We sell your data to advertisers" and yours doesn't, it's a lot easier to sell.
Yes, the cost of compliance will marginally reduce competition overall, but competition in terms of privacy will be greatly increased because people will actually factor it into their decisions.
>it's that most users do not care much and are not willing to pay for privacy despite saying it's important for them.... Until then, people will just enjoy their free search engines, social networks, phone operating systems and will be content paying with their private data.
What's worse is that there are privacy-respecting alternatives available out there, all for free or close to it.
For search engines, you can use startpage.com and duckduckgo.com.
For social networks, you can use Diaspora. You might have to pay for a cheap hosting account though.
For phone operating systems, you can use LineageOS (formerly CyanogenMod).
For PC/laptop OSes, you can use Linux.
But no one wants to bother with any of these things. They'd rather use whatever's mainstream, and they're perfectly happy to post all their private information on Facebook for the whole world to see.
Mostly accurate, until you say "they'd rather use whatever's mainstream".
Ignoring that the options people do choose are vastly more capable, usable, convenient, reliable, supported, etc, than any of the options that would protect their privacy.
People are making a tradeoff, but it has nothing to do with what is 'mainstream'. The mainstream choices are mainstream because they offer tremendous value in comparison to the privacy preserving alternatives.
How many people who had no relationship with a university have you gotten set up on Linux? There is a solid chunk of people that just cannot afford the cost of running Linux once you take into account the risk of having to spend a bunch of time mucking about with your package manager or something else with a high cognitive cost.
Granted, I switched from OSX to Ubuntu back in 2013.
This is total BS. I've set up two friends with Linux Mint machines; one is elderly and the other middle-aged and not a techie at all. Both of them are quite happy with them because they never have any problems, and I almost never have to even answer any questions. I did give them each a 15-minute orientation course beforehand, but considering that KDE works a lot like Windows (before the whole Win8/Metro debacle), it wasn't hard for them to adapt. WhyTF would they need to "muck around with a package manager"? And how is that harder than messing around with Windows' total mess of "installers" which don't do proper package management at all? In fact, Linux package management is superbly easy: just open up the software center, search for whatever you want, select something, read the description, and click "install" and type in your password. How is that hard? It's sure a lot easier than looking for random software on random webpages and worrying about it having malware baked-in like most Windows software on places like download.com.
I think these are really not viable options for most people.
Social networks? How to persuade people to join the better alternatives when all their relatives and friends use the popular ones?
Devices? Most people do not want or need a desktop or a laptop these days. Smartphones are much more convenient and easier to use.
Alternative phone operating systems work well on very few of these devices and the installation procedure is rather harrowing. Might completely brick your phone if you don't know what you're doing, who wants to take that risk?
Those that do need a proper computer probably prefer compatibility with everyone else, and that means they will not run Linux.
Search engines? People would rather trust and use Google or whatever because DuckDuckGo looks and sounds like it's made for five-year-old kids. Startpage.com is spewing stuff about government spying and hacking on the front page.
After switching to DuckDuckGo from Google completely more than a year ago, I have to say it's quite good. Bangs (https://duckduckgo.com/bang) are particularly useful.
Are the results as good? Probably not. But there's always a trade-off we make when choosing our tools. It's not always about choosing the one with the most features or the one that's most popular. Sometimes ideology matters, and I'd say that's the case for many who choose a search engine like DuckDuckGo over Google. I'm more than happy to trade not-quite-as-good search results for privacy – and I know that the more people who do, the better those search results will become.
> Kids today are growing up with iPads in their laps that teach them how to code.
No. They're growing up with iPads in their laps that teach them how not to code. Computing used to be creative perforce. Now the larger trend is to consumption - perforce.
There is a heartening smaller trend to creativity with Pi, Arduino etc...but it is tiny compared to the mainstream use of computers.
Yes. I've noticed that trend too. A lot of today's teenagers spend most of the time on their phones to consume content and to communicate. Most of them use PC only for homework. I feel like the amount of time spent in front of the screen is the same, but not for the same purpose, and not the same screen. I was a teenager during the transition, the iPhone was released just on my generation's transition between primary and secondary education. Still, we all prefer laptops.
Naturally, since we spent a bunch of time on PCs, we tried and explored many different things. I started learning HTML when I was 11 or 12, I don't remember precisely, but I discovered it accidentally. I found out about View source and how to save a web page (HTML), then I started playing with the code. This was enough to get me interested and I started learning HTML and later, programming. Today I am 23 and I work as a mobile developer. I heard a lot of similar stories, not just in programming, but for graphic design and other fields that use a computer as a tool.
The smartphone is simply not a creative tool, and it's not an open platform. You can't "peek" inside of a mobile app like I was able to peek into HTML. If I didn't, I would never discover it and it would never lead me to other platforms and programming languages. You can't see and play with raw files. You can't just open a photo in an editor, which leads you later into some creative fields like graphic design. Sure, you can "get creative" in Snapchat with your photos, but Snapchat is not a professional tool. When we wanted to edit our photos, we had to first get Photoshop, and learn the basics of working with it. Since it is a professional tool, it is an invaluable skill. I feel like this doesn't happen anymore. Applications like Snapchat are enough to fill their need for creativity and those kids are less likely to discover useful tools.
I got into tinkering with my PC because I had to edit config.sys and autoexec.bat to change virtual memory settings in order to play the computer games I wanted.
I share the concern that a phone is a consumer gadget much like the console was as a gaming platform compared to the Amiga/ST/PC stack. I'd imagine that kids that grew up with Amiga/ST/PC were much more likely to become programmers than those that grew up with consoles (Megadrive/SNES).
I remember first being exposed to html/css at around 14 when I wanted to customize my MySpace page. I was curious and decked that page out (yes, it looked like puke but I was learning, dammit!).
Today's generation doesn't have that option in any of the popular social media platforms.
I would love to see some stats about the percentage of internet users that studied how to code in the 1990s and today. I bet it will be at least one order of magnitude in favour of the former.
And? In the 1990s _nobody_ but the people most interested in computers used the Internet, now it's a commodity. Of course there's going to be a huge difference in that statistic.
That is the point. The ratio of people developing and people consuming is, imo, a healthy indicator of the internet. And we are, in the last decade and amid all the efforts to encourage people to code, having less people interested in software development than before. My main guess is that a lot of potential developers became content creators in siloed social networks.
Why do you say there are less people interested in software development than before? (And do you mean less absolutely or less as a fraction of the whole?)
Because before, to be a content creator on the internet you had to be a developer. Now, you don't need to; you can use software created by others. This is good, it is abstraction building. But it doesn't come for free. I don't have numbers to back my impression, though :)
(I mean fraction of the whole, but I would love to have the data to see if we are not having more people leaving software development due to increasing complexity or retired tech than joining. How many have left software development with the downfall of Delphi, Visual Basic, Clipper?).
The original sense of creativity has been lost towards 'tying things together'. You can easily tie things together on an iPad but it's comparatively hard to actually create something new.
Unfortunately many people praised the shareconomy without seeing the downside that a shareconomy seldom creates new.
That's pretty normal. Once a technology goes into the mainstream and matures, people don't have to learn how it works anymore but just use it. 50 years ago every car driver needed to have a pretty good understanding of their car. Now not too many people have even a basic understanding of cars but they still use one.
I actually had the same thought. Learning to read or even basic writing doesn't compare to the skill and effort it takes to write something interesting, let alone a novel. You just know enough to consume what others have written. Basically the same as learning to use an iPad.
Exactly. The whole premise is a cop out. Software engineers will collectively all care about privacy and security when their employers do. The employers will when their users/customers demand it. For right now, they prefer free to private/secure.
It will take an outside force to change that like legislation or if people get in "trouble" for sharing things that disagree with the powers that be.
The super hard thing is to help people value their privacy/security.
They already share everything on their social accounts showing they don't really care. They only care when an ex uses that information to stalk them or something. Or they make stupid myopic comments like "I have nothing to hide..." until you do because one of your FB friends has a Muslim-sounding name. Then they want privacy and security but still only from that person/group.
Actually I prefer the original Google privacy policy, I would not have signed up to gmail if it had, then, the current non-privacy policy. It's going to take me years - at least - to back out of using Google products, but I am starting that process; and just hoping I end up actually having a choice.
Privacy is one more "race to the bottom" where the government has to intervene, since acting one at a time consumers are helpless.
People have disagreed in this very thread. And can you honestly say that finding out the author was being hypocritical didn't weaken his argument in your mind? It did in mine: this is a very human impulse and in this case it leads us wrong. Now instead of evaluating whether what the author said is true, we're evaluating whether the author is trustworthy. This need not even be considered because the author's statement stands on its own, independent of who said it.
> The point was that there is no accountability in the article. It even says "they're sleeping" instead of "we're sleeping".
I get the point, but why make this point? It's not an ad hominem attack because the logical leap from "the author was a hypocrite" to "the author is wrong" was never explicitly made, but it's hard to imagine a reason why attacking the author is relevant if you don't make that logical leap. And many readers will make that logical leap, as evidenced by responses to my post. If the intent is only to attack the author, it's off topic; if the intent is to undermine the author's statement, it's an ad hominem; either way it's counterproductive to the kind of discussion I want to see on HN.
Security is the responsibility of people who implement software. That's important and it's worthwhile to stay on that topic.
I don't think there can be a satisfactory proposition of "accountability". We have an Oligarchic system which again, systematically undermines the rights of users. Software which is made primarily for short term profit, will undervalue privacy, because it does not sell. Things are centralized because with the current technology that's how they scale, and are easier to control, and convenient. And also because data about you is important, that's the real treasure.
De-centralization is what will give power back to users. Of course I don't want every user configuring their own synchronization solution instead of using Dropbox, and Drive. But running your own server, with modular services like these (sync, backup, email etc), should be like installing apps on your phone.
I get what you are saying - "Practice what you Preach", but wouldn't blame the author for using Medium for reaching a broader audience. Many developers do use Medium. Advocacy which is done on invasive but popular platforms such as Facebook, and Medium (which is not the worst but still) is better than Advocacy done in a way aligning with each and every ideological belief that you have. Those two do not have to be mutually exclusive, but sadly the current scenario is different.
Is it really? RMS doesn't appear to have a problem reaching as broad of an audience as is willing to listen to him, and afaik he does not compromise his principles by using non-free software.
I disagree with the statement. But let me make this clear, I think RMS is great, and plays a very important role in today's society. He has an exceptional devotion to his ideology, but seen from a normal person's eyes, he is an extremist. For this normal person (and the masses in general), abstaining from proprietary services is not the solution. You cannot expect everybody to just install Linux and start using FOSS alternatives (as things are now). The barrier to entry is too high.
The end result is that we are trapped in our own bubbles, preaching to only those who already agree with us. Ideological purity goes on to alienate people. The new generation of computer scientists, developers are not exposed to these ideas, because they are not as accessible. They are using facebook, slack and medium, and we refrain from using those. These are tradeoffs, and clearly, there needs to be a balance.
And by tradeoff, you mean you are giving your usage, which is all these platforms really want from you, and in exchange, you get the ability to reach an audience who is not interested in the ideology you're preaching. Is that accurate?
You can post on your site and send people there from social media, cross-post to medium/tumblr/... Medium even is "nice enough" to give you links to "this was first published at", including rel=canonical links to hopefully make search engines happy.
I am a practicing IP, software and information attorney.
I wrote (as in, me personally, in Node) and just released http://gibber.it , which is currently in beta, to allow users to send end-to-end encrypted messages through basically any place in a browser that you can enter text.
It currently works quite well on gmail, nytimes.com comment boards and on reddit. It will soon be working on facebook (their content-security-policy is very strict - rightly so - and I am making the extension compatible with these requirements).
* It currently functions as a chrome extension.
* Sign up, invite connections just like any other social network.
* Encryption is end to end, AES 128 with nonce'd salts.
* Use a password you share with your connection (NOT your login password) to send connection invites - this is used to encrypt your keys during the invite process. (Make sure to accept the return invite! This is how your connection sends his or her keys back to you. Also note that you will likely need to reload any tab running the extension after accepting an invite in order to get the keys to load.)
* Use the chrome extension to encrypt and decrypt messages as you browse.
Please note that the system is in BETA. Still many tweaks to work out. Use is at your own risk.
Please feel free to ask any questions you may have. I welcome any and all feedback. Love the system? Hate the system? Please let me know. More about me here: http://www.lawyernamedliberty.com
Edit: Please note that the gibberit homepage - AND NO OTHER PAGE - uses google analytics. This is clearly detailed in my privacy policy. Aside from that, I do not use any tracking software.
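The invite step described in the post above (a shared password protecting the keys while they are exchanged, then per-message encryption) can be sketched as follows. This is an added example, not gibber.it's code: the scrypt key derivation, the AES-128-GCM mode, the `gib1:` text envelope and all function names are assumptions.

```javascript
// Added illustration, not gibber.it's implementation. scrypt, AES-128-GCM,
// the "gib1:" envelope and every function name here are assumptions.
const crypto = require('node:crypto');

const KEY_LEN = 16; // AES-128, the key size named in the post
const SCRYPT_PARAMS = { N: 16384, r: 8, p: 1 };

// Authenticated encryption. Output layout: iv(12) | tag(16) | ciphertext.
function seal(key, plaintext) {
  const iv = crypto.randomBytes(12); // fresh nonce for every call
  const cipher = crypto.createCipheriv('aes-128-gcm', key, iv);
  const ct = Buffer.concat([cipher.update(plaintext), cipher.final()]);
  return Buffer.concat([iv, cipher.getAuthTag(), ct]);
}

// Returns the plaintext Buffer, or null if the key is wrong or the data was altered.
function unseal(key, blob) {
  if (blob.length < 28) return null;
  try {
    const decipher = crypto.createDecipheriv('aes-128-gcm', key, blob.subarray(0, 12));
    decipher.setAuthTag(blob.subarray(12, 28));
    return Buffer.concat([decipher.update(blob.subarray(28)), decipher.final()]);
  } catch {
    return null; // authentication failed
  }
}

// Invite: wrap the sender's message key under a key derived from the shared
// invite password. A random salt per invite means the same password never
// yields the same wrapping key twice.
function wrapKeyForInvite(messageKey, invitePassword) {
  const salt = crypto.randomBytes(16);
  const kek = crypto.scryptSync(invitePassword, salt, KEY_LEN, SCRYPT_PARAMS);
  return Buffer.concat([salt, seal(kek, messageKey)]).toString('base64');
}

// Recipient side: returns the message key, or null on a wrong password.
function unwrapKeyFromInvite(inviteB64, invitePassword) {
  const raw = Buffer.from(inviteB64, 'base64');
  if (raw.length < 16) return null;
  const kek = crypto.scryptSync(invitePassword, raw.subarray(0, 16), KEY_LEN, SCRYPT_PARAMS);
  return unseal(kek, raw.subarray(16));
}

// Messages travel as plain text so they can be pasted into any text field.
function encryptMessage(messageKey, text) {
  return 'gib1:' + seal(messageKey, Buffer.from(text, 'utf8')).toString('base64');
}

function decryptMessage(messageKey, envelope) {
  if (!envelope.startsWith('gib1:')) return null;
  const pt = unseal(messageKey, Buffer.from(envelope.slice(5), 'base64'));
  return pt === null ? null : pt.toString('utf8');
}

// Constructed demo values; nothing here comes from the real service.
function demo() {
  const aliceKey = crypto.randomBytes(KEY_LEN);
  const invite = wrapKeyForInvite(aliceKey, 'correct horse battery staple');
  const bobCopy = unwrapKeyFromInvite(invite, 'correct horse battery staple');
  const wrongGuess = unwrapKeyFromInvite(invite, 'login-password');
  const post = encryptMessage(aliceKey, 'meet at noon');

  // Flip one bit of the ciphertext to show that tampering is detected.
  const raw = Buffer.from(post.slice(5), 'base64');
  raw[raw.length - 1] ^= 1;
  const tampered = 'gib1:' + raw.toString('base64');

  return {
    keysMatch: bobCopy !== null && bobCopy.equals(aliceKey),
    wrongPasswordRejected: wrongGuess === null,
    decrypted: decryptMessage(bobCopy, post),
    tamperedRejected: decryptMessage(bobCopy, tampered) === null,
  };
}

console.log(demo());
```

The invite password only ever protects the wrapped key in transit, which is why it should differ from the login password: anyone who learns it and captures the invite can recover the message key.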
I know it's more fun to play blame the nerds, but this author needs to sit down and have a bit of a think about why they're blaming people for building the things they were paid to build, rather than the people who decided that the things should be built. But there are no easy answers there, all you get is a sense that there are an overwhelming number of force vectors that all make the status quo happen.
If the moral imperative is on engineers to band together, and refuse work for the purpose of breaking us out of the feedback loops we're in, you're going to need a lot more principle and actionable advice in your argument than some shitty hand-waving to throw developers under the bus so you can huck your notetaking app.
Best and most-relevant comment, as always, just sitting down here at the bottom and all lonely.
Blaming engineers for this problem is shooting the messenger. Engineers, so far as I can tell, are the only group who do care about privacy, and spend their hard-earned free hours making products to address it. They're soundly ignored by consumers, who quite frankly don't give a shit.
But I guess "blame the nerds" is all the rage these days. Just like it was when I was a nerdy kid in the 1980's. And just like it was when my dad was a nerdy kid in the 1950's. It's never enough, nerds. Give more to society. Work harder for free.
The doomsaying about privacy in this article is way overblown if you ask me.
I agree that most of these big companies/governments are greedily collecting as much data as they can without even a clear plan of how it all will be used, and that the amount of data being collected is definitely way more than most users know.
But will I someday be prosecuted for the news articles I read or the songs I listen to or my amazon purchases or my google searches? I guess maybe, but that is a HUGE maybe.
If the number one motivator for internet privacy is so that if there is someday an oppressive totalitarian government I will be safe, then I'm not convinced. Besides - I doubt the new government will really be stymied by my use of a private server.
The truth is most of the data collection benefits us all in at least some small way. Spotify provides better recommendations, google provides better search results. Even the ads we are served are more appropriate for us (for better or for worse).
And when people do absolutely need privacy there are suitable options already available. But these are niche products for a reason: most people lead innocuous lives.
> But will I someday be prosecuted for the news articles I read or the songs I listen to or my amazon purchases or my google searches?
In case you've missed it, there have been a lot of articles on HN recently about US immigration going through people's phones and social media accounts looking for things they can use against them. e.g. https://news.ycombinator.com/item?id=13702981
Totalitarianism doesn't turn up all at once. It starts against those people, one person and marginalised group at a time.
Do you really think that writing our own encrypted messaging apps and using our own servers instead of Azure/AWS/Google is an important step in protecting ourselves from a totalitarian government? It seems to me to be too little too late
Decentralization and encryption make mass surveillance harder to implement and harder to hide, so yes. Technology alone isn't enough, but technological and political approaches support each other.
You know what else would make mass surveillance hard? If we encrypted all our hand written notes and invented spoken languages known only between friends and families-- but sometimes privacy is sacrificed for the sake of convenience.
Clearly there is huge variance in the value individuals place in privacy. And I guess that is where the author and I disagree.
It does sound too little too late, but it does seem to be possible for a subset of people to outrun an oppressive state. It's helpful but not sufficient; we've all seen how the "Arab Spring" turned out.
I meant too little too late if we fall in the hands of a totalitarian government.
I mostly just think cloud computing provides a lot of benefits to society and spurs innovation, and the idea that we should roll our own (costly) servers for the sake of privacy is not convincing.
> But will I someday be prosecuted for the news articles I read or the songs I listen to or my amazon purchases or my google searches?
The fear is not of being prosecuted. It is of not being prosecuted. Never having your day in court. Being put on watch lists and "no fly" lists without any recourse. No way to examine the evidence against you. The fear is not an Orwellian world, the fear is a world driven by Kafkaesque bureaucracy. You are right that privacy may not always protect us from violence, but it will protect us from indifferent and abusive bureaucracy.
> If that is the political situation then I do not think it matters whether I use my own server, or encrypt all my messages
I don't know why it wouldn't matter. And it is the situation; you can be put on the No Fly List without your knowledge and with no recourse, and now popular legislation would not only deny travel on that basis but gun rights too.
The post described a situation in which a government could do anything with or without evidence, in which case it doesn't matter if they have evidence.
And I also think without us rolling our own ISPs, the government will always have a back door.
And truthfully I think Amazon has a better chance of fighting invasive government behavior than I do as an individual.
> will I someday be prosecuted for the news articles I read or the songs I listen to or my amazon purchases or my google searches? I guess maybe, but that is a HUGE maybe.
Perhaps you aren't vulnerable, but there are many who are. What if you are Muslim or interested in Islam? LGBTQ in a small town? And do we know who will be in power and what the risks will be 20 years from now? We can't wait until someone starts to abuse power; it will be too late to stop them.
Also, I think the parent greatly underestimates the risks of abuses of power. Read the history of the civil rights movement, for example, when the U.S. government tried to blackmail Martin Luther King, or conducted COINTELPRO. People feel vulnerable to this day; when U.S. government mass surveillance became public recently, evidence showed that people began self-censoring their searches.
Finally, one reason many in the West feel safe is that institutions were built to protect against abuse of power. There is nothing genetically different about Western leaders that makes them less prone to abusing it. For example, a military coup in the U.S. might seem very unlikely; one reason for that is the structure of the defense institutions are designed to prevent it, partly based on what happened with the German military before WWII.
What are we doing to protect and provide freedom to the next generations, as our predecessors did for us?
> most of the data collection benefits us all in at least some small way
You may feel that way, but shouldn't people be able to disagree and have a choice?
People definitely should have a choice and I acknowledged that niche security products do exist--and if they were ever threatened I would be concerned.
I didn't mean to be so inflammatory, but I think the premise of the article -- that we should be rolling our own servers as opposed to using cloud computing systems -- is a ridiculous one. By the author's line of thinking we should probably start encrypting our handwritten thank you notes to our grandparents for no other reason than maintaining our privacy.
I never said that it should be illegal for someone to seek privacy, but I do believe that the article advocates a silly solution.
> I never said that it should be illegal for someone to seek privacy
I'm not talking about legality (though that is important); I mean that typical end users should have an option, a practical way to have privacy and function in the real world.
For example, someone looking for a job often needs Facebook and LinkedIn; they have no option.
> for no other reason than maintaining our privacy
I believe privacy is important, as a thing itself and not as a direct means to an end, to more people than you think.
Given the current political situation in the US, I'm surprised you're doubtful there will one day be an oppressive totalitarian government that uses this information against you. Do you really doubt that there are currently politicians in power who would not hesitate to leverage this data to their benefit? If so, it seems we're living in different realities.
Could you give a specific example of how typical data (ie internet browsing records) could be exploited by a politician? Will they arrest me? Tax me? Publicly shame me for reading the New York Times?
I'm aware that there are places like North Korea where this is a problem -- but what the article was advocating, private servers, encrypted messaging. Do you think if only the Chinese had thought of that, they'd be fine and free on the internet??
My main point is that an oppressive government is a huge problem, and it really doesn't matter whether you use aws or roll your own server, because either way you're screwed if you've let it get to that point.
Those are two problems, and they both need solutions. Centralizing everything makes it easier for the government to abuse its position. Sure, they can still abuse it if everything is distributed, but it's a lot more work.
> My main point is that an oppressive government is a huge problem, and it really doesn't matter whether you use aws or roll your own server, because either way you're screwed if you've let it get to that point.
But we aren't at that point yet. So let's not give up trying to build things the right way just because we may be screwed in the future.
That's a good article -- but I will say that (for now at least) facebook is a level-playing field and anyone and everyone can equally leverage its targeting abilities.
Sure it's more refined than older ad technology, but picking the tv or radio shows during which one runs ads, or picking the magazines and newspapers in which one runs ads is not that different from targeting facebook ads. The first politicians 100 years ago to target ads on the radio probably gained the same advantages that Trump did in 2016 with facebook.
> If the number one motivator for internet privacy is so that if there is someday an oppressive totalitarian government I will be safe, then I'm not convinced.
That's not the argument, kind of like the argument for not having unprotected sex with strangers is not that if you use protection and have sex with someone who has HIV, you will be immortal and live forever.
Furthermore, it's really not just about you. Say, you're gay or have a spine in country X or Y, there are so many possible cases. Those people matter, not those who are content that they themselves are not threatened at this very second, or intend to remain on the "good" side of power.
> But these are niche products for a reason: most people lead innocuous lives.
Most people are complicit. Most of us are not dangerous to any murderers or crooks, while lending support, so we are innocuous to them. And congratulations to all of us, too. Well, at least we have ads that are "more appropriate to us" I guess.
Many people are doing something about this. Change is slow but surely happening. We don't have the right products to trigger a privacy revolution but they are being built. Deploying a server and installing most of the apps required for day to day use has never been simpler. See cloudron.io and sandstorm.io (though sandstorm seems to have failed to find a business model).
This kind of argument is like shaming people for not using solar panels or some other green tech because they are too 'lazy' to make the sacrifice. Or shaming people for not using linux as their desktop operating system. Or for using MP3s.
The reality is you need to make the economics and usage of it better than the current de facto reality. There are reasons why the current status quo is the status quo, and you have to be more compelling than the status quo to beat it.
It's why signal forces everyone to use phone numbers as identifiers & use google play services. It is why PGP has failed. It is why your next consumer privacy product will probably still use those cloud services, but client side encrypt.
Now that solar panels are meeting the price of gas, we will very soon see solar overtaking a lot of power plant production in the world. Because it will be the cheapest.
I think it's both of these things plus money. If the culture has an interest in privacy, the technology exists to make privacy feasible and someone can make money from it, you have a path of least resistance (or at least a level playing field) towards more privacy.
I don't think I could agree that the "author is wrong" without some caveats, but I do agree that privacy is in part driven by culture. As an anecdote, I recall when I lived abroad just how many of my German friends used false information in their Facebook profiles. They were rarely under their real name, and the pictures were often obscure and few in number. It wasn't universal in every instance, but it was common enough that the expat Americans such as myself would sometimes talk about "going anonymous" like the Germans did. When I asked a friend or two about this, the answer was always the same. Privacy. There was simply a much greater concern over groups that had their data. (I'm inclined to believe there's a historical basis for this, but it's just supposition.)
So I think people will be more concerned about privacy when it becomes important enough for them to do so. And I believe that's not likely to happen until the evidence of the abuses against themselves becomes too large to ignore. But the abuses of privacy today are largely unseen and unheard. And so the culture of being social and sharing is more dominant than the culture of privacy.
I don't hold developers and engineers directly responsible for ensuring people's privacy (though they could certainly do more to improve it). Their business model often relies on people giving up their privacy, true. But as Facebook stated long ago, "the information users provide is voluntary." Users do not seem to mind volunteering.
China is considerably different as well. My completely non-techie first wife could still quite easily use VPNs and knew what they did, for example. If you are in a culture where the government interferes with network access, constantly watches what you do, censors you, and sometimes even confiscates property, then the workarounds become much more commonplace knowledge.
I agree with the general premise of the article that software developers need to focus more on privacy, something that neither large corporations nor closed source programs are likely to do. A few years ago I became so frustrated with the privacy behavior of the major browsers, which treat users like a commodity to be sold to advertisers and corporations with large internet presences, that I developed Privacy Browser. Currently it is only available for Android, although future development will bring it to other platforms.
Regarding the article being published on Medium.com, I think it is ironic that anyone with strong privacy views would use a platform that requires accepting third-party cookies to create an account or post a comment.
There seem to be many privacy solutions, but little adoption. Sorry, but I have to blame the consumers, not developers. I am actually amazed at how much manpower is being poured into doomed privacy projects. Like how many encrypted messenger apps are there, that never stand a chance against WhatsApp and Facebook?
I'm not sure you can really blame the consumers. All products claim to be "secure", and consumers have no way of knowing what is and isn't secure. Plus of course security isn't a binary and all security solutions have problems of one kind or another, which makes things extra-confusing.
But how can you change the situation, if consumers don't care enough to educate themselves? A government decree wouldn't help in this case, as governments can't be trusted with protecting privacy.
Since you ask, I think a neglected part of the solution might lie in getting businesses to communicate securely. Unlike individuals, businesses actually care quite a lot if their data leaks.
I think maybe people have wasted a lot of time trying to peddle crypto to hippies and politicos, when lawyers and insurance companies might have been a more receptive audience. The only way PGP was ever going to get any adoption was if people feared getting fired for sending unencrypted private info.
And of course once there's a critical mass of people who know what a private key is due to their work, it's a smaller step to get individuals to encrypt things voluntarily.
> businesses actually care quite a lot if their data leaks.
How are you coming to that conclusion? Companies may say they take security seriously and they want to avoid becoming the next Sony or Home Depot, but how many actually allocate resources accordingly? It's much more efficient to just issue a press release and offer to pay for credit monitoring services that virtually nobody will actually use.
To be fair this is HN and that's undoubtedly true of most startups. But from my experience large, established, boring companies spend a lot of money on covering themselves against this sort of thing. Or at least on CYA security rituals. If they have money to spend on security theatre, why not try to sell them something that actually works?
I would speculate that it's because they are more concerned with checking boxes for their auditors or insurers than they are about the actual data. As for convincing the KPMGs of the world to take security seriously instead of calling for security theater, well, "It is difficult to get a man to understand something, when his salary depends upon his not understanding it".
What do you think that lawyers and insurance companies have to gain from better crypto (than HTTPS)? Most leaks come from poorly secured servers and compromised credentials. I have a hard time thinking of a realistic threat that an insurance company or law firm could mitigate with PGP everywhere.
I'm curious how other industries handle similar issues. It's possible this is one of those things where we just need enough people to be hurt by it before anyone pays attention. I hope we can stop it before it gets to that level, though.
I'm the opposite to you, I blame developers. They are the ones who build and understand the tech that powers online tracking.
If a user switches from their Google account to a non-related Google website, how are they to know they are stealthily still being tracked thanks to an invisible bit of Google Analytics code?
Do the consumers who purchase a ChromeBook realise everything they do in the OS is tracked and recorded by Google (even simply printing to their desktop printer)?
Are the parents of school children aware of the privacy implications of their kids using ChromeOS in the classroom? ChromeBooks are becoming ubiquitous in US classrooms, and yet there's barely any discussion of the privacy aspects.
Even if these companies assure us they only aggregate the data they collect (never personally identifying individuals), that's still a frighteningly large volume of personal information they capture. Can you imagine the humongous volume of aggregated data that Google must hold on its users? They probably have the ability to mine that data in ways that most of us probably can't even imagine.
What do developers do about this? Nothing. They built this tech and few ever call out these companies on their behaviour. In fact, a great many rush to the defence of these companies and happily recommend their products ("just bought my mom a Chromebook!").
So no, I don't think it's fair to blame consumers, but yes you can certainly blame developers.
I thought it was meant in another way, that the article blames lazy developers for not providing good privacy solutions. Of course certain developers implemented Facebook and whatnot, and are therefore to blame. But "developers" in general can not influence how big companies handle people's data. I can not change how Facebook or Google work, at least not without some genius idea (which may not exist).
> The difference between reading and managing servers is childhood.
That analogy is crap. Is the difference between reading and launching people into space childhood, too? We don't blame authors for kids who can't read any more than you can solve technical illiteracy by bludgeoning software authors. Can we help? Yes, certainly (and check out https://www.cs-first.com/en/home if you haven't). But throwing shade isn't going to magically make an entire class of folks learn something they don't care about.
This dude is 100% right. Every developer I've worked with ever gives zero fucks about privacy. This is one change that has to happen with us, because you're damn right users aren't going to care.