_jomo's comments

This seems to affect users from the EU, but not from the US.


> reproducible build available at F-Droid

It's not available at F-Droid. They have an F-Droid compatible repository that you can manually add to your F-Droid client where they ship binaries.

I also can't find any mention of reproducible builds on their website, and their builds seem to include proprietary binaries.

The issue [0] to publish the app on F-Droid is still open.

0: https://github.com/oxen-io/session-android/issues/73


Indeed, from reading that issue, it appears their app cannot be bundled for the official F-Droid repository because it uses Google Play Services for notifications.

The ticket also mentions spyware like Crashlytics and Firebase analytics, which according to Exodus Privacy [0] have been removed in version 1.2.3 (good): https://reports.exodus-privacy.eu.org/en/reports/search/netw...

I understand why some apps need to distribute updates outside of the f-droid.org repo because it's too slow to vet/build updates: for example, NewPipe needs to update as quickly as YouTube breaks 3rd-party clients, and F-Droid's update vetting process takes too much time for that. But I don't understand why an app like Session would set up their own repo and not try to push to the f-droid.org repo without the Google trash. [1]

At least they're not actively trying to shut down libre forks (with spyware removed) like Signal did to LibreSignal years ago; that's already a very good point for them!

[0] Exodus Privacy is pretty cool. It uses static analysis to find known trackers/malware in Android APKs, and is developed by a French non-profit. If you don't use only F-Droid apps, you should definitely use Exodus Privacy to know what kind of crapware you're setting up. (Spoiler alert: >90% of the Google Play Store is malware.)

[1] The argument in the ticket is about the notification system, because some Android (and iOS!) phones have energy policies preventing most background connections (unless privileged, like for Apple/Google notification servers). That is not a problem on a device you own (e.g. Replicant/Lineage) but is definitely a problem on CrapDroids (like Samsung and Huawei, I believe) and on all iPhones, and this produces a situation where users will miss notifications until the phone comes out of sleep and will blame the app for that, while their OS is responsible for the loss. One of the many shameful consequences of letting evil corporations control our computing devices, which leads to further centralization of all network activities.


F-Droid delay is only like a day.


Is it now? It used to be more like 1-2 weeks. Have there been major changes in infrastructure or policy to explain the change?


Any service that claims to be "free" and doesn't have a very obvious business model gets me very suspicious. I usually start reading the service's privacy policy.

This website's "Privacy Policy" states:

> We collect [personal information] by fair and lawful means, with your knowledge and consent. We also let you know why we’re collecting it and how it will be used.

Yet personal data is collected through Google Analytics without being mentioned anywhere and without my consent. The policy is also the linked privacy policy for the Android and iOS app. It doesn't let the reader know why personal information is collected and how it's used, as it claims. Is that different in the actual apps? Also, what data does the website and the app collect?


Definitely need to improve the Privacy Policy. I just used some random privacy policy generator a few months ago when it was just a random side project.

There is a paid PRO plan in the app. It's pretty standard for site builders - pay for custom domains and premium blocks. I'll add this info to the website.

Thank you for the feedback!


This is a "feature", not a bug. Twitter keeps asking for phone numbers all the time and then suggests you also allow others to discover your account via phone number.

So this guy merely enumerated a lot of phone numbers and found accounts of users who agreed to have their phone number publicly match their account.


Yeah. Not long ago I thought I could finally try Twitter, but 20 minutes in (just enough time to follow a couple of people and to start getting familiar with the UI) I found the UI to be totally blocked by the demand that I submit my phone or else. Naturally, I figured I don't need Twitter that much.

So to call a feature nobody asked for which they went a long way to introduce a "bug"... yeah.


Same thing happened to me when I just wanted to sign up to follow some esports organizations. It says a phone number is optional during signup, then a few minutes after I create my account it becomes locked and I get an automated message saying that I'm suspected of being a bot, and the only way to unlock it is by giving them my phone number.


The worst thing about this ‘feature’ argument is how it could be slightly tweaked into a CFAA violation.


Nobody abused anything. If anyone should be sued for that, it's Twitter, not somebody who used their service exactly the way they invite you to do.


I'd like to point out that GDPR compliant sites don't need to ask permission for strictly necessary cookies.

I also recommend using Cookie AutoDelete for Chrome [0] or Firefox [1]. You can define a whitelist of websites where you actually need cookies (because you want to stay logged in), and the rest will be forgotten when you close the tab. It even allows different rules in Firefox Containers.

0: https://chrome.google.com/webstore/detail/cookie-autodelete/...

1: https://addons.mozilla.org/en-US/firefox/addon/cookie-autode...


> I'd like to point out that GDPR compliant sites don't need to ask permission for strictly necessary cookies.

That's also my interpretation. If you use cookies for session state or authorization, then it's no problem.

The problem is that every website decided that they needed to track users. Or that asking for permission would minimize liability.


Even with tracking you merely need a privacy policy in a place users can find. It's considered implied consent to continue using a site if the site makes a reasonable effort to make you aware that such a policy exists.

However, what counts as reasonable hasn't been explicitly defined. The UK government considers it fine to use a header that automatically disappears after a while (i.e. no need to click "ok"). But other governments may view it differently, so I can understand some large organisations being cautious.


> Consent must be freely given; this means giving people genuine ongoing choice and control over how you use their data.

> Consent should be obvious and require a positive action to opt in. Consent requests must be prominent, unbundled from other terms and conditions, concise and easy to understand, and user-friendly.

> Consent must specifically cover the controller’s name, the purposes of the processing and the types of processing activity.

> Explicit consent must be expressly confirmed in words, rather than by any other positive action.

https://ico.org.uk/for-organisations/guide-to-data-protectio...


There is no such thing as implied consent in GDPR.

Here are the conditions for consent: https://gdpr-info.eu/art-7-gdpr/

Most sites don't adhere to that at all, as there's pretty much no way to "not agree", which means they cannot rely on consent as a legal basis for processing PII.


I feel it's important to note that, although implied consent doesn't mean anything in a GDPR context, consent isn't necessarily required at all. It's only one of 6 different justifications a business can use to show their activities are legitimate: https://gdpr-info.eu/art-6-gdpr/


And they all have their own stipulations. Contract requires that the data is needed to perform your part of the contract; legitimate interests requires documentation proving you do need the data and weighed the risks to users.


Also, in my experience address locations on Google Maps are often very inaccurate, so it's not even a good source.


I keep wondering why people who seemingly care about their privacy continue to use Google products/services, doing all their online activity while logged in to their Google account.


Younger people growing up are used to living in the shadow of an ad company. Ad company keeps pushing the envelope on privacy but those who most vocalize opposition are getting older. Cycle repeats until ad companies win.


Sure, only if the ad blocking community stops fighting.


I have actually been running the Edge beta for about a month. It's pretty good. I've noticed that since I no longer use Chrome, a lot of the ad-tracking related items have gotten much more generic over time (such as the news articles on my phone on the Chrome homepage).

At least I feel like I'm being tracked a little less by a single entity.


As much as I want to use Firefox more, it doesn't "just work", unlike Chrome.

Every other update it destroys my containers and I have to recreate them. Or it will just stop responding to keyboard input after an update. I have to go in and disable all add-ons, restart and enable them. I get it, add-ons are hard.

I'm just afraid that if I start syncing my bookmarks etc that I do with Chrome, Firefox will destroy them someday and I'll be left spending half a day recovering.

I do want to use it more, but I also need it to just work every time.


>Every other update it destroys my containers and I have to recreate them.

I've used containers since Firefox 52 and this never happened to me.


Have you ever filed a bug report for the issues you've come across?


The opportunity cost of privacy on the web is greater than your average person is willing to pay.


Because Chrome is the fastest browser[] and Google services are usually the best.

[]Perhaps that will change once they nerf ad blockers.


Chrome is the fastest browser for YouTube because Google intentionally made it slow on other browsers. So, sometimes this speed is just the result of monopolistic actions.


I think this is the value of others like Vivaldi and Microsoft standardizing on the Chrome web page engine. They will strip away any ad company privacy layers. Only Firefox is truly free at this time and Safari doing whatever they do.


Safari's implementation of ad blockers is the same as the one that's planned and criticized for Chrome - isn't it a bit weird to bring it into this debate?


I just see Apple has been naughty with Safari. Slap on the wrist for them.


For me Chrome is the fastest browser all around. It may not be substantially better than Firefox anymore, but it's still the best. The day it stops being the best I will consider shopping for another browser.

(I mention Firefox specifically because it's the only browser that uses something other than WebKit/Blink, now that Edge is out.)


For a desktop with a powerful processor and GPU, the difference goes away entirely if you force-enable WebRender.

Add tree-style tabs to that, and there's no question of which one is best to me.


Useful website, but years out of date and unmaintained.

The actively maintained community fork can be found at https://justdeleteme.xyz.

Repo: https://github.com/jdm-contrib/jdm


That site says digg is "hard". When digg had a comment structure similar to reddit, I used to comment quite actively, but too many political types were following me and creating a weird echo chamber, so I asked them to delete my account. 15 minutes later, my account and all my comments were gone. Maybe something changed when they removed that structure, I suppose.


When you say you “asked”, do you mean you had to write a message to someone requesting deletion? Because that counts as hard. Ideally the site should respect your use of a simple button.


Fair point. I submitted feedback to it; it was a few words and two clicks.


Please don't rely on the Referer being present (ever). It's an optional header to send in a request and you can configure your browser — at least Firefox — to not send it for privacy reasons.

Logout (or anything else that triggers changes of any kind) shouldn't be a GET request.


Comcast has even published an informational RFC describing how to inject crap into HTTP requests:

https://tools.ietf.org/html/rfc6108

