this post was submitted on 15 Aug 2024
3 points (63.6% liked)

Privacy

799 readers
11 users here now

Privacy is the ability for an individual or group to seclude themselves or information about themselves, and thereby express themselves selectively.

Rules

  1. Don't do unto others what you don't want done unto you.
  2. No Porn, Gore, or NSFW content. Instant Ban.
  3. No Spamming, Trolling or Unsolicited Ads. Instant Ban.
  4. Stay on topic in a community. Please reach out to an admin to create a new community.

founded 2 years ago
MODERATORS
c0mmando@links.hackliberty.org
3
Fedi design needs to evolve for privacy -- for anonymous posting (links.hackliberty.org)
submitted 4 weeks ago* (last edited 4 weeks ago) by soloActivist@links.hackliberty.org to c/privacy@links.hackliberty.org
8 comments fedilink hide all child comments
 

I have lots of whistles to blow. Things where if I expose them then the report itself will be instantly attributable to me by insiders who can correlate details. That’s often worth the risks if the corporate baddy who can ID the whistle blower is in a GDPR region (they have to keep it to themselves.. cannot doxx in the EU, Brazil, or California, IIUC).

But risk heightens when many such reports are attributable under the same handle. Defensive corps can learn more about their adversary (me) through reports against other shitty corps due to the aggregation under one handle.

So each report should really be under a unique one-time-use handle (or no handle at all). Lemmy nodes have made it increasingly painful to create burner accounts (CAPTCHA, interviews, fussy email domain criteria, waiting for approval followed by denial). It’s understandable that unpaid charitable admins need to resist abusers.

Couldn’t this be solved by allowing anonymous posts? The anonymous post would be untrusted and hidden from normal view. Something like Spamassassin could score it. If the score is favorable enough it could go to a moderation queue where a registered account (not just mods) could vote it up or down if the voting account has a certain reputation level, so that an anonymous msg could then possibly reach a stage of general publication.

It could even be someone up voting their own msg. E.g. if soloActivist is has established a history of civil conduct and thus has a reputation fit for voting, soloActivist could rightfully vote on their own anonymous posts that were submitted when logged-out. The (pseudo)anonymous posts would only be attributable to soloActivist by the admin (I think).

A spammer blasting their firehose of sewage could be mitigated by a tar pit -- one msg at a time policy, so you cannot submit an anonymous msg until SA finishes scoring the previous msg. SA could be artificially slowed down as volume increases.

As it stands, I just don’t report a lot of things because it’s not worth the effort that the current design imposes.

top 8 comments
sorted by: hot top controversial new old
[–] CameronDev@programming.dev 8 points 4 weeks ago (2 children)

If you need to anonymously whistleblow, use the right tool for the job:

https://www.theguardian.com/securedrop

https://www.nytimes.com/2018/09/19/reader-center/confidential-tip-line.html

[–] soloActivist@links.hackliberty.org 3 points 4 weeks ago* (last edited 4 weeks ago)

Those do not obviate the use cases I have in mind. Secure drops are useful tools for specific whistle blowing scenarios. But they are not a one-size-fits-all tool.

I routinely use framadrop and then transmit the links to regulators or whoever I am targeting to act on a report. But what if the target audience is not a specific journalist or regulator but rather the entire general public? The general public does not have access to reports submitted to the Guardian’s dropbox or NYTimes’ dropbox. Those are exclusive channels of communication just for their own journalists. The report then only gets acted on or exposed if the story can compete with the sensationalisation level of other stories they are handling. If I’m exposing privacy abuses, the general public does not give a shit about privacy for the most part. So only highly scandelous privacy offenses can meet the profitable publication standards of Guardian and nytimes. The reports also cannot be so intense as to be on par with Wikileaks. There is a limited intensity range.

The fedi offers some unique reach to special interest groups like this one without the intensity range limitation.

NYtimes is also a paywall. So even if the story gets published it still ends up a place of reduced access.

They are great tools for some specific jobs but cannot wholly replace direct anonymous publication. Though I must admit I often overlook going to journalists. I should use those drop boxes more often.

(edit) from the guardian page:

Once you launch the Tor browser, copy and paste the URL xp44cagis447k3lpb4wwhcqukix6cgqokbuys24vmxmbzmaq2gjvc2yd.onion or theguardian.securedrop.tor.onion into the Tor address bar.

That theguardian.securedrop.tor.onion URL caught my attention. I did not know about onion names until now. Shame it’s only for secure drops.

[–] MolochAlter@lemmy.world 2 points 4 weeks ago (1 children)

Why not simply set up an instance yourself with the features you'd like to see?

Anon identities may not work in the strictest sense but I'm sure something like throwaway accounts made without email addresses or something along those lines would be doable.

[–] soloActivist@links.hackliberty.org 1 points 4 weeks ago* (last edited 4 weeks ago) (1 children)

Self hosting would mean I could control account creation and make many burner accounts. But there are issues with that:

  • If there are several burner accounts then the admin would have to make it easy for others to create burner accounts or else it would be evident that all the burner accounts are just the admin’s, which does not solve the aggregation problem. It introduces complexities because the DNS provider and ISP would have the identity of the self-hoster. One could onion host but that greatly narrows the audience.
  • It does not solve the problem for others. Everyone who has the same need would then be needlessly forced to independently solve all these same problems.
  • I do not have high-speed unlimited internet, so I would have to spend more on subscription costs.

I think it complicates the problem and then each author has to deal with the same. If it’s solved at the fedi API level, then the existing infrastructure is ready to work.

(edit) I recall hearing about a fedi client application that operates in a serverless way. I don’t recall the name of it and know little about how it works, but it is claimed to not depend on account creation on a server and it somehow has some immunity to federation politics. Maybe that thing could work but I would have to find it again. It’s never talked about and I wonder why that is.. maybe it does not work as advertised.

[–] MolochAlter@lemmy.world 1 points 4 weeks ago* (last edited 4 weeks ago) (1 children)

I'm not suggesting you host a normal instance, I'm suggesting making a fork that makes the instance logless and allows anonymous burners.

The important thing is to be a black hole for investigating origins of posts, right?

A logless instance that does not keep track of accesses/ips/etc would mean that even in the case of a subpoena there's nothing to turn over, and the ability to make burners with just an id and a password would ensure nothing is trackable.

You will need to make some adjustments to prevent botting but other than that this takes care of cross referencing, in my book.

Basically the same stuff that companies like mullvad do for their VPN hosting.

[–] Enkers@sh.itjust.works 2 points 4 weeks ago* (last edited 4 weeks ago) (1 children)

In this case, wouldn't it be important for the informant and platform to be controlled by different people? It'd look mighty suspicious if you were ever suspected of whistleblowing or leaking and you just happened to run your own instance that specifically caters to that need.

[–] MolochAlter@lemmy.world 2 points 4 weeks ago* (last edited 4 weeks ago)

Probably, but there's clearly not a lot of interest at present, and anyone running one such instance would absolutely incur scrutiny nonetheless.

It'd probably be simpler to send the information to a trusted moderator on some specialized community through some dead drop, rather than going through the hassle of making a whole system for throwaway accounts, at that.