freedomPusher

joined 3 years ago

People are often told if their data is published, they have no expectation of privacy. But I found an interesting gem in the EDPB Guidelines of 04/2019 which counters that to some degree:

  1. Even in the event that personal data is made available publicly with the permission and understanding of a data subject, it does not mean that any other controller with access to the personal data may freely process it themselves for their own purposes – they must have their own legal basis.²⁰

²⁰See Case of Satakunnan Markkinapörssi Oy and Satamedia Oy v. Finland no. 931/13.

IMO, that means #AI bots cannot exploit openly public data if it’s data that’s personal to a European or someone residing in Europe.

 

If you long-tap an image that someone sent, options are:

  • share with…
  • copy original URL
  • delete image

The URL is not the local URL, it’s the network URL for fetching the image again. When you send outbound images, Snikket stores them in one place, but it’s nowhere near the place where it stores inbound images. I found it once after a lengthy hunt but did not take notes. I cannot find it now. I think it’s well buried somewhere. What a piece of shit.

1
submitted 2 months ago* (last edited 2 months ago) by freedomPusher@sopuli.xyz to c/isitdown@infosec.pub
 

I’m just noticing this instance for the first time. Judging by the hostname, it’s a node that’s devoted to #XMPP chatter. But I cannot reach it. Getting timeouts from Tor. This could mean that they are down, or it could be that they block Tor in the rudest possible way (dropping packets).

To me, it’s a ghost node because I can reach a tiny cache of posts from !infosec@community.xmpp.net locally:

https://sopuli.xyz/c/infosec@community.xmpp.net

cc: @wintermute@feddit.de

 

cross-posted from: https://sopuli.xyz/post/13489053

In the onion v2 days we had underwood2hj3pwd.onion. There were half a dozen other onion email providers but Underwood was the only one that did not have a clearnet email alias (IIRC). That was a useful feature because you could distribute an onion address to a MS Outlook or Gmail user and they could not use it to share their correspondence to you with Google or MS in the loop. They had just two options: step off the ad surveillance platform or not contact you at all. That option died with Underwood.

The other onion email services all have a clearnet translation. So if (for example) I give a gmail user this address:

foo@yllvy3mhtamstbqzm4wucfwab57ap6zraxqvkjn2iobmrtxdsnb37dqd.onion

and they are motivated to reach me, they can figure out that the corresponding clearnet alias is foo(/at/)onionmail.info and then they can use that address to send me a msg that is then shared with their surveillance advertiser. And worse, that’s less effort for them than obtaining an onion email account.

So what I do now is give an XMPP account. Since Google has abandoned jabber and MS never partook, XMPP avoids Google and MS. But XMPP is not a drop-in replacement for email. OMEMO is glitchy/buggy with pitfalls.

I would like to offer an email option. Ideally, an onion email service would offer a clearnet alias that cannot be determined from the onion address, which implies a different userid string.

 

Those who condemn centralised social media naturally block these nodes:

  • #LemmyWorld
  • #shItjustWorks
  • #LemmyCA
  • #programmingDev
  • #LemmyOne
  • #LemmEE
  • #LemmyZip

The global timeline is the landing page on Mbin nodes. It’s swamped with posts from communities hosted in the above shitty centralised nodes, which break interoperability for all demographics that Cloudflare Inc. marginalises.

Mbin gives a way for users to block specific magazines (Lemmy communities), but no way to block a whole node. So users face this very tedious task of blocking hundreds of magazines which is effectively like a game of whack-a-mole. Whenever someone else on the Mbin node subscribes to a CF/centralised node, the global timeline gets polluted with exclusive content and potentially many other users have to find the block button.

Secondary problem: (unblocking)
My blocked list now contains hundreds of magazines spanning several pages. What if LemmEE decides one day to join the decentralised free world? I would likely want to stop blocking all communities on that node. But unblocking is also very tedious because you have to visit every blocked magazine and click “unblock”.

the fix


① Nix the global timeline. Lemmy also lacks whole-node blocking at the user level, but Lemmy avoids this problem by not even having a global timeline. Logged-in users see a timeline that’s populated only with communities they subscribe to.

«OR»

② Enable users to specify a list of nodes that they want filtered out of their view of the global timeline.

 

The “disobey”¹ onionmail server has been accepting my POP3 logins without issue for months/years. There has been “no new messages” for as long as I can remember and I have also not sent mail for a long time. Then I tried sending myself a message and I get “500 Mailbox full”. Yet my inbox is empty.

It’s quite disturbing because I have no idea when the admin apparently decided out of the blue to delete my account. It might have an automated removal, perhaps due to such sparse/rare traffic. But regardless, it makes it hard to trust any #onionmail server because they all run the same code. This same scenario occurred on another onionmail server as well.

Does anyone here use onionmail?

¹ a5dkbvgakon2lxmauleiizkv6i3s36wp6w3i32a3buc4xmtdnbttmryd.onion

 

While composing this post the Lemmy web client went to lunch. This is the classic behaviour of Lemmy when it has a problem. No error, just infinite spinner. After experimentation, it turns out that it tries to be smart but fails when treating URLs written with the gemini:// scheme.

(edit) It’s probably trying to visit the link for that convenience feature of pre-filling the title. If it does not recognise the scheme, it should just accept it without trying to be fancy. It likely screws up on other schemes as well, like dict, ftp, news, etc.

The workaround is to embed the #Gemini link in the body of the post.

 

The linked¹ #gemini article is the political platform of the French green party in Belgium w.r.t. digital rights. It was translated from French.

I’m overall impressed enough to vote for them. But I do have some concerns:

“At the Belgian level, we propose to establish a legal guarantee of 5 years for new electronic devices.”

Yikes, waaay too short. Needs to be at least 10 years. But it helps that they advocate FOSS:

“Generalize the ability to use free software on all devices to decrease software obsolescence.”

Though this statement is far too vague. If a maker of hardware with proprietary non-free software only gives 5 years of support, there needs to be a legal obligation that they port FOSS to the device at the end of the warranty. This is missing in the green party’s plan.

A lot of other things are missing in their plan, but generally their principles are sensible.

¹ (edit) actually it cannot be linked using the URL field due to a #LemmyBug. But at least it was linkable in the msg body.

 

I think the stock Lemmy client stops you from closing a browser tab if you have an editor open on a message, to protect you from accidental data loss.

Mbin does not.

 

A vast majority of the fediverse (particularly the threadiverse) is populated by people who have no sense of infosec or privacy, who run stock browsers over clearnet (e.g. #LemmyWorld users, the AOL users of today). They have a different reality than street wise people. They post a link to a page that renders fine in the world they see and they are totally oblivious to the fact that they are sending the rest of the fediverse into an exclusive walled garden.

There is no practical way for street wise audiences to signal “this article is exclusive/shitty/paywalled/etc”. Voting is too blunt of an instrument and does not convey the problem. Writing a comment “this article is unreachable/discriminatory because it is hosted in a shitty place” is high effort and overly verbose.

the fix


The status quo:

  • (👍/👎) ← no meaning.. different people vote on their own invented basis for voting

We need refined categorised voting. e.g.

  • linked content is interesting and civil (👍/👎)
  • body content is interesting and civil (👍/👎)
  • linked article is reachable & inclusive (👎)¹
  • linked is garbage free (no ads, popups, CAPTCHA, cookie walls, etc) (👍/👎)

¹ Indeed a thumbs up is not useful on inclusiveness because we know every webpage is reachable to someone or some group and likely a majority. Only the count of people excluded is worth having because we would not want to convey the idea that a high number of people being able to reach a site in any way justifies marginalization of others. It should just be a raw count of people who are excluded. A server can work out from the other 3 voting categories the extent by which others can access a page.

From there, how the votes are used can evolve. A client can be configured to not show an egalitarian user exclusive articles. An author at least becomes aware that a site is not good from a digital rights standpoint, and can dig further if they want.

update


The fix needs to expand. We need a mechanism for people to suggest alternative replacement links, and those links should also be voted on. When a replacement link is more favorable than the original link, it should float to the top and become the most likely link for people to visit.

1
submitted 2 months ago* (last edited 2 months ago) by freedomPusher@sopuli.xyz to c/bugs@sopuli.xyz
 

Some will regard this as an enhancement request. To each his own, but IMO *grep has always had a huge deficiency when processing natural languages due to line breaks. PDFGREP especially because most PDF docs carry a payload of natural language.

If I need to search for “the.orange.menace” (dots are 1-char wildcards), of course I want to be told of cases like this:

A court whereby no one is above the law found the orange  
menace guilty on 34 counts of fraud..

When processing a natural language a sentence terminator is almost always a more sensible boundary. There’s probably no command older than grep that’s still in use today. So it’s bizarre that it has not evolved much. In the 90s there was a LexisNexis search tool which was far superior for natural language queries. E.g. (IIRC):

  • foo w/s bar :: matches if “foo” appears within the same sentence as “bar”
  • foo w/4 bar :: matches if “foo” appears within four words of “bar”
  • foo pre/5 bar :: matches if “foo” appears before “bar”, within five words
  • foo w/p bar :: matches if “foo” appears within the same paragraph as “bar”

Newlines as record separators are probably sensible for all things other than natural language. But for natural language grep is a hack.
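As an added illustration that is not part of the original post, the following sketch treats the sentence terminator as the record boundary and implements the four proximity operators listed above. All function names and the sample text are constructed for this example, and the operator semantics follow the post's description.

```python
import re

# Constructed sample: the post's example sentence, wrapped across a line break.
SAMPLE = (
    "A court whereby no one is above the law found the orange  \n"
    "menace guilty on 34 counts of fraud.. The verdict was read\n"
    "aloud on a Thursday.\n\n"
    "A second paragraph mentions fraud but not the court."
)

def sentences(text):
    """Sentences with line breaks folded to single spaces.
    Naive splitter: abbreviations such as 'e.g.' also end a sentence."""
    flat = re.sub(r"\s+", " ", text).strip()
    return [s for s in re.split(r"(?<=[.!?])\s+", flat) if s]

def words(text):
    return re.findall(r"\w+", text.lower())

def grep_lines(pattern, text):
    """What line-oriented grep does: one record per newline."""
    return [l for l in text.splitlines() if re.search(pattern, l, re.I)]

def grep_sentences(pattern, text):
    """Same regex, but the record boundary is the sentence terminator."""
    return [s for s in sentences(text) if re.search(pattern, s, re.I)]

def near(a, b, text, n, ordered=False):
    """'a w/N b' (either order) or, with ordered=True, 'a pre/N b'."""
    w = words(text)
    pa = [i for i, x in enumerate(w) if x == a.lower()]
    pb = [i for i, x in enumerate(w) if x == b.lower()]
    return any(0 < (j - i if ordered else abs(j - i)) <= n
               for i in pa for j in pb)

def same_unit(a, b, units):
    """True if both words occur in one of the given text units."""
    return any({a.lower(), b.lower()} <= set(words(u)) for u in units)

def same_sentence(a, b, text):      # 'a w/s b'
    return same_unit(a, b, sentences(text))

def same_paragraph(a, b, text):     # 'a w/p b'
    return same_unit(a, b, re.split(r"\n\s*\n", text))

if __name__ == "__main__":
    print(grep_lines(r"the.orange.menace", SAMPLE))      # line grep misses it
    print(grep_sentences(r"the.orange.menace", SAMPLE))  # sentence grep finds it
```

For PDFs, the same functions can be applied to text extracted beforehand; the extraction step is outside this sketch.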

 

cross-posted from: https://sopuli.xyz/post/13155149

other people’s iPhones more intrusive than other people’s droids


According to the linked research, all iPhones are spying on everyone within Wi-Fi range. If your phone of any kind is squawking wi-fi, all in-range iPhones are grabbing various bits of data like your MAC address and the SSIDs your phone normally looks for (e.g. your home SSID) and reporting that back to Apple along with time and location data. The same study could not say the same for Google. So other people’s iPhones are more of a privacy intrusion to you than other people’s droids.

your own iPhone is less intrusive than your own droid when navigating


However, another study shows an inversion between Apple and Google when it comes to what you own and use for navigation. If you use an iPhone for navigation, the iPhone will only send one or two BSSIDs near you to Apple’s server, and the server then floods you with detailed information about other possible BSSIDs around you and their position, so your own device computes your precise location, not Apple’s servers.

Whereas if you navigate using Google’s location services, your device feeds everything to Google and Google’s server does all the work, computes your precise location, and tells you. This is of course more intrusive because Google learns your precise location and time, and (IMO) is likely interested in whatever shop you might be in.

These two studies actually seem superficially contradictory. But there is a difference between ratting out other portable devices and reporting stationary devices.

free-world proponents might be able to exploit Apple for better nav


In any case, the take-away for people living in the free world: forget about using Google Location Services to improve your navigation if you do not want to feed Google your precise location. OTOH, there seems to at least be a theoretical possibility for people not pawned by tech giants to use Apple’s API to get better-than-GPS navigation. Though I suspect it would mean many people would have to share someone’s sacrificial Apple account or get burner accounts.

I’m always on the lookout for ways to improve my shitty navigation on a deGoogled phone that’s limited to a slow energy hungry GPS receiver -- without feeding the baddies.

[–] freedomPusher@sopuli.xyz 0 points 9 months ago* (last edited 9 months ago) (1 children)

How is philosophy orthogonal to religion?

When a group claims rights to practice their religion because being forced to go against their religion is unconscionable, and they are rightfully granted their religious freedom while another non-religious group equally considers the same force to be unconscionable, but lacks the shield of religious freedom (as they don’t follow a religious text that’s relevant to the matter), how is that not a philosophical discussion?

If you went to a university to get an answer to this, which discipline would you pose the question to if not the philosophy department?
