Privacy

cross-posted from: https://sopuli.xyz/post/12558862

> So here’s a disturbing development. Suppose you pay cash to settle a debt or to pay for something in advance, where you are not walking out of the store with a product. You obviously want a receipt on the spot proving that you handed cash over. This option is ending. > > It’s fair enough that France wants to put a stop to people receiving paper receipts they don’t want, which then litter the street. But it’s not just an environmental move; there is a #forcedDigitalTransformation / #warOnCash element to this. From the article: > > > In Belgium: since 2014, merchants can choose to provide a paper or digital receipt to their customers, if they¹ request it. > > What if I don’t agree to share an email address with a creditor? What if the creditor uses Google or Microsoft for email service, and I boycott those companies? Boycotting means not sharing any data with them (because the data is profitable). IIUC, the Belgian creditor can say “accept our Microsoft-emailed receipt or fuck off.” If you don’t carry a smartphone that is subscribed to a data plan, and trust a smartphone with email transactions, then you cannot see that you’ve received the email before you leave after paying cash. Even if you do have a data plan and are trusting enough to use a smartphone for email, and you trust all parties handling the email, there is always a chance the sender’s mail server is graylisted, which means the email could take a day to reach you. Not to mention countless opportunities for the email to fail or get lost. > > It’s such a fucked up idea to let merchants choose. If it’s a point of sale, then no problem… I can simply walk if they refuse a paper receipt (though even that’s dicey because I’ve seen merchants refuse instant returns after they’ve put your money in the cash register). > > But what about creditors? If you owe a debt and the transaction fails because they won’t give you a paper receipt and you won’t agree to info sharing with a surveillance advertiser, then you can be treated as a delinquent debtor. > > Google, Facebook, Amazon, and Microsoft must be celebrating these e-receipts because they have been working quite hard to track people’s offline commerce. > > It’s obviously an encroachment of the data minimisation principle under the #GDPR. More data is being collected than necessary. > > ¹ This is really shitty wording. Who is /they/? If it’s the customer, that’s fine. But in that case, why did the sentence start with “merchants can choose…”? Surely it can only mean merchants have the choice if they make a request to regulators.

I’m looking for an email service that issues email addresses with an onion variant. E.g. so users can send a message with headers like this: From: replyIfYouCan@hi3ftg6fgasaquw6c3itzif4lc2upj5fanccoctd5p7xrgrsq7wjnoqd.onion To: someoneElse@clearnet_addy.com I wonder if any servers in the onionmail.info pool of providers can do this. Many of them have VMAT, which converts onion email addresses to clearnet addresses (not what I want). The docs are vague. They say how to enable VMAT (which is enabled by default anyway), and neglect to mention how to disable VMAT. Is it even possible to disable VMAT? Or is there a server which does not implement VMAT, which would send msgs to clearnet users that have onion FROM addresses?

I've heard and read recently about a warrant that shows that the US government is monitoring push notifications on iOS and Android. This is possible because push notifications mostly work remotely, using "push notification post office" servers at Apple and Google.

I am aware that certain apps; such as Threema, Signal, Proton, Tuta, and others; use their own servers for push, but not all apps will do this. If I was to run a deGoogled Android ROM or an alternative mobile OS, how would push notifications be handled? And is there an option that doesn't involve a central server at all?

Is there some way to really know when you microphone is being used on android 13? I know there are notifications for it if applications are using it and it might even display some icon, but that doesnt really help if the phone is in my pocket.

In f-droid, there used to be application called vigilante that did this, but it's development was discontinued because apparently its features are part of android itself now, according to its github page.

I also don't know if the system itself can be trusted to always tell me. I started thinking about it more when I noticed that google play wants to update some 'qualcomm voice assist' application that was installed without my permission and isnt even displayed on the list of applications. I also cant modify its permissions so i have to assume it has permission to do anything.

So is there any program or anything that lets you know when mic is recording and maybe even if phone is transmitting that information, even if android itself isnt telling me about it.

I wish i could just install some better operating system, but that isnt an option for me at the moment.

Cloudflare blocking medical information

I was having some medical problems involving increasing pain coupled with a somewhat terrifying symptom. I did a web search to work out what I might be dealing with & whether going to the ER was essential or whether it was just a matter of pain tolerance. I use Tor for everything -- but especially for healthcare matters. It would be foolish to step outside of Tor and compromise sensitive medical data. Most of the search hits that looked useful were sites giving medical information from behind anti-tor firewalls, many of which are Cloudflare. My usual circumvention of using archive.org was broken. For some reason archive.org simply gives a “cannot connect” msg, lately. I get the impression archive.org has started blacklisting fingerprints of frequent users because changing browsers and window geometry often solves the problem.

I found one article saying the need for ER is really just a matter of pain but I would have liked to see more articles saying the same thing. During my search which was mostly thwarted by an enshitified tor-hostile web, the pain intensified to a point where I simply had to go to the ER.

Security nannying interferes with family comms

I’m only connected to my family over Wire & XMPP. The iPhone version of the xmpp app my family uses drops the ball on notifications, so #XMPP was effectively a black hole. (This is possibly a defect in the iPhone system and may not even be an app-specific issue.. an honest bug regardless)

The #Wire app developers decided at some point that my AOS version was unacceptable so they coded a self-destruction mechanism in the app. The incompetence of their nannying manifested into a mostly broken app. If someone msgs me on Wire, the app shows just as much text of each msg that fits on the notifications screen in one line. Effectively, the first 5 or so words on inbound msgs and no way to see the whole msg and no way to send an outbound msg of any kind.

So I could not notify my family due to #securityNannying. There are often cases where a developer appoints themselves as an authority on security and decides for everyone (who they effectively perceive as children) whether the user’s unknown security model is compatible with the level of security the app gives. E.g. a typical manifestation of security nannying is when a project removes an encryption algorithm because they arbitrarily think it’s too old. Too weak for what use-case? They cannot know all the ways the tool is used. Sometimes the two endpoints are both on the LAN (or potentially over a sufficiently secure VPN tunnel), in which case app-level encryption is often not even needed. Yet a project will decide to nix an algo and two differing implementations lose interoperability. Why not have a popup warning and allow adults to make an adult decision as to whether the security circumstances are suitable for the situation?

Hospital staff insist on using Google

Anyway, in ER I’m asked for my email address by someone who handles finances. I supplied it without thinking (mind was elsewhere). When I got out of the hospital I did an MX lookup on her address before she could send a msg. Google! WTF… no, I do not consent to Google having a view of my health records. So before she sent anything I requested erasure of my email address and supplied my snail mail address (which she likely already had). She was supposed to followup with financial aid information. But she never did. I can only guess that her take was apparently that if I’m unwilling to make it easy on her by allowing her to use Gmail, then she’s not willing to cooperate on the financing situation.

Human rights

Healthcare and privacy (esp. privacy OF heath data) are both human rights. When we are forced to choose between two obviously human rights are not being protected.

cross-posted from: https://sopuli.xyz/post/4070141

> So I've been using Kagi for a while now as a paid search engine. I always thought it's $25 a month plan was a little steep for search, but a) I got work to pay for it, and b) startpage nee google was getting less and less useful, and bing and whatever used it has... well been worse for me always. > > Anyway, I just got told that they've now adjusted their pricing / added features to Ultimate, and I think (at least now) that's actually added a lot of value if you're into the more advanced LLVM / AI models / chat. I have also been paying $20 a month through work for ChatGPT Plus. I might drop that because Kagi now lets you chat with / use GPT4 as well as Claude2 and a Google LLVM model with the one $25 a month, in addition to all the search and AI Search (with sourcing) together. > > I don't know how well paid search is going to ever do - it might be a short term tool. But for now, not having ads in the search, a straightforward pay for service model that seems to work just as well with their stated privacy goals, and getting multiple AI LLVM is pretty cool "one stop shopping" if you will. I also like giving a shot to alternate models that might be more privacy focused.

(Also, I am aware that using an iPhone is not great for privacy. Please stop telling me.)

cross-posted from: https://slrpnk.net/post/2475061

> I went to a cafe in Amsterdam which turned out to not only be cashless, but their payment processor was “Zettle”. Zettle is owned by #PayPal (who shares customer data with over 600 corporations). > > So my question is, apart from the expected privacy consequence of your bank & the recipient’s bank recording your transaction, what does Paypal walk away with? Paypal is a data-abusing US-based company. But OTOH the shop is in a #GDPR region. Does the GDPR give any protection in this case? > > IIUC, customers consent by default to their data being processed by the merchant & whoever the merchant hires (Paypal), and from there whoever paypal shares with & on down the endless chain. The only notable GDPR protection I can think of is that the data must remain in the EU. So the transaction data cannot be sent to Paypal’s servers in the USA -- correct? > > BTW, I asked the owner why he trusts Zettle & also why he does not accept cash. He conceded right away that he didn’t like it either. He said he’s cashless for security and that when he looked at a number of electronic payment systems, Zettle was the cheapest. For me, “cheapest” is a red flag. It’s probably cheap because the data is probably being monetized. > > Concrete question: if an American feeds a US-issued credit card into a #Zettle terminal to buy a creme-filled artery-hardening pastry in Amsterdam, is there anything to stop Paypal from doing the processing on the US-side of the transaction before selling that info to a US health insurance company?

I am currently a LibreWolf user, but I am also aware of Arkenfox User.js, which I am led to believe offers similar features.

Which is better?

uh-oh

Searching for replacement for Bibliogram, I found an website called imgsed.com .

It was sufficient to my needs.

One problem was that it seemed to fetch only a few comments of a post.

Here's the website's own About page:

>imgsed.com is an online instagram backup tool that helps users save instagram photos through the instagram public API.

> imgsed.com can't verify user information, so you need to pay attention to the copyright when downloading photos.

> If you do not wish to be downloaded, please submit your information remove account

ETA:

Apparently it has crazy much ads, so use of adblocker is very much advised!

Check the article for the relation to privacy

Does there exist a smart scale that respects privacy? perhaps it has an app that will be able to show trends and history but does all processing in app or if it does go to a server then the company can be trusted with that data?

cross-posted from: https://lemmy.perthchat.org/post/193914

> All the activists i know irl use facebook to coordinate sometimes illegal activity

A look at diversity of authoritative NS records in gTLDs.

I think we need a viable alternative that is not controlled by SPOF.

French data protection authority fined Discord for: >Failure to define and respect a data retention period appropriate to the purpose (Article 5.1.e of the GDPR)

>Failure to comply with the obligation to provide information (Article 13 of the RGPD)

>Failure to ensure data protection by default (Article 25.2 of the GDPR)

>Failure to ensure the security of personal data (Article 32 of the GDPR)

>Failure to carry out a data protection impact assessment (Article 35 of the GDPR)

Not surprising..

Google has an automated tool to detect abusive images of children. But the system can get it wrong, and the consequences are serious.

Just what we needed!