Privacy

Archived version

[...]

The inquiry will focus on whether TikTok adequately informs users about its advertising policies and provides them with the opportunity to opt in rather than opt out.

[...]

Concerns have been raised that TikTok, owned by the Chinese company ByteDance, does not fully disclose the details of its terms of service and privacy policy at the time users sign up. Under South Korean law, digital platforms are required to give users the freedom to decide if they wish to receive marketing communications, ensuring that consent is obtained clearly and transparently prior to any such communications being sent.

[...]

The [South Korean media regulator Korea Communications Commission] KCC's probe into TikTok comes amidst a broader global conversation about the responsibilities of social media platforms in protecting user data. As authorities worldwide seek to enforce stricter data protection measures, companies must navigate complex legal landscapes to maintain user trust and compliance.

[...]

I call my credit card supplier to make a payment over the phone. This is because other payment methods are a shitshow¹. The robot says it will record my voice and use it for verification purposes. I’m not okay with that so I press buttons until a human comes on. I order the payment to draw from a checking acct. Then the operator transferred me a bot that said “state your name to confirm this payment”. Now what? I was trapped.

I wonder if this is something I should be giving a shit about. My data is routinely exfiltrated by criminals. I’m not sure if voice prints are being stolen in that way or how they might be used. Perhaps voice print is even more secure for the consumer. If the voiceprint cannot be used to create a voice, only to verify it, then a voice print may even be less useful for criminals than security questions. Any thoughts on this?

¹ (billpay is outsourced likely to a privacy abuser; will not do autopay because I want control [the purpose of privacy]; mailing a paper check is best for privacy but cannot be bothered for various reasons).

One of my banks is threatening to freeze my account unless I disclose my residential address where I sleep at night (with proof! Thus all info that proof comes with). Their privacy policy starts with the standard “we take privacy seriously” then they go on to say deeper in the doc that they may share my personal info around to the full extent allowed by law (using weasel words that try to imply the contrary to sloppy/fast readers), vaguely to credit bureaus (who I have no contract with and who will share the data further, or leak it in a breach). This bank claims “regulations require…” No, they do not. The regs say they must collect residential address OR business address, or if those are not available an address to a family member. So the bank is bullshitting.

At the same time, another bank says in so many words: sorry to inform you we were breached. Cyber criminals have all your sensitive info. We take privacy and security seriously. We offer you a credit monitoring subscription to compensate you. If you are interested, you can share your sensitive info with that monitoring org, who in turn will share the info with their subcontractors. And anonymous access is blocked so you must also share your IP address.

In light of these two shitty¹ banks, I would like to give a big fuck you to those who say:

• “You don’t want your bank to know where you live? What are you hiding? What kind of dodgy shit are you into?”
• “You expect your bank to let you access your account from Tor? LOL. Why don’t you trust your bank with your IP address? Why don’t you want your ISP to know where you bank? What kind of dodgy shit are you into?”
• Bruce Schneiere: “cryptocurrency is a solution looking for a problem”
• “Cash is for tax evaders. You have no legitimate cause to demand cash payment or to pay in cash.”
• “A cashless society protects us from criminals & money launderers”

In the very least, we need a general right to be unbanked.

¹ I don’t mean two imply these to banks are exceptionally shitty. They are just like any bank. All banks, credit unions, etc, are shitty in the same way.

(edit) Bank B also waited several months after they knew of the breach to inform me. So I imagine there were months of backroom chatter: “can we hide this? Do we have to tell the press and the victims?” They must have spent those months debating about whether or not to tell victims.

cross-posted from: https://slrpnk.net/post/13145612

> (edit) Would someone please ship some counterfeit money through there and get it confiscated, so the police can then be investigated for spending counterfeit money?

cross-posted from: https://slrpnk.net/post/11937000

> The article is normally paywalled but I prefixed 12ft.io/ to it, which worked for me. Google supposedly quit caching websites but old caches are still reachable with 12ft.io. > > The UK’s GDPR might make it hard for banks to use people’s purchase data to derive their alcohol & tobacco habits, so apparently banks have to rely on interviews. Still, it would be foolish to rely on the GDPR. There are also stories of banks looking at spending data to deny mortgages, which I would guess is happening in a place without privacy safeguards like the US. > > I’ll quote the article here as well: > > > Homebuyers could be forced to provide detailed information about the amount of money they spend on alcohol each month to qualify for a new mortgage under a new clampdown on reckless lending. > > > > In a sweeping review of the mortgage market published today, the Financial Services Authority (FSA) said lenders needed to be far more rigorous about their financial checks of potential borrowers. > > > > It said lenders should delve deeper into homebuyers’ personal spending including the amount they spend on alcohol and tobacco. > > > > Spending on shoes, clothes and childcare could also be assessed under a new, industry-wide “affordability test”. > > > > At present, the FSA does not prescribe rules about assessing a consumers’ ability to repay a mortgage and practices vary from one lender to the next. > > > > In its document, the City regulator said: “There is clearly a responsibility on all lenders to extend credit only where a consumer can afford it and, in our view, a robust assessment of both income and expenditure is key to ensuring affordable mortgages. > > > > “We propose to require all lenders to assess the level of a consumer’s expenditure in determining the affordability of a mortgage product, to ensure that lending decisions are based on a consumer’s free disposable income.” > > > > It conceded though that there were some flaws with its plan with consumers potentially underestimating their spend or “failing to incorporate past experiences into their budgeting”. > > > > The new measures, which aim to stamp out risky lending that has been criticised for compounding the financial crisis and tipping hundreds of thousands of homebuyers into negative equity, also include a plan to ban self-certified mortgages, dubbed “liar’s loans”, and to stop lenders from exploiting consumers who have fallen behind on their mortgage payments. > > > > It also proposed that the FSA should regulate mortgages for landlords for the first time. > > > > Self-certification mortgages were aimed at self-employed people with irregular incomes. The mortgages, which did not require proof of income, accounted for one third of new loans in 2007. > > > > Their proposed banning was first revealed in The Times last week. > > > > But the FSA stopped short of ruling out “supersized mortgages” by introducing caps on loan-to-value, loan-to-income or debt-to-income multiples. > > > > Such mortgages were typified by Northern Rock which, at the height of the housing boom, offered 125 per cent home loan deals. > > > > Gordon Brown wrote in a newspaper article at the weekend that it was “critical we end reckless banking practices that have left so many people worried about their finances”. > > > > Jon Pain, managing director of supervision at the FSA, said: “The mortgage market has seen extraordinary upheaval over the past 18 months and while it has worked well for the vast majority of borrowers, some have suffered great financial distress. We recognise that we need to bring about a step change in regulation.” > > > > He said there had been a “mutual assumption by too many borrowers and lenders that the good times could not end.” > > > > The new reforms, he said, would ensure firms “only lend to people who can afford to pay back the money”. > > > > But mortgage experts questioned the ease of imposing some of the new measures and expressed concern about the possible impact on homebuyers. > > > > Ray Boulger, mortgage expert at John Charcol, said the new affordability test could prove difficult to implement. “I think it will be very difficult in practice to go into too much detail,” he said. > > > > Homebuyers, he said, often forget the detail of their spending. “They will remember the weekly shop but not the £3 they spend on a sandwich each day.” > > > > Paul Broadhead, head of mortgage policy at the Building Societies Association, said he had “significant reservations about the possible unintended consequences of some of the ideas.” > > > > He said: “We believe that home ownership is something that should be encouraged, and it is vital that lenders retain the flexibility to respond to the very individual financial circumstances of individual borrowers.” > > > > He added that self-certification mortgages were suitable for a minority of people and that an outright ban was “not appropriate.” > > > > The Council of Mortgage Lenders said it was “important that the principle of consumer responsibility is not lost in such a regulatory environment, as it is a basic tenet upon which transactions of all kinds between firms and consumers rely”. > > > > The report said there was a “clear and non-controversial case” for banning self-certification mortgages, instead compelling lenders to insist that customers provide evidence of their income. > > > > “Our analysis shows that self-cert borrowers take out larger loan amounts than borrowers with standard products and fall into arrears much more frequently. To address these issues we propose to require verification of income for all mortgage applications,” it said. > > > > The loans have been vilified as a significant contributor to the banks’ toxic loans problem because some customers have lied about their income. Defaults on self-cert repayments have been at much higher rates than the industry average. > > > > HBOS and Bradford & Bingley were among the biggest self-cert lenders. HBOS was sold to Lloyds TSB in a rescue deal in September last year and B&B collapsed and had to be partially nationalised. > > > > The plan to bring mortgages for landlords into the FSA’s scope for the first time was necessary the regulator said because of the big part the industry had played in “fuelling property price appreciation” > > > > The FSA said: “As well as being a general contributor, buy-to-let funding funding has particularly helped to inflate prices of certain property types and locations such as city centre apartments. > > > > “The overall impact on house prices inevitably has implications for our interest in the sustainability of the mortgage market.” > > > > The market for buy-to-let mortgages has grown rapidly. Gross advances grew from £3.1 billion in 1999 to £44.6 billion in 2007. > > > > The paper has been put out for consultation until early next year with a “feedback statement” to be published in March.

Any tech finance folks know what information ATMs get from bank cards?

I found a few articles on how ATMs work:

• https://web.archive.org/web/20240301022054/https://www.nasatm.com/pages/how-do-atms-work
• https://money.howstuffworks.com/personal-finance/banking/atm.htm
• https://web.archive.org/web/20240712072800/https://www.investopedia.com/terms/a/atm.asp

Those articles all skip the crucial details that privacy embracing users would care about: what all info is on the bank card that ATMs have access to and what does the ATM machines do with it?

In principle, I could only imagine that an ATM would get non-personal details like a card №, acct №, card type, and issuing bank -- not necessarily the card holder’s name or address. I would like to know for certain though. I need to file a complaint against an ATM network and so it matters who the target of my action knows about me. If I disclose the card number connected to transactions I am complaining about to a mediator who shares that with the ATM operator, could the ATM network/operator then obtain my name and retaliate against me for complaining / whistle blowing by blocking all my cards?

cross-posted from: https://sopuli.xyz/post/12558862

> So here’s a disturbing development. Suppose you pay cash to settle a debt or to pay for something in advance, where you are not walking out of the store with a product. You obviously want a receipt on the spot proving that you handed cash over. This option is ending. > > It’s fair enough that France wants to put a stop to people receiving paper receipts they don’t want, which then litter the street. But it’s not just an environmental move; there is a #forcedDigitalTransformation / #warOnCash element to this. From the article: > > > In Belgium: since 2014, merchants can choose to provide a paper or digital receipt to their customers, if they¹ request it. > > What if I don’t agree to share an email address with a creditor? What if the creditor uses Google or Microsoft for email service, and I boycott those companies? Boycotting means not sharing any data with them (because the data is profitable). IIUC, the Belgian creditor can say “accept our Microsoft-emailed receipt or fuck off.” If you don’t carry a smartphone that is subscribed to a data plan, and trust a smartphone with email transactions, then you cannot see that you’ve received the email before you leave after paying cash. Even if you do have a data plan and are trusting enough to use a smartphone for email, and you trust all parties handling the email, there is always a chance the sender’s mail server is graylisted, which means the email could take a day to reach you. Not to mention countless opportunities for the email to fail or get lost. > > It’s such a fucked up idea to let merchants choose. If it’s a point of sale, then no problem… I can simply walk if they refuse a paper receipt (though even that’s dicey because I’ve seen merchants refuse instant returns after they’ve put your money in the cash register). > > But what about creditors? If you owe a debt and the transaction fails because they won’t give you a paper receipt and you won’t agree to info sharing with a surveillance advertiser, then you can be treated as a delinquent debtor. > > Google, Facebook, Amazon, and Microsoft must be celebrating these e-receipts because they have been working quite hard to track people’s offline commerce. > > It’s obviously an encroachment of the data minimisation principle under the #GDPR. More data is being collected than necessary. > > ¹ This is really shitty wording. Who is /they/? If it’s the customer, that’s fine. But in that case, why did the sentence start with “merchants can choose…”? Surely it can only mean merchants have the choice if they make a request to regulators.

I’m looking for an email service that issues email addresses with an onion variant. E.g. so users can send a message with headers like this: From: replyIfYouCan@hi3ftg6fgasaquw6c3itzif4lc2upj5fanccoctd5p7xrgrsq7wjnoqd.onion To: someoneElse@clearnet_addy.com I wonder if any servers in the onionmail.info pool of providers can do this. Many of them have VMAT, which converts onion email addresses to clearnet addresses (not what I want). The docs are vague. They say how to enable VMAT (which is enabled by default anyway), and neglect to mention how to disable VMAT. Is it even possible to disable VMAT? Or is there a server which does not implement VMAT, which would send msgs to clearnet users that have onion FROM addresses?

I've heard and read recently about a warrant that shows that the US government is monitoring push notifications on iOS and Android. This is possible because push notifications mostly work remotely, using "push notification post office" servers at Apple and Google.

I am aware that certain apps; such as Threema, Signal, Proton, Tuta, and others; use their own servers for push, but not all apps will do this. If I was to run a deGoogled Android ROM or an alternative mobile OS, how would push notifications be handled? And is there an option that doesn't involve a central server at all?

Is there some way to really know when you microphone is being used on android 13? I know there are notifications for it if applications are using it and it might even display some icon, but that doesnt really help if the phone is in my pocket.

In f-droid, there used to be application called vigilante that did this, but it's development was discontinued because apparently its features are part of android itself now, according to its github page.

I also don't know if the system itself can be trusted to always tell me. I started thinking about it more when I noticed that google play wants to update some 'qualcomm voice assist' application that was installed without my permission and isnt even displayed on the list of applications. I also cant modify its permissions so i have to assume it has permission to do anything.

So is there any program or anything that lets you know when mic is recording and maybe even if phone is transmitting that information, even if android itself isnt telling me about it.

I wish i could just install some better operating system, but that isnt an option for me at the moment.

Cloudflare blocking medical information

I was having some medical problems involving increasing pain coupled with a somewhat terrifying symptom. I did a web search to work out what I might be dealing with & whether going to the ER was essential or whether it was just a matter of pain tolerance. I use Tor for everything -- but especially for healthcare matters. It would be foolish to step outside of Tor and compromise sensitive medical data. Most of the search hits that looked useful were sites giving medical information from behind anti-tor firewalls, many of which are Cloudflare. My usual circumvention of using archive.org was broken. For some reason archive.org simply gives a “cannot connect” msg, lately. I get the impression archive.org has started blacklisting fingerprints of frequent users because changing browsers and window geometry often solves the problem.

I found one article saying the need for ER is really just a matter of pain but I would have liked to see more articles saying the same thing. During my search which was mostly thwarted by an enshitified tor-hostile web, the pain intensified to a point where I simply had to go to the ER.

Security nannying interferes with family comms

I’m only connected to my family over Wire & XMPP. The iPhone version of the xmpp app my family uses drops the ball on notifications, so #XMPP was effectively a black hole. (This is possibly a defect in the iPhone system and may not even be an app-specific issue.. an honest bug regardless)

The #Wire app developers decided at some point that my AOS version was unacceptable so they coded a self-destruction mechanism in the app. The incompetence of their nannying manifested into a mostly broken app. If someone msgs me on Wire, the app shows just as much text of each msg that fits on the notifications screen in one line. Effectively, the first 5 or so words on inbound msgs and no way to see the whole msg and no way to send an outbound msg of any kind.

So I could not notify my family due to #securityNannying. There are often cases where a developer appoints themselves as an authority on security and decides for everyone (who they effectively perceive as children) whether the user’s unknown security model is compatible with the level of security the app gives. E.g. a typical manifestation of security nannying is when a project removes an encryption algorithm because they arbitrarily think it’s too old. Too weak for what use-case? They cannot know all the ways the tool is used. Sometimes the two endpoints are both on the LAN (or potentially over a sufficiently secure VPN tunnel), in which case app-level encryption is often not even needed. Yet a project will decide to nix an algo and two differing implementations lose interoperability. Why not have a popup warning and allow adults to make an adult decision as to whether the security circumstances are suitable for the situation?

Hospital staff insist on using Google

Anyway, in ER I’m asked for my email address by someone who handles finances. I supplied it without thinking (mind was elsewhere). When I got out of the hospital I did an MX lookup on her address before she could send a msg. Google! WTF… no, I do not consent to Google having a view of my health records. So before she sent anything I requested erasure of my email address and supplied my snail mail address (which she likely already had). She was supposed to followup with financial aid information. But she never did. I can only guess that her take was apparently that if I’m unwilling to make it easy on her by allowing her to use Gmail, then she’s not willing to cooperate on the financing situation.

Human rights

Healthcare and privacy (esp. privacy OF heath data) are both human rights. When we are forced to choose between two obviously human rights are not being protected.

cross-posted from: https://sopuli.xyz/post/4070141

> So I've been using Kagi for a while now as a paid search engine. I always thought it's $25 a month plan was a little steep for search, but a) I got work to pay for it, and b) startpage nee google was getting less and less useful, and bing and whatever used it has... well been worse for me always. > > Anyway, I just got told that they've now adjusted their pricing / added features to Ultimate, and I think (at least now) that's actually added a lot of value if you're into the more advanced LLVM / AI models / chat. I have also been paying $20 a month through work for ChatGPT Plus. I might drop that because Kagi now lets you chat with / use GPT4 as well as Claude2 and a Google LLVM model with the one $25 a month, in addition to all the search and AI Search (with sourcing) together. > > I don't know how well paid search is going to ever do - it might be a short term tool. But for now, not having ads in the search, a straightforward pay for service model that seems to work just as well with their stated privacy goals, and getting multiple AI LLVM is pretty cool "one stop shopping" if you will. I also like giving a shot to alternate models that might be more privacy focused.

(Also, I am aware that using an iPhone is not great for privacy. Please stop telling me.)

cross-posted from: https://slrpnk.net/post/2475061

> I went to a cafe in Amsterdam which turned out to not only be cashless, but their payment processor was “Zettle”. Zettle is owned by #PayPal (who shares customer data with over 600 corporations). > > So my question is, apart from the expected privacy consequence of your bank & the recipient’s bank recording your transaction, what does Paypal walk away with? Paypal is a data-abusing US-based company. But OTOH the shop is in a #GDPR region. Does the GDPR give any protection in this case? > > IIUC, customers consent by default to their data being processed by the merchant & whoever the merchant hires (Paypal), and from there whoever paypal shares with & on down the endless chain. The only notable GDPR protection I can think of is that the data must remain in the EU. So the transaction data cannot be sent to Paypal’s servers in the USA -- correct? > > BTW, I asked the owner why he trusts Zettle & also why he does not accept cash. He conceded right away that he didn’t like it either. He said he’s cashless for security and that when he looked at a number of electronic payment systems, Zettle was the cheapest. For me, “cheapest” is a red flag. It’s probably cheap because the data is probably being monetized. > > Concrete question: if an American feeds a US-issued credit card into a #Zettle terminal to buy a creme-filled artery-hardening pastry in Amsterdam, is there anything to stop Paypal from doing the processing on the US-side of the transaction before selling that info to a US health insurance company?

I am currently a LibreWolf user, but I am also aware of Arkenfox User.js, which I am led to believe offers similar features.

Which is better?

uh-oh

Searching for replacement for Bibliogram, I found an website called imgsed.com .

It was sufficient to my needs.

One problem was that it seemed to fetch only a few comments of a post.

Here's the website's own About page:

>imgsed.com is an online instagram backup tool that helps users save instagram photos through the instagram public API.

> imgsed.com can't verify user information, so you need to pay attention to the copyright when downloading photos.

> If you do not wish to be downloaded, please submit your information remove account

ETA:

Apparently it has crazy much ads, so use of adblocker is very much advised!

Check the article for the relation to privacy

Does there exist a smart scale that respects privacy? perhaps it has an app that will be able to show trends and history but does all processing in app or if it does go to a server then the company can be trusted with that data?

cross-posted from: https://lemmy.perthchat.org/post/193914

> All the activists i know irl use facebook to coordinate sometimes illegal activity

A look at diversity of authoritative NS records in gTLDs.

I think we need a viable alternative that is not controlled by SPOF.

French data protection authority fined Discord for: >Failure to define and respect a data retention period appropriate to the purpose (Article 5.1.e of the GDPR)

>Failure to comply with the obligation to provide information (Article 13 of the RGPD)

>Failure to ensure data protection by default (Article 25.2 of the GDPR)

>Failure to ensure the security of personal data (Article 32 of the GDPR)

>Failure to carry out a data protection impact assessment (Article 35 of the GDPR)

Not surprising..