Privacy


A place to discuss privacy and freedom in the digital world.

Privacy has become a very important issue in modern society. With companies and governments constantly abusing their power, more and more people are waking up to the importance of digital privacy.

In this community everyone is welcome to post links and discuss topics related to privacy.

much thanks to @gary_host_laptop for the logo design :)

founded 6 years ago
76
 
 

Our latest blog post is aimed at people who 'get it' about online privacy, but who struggle to convince friends and family to take it seriously. We hope it helps!

77
0
submitted 3 weeks ago* (last edited 3 weeks ago) by nkk@programming.dev to c/privacy@lemmy.ml
78
 
 

Cross posted from: https://feddit.uk/post/39979350

[TRANSLATED ARTICLE]

EU chat control comes – through the back door of voluntariness

The EU states have agreed on a common position on chat control. Data protection advocates warn against massive surveillance. What is in store for us?

After lengthy negotiations, the EU states have agreed on a common position on so-called chat control. As can be seen from the minutes of the negotiations of the Council working group, Internet services will in future be allowed to voluntarily search their users' communications for information about crimes, but will not be obliged to do so.

The Danish Council Presidency wants to get the draft law through the Council "as quickly as possible", "so that the trilogue negotiations can begin promptly", the minutes say. Feedback from states should be limited to "absolute red lines".

Consensus achieved

The majority of States supported the compromise proposal. At least 15 spoke in favor, including Germany and France. Germany "welcomed both the deletion of the mandatory measures and the permanent anchoring of voluntary measures", the minutes said.

However, other countries were disappointed. Spain in particular "continued to see mandatory measures as necessary, unfortunately a comprehensive agreement on this was not possible". Hungary also "saw voluntariness as the sole concept as too little".

Spain, Hungary and Bulgaria proposed "an obligation for providers to detect, at least in open areas". The Danish Presidency described the proposal as ambitious, but did not take it up to avoid further discussion.

The organization Netzpolitik.org, which has been reporting critically on chat control for years, sees the plans as a fundamental threat to democracy. "From the beginning, a lobby network intertwined with the security apparatus pushed chat control", writes the organization. “It was never really about the children, otherwise it would get to the root of abuse and violence instead of monitoring people without any initial suspicion.”

Netzpolitik.org argues that "encrypted communication is a thorn in the side of the security apparatus". Authorities have been trying to combat private and encrypted communication in various ways for years.

A number of scholars criticize the compromise proposal, calling voluntary chat control inappropriate. "Their benefits have not been proven, while the potential for harm and abuse is enormous", said one open letter.

According to critics, the planned technology, so-called client-side scanning, would create a backdoor on all users' devices. Netzpolitik.org warns that this represents a "frontal attack on end-to-end encryption, which is vital in the digital world".

The problem with such backdoors is that "not only the supposedly 'good guys' can use them, but also resourceful criminals or other ill-disposed states", argues the organization.

Signal considers withdrawing from the EU

Journalists' associations are also alarmed by the plans. The DJV rejects chat control as a form of mass surveillance without cause and sees source protection threatened, for which encrypted communication is essential. The infrastructure created in this way can be used for political control "in just a few simple steps", said the DJV in a statement.

The messenger service Signal has already announced that it would withdraw from the EU if necessary. Signal President Meredith Whittaker told the dpa: “Unfortunately, if we were given the choice of either undermining the integrity of our encryption or leaving Europe, we would make the decision to leave the market.”

Next steps in the legislative process

The Permanent Representatives of the EU states are due to meet next week on the subject, followed in December by the Ministers of Justice and Home Affairs. These two bodies are due to approve the bill as the Council's official position.

The trilogue then begins, in which the Commission, Parliament and Council must reach a compromise from their three draft laws. Parliament had described the original plans as mass surveillance and called for only unencrypted suspect content to be scanned.

The EU Commission had originally proposed requiring Internet services to search their users' content for information about crimes without cause and to send it to authorities if suspected.

79
 
 

I wanted to share an interesting statistic with you. Approximately 1 out of every 25 people with a Google Pixel phone is running GrapheneOS right now. While it's difficult to get an exact number, we can make educated guesses to get an approximate number.

How many GrapheneOS users are there? According to an estimate released by GrapheneOS today, the number of GrapheneOS devices is approaching 400,000. This estimate is based on the number of devices that downloaded recent GrapheneOS updates. Some users may have multiple devices, such as organizations, and some users may download and flash updates externally, but it's the best estimate we have.

How many Google Pixel users are there? Despite Google's extensive data collection, this one is surprisingly harder to estimate, since Google hasn't released an exact number. There's a number floating around that Google has 4-5% of the smartphone market, which is between 10 million and 13.2 million users in the United States. I can't find the source of where this information came from. That number is problematic, too, because Japan supposedly uses more Google Pixel phones than the United States. The Pixel 9 series was also a big jump in market share for Google. I couldn't find any numbers smaller than 10 million, and it made the math nice, so that is what I went with.

Putting the numbers together, it means that 4% of Google Pixel users are running GrapheneOS. That means in a room of 25 Google Pixel users, 1 of them will be a GrapheneOS user. If you include all custom Android operating systems, that number would certainly be much, much higher.

To put it into perspective, each pixel in this image represents ~5 Google Pixel users. Each white pixel represents that those ~5 people use GrapheneOS:

Even with generous estimates to Google's market share, GrapheneOS still makes up a large portion of their users.

80
 
 

cross-posted from: https://lemmy.ml/post/39190924

Despite heavy criticism from civil society and large parts of the EU Parliament, the EU Commission has now published its proposal for the “Digital Omnibus”. Contrary to the Commission's official press release, these changes are not “maintaining the highest level of personal data protection”, but massively lower protections for Europeans. While having basically no real benefit for average European small and medium businesses, the proposed changes are a gift to US big tech as they open up many new loopholes for their law departments to exploit. Schrems: “This is the biggest attack on Europeans’ digital rights in years. When the Commission states that it ‘maintains the highest standards’, it clearly is incorrect. It proposes to undermine these standards.”

81
 
 

This gets us to the central problem of today’s surveillance state. No one running the cameras wants to be observed. One reason that city officials object to releasing Flock data, for example, must be that they themselves are among the recorded. The cameras are on them too; they too can be tracked. Everything means everything for these everywhere cameras.

82
 
 

cross-posted from: https://feddit.uk/post/39495921

The EU Council seems to agree to the new compromise "without further changes"

  • The EU Council has received a new Chat Control proposal with broad support
  • CSAM scanning would now be voluntary, but with some exceptions
  • Lawmakers met today (November 12) for further discussion

It's official, a revised version of the CSAM scanning proposal is back on the EU lawmakers' table − and is keeping privacy experts worried.

The Law Enforcement Working Party met again this morning (November 12) in the EU Council to discuss what's been deemed by critics the Chat Control bill.

This follows a meeting the group held on November 5, and comes as the Denmark Presidency put forward a new compromise after withdrawing mandatory chat scanning.

As reported by Netzpolitik, the latest Child Sexual Abuse Regulation (CSAR) proposal was received with broad support during the November 5 meeting, "without any dissenting votes" nor further changes needed.

The new text, which removes all provisions on detection obligations included in the bill and makes CSAM scanning voluntary, seems to be the winning path to finally find an agreement after over three years of trying.

Privacy experts and technologists aren't quite on board, though, with long-standing Chat Control critic and digital rights jurist, Patrick Breyer, deeming the proposal "a political deception of the highest order."

Chat Control − what's changing and what are the risks

As per the latest version of the text, messaging service providers won't be forced to scan all URLs, pictures, and videos shared by users, but rather choose to perform voluntary CSAM scanning.

There's a catch, though. Article 4 will include a possible "mitigation measure" that could be applied to high-risk services to require them to take "all appropriate risk mitigation measures."

According to Breyer, such a loophole could make the removal of detection obligations "worthless" by negating their voluntary nature. He said: "Even client-side scanning (CSS) on our smartphones could soon become mandatory – the end of secure encryption."

Breaking encryption, the tech that security software like the best VPNs, Signal, and WhatsApp use to secure our private communications, has been the strongest argument against the proposal so far.

Continue Reading - https://www.techradar.com/vpn/vpn-privacy-security/this-is-a-political-deception-new-chat-control-convinces-lawmakers-but-not-privacy-experts-yet

83
 
 

Just installed GOS on my phone, really like it. I want to know how GOS users set up their profiles to learn from them. So far, I found out the following:

  1. everything in Owner

  2. leave Owner blank. Put everything in another profile named User.

  3. leave Owner blank. Put all Google stuff in user Google. Put all FOSS apps in FOSS user. Put all bank stuff under Sensitive user.

  4. use Owner as an app repo. So install Google Play, Accrescent, F-Droid. Install apps from there, but don't use them. Instead, when creating a new user, push those apps from Owner. This is similar to Side of Burritos on YouTube.

Anything different?

84
 
 

Stumbled across this last night. Never heard of it before. I am just getting into the documentation, but I wondered if any of you have some sauce on Tahoe-LAFS. Good, bad, indifferent. Any scary stories, anecdotes? Gotchas?

https://home.of.tahoe-lafs.org/

85
 
 

As weird as the title sounds, my family really dislikes me using Tuta and not Gmail. Is your family also like this?

"Come on, Sarah, can't you just be normal and use Gmail like everyone?"

  • my mom, scolding me.
86
 
 

cross-posted from: https://lemmy.zip/post/52889139

87
 
 

cross-posted from: https://lemmy.ml/post/38782740

As gradually leaked over the last few days by various news outlets, the EU Commission has secretly set in motion a potentially massive reform of the GDPR. If internal drafts become reality, this would have significant impact on people's fundamental right to privacy and data protection. The reform would be part of the so-called "Digital Omnibus" which was supposed to only bring targeted adjustments to simplify compliance for businesses. Now, the Commission proposes changes to core elements like the definition of "personal data" and all data subjects' rights under the GDPR. The leaked draft also suggests giving AI companies (like Google, Meta or OpenAI) a blank check to suck up Europeans' personal data. In addition, the special protection of sensitive data like health data, political views or sexual orientation would be significantly reduced. Also, remote access to personal data on PCs or smart phones without consent of the user would be enabled. Many elements of the envisaged reform would overturn CJEU case law, violate European Conventions and the European Charter of Fundamental Rights. Whether this extreme draft will become the official position of the European Commission will only become clear on 19 November, when the "Digital Omnibus" will be officially presented. Schrems: "This would be a massive downgrading of Europeans' privacy ten years after the GDPR was adopted."

88
 
 

I'm currently using LibreWolf (a Firefox fork) as my primary browser, with uBlock Origin set to block scripts by default on all but a few sites. When I need to use a site that's not one of these trusted ones and refuses to work without JS (for example, forums.linuxmint.com), is it better for my privacy to temporarily allow JS or to open the site in a different browser like FF or Vivaldi?

Does switching browsers actually make it harder to track me, especially ones that don't have full modern CSS and JS support like Dillo, Links2, Alhena, and NetSurf?

89
 
 
90
 
 

FreeTube wasn't loading a video, so I tried opening it in the YouTube website instead. Rather than being able to watch a 13 second video (here it is in case anyone wants to know), what I managed to capture is one of the most dystopian screenshots I've personally seen. Every single element of this image is truly astounding if you look close enough and think about it for a moment.

13 seconds of your life now costs you even more time to prove you're not trying to scrape a video from a hundred billion dollar corporation with nearly infinite resources, advertisements and clickbait grabbing at your attention, every interaction logged and sold to thousands of data brokers, and you can't even show your appreciation without selling more information by creating an account. How did we get here?

91
 
 

This idiot's going to get it banned

92
0
submitted 1 month ago* (last edited 1 month ago) by atmorous@lemmy.world to c/privacy@lemmy.ml
 
 

Edit: Based on the article: Facebook has recently gotten an Ex-Meta Member into the Data Protection Agency of Ireland near end of 2024. They were sued for 250 million euro. They are back now actively trying to push for lower data protections in the EU publicly saying "It will hurt Meta"

Edit 2: The link was free when I read it but they changed it to subscribed so not even worth going into the link now. If you have alternative ways to read it then I recommend that. Sorry for not being able to find better sources

93
0
Gaming Copilot is Watching You (testing.crazypeople.online)
submitted 1 month ago by LiamTheBox@lemmy.ml to c/privacy@lemmy.ml
94
 
 

Almost one year ago I made this post about how the Wikipedia page for the "Nothing to hide" argument removed the text stating that it is a logical fallacy. I advocated for it to be added back. Three days after that post it was added back.

Exactly one year, to the day, after the logical fallacy text was removed, it got removed again. On October 19th of this year, a different user removed the text from the Wikipedia page, despite plenty of evidence that the "Nothing to hide" argument is a logical fallacy.

I am back here, once again, advocating that the text be added back.

P.S. It's an absolutely crazy coincidence that the same edit happened to the same page on the same day exactly one year apart.

95
 
 

Starting today, all paying Tuta users can request 25% off their first year of Ente’s encrypted photo storage so you can not only keep your emails and calendars private, but also your photos.

Ente provides end-to-end encrypted photo storage, ensuring that only you hold the keys to your data. Ente doesn’t mine your data and doesn’t show you ads.

We at Tuta are thrilled to have teamed up with Ente to build privacy-first tools that are both secure and beautifully easy to use. Whether you’re backing up precious personal pictures or need to sync images from one device to another, Ente makes sure your content stays yours - and only yours.

(cross-posted from: https://lemmy.dbzer0.com/post/55755024)

96
 
 

cross-posted from: https://lemmy.world/post/37402366

This is the main reason I completely ditched Reddit, if you use the new Reddit interface instead of the old one (old.reddit.com), you'll see a constant request being made to "https://www.reddit.com/svc/shreddit/events" (open your DevTools > Network tab, can't see on Firefox idk why).

The problem is, if you add this to your uBlock Origin filters the website won't load properly, that's why the uBO team didn't block it already.

You'll notice this request isn't only being made at an interval but also when you do basically any action on the site, like pausing or resuming a video (it sends timestamps of when you paused or resumed).

It sends other kinds of data, like what subjects you're seeing when you close a tab or the related subjects of a post you click. This can all be used to trace a perfect profile of you and the things you like.

You can avoid that using old.reddit, but it still has the same kind of tracker, even though you can block it there without major issues.

By my analysis, old Reddit interface does the same but to a random URL path that always starts with "reddit.com/api/something". Ex.: reddit.com/api/friends So you can block anything that starts with "www.reddit.com/api" in your custom filters (after all you're using old.reddit.com), then you're mostly free from Reddit trackers (more or less). Side effect is, you won't be able to use the chat in the old interface.

97
0
submitted 2 months ago* (last edited 2 months ago) by Charger8232@lemmy.ml to c/privacy@lemmy.ml
 
 

VPN Comparison

After making a post about comparing VPN providers, I received a lot of requested feedback. I've implemented most of the ideas I received.

Providers

Notes

  • I'm human. I make mistakes. I made multiple mistakes in my last post, and there may be some here. I've tried my best.
  • Pricing is sometimes weird. For example, a 1 year plan for Private Internet Access is 37.19€ first year and then auto-renews annually at 46.73€. By the way, they misspelled "annually". AirVPN has a 3 day pricing plan. For the instances when pricing is weird, I did what I felt was best on a case-by-case basis.
  • Tor is not a VPN, but there are multiple apps that allow you to use it like a VPN. They've released an official Tor VPN app for Android, and there is a verified Flatpak called Carburetor which you can use to use Tor like a VPN on secureblue (Linux). It's not unreasonable to add this to the list.
  • Some projects use different licenses for different platforms. For example, NordVPN has an open source Linux client. However, to call NordVPN open source would be like calling a meat sandwich vegan because the bread is vegan.
  • The age of a VPN isn't a good indicator of how secure it is. There could be a trustworthy VPN that's been around for 10 years but uses insecure, outdated code, and a new VPN that's been around for 10 days but uses up-to-date, modern code.
  • Some VPNs, like Surfshark VPN, operate in multiple countries. Legality may vary.
  • All of the VPNs claim a "no log" policy, but there's some I trust more than others to actually uphold that.
  • Tor is special in the port forwarding category, because it depends on what you're using port forwarding for. In some cases, Tor doesn't need port forwarding.
  • Tor technically doesn't have a WireGuard profile, but you could (probably?) create one.

Takeaways

  • If you don't mind the speed cost, Tor is a really good option to protect your IP address.
  • If you're on a budget, NymVPN, Private Internet Access, and Surfshark VPN are generally the cheapest. If you're paying month-by-month, Mullvad VPN still can't be beat.
  • If you want VPNs that go out of their way to collect as little information as possible, IVPN, Mullvad VPN, and NymVPN don't require any personal information to use. And Tor, of course.

ODS file: https://files.catbox.moe/cly0o6.ods

98
1
VPN Comparison (testing.crazypeople.online)
submitted 2 months ago* (last edited 2 months ago) by Charger8232@lemmy.ml to c/privacy@lemmy.ml
 
 

VPN Comparison

I made a spreadsheet comparing different open source VPN providers.

Part 2 here

Providers

Notes

  • Please do not start a flame war about Proton.
  • Please do not start a flame war about cryptocurrencies. Monero is the only cryptocurrency listed because of its privacy.
  • The very left column is the category for each row, the middle section is the various VPN providers, and the right section is which VPNs are the best in each category.
  • IVPN has two differing plans, which is why "Standard" and "Pro" are sometimes differentiated.
  • For accounts, "Generated" means a random identifier is created for you to act as your account, "Required" means you must sign up yourself. Proton VPN allows guest use under specific conditions (e.g. installed from the Google Play Store), but otherwise requires an account.
  • Switzerland is seen as more private than Sweden. Gibraltar is seen as privacy neutral.
  • All prices are in United States Dollars. Tax is not included.
  • Pricing is based on the price combination to achieve the exact time frame. For example, Proton VPN does not have a 3 year plan but you can achieve 3 years by combining a 2 year plan with a 1 year plan.
  • The availability section is security based. Availability is framed around a GrapheneOS and secureblue setup.
  • The Proton VPN Flatpak is unofficial, but based on the official code.
  • Availability on secureblue is based on the ujust install-vpn command. Security features must be disabled on secureblue in order to use the GUI for IVPN and Mullvad VPN, but not for Proton VPN. Mozilla VPN and NymVPN are available as Flatpaks, which are safer than layering packages.
  • I wanted to include more categories, such as which programming languages they are written in, connection speed, and security, but that became far too difficult and complex, so I decided to omit those categories.

Takeaways

  • NymVPN is very very new, but it's off to a strong start. It wins in almost every category. I actually hadn't heard of it until I started this project.
  • If you want a free VPN, Proton VPN is the only one here that meets that requirement.
  • If you want to pay week-by-week, IVPN is the only one that allows that.
  • If you're paying month-by-month on a budget, Mullvad VPN is the cheapest option.
  • NymVPN is the cheapest plan for anything past 1 month.
  • If you want to use Accrescent as your main app store, IVPN is the only VPN available there for now.
  • If you want to pay for a bundle of apps, including a VPN, Proton sells more than just a VPN.
  • Mozilla VPN is terrible. The only thing it has going for it is a verified Flatpak, but NymVPN also has that so it doesn't even matter.
99
 
 

If you have any sense of privacy, you know better than to use Google's official Youtube clients - not to mention, they're really kind of terrible.

To view Youtube video comfortably and limit Google's privacy invasions, the main third-party clients are:

Unfortunately, if you've been using those third-party clients for a long time, you know Google plays a game of cat and mouse with them, to discourage users from using them:

  • Google breaks something or other (usually the player API) or Google blocks your IP because it detects a non-Google player.
  • The developers of those clients play catch-up, make their clients work again for a while.
  • Google breaks them again. Rinse. Repeat.

And Google now having free rein to be as abusive as they want under the Trump regime, it's not getting any better ☹️

The developers who react most quickly to Google's shenanigans are the FUTO developers behind Grayjay: when Google breaks it, usually they have a fix within hours, if not less. And there's a reason for that: they're paid to do it. Incidentally, I encourage you to purchase a FUTO license: it's money well spent to encourage FUTO. They've really earned it.

The Newpipe developers are also fairly quick to fix their client. Not always, but they do a pretty decent job.

Freetube however can take many days to get fixed. For instance, the native Freetube player is currently broken and it's been broken for a week.

When Google plays with everybody's balls, if you're on mobile, at least Grayjay will almost always get the job done, so you don't have to compromise your privacy and hit the official client.

On the desktop however, ~~unless you have an ARM64 machine and you use Grayjay as a desktop app in Waydroid - which is a totally valid solution that works great, in case you didn't know~~ [EDIT: this is incorrect: there is in fact an x64 Grayjay desktop client - Thanks @portnull@lemmy.dbzer0.com], Freetube will sadly let you down regularly for a long time.

The official workaround recommended by the Freetube developers when Google breaks their player is to use an external player. But there are two problems with that:

  • If you don't use the right external players - which Google likely broke too - or the player isn't configured to use the latest and greatest Google evasion code, it's not going to work.
  • When spawning Freetube with a URL (typically by LibRedirect from your browser), Freetube ignores the external player and tries to play the video with its broken internal player anyway. You can always manually tell it to use the external player after it's failed trying to play the video itself, but it's an extra step, and you end up running both Freetube and the external player just to view a Youtube video from a website.

So I figured I'd post a little guide on how to set up an external video player that works with Freetube (and gets fixed quickly when Google breaks it) and how to spawn it directly from your browser to view a video and bypass LibRedirect / Freetube entirely.

This little guide is mostly for Linux. If you're not running Linux, the principle should be the same, but the details of how to make this work are different of course.

So the player you need is SMPlayer. SMPlayer is a great mpv player frontend in its own right. Don't worry, both mpv and SMPlayer are usually available in most distros, so you can install it normally with your favorite package manager.

But the thing that makes SMPlayer great is, to play Youtube video, it can use yt-dlp as a backend to fetch the video from Youtube:

SMplayer preferences setting to use yt-dlp as a backend to fetch Youtube videos

And it turns out, the developers of yt-dlp are usually very quick to unfuck Google's fuckeries and make it work again. Almost as quick as FUTO's developers: when Google breaks things, yt-dlp is usually one of the first Youtube clients to start working again.

The problem is, the version of yt-dlp that comes in most distributions is usually hopelessly behind, so it won't work with your distro's official package.

To use the latest and greatest yt-dlp with SMPlayer, you need to use the version in the Github repo. To do this:

  • Clone the repo (for example in your home directory): git clone --recurse-submodules https://github.com/yt-dlp/yt-dlp.git
  • Make yt-dlp available in your PATH: ln -s ~/yt-dlp/yt-dlp.sh ~/.local/bin/yt-dlp

Then if you invoke yt-dlp from any directory, it should start it correctly:

$ yt-dlp  

Usage: yt-dlp [OPTIONS] URL [URL...]  

yt-dlp: error: You must provide at least one URL.  
Type yt-dlp --help to see a list of all options.  

Then you can try if SMPlayer now plays a Youtube video correctly: smplayer https://youtu.be/jNQXAC9IVRw

Finally, configure Freetube to use SMPlayer as an external player:

Freetube external player setting

Now try to play a video from Freetube: it should open SMPlayer and SMPlayer should play the video correctly.

When Google breaks yt-dlp again, simply go into the repo and do a git pull --recurse-submodules. Do this regularly until the yt-dlp folks work their magic and fix it, which should happen a lot quicker than fixing the internal Freetube player.

Finally, how to spawn SMPlayer directly from the browser:

  • Install the RunWith browser extension: this little thing is a simple tool to spawn an external program from the browser and it's really underrated. Not terribly user-friendly to install but it does the job fine.
  • In the RunWith extension preferences, configure RunWith like so:

Setting in the RunWith browser extension to run SMPlayer on Youtube video links

Then if you right-click on a Youtube video link, you'll get an option in the context menu to open it with SMPlayer through RunWith:

RunWith context menu option

I hope this helps 🙂

100