
Jumbo: Privacy Assistant for iPhone - octosphere
https://www.jumboprivacy.com/
======
Nextgrid
I’m willing to bet good money this app still leaks data in the form of app
analytics.

~~~
jammygit
From the privacy policy:

"Analytics Our iOS application can send analytics to our analytics providers:
Segment and Amplitude. We do not track or store any personal information in
our analytics. Instead, we ask Apple to generate a unique deviceID which we
use as a unique token for analytics purposes. Our analytics are 100%
anonymous."

~~~
gregdunn
I feel like a unique ID isn't enough to protect your identity from an
analytics provider, especially if they're receiving analytics on you from
multiple sources.

~~~
Nextgrid
Exactly. They just have to correlate device type & OS version & IP address &
date/time to have a pretty good idea of which other apps (& their “unique” IDs
you have).

The more they do it the more they can narrow it down, until they reach the
point where they have a set of IDs that _only_ ever come from the same
device/version, IP address as well as very similar times of day.

~~~
way66
No, because we've designed protection against collecting IP address, device
type and OS. We don't use any SDK from Segment, Amplitude, or any third party
analytics. Our iOS app only sends a device UUID, an event name
(user:opened:app) and some event properties (not personal information).
Someone should feel free to reverse-engineer our network requests to confirm
what I'm saying.

Also, let's talk about IP address.

We have a CloudFlare worker that sits between our app and our analytics proxy
(which role is to send data to Segment). And this worker from Cloudflare is a
piece of code that removes the user ip address from the request made to our
proxy, hosted on Heroku.

Here is the worker code:
[https://gist.github.com/pierrevalade/85bbe1e5278b81813e08e7e...](https://gist.github.com/pierrevalade/85bbe1e5278b81813e08e7ed9a76250b)

That way, only Cloudflare gets the user IP address (and to my the best of my
knowledge I don't know how to access it), and our servers never get it.

~~~
Nextgrid
How can I confirm what you are saying is true regarding the IP address, other
than taking your word for it (I heard that worked great with Facebook)?

Why does your privacy policy mention third-party analytics then? Why do you
mention “Segment sends the data to Amplitude” in another one of your comments
if you claim here that you don’t use any third-party analytics service?

Also, just wondering - why do you need to send _anything_ in the first place?
People have been building software just fine for decades before this whole
“analytics” plague started going around, and I didn’t notice software quality
being improved by it (if anything software has gone significantly downhill).

~~~
way66
1/ What do you mean confirm what I'm saying for the IP address exactly?

2/ I said we don't use any (mobile) SDKs from 3-parties analytics, but we do
use their backend (Segment, Amplitude). We send the requests from our
anonymous proxy directly to their servers.

I was worried that mobile SDKs would leak other data (iOS version, device
size, ...) that I don't want to know about. And as a general rule we don't
like to use SDK/code from 3parties for security reasons.

3/ We use analytics to track how many users are using the app, and how many
users are using the cleaning features. This data does help us to make
strategic decisions.

~~~
Nextgrid
1) I mean how can I prove what you’re saying is true as a user? As far as I’m
concerned the app is sending a packet to a domain name you control. Nothing
guarantees me this is actually a Cloudflare server running your code to remove
my IP address. Ten years ago I would’ve just trusted you, but in today’s day
and age where _everything_ tries to stalk you in one way or another with full
impunity, trust no longer exists.

2) Good thinking!

3) Doesn’t the App Store give you stats on how many people downloaded their
app?

Also I’m concerned about “strategic decisions” - so it’s a business behind
this app then. What’s the business model? Last time we had a business claiming
to unsubscribe you from newsletters... turns out they were actually sharing
data with marketing companies, so I’m rightfully concerned.

~~~
way66
1/ I’m thinking about ways to have trustable 3-parties audit us. Open for more
ideas. What do you think?

3/ yes, unroll.me made the wrong calls. But for Jumbo we can’t even access
your data, everything happens client-side. You could say that at some point
the client will upload all your to our cloud, but that’s really not going to
happen. Again, here, how to trust us? First, audits. Second, my reputation.
Third, independent researchers would reverse engineering our app, and look at
the networks call made. Open for more feedback

Our business model is the one of Dropbox. Pay (you or your employer) for more
features.

~~~
Nextgrid
1) your idea would probably be a lot more costly (you have to pay for the
audit after all) and even then some people still wouldn’t trust it. Maybe just
design your product in such a way that there’s nothing to audit? People have
built software & successful businesses around that for decades without the
“analytics” cancer, so please don’t tell me that you can’t do the same.

If your model is a good old “pay for good software” model, then why not just
_ask_ what features people want? Why do you feel the need to _stalk_ what
people do instead of politely asking?

~~~
way66
How would you trust me if I tell you that there isn’t any analytics?

------
radley
I used it to remove old tweets, but nothing else. The presets aren't very
flexible. The oldest tweets I could delete was anything more than 3 months
old. I would have preferred a longer timeframe like older than 2 or 5 years.

I didn't try it for Facebook. It has three general settings (public, friends,
and just me). I've already tuned Facebook as best as I want. It wasn't clear
what FB would overshare or under-share with Jumbo's settings.

~~~
confounded
I also dislike how they’ve conformed to Facebooks notion of privacy (it’s
private if only Facebook can see and use it, not others), as opposed to the
traditional definition of retaining individual decision-rights over
disclosure.

~~~
e1ven
Agreed, but it's still better for most people than having things shared with
everyone.

This seems like the sort of app one might use to prevent James Gunn style
problems from old content.

------
gnicholas
Anyone have a sense of the business model? Seems like a handy way to help
folks manage privacy, but without understanding how they plan to generate
revenue I'm hesitant to get on board.

~~~
ekovarski
Pierre Valade, the creator, stated on ProductHunt that they will monetize via
a premium version in the near future.

[https://www.producthunt.com/posts/jumbo](https://www.producthunt.com/posts/jumbo)

~~~
way66
that's correct. like Dropbox. thanks for sharing that link ekovarski

Pierre, CEO

------
qrbLPHiKpiux
I'm in my mid 40's.

I've learned in my life of computing since the TI-99/4A is that privacy is not
an app or program or device... It's all analog - what the end use does and
does not do. I don't see this really pushed today, the personal responsibility
of personal data.

~~~
module0000
>> what the end user does and does not do

You hit the nail on the head, I couldn't possibly agree more. People have to
think(ahead - sometimes quite a ways) before they act.

------
kylek
The sentiment is nice, but is it naive? (Even having accounts with any of the
listed services feels dubious these days)

Are there (or will there be) any features/benefits for people who don't have
social media accounts?

~~~
binaryblitz
Managing social media permissions is the point of the app.

Is there any benefits of auto insurance for people that don't have cars?

~~~
kylek
Being dubbed a "Privacy Assistant", it could be construed as having
implications beyond just social media.

~~~
way66
Jumbo helps in deleting old Google Search, and Alexa voice recordings. So it's
beyond social media in that sense. Tomorrow we will support Tinder, and more.

------
dstaley
I'm perplexed as to why this is an iOS only application. Surely most of the
actual API calls are being done server-side? It have made more sense for them
to launch a web app instead while they expanded the product offering, and then
brought it to native apps.

~~~
way66
You are raising a good question..

Jumbo works 100% client-side, that's why we have built it as a native app.

You can read more on our architecture on our blog:
[https://blog.jumboprivacy.com/secure-jumbo-never-sees-
your-d...](https://blog.jumboprivacy.com/secure-jumbo-never-sees-your-
data.html)

It's quite cool. We don't have any servers processing your data.

Pierre, CEO Jumbo.

------
e1ven
This looks really nice - There are browser extensions to do a lot of these
things, but those don't work on iPhone, so having a native app is a nice
touch.

I also appreciate that they know they're selling to a privacy-conscious
audience, so they go over the top in assuring that it's all done client side!

Very nice so far.

~~~
jammygit
I like it on first impression but I wonder whether tools like this will
convince people they have privacy, when really they are getting a better
interface to semi-privacy settings in existing privacy invasive apps.

~~~
jrowley
I really like the idea of the app because it lowers the barriers to entry for
an entire set of people who otherwise might not take the necessary steps to
increase their privacy.

These are baby steps for sure, but maybe one day all these people will be
ditching google for duckduckgo and protonmail, etc.

~~~
way66
Absolutely, I’ve designed the product so that my mom can use it. She can’t use
a Chrome extension, but she can download an app like Jumbo.

------
rdl
Pretty cool that this is done client-side, although it does need more presets.
I'd also want to be able to export/import my old posts, or at least manually
review, but that's getting into the kind of features I'd expect from a paid
tool.

------
thanatropism
My years-long history of using Facebook as an idea log (often with long long
posts) is what has stopped me from deleting altogether. This promises to be a
simple way of downloading everything.

Facebook should be scared. It's at least X% of the lock-in they have on
people.

~~~
dddddaviddddd
You can just download an archive of your Facebook data, no need to use this
app:

[https://www.facebook.com/help/212802592074644](https://www.facebook.com/help/212802592074644)

~~~
aphextron
There’s also a plethora of parsers available at this point to output your data
to any format imaginable

[https://github.com/ownaginatious/fbchat-archive-
parser](https://github.com/ownaginatious/fbchat-archive-parser)

------
oh_hello
I like the concept. Simplified privacy settings management and content
deletion make a lot of sense for non-technical users.

------
aphextron
Nobody works for free. If there’s no direct cost, you are the product not the
customer.

~~~
way66
You’re right. Like Dropbox has a free version, and a paid one. Right now we
are launching the free version, and paid features will come later.

------
jklinger410
Man I'm so pumped for iOS users!

