Hacker News new | past | comments | ask | show | jobs | submit login
Privacy is Power: Why the fight for privacy matters (standardnotes.org)
352 points by mobitar on Feb 7, 2017 | hide | past | favorite | 147 comments

Best part of the article: explaining how privacy is a public good.

TLDR: privacy isn't just about "keeping secrets" or having "something to hide".

Privacy for a whole population is power. Once a population has lost its right to privacy, once people's conversations and movements are monitored, they're rendered powerless. It becomes easy to strip away their other rights.


Worst part of the article: the recommendations at the end.

The author lists a kitchen sink full of privacy tools including Telegram, which the entire infosec community agrees is terrible. Do not use Telegram.

Use Tor, use Signal.

> Worst part of the article: the recommendations at the end.

> The author lists a kitchen sink full of privacy tools including Telegram, which the entire infosec community agrees is terrible. Do not use Telegram.

> Use Tor, use Signal.

Usability, or lack of annoyances, will always trump security and privacy. Tor is way too slow for most purposes. In my experience, I don't believe it can be a generic mass solution (people in most places around the world already have slow connections - sharing that with others would be the last thing they'd want to do, even though more people running Tor means it gets better, on average, for everyone).

Signal is way too deficient on features and usability compared to Telegram. I want to get out of Telegram and use Signal, but it's at least a few years behind Telegram in various ways (speed, features, lack of good desktop options, relying only on phone number with no usernames or other ways to add/establish contacts, and more). By the time Signal catches up, I believe Telegram would be far ahead again. For messaging and privacy, what would be better to have is a decentralized system that has good usability, multi-device support and can become popular.

> people in most places around the world already have slow connections - sharing that with others would be the last thing they'd want to do

You seem to misunderstand how Tor works. It doesn't require you to become a relay (i.e. carry other people's traffic) to use, and never has.

Furthermore, my experience with Tor on bad connections is that, once the connection to your entry guard is established (once per reboot, takes 30s to 1 minute on terrible connections with packet loss), Tor was just as slow as the original connection.

For those who have decent Internet access, it just works to watch Youtube videos, for instance, over Tor.

If you're prioritizing features and usability, WhatsApp is considered more favorably than Telegram.

WhatsApp is owned by Facebook.

They almost certainly do not have privacy as a central focus beyond its utility as a marketing bullet.

It's just more embrace, extend, extinguish.

Facebook is doubling down on Messenger. They don't want to support multiple messengers. As soon as they can find a way to convert those pesky privacy-conscious Europeans to Messenger, WhatsApp is dead.

They may not do it for the best reasons, but they do have a better implementation than Telegram and, the most important, Watsapp is private by default.

Telling people to move from Watsapp to Telegram nowadays is bad advice. for any point of view.

> WhatsApp is owned by Facebook.

> They almost certainly do not have privacy as a central focus beyond its utility as a marketing bullet.

That's certainly one big concern I have with WhatsApp (and that's why I don't use it).

The other thing is WhatsApp is not as good as Telegram in UX like the GP claims it to be. As one example, Telegram has desktop clients that do not need the phone to be around after a one time account verification, whereas WhatsApp, in my knowledge, always needs the phone to be around for the desktop or web app to be useful.

I absolutely agree with you note on the "Best part of the article"...

...But as far as the worst part being some of the author's recommendations on privacy tools, while i agree some of those products are not some that I might have chosen, I respectfully disagree with your premise...I believe the author's intent is really good. I would recommend you think of it this way instead: if a non-trivial percentage of civilians (what I call non-techies) all of a sudden begin to use some of these apps (because of some product recommendations that the author made), some users will use some products, and it will at least greatly raise the awareness across the board...As more users utilize these products, no doubt there will be complaints. This will then lead to so many more people demanding ever better privacy tools...Which I believe will increase any positive momentum for privacy tools, both in quality as well as usage...At least that's how I see it; basically an eventual good thing for everyone.

The author seems to have noticed the criticism and removed Telegram

My understanding is that, against certain actors, Tor is compromised. Am I mistaken?

Please DON'T recommend Signal.

Signal is nearly as bad as other messengers: They get your metadata, your contact list (the hashing is reversible, they even state so), and they don't do federation (= support other peoples servers). They don't even want other implementations of the Signal-Protocol to use their servers, which would cause a huge fragmentation of the user base even if someone implemented an alternative.

The solution? The protocol "Omemo" looks promising: It doesn't require Google Cloud Messaging on Android to implement some power saving features, it sits on top of XMPP which has features like groups or sending images, and it does Multi-Device support while still providing good encryption and deniability (OTR-like). Because it's just XMPP, you can use any Jabber-Server you want (your own, too), as long as it supports some newer fancy features (avatars might be needed, and image uploading if you want that, probably). This means your metadata should be less centralized than with Signal, Telegram or WhatsApp.

SecureChat and Conversations.im already support this protocol, so mobile phones and tablets have good candidates for installation. For PC, pidgin and gajim are beginning to have some prototypes for Omemo plugins out.

Check out https://omemo.top/ and https://conversations.im/omemo/ for more info.

I've personally tried conversations.im (I bought it. It's free and open source if you get it via fdroid or if you build it yourself) with friends and it works ok (single user + group chat). One of my friends used SecureChat on his iPhone and it seemed to work, too. Checking keys in conversations.im could be easier and the scanning function needs an app that requires too many privileges for my taste. It also seems like you need to announce your presence on Jabber if you want to add someone new (and they need to do so, too), but I'm not 100% certain about that. I haven't tested using multiple devices with the same account yet, but a friend told me that the plugins for Gajim and Pidgin weren't really working with that at the moment.

I really hope Omemo solves the messenger problem once and for all. It's 2017, after all.

Those who are privacy conscious must first take the step towards self-hosting. They are many interesting approaches that are trying to make self-hosting practical. They make it trivial to run your own mail server, keep your contacts/calendar/files/notes. Why trust yet another mail/cloud company (yahoo, anyone?)? There are promising existing projects out there (like cloudron.io, sandstorm.io, yunohost). Go try them out today. The projects are open source and have issue trackers where you can contribute even if you are not a developer. Such solutions will empower the average person in the future.

Self-hosting has a severe metadata tradeoff. Suppose that you and I each self-host a mail server. Now we e-mail each other to talk about how great decentralization is and how much we both hate wiretapping.

With self-hosting and SMTP, there is now a very clear TCP metadata record showing how my home IP address connected on port 25 to your home IP address. Maybe the next day you write back, and there's another nice clear metadata record showing your address connecting to me. Now any ISP between us, and anyone who can tap the ISPs' cables, knows that you and I are corresponding.

If we were both using Gmail, this metadata pattern would pretty much not appear at all: we would each make an HTTPS connection to Gmail and exchange a bunch of data, and while in principle my upload would be matched in size by your download, it would be extraordinarily noisy in many ways and hard to correlate in practice. On the other hand, Gmail would know everything about us.

Having Gmail know everything about us is clearly terrible and not a good privacy solution. However, having all of the ISPs be able to learn our detailed correspondence patterns and relationships is also clearly terrible and not a good privacy solution. So, self-hosting being a clear privacy win for messaging will require a lot of technical improvements on the metadata front. It isn't a clear win in this respect today; it most likely depends on whether you see ISPs (and people who can compromise or coerce them) or Google (and people who can compromise or coerce them) as a bigger risk overall.

Not really. Google can monetize your information much easier than an ISP.

Self hosting puts you in control, which means you have potentially more safety so long as you manage risk. Physical custody of your data is very valuable. The metadata thing is more of a theoretical risk.

Embrace the fact that email is not ephemeral and can end up in the wrong hands from your perspective. The other party that you're communicating with is a far more likely leak than some rogue ISP or police action.

> Google can monetize your information much easier than an ISP.

More to the point: Google is a more central actor, who gets to see the data of far more users, than your ISP ever will.

Moreover, this moves from giving a third party your data, to giving them your metadata, and while people consistently underestimate the value of metadata, there is still an incremental improvement there.

But in the context of privacy is power, who is your real adversary? Clearly it is the state. And they have shown time and again that they are watching all ISP traffic, with their consent, whereas Google is making a sincere effort to resist.

I feel like using something like TOR would help here: it would create a background noise of other traffic while also providing a way for other users to not have to connect directly to the remote server.

So I ask: is there a way to provide an optional TOR endpoint? e.g. can I have an MX record with high priority that points to a .onion address, and then have a backup (with lower priority) that points to the normal global IP?

I'm not sure MX records would work without either modifying SMTP servers or using Tor in transparent proxy mode.

Postfix, for instance, has [transport maps](http://www.postfix.org/transport.5.html), but those let you pick a transport based on the email domain, not the MX host.

Right now, some people use [onionmx](https://github.com/ehloonion/onionmx), which maintains both a [static mapping](https://github.com/ehloonion/onionmx/blob/master/sources/map...) from domains to onion services, and a dynamic one using [SRV records](https://github.com/ehloonion/onionmx/blob/master/SRV.md).

Currently there is no support for this in MTA software. If it were supported, you could imagine having somewhat better privacy properties for e-mail with other people who also used this particular setup. However, if you simply re-decentralize your e-mail using today's e-mail technology, you won't get those benefits in the short term.

Why would you need software for it in the MTA? Use a local resolver with tor's dns option + automapping

You can of course provide MX records of different priorities.

I think the difficult part is getting outbound MTAs to actually understand that a .onion domain shouldn't be looked up over DNS.

> I think the difficult part is getting outbound MTAs to actually understand that a .onion domain shouldn't be looked up over DNS.

If you're running a local tor-compatible resolver they should be!

However according to RFC 7686 https://tools.ietf.org/html/rfc7686: "Applications that do not implement the Tor protocol SHOULD generate an error upon the use of .onion and SHOULD NOT perform a DNS lookup"

How about https://ring.cx/, based on peer-to-peer discovery and connection?

If you want anonymous mails setting up a normal server isn't good enough. You'd need an anonymous remailer like Mixminion to get even a basic level of privacy. But development on anonymous mail software has stalled ten years ago. There doesn't seem to be much interest.

This seems like an argument for argument sake. Our ISPs (not mine anyway) doesn't learn our detailed correspondence patterns. Google does. It reads my email and throws out ads. Seems trivial to decide who respects my privacy more.

Also, if ISPs are "tapped", you have a problem at the government level. IMO, privacy issues and government intrusion are not something technology can beat. Forget home servers and decentralization and usb sticks - If it's in your head, any determined government will waterboard that information out of you.

I actually don't use Gmail for partly the reasons you mention, so I'm not at all unsympathetic to your view!

However, I tend to think of governmental privacy threats as the most important ones, and I assume that many other people in this discussion (and in the community of people who strongly advocate decentralization) share that perspective. Your prioritization is sensible if you're much more concerned with corporate monitoring (especially if you live in a jurisdiction with effective data protection legislation).

You might also want to consider people who live under extremely violent or repressive governments, whose concern with government as a threat actor may be easier to sympathize with. They're probably better off in the short term with something like Google because Google will likely resist data requests from their governments, while the ISPs (being local and sometimes state-owned) will likely not resist those requests. While they can't resist every surveillance or coercion scenario, it's easy to imagine that they can fly under the radar easily by using Gmail if it's popular where they live and they aren't doing other things online that the government finds interesting.

So be abandon the wires and build an alternative internet?

Pretty expensive, and governments won't be more reluctant to tap the undersea parts and try to compel people to help them tap third parties, right?

Assuming there are undersea cables to tap, yes. Wouldn't this be a key element (for good or bad) of satellite/dirigible/balloon served internet - the ability to create a separate series of internet services?

How can you safely use a satellite or balloon (over the radio spectrum) if you can't safely use an undersea cable?

(This isn't purely a rhetorical question; maybe the balloon can be more tamper-evident than an undersea cable would be, or maybe the model for where link-layer or network-layer encryption can be applied could be more transparent or more controlled by a user or customer. But overall, it's tricky to explain why using RF, which there are tons of spy facilities worldwide and even in space to intercept, is safer than using an undersea cable.)

Are you sure about this? 20 years ago I was running a then-novel Linux machine with my own email etc. etc. but eventually I stopped because on the whole it wasn't worth all the effort.

I know perfectly well, from experience, that I could vastly increase my privacy (or reduce the huge volume of information that I choose or passively accept liability for sharing, eg by having a FB account and not logging out of it every time I go to another tab etc. etc.). But how much of my time do I want to spend on opsec?

I don't want to be in a defensive posture for the rest of my life, hiding from bad actors and constantly worrying about some overlooked chink in my digital armor. Frankly, if the future is endless low-grade cyberwarfare I'd rather be on the offensive and steal other people's data for my own advantage than be endlessly upgrading my door locks.

Well, have you checked out the platforms I linked? This is the whole point of the self-hosting platforms. They don't want you to put in the effort any more than buying a phone. You install apps and leave the security to the platform. At this point, this is really about how good the platform gets in insulating the user. If you feel like an early adopter, go try those platforms.

I will and I appreciate the effort and care you took to explain them.

I guess I'm just jaded because I've been through so many cycles of 'this will automate your security needs' followed by 'every system can be gamed' a couple of years later - much as Phil Zimmerman commented The natural flow of technology tends to move in the direction of making surveillance easier, and the ability of computers to track us doubles every eighteen months.

Nowadays I worry less about my privacy on the assumption that it's probably hopelessly compromised anyway, and more about being able to hold an unpopular position or opinion without official interference. For example I think it's far more important that gay people enjoy full civil rights, be able to marry etc. than they had better privacy tools that would allow them to remain in the closet indefinitely.

>For example I think it's far more important that gay people enjoy full civil rights, be able to marry etc. than they had better privacy tools that would allow them to remain in the closet indefinitely.

That's like saying that having 100% uptime and zero failures is more important than having backups. Sure the former would be ideal but in reality that answer doesn't cut it. Sure civil rights and free speech and personal autonomy are ideal, but over here in the real world there are a lot of people who still have to hide to avoid bad stuff happening to them.

I also don't think you can use 'automate' and 'security' like in the previous paragraph and expect good results.

To clarify: many concepts that we today accept as part of the natural order of things would get you killed if discussed in earlier times. We don't know what things that could get you in trouble today will turn out to be facts taken for granted in future cultures, but in order for that evolution to take place, there must be a safe way to discuss unpopular (especially to the extent of being dangerous) ideas. If the people behind any great historical revolution had been unable to discuss their ideas safely, it's reasonable to assume it might never have happened.

You should learn to multi-task :-) But seriously, we all prioritize and fight for things what we care deeply about. In the end, I live in a better world thanks to people like you who fight for civil rights.

Thanks, though I don't want to present myself as any kind of leader in this area.

Consider that without privacy, people fighting for civil rights may be unable to safely coordinate and organize themselves well enough to make progress.

I'm not arguing that privacy isn't important, but if I have to make a choice, it's not my highest priority in every context.

They make it trivial to run your own mail server, keep your contacts/calendar/files/notes.

Sadly, no, they don't. The lack of easily installed and good quality self-hosting options is probably the single biggest barrier to more people doing this. Most people don't use Google Mail because they're particularly fond of Google; they use it because it's convenient.

Running a real mail server (an SMTP host), in contrast, is certainly not something for the faint-hearted.

Running a mail store, with some sort of automatic fetching from an ISP or third party mail server and some sort of forwarding to send mail via that server, is a bit more practical for those who don't want a full-time job. Then you can provide things like IMAP or webmail access on top. Even so, it's still prohibitively difficult to actually get it set up and working reliably if you're not already a reasonably experienced system administrator, particularly if you don't have a dedicated machine to run it so you can't just install someone's turnkey package that assumes it can install or modify whatever it wants.

If you believe this is not the case, I invite you to link to some instructions that could reasonably be followed even by someone who is generally technically competent (but not an expert sysadmin) so they could host their own mail, contacts and calendar locally instead of using something like Google Mail. I suggest that no such instructions currently exist.

For email, cloudron has a built-in email server (it's poorly advertised) - https://cloudron.io/get.html#selfhost . You can then read up https://cloudron.io/references/selfhosting.html#email. Install rainloop for web ui.

For contacts, calendar, just install the ownCloud or nextCloud app. On android, https://davdroid.bitfire.at/ works great.

> The lack of easily installed and good quality self-hosting options is probably the single biggest barrier to more people doing this.

Ever heard of mail-in-a-box[1] ?

[1]: https://mailinabox.email/

That was actually exactly what I had in mind when I mentioned turnkey packages.

This is highly impractical, and possibly even detrimental to your privacy/security. For one, most people are simple not qualified for such an undertaking, but that's probably not the biggest problem. It's the people who may think that they are qualified and may follow your advice and self-host. Some exceptions aside, almost nobody should put anything up on the internet unless they've done it in some professional capacity before. It's a fallacy to think that an average Joe can push a button and replace Google by paying 10-20 bucks a month to a cloud provider. For most people, a better solution is to use services like signal or protonmail/tutanota (at least until end-to-end email matures, at which point other big players will support it too)

This is not a solution to the real problem: social networks having in-depth knowledge about the whole population.

By all means, I don't want to discourage anyone from self-hosting. The problem is: There will always be agents (private people or companies) who leak information about others (on purpose or because of a lack of concern) which allows shadow profiling of people who want to opt out. Furthermore, these agents don't necessarily grasp the dangers which the disclosure of their social network brings for them.

What we need are stronger laws as to what social networks (and other services) are allowed to store. For instance, FB shouldn't be allowed to know anything about me without me consenting to it.

Public has its benefits. So does private. It's only when they work together that you get the optimal solution.

If I self-host (as painful as that is), what happens when my internet goes down randomly (or my computer has to reboot, or whatever)? Should all incoming emails really be dropped with an‌ "oops, try again later" message to the sender?

I sure as hell wouldn't want that.

There are lots of hidden costs to self-hosting...

"oops, try again later" is not what is happening when your mail server reboots. Email uses asynchronous protocols.

> "oops, try again later" is not what is happening when your mail server reboots. Email uses asynchronous protocols.

Wha...? How do you think my server receives emails while it's rebooting?

The sending server will automatically try to deliver the email again for a few days. If the receiving server is occasionally down, there will be a delay, but if it's not down for very long (many days) the email will eventually be delivered.

self-hosting is generally done on cloud vps providers (like ec2, digital ocean). Also, email is asynchronous. Email has a lot of retry logic built into it. You seriously don't think it behaves you think it does, do you? Imagine the amount of emails dropped :-)

> Email has a lot of retry logic built into it. You seriously don't think it behaves you think it does, do you? Imagine the amount of emails dropped :-)

Retries on the order of a few minutes, maybe. I think I've very rarely seen maybe a handful of retries, one a day, in certain cases (thanks to mailer-daemon notifications from Gmail). I don't imagine servers keep retrying for days on end beyond that (maybe internet outage was a poor example here though). Am I wrong? How long do retries go on for? Like imagine if you were on a trip when your server crashed. Now you miss emails for two weeks and you imagine that when you reboot it after coming back the senders will keep retrying? Is that really how it works? And if it does, would you really want to have that level of availability? You never have to worry about that kind of thing with a service provider, but as soon as you maintain your own server you have to constantly monitor it and be able to fix it ASAP.

I have been self-hosting my email for a few years now. (I use Zimbra BTW) Whenever the server goes down for whatever reason, the sending SMTP will retry. Each server has their own configuration, and can be changed by the adminsitrator, but it's usually a few days. As an example, on their default configurations, Exim will retry every 24h, and give up after a week. IIS will retry every 2 hours and give up after 2 days.

nobody says you have to self-host on your personal pc using your home connection.

I thought that was the point, since you didn't trust other people not to be mining your data? If it's another person's machine then they could just read your emails...

No, you self-host because you retain the ownership and control of your data. You choose service providers whose main business is not to snoop your data. For example, if you choose a server from amazon ec2 or linode or your local vps provider, they are not going to snoop your data because they are in the business of selling servers and not mining all your servers.

Okay, different question: any reason to believe the government isn't making them share dumps of their servers behind your back? I thought paranoia about the government reading your emails was the other huge reason to want this sort of thing in the first place.

If you're that worried then you can encrypt your server or data folder if needed.

What's the point though? Wouldn't the key need to be on the server if I encrypt it? Otherwise how can my mail server even work?

Largest issue with privacy is that in my experience generally speaking that the average person does not see privacy as a priority, or worse, questions the need for it.

There's a third possibility, which is that people are rationally aware that the cost of preserving privacy on the individual level significantly outweighs the benefits most of the time (rather like not buying insurance), and that in any case the technological, economic, and political asymmetries between individual and corporate/governmental actors are so huge that it's pointless anyway.

I use Tor some of the time. I would like to use Tor all the time for everything, but the reality is that using Tor is slow as mud so for 98% of my browsing activities I use Chrome, even though I know I'm giving away a lot of information about myself in the process.

Likewise, I live in a house. I can lock the doors and windows, but the reality is that any determined individual or group could easily kick in the door and enter the house. Do I spend a fortune rebuilding and reinforcing the structure so that I can have a front door like a bank vault, or do I invest a bit of money in simpler security options and cultivate good relationships with my neighbors?

It's not that people don't care about privacy (though not everyone does), but that subconsciously most people realize they can't possibly win an arms race and so opt for greater quality of life at the expense of security.

> "There's a third possibility, which is that people are rationally aware..."

I agree that this possibility exists but I also think it's a tiny minority of people online. There's enough info out there to demonstrate that people aren't rationally aware of many things (although they may believe they are).

In the current example, I'd bet that most folks don't even understand how much info they reveal online and what can be inferred about them. The very reason the house analogy exists is because it's tangible and 'real-world' but it's not really a fair comparison. If people had the option to live in a fortress, that still had windows and easy access for approved people, and didn't look too different, they'd likely take it. Such options either don't exist or are too expensive.


Also: peer pressure. As a non-Facebook user, I get questioned about why fairly often, and my family makes passive-aggressive noises about missing pictures and whatnot.

And here, any time this comes up, someone thinks they're being clever by pointing out other intrusive systems of surveillance (like cell phones) that I surely must be unaware of or inconsistent about.

My theory regarding some (certainly not all) people in the latter group are well aware of how much they're giving up and don't like the idea that other people are doing better at maintaining privacy, a bit like the drunk pushing a drink on someone trying to get sober. A lot of other people are simply unaware of the power of the data they're giving up, or believe that since "everybody else does", it can't be that important.

Social cues are really important.

Even as a non-Facebook user, if you were to only post on HackerNews all of the time, a lot could be inferred about you. Apparently, the value of sharing exceeds the cost in privacy. There are many types of thoughts of that people would share on the internet, some more revealing than others (e.g. "Today is Friday" vs. "I am 190lbs"). Some people must be very skilled at posting inert content which does not in any way tie to their personal lives, others may not be -- or simply don't care, or believe the sharing value to be very high, etc.

In terms of psychology, UI/UX design and engineered content could try to maximize the likelihood of getting a user to post emotionally-charged or revealing content.

Of course. Facebook (or Google, for that matter) isn't magic, just in possession of a really intrusive nose for others' business and the war chest to do something about it.

Detectives, private or otherwise, are sometimes very skilled at doing the same thing in conversation (of course, this is not automated and very expensive). This isn't news.

What is news is the scope and automation. The surveillance-entertainment complex is unhealthily healthy.

People may not know exactly what data they are giving away or the mechanisms by which is can be harvested and exploited, but they're constantly reminded that hackers/ corporations/ government have magic powers to find out anything they want to know.

So my argument is that most people figure it's a lost cause anyway and choose not to invest much effort in learning about computer security, relying instead on the legal/regulatory system to oversee that like any other complex public policy issue.

Yup, I think the same (although, unfortunately, I don't think the legal/regulatory system is equipped to handle it as they're made up of the same people).

The earlier comment implied that there was some form of cost/benefit analysis being undertaken, which is is what I was disagreeing with. The current situation reminds me more of learned helplessness [1], in which people are effectively powerless.

[1] https://en.wikipedia.org/wiki/Learned_helplessness

Ah, I'm sorry I didn't articulate it more clearly. I see your point with learned helplessness, but despite being well-informed and experienced on this issue - enough that I was an evangelist for PGP way back when - I've just given up on the pursuit of perfect security.

Far from surprising, this is the natural course - anyone with enough education to use PGP should know that perfect security is impossible.

That's why no reasonable privacy activists aim at it as if it was an attainable goal!

> most people realize they can't possibly win an arms race and so opt for greater quality of life

They may believe this in some cases, but it's based on an incorrect risk assessment. We evolved in a world where nothing persisted forever. Everything faded with time and copying was always imperfect, which limited how far information could spread. Surveillance had both an initial cost to collect data and maintenance costs to store and use it. In that world, the risks are bounded.

Then Shannon invented a way to copy information perfectly, without the cumulative noise that limited the scope and risk of any failure of privacy,

> Do I spend a fortune rebuilding and reinforcing the structure

No, because your door is limited in how many people can attack it simultaneously and how long attacks can continue without being noticed. It would be incredibly foolish to apply the same evaluation to privacy, where data is persistent and risks is unbounded.


Sorry, I have to cut this a bit short - meds are being annoying today. Maybe see one of my recent comments[1] on this topic?

[1] https://news.ycombinator.com/item?id=13459109

> Shannon invented a way to copy information perfectly

No, this is at least as old as the written word.

I would also suggest that humans are an incredibly social species, and while some of our more complex social behaviors encourage privacy, the vast majority of our social construct is based on sharing and not privacy. There are very fundamental reasons why social media sites are the largest human networks ever created.

The defensive position for privacy in western psyches are also very correlated to modern history coming from extreme social change around religion, the world wide trauma of the holocaust and WW2, and more generally rapid social change as a whole which threatens our tribal motivations.

Our species ability to closely integrate as a pack is almost as fundamental to our success as is our pattern recognition. If we can survive the rapid breakdown of tribalism(interpret as social association) that we are traveling through now, and arrive out the other side, privacy will certainly then be a hindrance too the species progress in that future. Pattern recognition is the trait that enables us, and the gasoline for that engine is Data.

Those are such sweeping conclusions about human nature and it's future course. Privacy has been a fundamental part of humanity forever, as was sharing. Obviously, as this is even the case for many animals, including those we evolved from.

Privacy is incredibly important today, as it has been forever. Simply looking at how humans learn, change and adapt to different contexts, it would be impossible to imagine our current civilization without privacy. If you take away a specific person's privacy, you would significantly dampen their social and intellectual development. Perhaps you envision a future of perfectly rational beings where nobody would be harmed by killing privacy, but we don't even know how one could get there.

Implying that we can, will or should change our nature in this respect is an idea from the wildest of scifi dreams. Perhaps, some day, but we have achieved so much while being these tribal, silly humans, and we'll probably achieve so much more without/before significantly changing our nature.

I'm not sure why one would even want to give up privacy. Many of our biological features seem useless to us as modern humans, but I don't see how privacy is one, whether from a practical, philosophical or enjoyment standpoint.

I think the conclusions here are too vague and sweeping to have any merit. Privacy enables civilization. Without it we get tyranny. Primitive societies had little to no privacy and the idea that one day "humanity" will be so enlightened that the many compelling reasons for privacy will be outweighed by the benefits of having tons of data is unfounded imo.

What you're really getting at is that it isn't that people don't care about privacy, it's that privacy, to happen, has to be systemic.

It can't be that you decide to have privacy and to do it you have to personally build a moat with your own two hands. It has to be that we as engineers build viable systems that respect privacy -- and then, given the choice between a viable privacy-protecting system and the status quo, it becomes much more practical for regular people to choose privacy.

This is a very important point. Nothing happens until it's made easy and presented as a choice.

I also think that some user education is in order, and needed for this choice to be made. I'm not cynical about it, though - I believe that humans can learn a whole lot more about the internet than they have in the decade to two that most of them have been using it in the west.

Excellent analysis, and stated more clearly than I could.

The bit about the arms race is on point. Also worth mentioning that privacy isn't single-dimensional and the relative cost/benefit analysis for each scenario differs.

For example, your stereotypical teenager cares quite a bit about privacy from her parents, less so from big corporations and the government. Which is why she might engage in privacy-conscious behaviors like using Incognito Mode or using Snapshot instead of MMS. Neither are a good defense against state-sponsored surveillance, but it mitigates the risk of your tech-illiterate mom stumbling upon an embarrassing search in your browser history.

Today maybe. But early adopters shape tomorrow.

True, and it is very hard to convince them when they spend so much time and get so much enjoyment out of being un-private, FB, Twitter, Instagram. How can you convince someone who vomits their life online to care about privacy?

I frequently question the need for privacy. I usually conclude that it's selfish and unsustainable.

Rather than inhibit productivity in an attempt to preserve what's left of privacy, shouldn't we instead strive to make transparency more fair?

I'm having trouble understanding those who blindly defend privacy. Do they really think that in 100 years, we won't be collecting massively more information than we are now? Do they somehow think that technological progress will stop? Don't they realize that sensors, cameras and drones keep getting increasingly cheaper? Do they not realize how much we have to gain from collecting and analyzing this kind of data?

Is this whole movement only meant to delay the inevitable by a few years? Why bother?

What's privacy?

Privacy & identity are two sides of the same coin.

All the data about me is me. It's my identity, my self.

I have the right to control what is publicly known about me.

I also have the right to know how any data about me is gathered and how its used.

That's privacy. And identity.

> I have the right to control what is publicly known about me.

> I also have the right to know how any data about me is gathered and how its used.

Can you explain why you're expecting any of this? Then, can you explain why you think that's feasible?

Here's a few questions that I hope will highlight how ridiculous your expectations are:

- How many times have you shared information about a person without its consent? For example: "I saw John at the bar yesterday".

- How many times have you gathered data about a person without its consent? For example: taking a picture of a crowd.

US Constitution's Bill of Rights pretty much covers it.

I designed, implemented, supported 5 regional health information exchanges. I'm also chin deep into protecting the secret ballot. I have more than passing knowledge of the relevant issues, technical and policy.

"Then, can you explain why you think that's feasible?"

So it's feasible to record every waking moment of every single person, but infeasible to disclose that activity and track it?

Have you ever tried to correct your credit report? Had your identity stolen? Been discriminated against, or disenfranchised, because some system some where decided you were the wrong color? Or lived in the wrong zip code? Are you on any watchlists, eg TSA no fly, FBIs inventory of peace marchers?


You advocate radical transparency (Brin's Transparent Society), but then profess incredulity when that right is demanded. Nice.

I think seeing this as an inevitable, when humans still have some choices in regards to the technology they buy and keep in their homes, is a lazy extrapolation.

More importantly, it's very important to keep in mind the massive benefits of privacy, be it psychological, philosophical and practical. This is both because of our hard-wiring and the natural importance of information. It's inherently interwoven into our lives, we don't even know how we'd act if we couldn't have any privacy. It could be debilitating for our intellectual development.

Surely this is a thing worth thinking about, and possibly fighting for? Otherwise, someone could simply extrapolate from our use of earlier weapons that we will probably have nuclear war, so all activism about anything is moot. This sort of careless extrapolation is beside the point EVEN if it's true.

> Otherwise, someone could simply extrapolate from our use of earlier weapons that we will probably have nuclear war, so all activism about anything is moot.

I don't think we should stop nuclear weapons either...

Transparency is only scary when you're constantly reminded you should have something to hide.

I blame privacy advocates for sustaining this so-called chilling effect.

In reality, the chilling effect is a consequence of poor judgement. Those who are wired correctly shouldn't fear making mistakes, and should instead embrace the learning opportunity. Only then can a person really be honest and enlightened.

Privacy correlates with intolerance. We should strive to eliminate both.

This is easy to say when you live in a situation where you're part of the majority and all your behavior is within strict limits of the current culture.

Take homosexuality for example. Having that information in the open means death in plenty of places. In addition, even in places like the USA it has become accepted only fairly recently but would have gotten you in serious trouble a while back. Culture change can't happen if any event towards this change is immediately punished. The change needs to start small in closed private social circles. Only when a lot of private battles have been won is there hope for a more mainstream acceptance of a new norm.

Take being Jewish for example. In 1920s Germany it wasn't that big of a deal if people knew you were Jewish. However things changed, different people got in power and started to abuse it. What was previously a simple case of "I got nothing to hide" suddenly turned into a question of life & death. It's naive to think that these kind of events will never happen again in any place in the world.

Losing privacy would greatly hurt any cultural change that needs private law breaking, and this includes any future laws.

As for technological progress stopping, of course it isn't going to stop. However this goes both ways. Privacy protecting technology also has progress. Any technology that reduces privacy has a counter-technology that protects privacy. What's more, we can use the same political system that could hurt us with a lack of privacy to instead protect our privacy by prohibiting/limiting privacy breaking activities.

Of course no progress just inherently happens. There are actual driven & talented people working on both sides every day. There is no inevitable victor here, there isn't even a clearly leading side yet, it's very close with strong trends in both privacy-reducing & privacy-increasing directions. Every contribution matters and it's definitely not too late to decisively lead us to a far more private world.

> Take homosexuality for example. Having that information in the open means death in plenty of places

The fancy cyber word for this is "Opsec". If you're living somewhere where your homosexuality will get you killed, STFU. Don't email people about it. That's really tragic and wrong, but it's reality.

In an era where military supremacy has made decisive military action impossible, the reality is that ISIS type people duping the simpleminded to commit horrific acts is a thing. That's makes a vision of privacy that most people Instinctively want a threat in many people's eyes.

ISIS et al are an excuse in anti-privacy moves. More people die to bee stings etc than to terrorist attacks. What's more, the terrorists that get caught are caught thanks to classical investigative work not dragnet spying. It's a classic case of exploiting the fear of the masses to shift even more power to those in power.

Yes, lots of people will need convincing to make political progress towards more privacy. The same holds for less privacy.

It is worse that not emailing people about it or even mentioning it. Facebook will know your sexual orientation without you ever saying a word about it.

This is what's increasingly worrying, they don't even need you to tell it like it this, they can find about it by analyzing your everyday behavior.

I don't disagree. The only thing to do as an individual is to seek refuge, either by hiding or moving.

It's a tragic state of affairs.

Privacy correlates with intolerance. We should strive to eliminate both.

OK, let's make a deal. You permanently eliminate all intolerance from everyone who could possibly have a negative influence on anyone else's life, and I'll accept that eliminating privacy might not be catastrophic for someone. Fair?

In the meantime, the point of advocating privacy/anonymity rights is precisely that there are power imbalances in the world, and some of the people more powerful than you probably do have prejudices that would make your life worse if they acted on them, consciously or otherwise.

I have a bank account which I manage online. I am not ashamed of it. Yet the password is something I wish to hide. That's privacy, at the most basic.

One could argue that this is security, so someone wouldn't be able to misuse the funds in your account. The password itself isn't interesting; just the access to information and funds is. Perhaps a better example would be whether your account balance and transactions were publicly available?

What is security if not a way to keep something private?

Museums have security, yet they share their contents. Security does not exist solely to protect privacy, unless you expand privacy to mean something much broader than what people generally mean when discussing privacy.

And regardless, my point was to provide a clearer example: that the secrecy of the password is accidental: the privacy it's protecting is the account.

I think you'd get a lot out of reading Daniel Kahneman's "Thinking, Fast and Slow" and Jonathan Haidt's "The Righteous Mind". They're not directly related to privacy, but I found them really helpful in understanding human psychology and different aspects of human thinking.

Everybody has something to hide.

You might claim there is nothing in your thoughts or actions that wouldn't mind the world seeing but that would make you either wrong about yourself, or incredibly rare as an individual if true.

Humans might be a social species but there is a colossal rift between social species and the hive-mind you seem to be advocating.

I would also be careful with statements like this;

Those who are wired correctly shouldn't fear making mistakes

Judging what does and doesn't constitute 'wired correctly' has led to some serious atrocities in the past.

If I was able to do so, would you agree to allow me to publish real time any thought you're having and any information that's in your brain?

Welp, we're fucked.

No, everyone understand privacy and it's value, they don't understand privacy ONLINE.

No, there's plent of offline examples too.

For example, some countries require consent to take a picture of a person in both public and private place.

Not everyone values privacy the same way.

Or perhaps you're saying that if you value privacy differently, then you're not a True Scotsman?

Already provide one example, but another might be that all parties that might be on an audio recording must agree to be recorded prior to the recording being made.

Yeah but how will you know? Sure you could sue someone who publishes a tape of your conversation, but if they simply use the information against you without exposing the fact of its existence you're fucked anyway.

Even worse, what if, besides just recording your conversation, they go even further and understand and remember what you said? That could potentially be even more harmful!

I found https://prism-break.org a good list of software/services helping our privacy.

privacytools.io is great too. (Disclaimer: I contribute to it a bit)


- print a letter on a laser printer, drop it off at any USPS pickup box. No return address. Strong 4th amendment protections

- write in a journal with a pen

>print a letter on a laser printer

but be careful, just for a case:


This jumped to my mind immediately with the laser printer mention!

here is a stupid argument for privacy that i just invented based off of the article's mentioning of 1776:

if the british colonists had no privacy, the american revolution would never have happened. troublemakers would have been either nipped in the bud, or never even thought that they could successfully challenge the existing power structure.

what god-fearing amurican is going to argue against privacy when you frame it as a patriotic issue? sure, there's no logic or graceful rhetoric here, but who needs logic when you have emotional arousal?

those of us who have enough brain cells to rub together need to start thinking about how to slam the idiots with arguments they can't get around while maintaining a veneer of nationalism. "you're unamerican if you're against privacy, because we needed privacy to execute the most hallowed event in our civic religion: revolution against the british." that kind of garbage.

it's time to discard clean argumentation and jump into the mud-- it's the only way to make people care about an abstract issue that people have been taught to disregard like privacy.

You've just come up with a variation on the theme of "First they came..." [1] by Pastor Martin Niemöller (1892-1984).

> First they came for the Socialists, and I did not speak out—

> Because I was not a Socialist.

> Then they came for the Trade Unionists, and I did not speak out—

> Because I was not a Trade Unionist.

> Then they came for the Jews, and I did not speak out—

> Because I was not a Jew.

> Then they came for me—and there was no one left to speak for me.

The deeper reasons for privacy are historical, political, and ultimately may become a matter of life or death. It wouldn't be surprising, history is full of precedents.

[1] https://en.wikipedia.org/wiki/First_they_came_...

The problem with that argument is with people who argue poorly. The American Revolution required privacy which means we went to war. Ergo, the response is then, "What are you trying to overthrow the government?"

They don't fundamentally see the need for privacy. They don't understand the value of privacy until they're having weekly home inspections for health purposes (read: contraband). Then the response is, "You think the government is going to shore up enough manpower to start searching everyone's home on a weekly basis?" Well, no. But as a former servicemember, I lived that life. It's the same thing they're doing with your digital information, but instead of the known inspection where you can hide something, it's everything at all times.

Instead of addressing the point, they deflect the argument.

It's not stupid, it is logic and not just emotional arousal, and it is actually fairly clean argumentation. The issue isn't just the American Revolution. It's the French Resistance. It's protecting the ability to prevent the Federal government from imposing a tyranny today. (The person you're talking to may feel there is no such danger. Ask them how they would feel if Hillary had won.)

It's unfortunate that you use such inflammatory language because you are basically correct. Dissent cannot exist in a culture without privacy. Either privacy through obscurity, or privacy through so much being out in the open that finding signal in noise is impossible.

Unfortunately modern machine learning tools all but destroy any chance of privacy through noise.

I remember reading a piece showing how with metadata alone it would have been trivial to identify the main actors of the US revolution before they could even start and prevent them.

Sort of what the predictive policing does in the US with crime.

It would be nice to see the issue of privacy, especially in regards to data privacy, evolve beyond a black and white matter. Privacy is important it allows for a bubble of safety and security in our lives. On the other hand, there is real value and utility through data, but often at the expense of privacy.

I think that the trade-off between the utility of data and privacy can be explored in such a way that everyone benefits. Ensuring a balance of power in regards to privacy between individuals, government, and private entities is a worthwhile, but difficult, venture. Data is a good medium for this discussion because of its increasing value in an age where we're collecting more than we can use. Government and society can benefit from data driven policies and public datasets (ala data.gov). Individuals can regain control and benefit from a collective use of data. Corporations already hold and make profits on massive monopolies of user data, but often liability involved with private data preempts sharing.

I think these kinds of conversations will need to be tackled and absorbed by the wider audience before it can have a real impact. In any case, it will be interesting to see what direction privacy as an issue goes toward. Personally, I will be continuing to be more aware of the issue and use products that have privacy in mind.

Why is "very few people care" an argument _against_ privacy solutions? There are so many niche markets in this world. Not everything needs to be a billion dollar business.

Its the inverse of network effect.

A few years ago I bought a GPG card and used it to encrypt long term backup media. I created a key, did the whole PGP thing, etc.

It was cool and all, but it's value from a communications perspective is zero. I have about 2,000 contacts that I keep track of... and exactly two had public keys. The value of that network is near zero, because I really don't transmit anything via e,ail that has a high value justifying the considerable hassle.

At work, we have the ability to use Microsoft rights management to optionally encrypt email or attachments. It is easy as pie -- literally press a button. In some cases Outlook will nudge you to do so! With nearly 400M messages, less that 20k were protected, and most of those were for a pilot using policy based encryption.

People aren't paranoid enough. Being paranoid carries so much negative stigma, it feels that we are selecting against it. Try to a remember the last time you revealed your paranoia and weren't a complete buzzkill. But hey, you can fear what you know. You can even fear what you know you don't know. But you can't fear what you don't know you don't know!

"Missed any? Shoot me a message on Twitter: @bitario"

I don't have a Twitter account, but if the author happens to be reading this (or if anyone wants to shoot a message to him), I use Threema for secure messaging. I love it. But I admit to not having used the others so I can't comment on how it ranks against the competition.

https://threema.ch/en https://play.google.com/store/apps/details?id=ch.threema.app...

What's the advantage of this over, say, Signal?

Is signal previous name textsecure ? Those who dropped SMS support of their secure texting application so now it requires a data plan to be remotely useful.

That's about when Openwhisper / Signal lost me, I'm not gonna trust them with anything anymore. Also worth mentioning that all communication go through a single point of failure central server, it requires a phone number to register and is not available outside the worst privacy offender device: smartphones.

You can chose your identifier (not linked to a phone number). On the other side they are closed source.

The simplest argument for privacy: if the powerful value it, so should you.

The slightly more complicated truth: people with power have different problems and threats.

True. But then, keeping within the frames of parent's argument, if you want power (you do), you want privacy.

Sort of ironic to see bitcoins being hacked away due to lax security with the phone system, too. Ud think after mitnick, it wouldnt be possible, but our leadera today are actively choosing to ignore history's lessons, and we enable them.

Privacy and Security are the battlefields of today, and the wars of tomorrow. It'll hurt Badly when that impending 1984 world rains down on us, very soon. That said, we'll win, eventually. :o)

I'm not so optimistic.

I don't believe people will ever get their liberties back when they are finally all taken away. :(

Our naive and apathetic population will find out eventually.

Society is a sleeping giant. Aslong as food and shelter are there, people will stay dormant.

But eventually, one of these two things will be taken away. Maybe food. Maybe the security of shelter... Look at North Korea, defectors left and right, despite the horrors. Though ill admit to the difficulty of localities. Horrors can be committed, and sustained, upon a minority, while the majority sleeps, we enable north Korea, but only because it's a local, distant horror.

Bur when the majority is fucked.. The hackers, the rebels, the adamant few WILL fuel the fires of revolution.

But ill admit again to the sophistication of our current system and it's cruelty. It will delay improvement. It's a cat/mouse scenario. We're the cat, and we're sound asleep for now. Trump and the falling apart of the EU will shake the house though. Or maybe they wont, but stench of war is in the air.amd the higher ups, no matter how sophisticated, are only human.

It's important not to give in to desperation and paranoia. Education (math, science, history, art) will help keep the population capable and give them the tools to transform society when the day comes where we must act.

It's nice to have a private notes app, my bigger concern is about what happens as the entire ecosystem becomes increasingly monopolized.

Any platform enhanced by ML powered by proprietary data will create huge barriers to entry for potential competitors. Even if privacy becomes important to consumers, app alternatives with have to at least match the mainstream version in 100 other ways. As much as Google has contributed to ML tooling and research, their data will ensure that services like Duck Duck Go stay obscure.

Network effects, economies of scale and the dynamics of VC funding will all exacerbate this as well.

You're right in that it's hard to create a new billion dollar privacy company. But there are plenty of opportunities to create "small businesses" focused on privacy. Basecamp sized companies. In fact, that's the advantage small founders have now: is to not be big, but be intentionally small.

Yeah, that's true, I do dream of a future where more people are creating toy apps for their friends and family with no intention of scaling. Udacity has strayed a little bit from this with their focus on ML courses, but SMBs are absolutely preferable in my mind.

EDIT: also why I love FOSS.

ML - Machine Learning [I may be the only one here who did not know what that means, but in case there is another]

I have in recent months become increasingly aware of this, and have taken steps towards being more private online but I am not completely there yet. Though I do run Linux, stay shy of social media and use Signal for messages, I still lacked a better email provider. (And I am still looking into which VPN to get)

This article was the push that I needed to also finally ditch my old (hotmail) account and switch to protonmail. When you have a lot of communication going on with an email account I feel like the change is not that easy, but it'll be worth it.

Last year I looked at various services for email and finally switched to posteo.de. It's cheaper than Fastmail and Protonmail listed in this article, promises privacy and the company has a lot of good ideals and actions that I like.

I needed IMAP and didn't want to be locked in to one provider if I ever wanted to move out (Protonmail's IMAP is just now in beta, more than two years after the request was made by people, and all users are tied to Protonmail because there is no export of all mails or non-Protonmail-app mechanisms to retrieve mail).

The lack of custom domain support in posteo (for privacy reasons - what it calls "data economy") was a concern for me on portability, but it's a compromise I decided to make.

It's not that privacy isn't locally good if it could be had, it's that or can't be had, and letting only some people (more powerful) have privacy is actively bad.

Just like we have to prepare for the post labor society, we have to prepare for the post privacy society. It's not about what we'd like to be true, it's about what's actually true.

Whenever I ask questions about people's attitude towards privacy they also end up with, I have nothing to hide, and all counter examples are vague and not directly applicable. I'm working on turning the privacy talk around, to frame it around the loss of freedom, Freedom from criminals, Freedom of relationship, Freedom of self expression, Freedom from profiling. We can then explore which freedoms are relevant to the individual and which are not.

Freedom from criminals: Computer systems are not secure. The more we share online the bigger the danger when the data is leaked. A very real concern that is often overlooked is that governments and companies are incapable of keeping our data secure. By collecting addresses, medical data, bank information we are all exposing ourselves to risks of having our identity, money and medical information stolen or to be held for ransom.

Freedom of relationship: Private conversations can be made public, your opinions and interests can be made public without your intention. For example facebook changing their privacy settings suddenly makes your private links shared, or private matters suddenly appear where you don't intend them to be. Like product adverts showing up at work, sharing our private purchases with colleagues.

Freedom of self expression: We loose control of when content goes public. Suddenly our ideas and works can be shared without our consent or credit even without our knowledge. An art sharing site suddenly uses our work in private folders for advertisements because they now have access to them. When uploading on line we lose control of our data and if they are taken there is little recourse.

Freedom from profiling: Decisions are made about you without your direct input affecting the news you see, the products you are advertised, and the prices you are offered. Governments have started placing us on lists along with real criminals based on where we have been, who we have met, and what we have seen. We have no control of the profile that is made on us and we have no access to it.

We, those worried about privacy, can see the overlaps between the loss of freedoms, but by presenting them in these forms it makes for conversations that continue beyond I have nothing to hide. Depending on who I am talking to I can question into which freedom they are comfortable losing and which they are not.

Personally living in a 1st world country with an stable and amicable democratic government my greatest concerns are freedom from criminals and freedom of self expression.

Just use Snowdens quote: saying you don't need privacy because you have nothing to hide is like saying you don't need free speech because you have nothing to say.

To be honest, I actually ran a very private setup (Copperhead OS, Protonmail, MacBook with all non-draconian privacy settings turned on) for about 2 years, but in the end I realized I was gaining (almost) nothing compared to just Google's services, and losing a whole lot in terms of ease-of-use and integration. All in all its the same thing with privacy as it is with security: you can create all the good systems in the world, but if its a hassle, you'll run into privacy/security fatigue soon and the whole system becomes moot because you'll be the weakest link and start bypassing your own systems.

I really like this stance, I think this argument needs a little more sharpening so that it generates action from people who not in our bubble outside of the tech scene.

Really enjoyed this post, seriously, thank you.

Does anyone know what the title image comes from and/or why it's relevant? I really like it!

It's the cover art to an edition of The Martian Chronicles. See:


Civilization is the progress toward a society of privacy --Ayn Rand

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact