Alternatives to Google Products (restoreprivacy.com)
1169 points by wuschel on June 10, 2018 | hide | past | favorite | 504 comments

Hi all,

I'm an engineer working on Firefox Platform (Gecko). In the linked blog post, the author recommends Firefox (thanks!) and links to "privacy recommendations" for it, which include items such as the "resistFingerprinting" setting.

I'd like to remind everyone that turning on this setting has far-fetched consequences for how you experience the Web. Your dates, timezones, and preferred languages will all be masked, which will result in weird experiences.

The option is behind a flag and without UI precisely because it is a pretty complex feature that we haven't ironed out yet, and which should be well understood before being used.

It concerns me to see it being referenced and recommended without any explanation whatsoever.

Of course I'm likely biased because I'm on the receiving end of bug reports from people who experience the Web in weird languages and with wrong timezones because they followed some tutorial that recommended it. :(

Is there a moderate resistFingerprinting setting? I don't mind my date/tz/language being known. There are 150m+ people living in my timezone who use en-US.

I don't want my fonts, plugins, user agent, or detailed HW/graphics features (e.g. canvas/WebGL hash) being known. Those can uniquely identify me according to https://panopticlick.eff.org.

> Those can uniquely identify me

So does your resolution. And that's hard to mask because JS usually needs to know it.

If you're not using the browser fullscreen, chances are that you're using a unique innerWidth+innerHeight.

As unsatisfying as it is, the current best solution seems to be not to care about privacy most of the time, and then take privacy seriously when you do. Whonix is excellent for this.

Your resolution alone will not likely uniquely identify you. The idea is to eliminate many of the data points that make it easy to track you across IPs. Resolution is very common if you're browsing with a maximized window so it's not in the same league as these others that quickly diverge amongst users.

No, not alone. But if you're not masking your IP address, it probably will.

Weirdly, I tried to measure how unique my window.innerWidth/Height was, but panopticlick no longer seems to measure this. It only uses my full screen resolution, which of course is much less unique than canvas dimensions.

> No, not alone. But if you're not masking your IP address, it probably will.

If you're not masking your IP, resolution and anything else is largely irrelevant for tracking you.

The Tor Plugin sets the window sizes to predefined values that match various fullscreen resolutions. So there are options, but they all involve tradeoffs.

Don't huge swaths of people have the same resolution, though? Yes, I understand other things come into play here (OS, Browser, available plugins, etc) but I am skeptical that people are really building UUIDs based on someone's screen resolution. Or, if they are, that such IDs are meaningfully accurate.

It's all about the bits. You need 33 bits to identify 8 billion people. All that is required is for these bits to be independently uniformly distributed.

Say everybody uses one of four resolutions equally. That's two bits: 00, 01, 10 and 11. Now let's say that people's gender is also binary, distributed 50/50 and independent from what resolution someone uses. You can just tack that bit onto the two you already got and now you have three (the ability to distinguish between 2^3 = 8 individuals).

I won't go into the details, but if you have an estimate for the probability distribution of browser resolutions, it's fairly easy to extract the proper amount of bits of entropy. Being independent is a bit harder to make sure of, but as long as you pick things which aren't too obviously correlated, you can just take a safety margin and use, say, 40 bits to identify people, and it's probably fine (and for tracking purposes, a false positive isn't the end of the world, either).

That said, while I support the concept and idea behind panopticlick, I've always felt it overestimated the unicity of my browser. Or maybe I just really underestimate it myself. I don't know.

Not if the browser is not full screen, this is resolution/size of browser window.

Nope, you can get the screen size, too:

    > window.outerWidth
    > screen.width

But I resize my browser all the time? Even with timezone + language surely it's a very short lived fingerprint? When it's not manually sized it's snapped to either side of a standard screen.

idk - it seems like that can't be enough?

If fingerprinting uses a hash based on a number of input criteria, then you only need to perturb one of those inputs to make the entire hash unusable. Perhaps Firefox is perturbing the other inputs (?) such that screen resolution doesn't matter much. (Just guessing and looking for a positive angle here).

I had to work on fingerprinting (not my proudest moment) and disabling hashing to avoid this problem was literally the very first thing we did. Just a datapoint, of course.

True, but that's assuming inputs go to a hash rather than something more robust like a probability function.

It's hard to imagine any non-toy implementation of fingerprinting doing anything that naive, really.

> As unsatisfying as it is, the current best solution seems to be not to care about privacy most of the time, and then take privacy seriously when you do. Whonix is excellent for this.

No offense, but advice like this is useless. It reduces to, "someone I don't know thinks the average person with no special risk factors should think this way about their personal privacy based on who knows what priors."

Different people have different reactions to risk, have different actual exposures to risks, different competencies, and different tolerances for the hassles of opsec. And potential future risks of data slopping about are unknown.

There is no such thing as a "best solution" when talking about this.

Assuming there are 4k possibilities for width and 2k for height, that's 8 million possibilities right there. Compared to ~2 billion people accessing the internet, the odds of having a unique one seem really, really low.

It's one of many different data points that can be used to identify you though, and if you aren't full screen at a standard resolution then it's a very good one.

Of course keeping in mind that a good number of those will rarely be seen. (e.g. anything less than 100px)

> JS usually needs to know it

What do you mean by this?

JS is often used to change the position of elements based on the window size. If you give it wrong info, it will break the layout.

True, but if you round it down to the closest multiple of (say) 32, you significantly reduce the information content while leaving JS/CSS layout essentially the same.

Indeed, it will surely make resize look less sexy (jumping by 32s instead of pixels), and you might waste a few pixels of screen real estate on some sites at some times -- but it's the kind of tradeoff that some people happily do for more privacy.

Related, does anyone know if privacy badger include "screen size determination" in its heuristics?
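The "it's all about the bits" reasoning and the round-down-to-a-multiple-of-32 suggestion above, worked through as an added example that is not from the thread or from any browser or extension it mentions; all distributions are constructed toy data and the function names are mine:

```javascript
// Added example (not from the thread): quantify how many identifying bits a
// fingerprint attribute contributes, and how coarsening a value reduces them.
// Every distribution below is constructed toy data, not a real measurement.

// Surprisal of one observed value: -log2(p). A value shared by 1 in 4 users
// carries 2 bits, matching the "four resolutions = two bits" comment.
function surprisalBits(p) {
  if (p <= 0 || p > 1) throw new RangeError("probability must be in (0, 1]");
  return -Math.log2(p);
}

// Shannon entropy (expected surprisal) of a distribution given as a plain
// object of value -> probability. Probabilities must sum to 1.
function entropyBits(dist) {
  let total = 0;
  let h = 0;
  for (const p of Object.values(dist)) {
    if (p > 0) {
      h -= p * Math.log2(p);
      total += p;
    }
  }
  if (Math.abs(total - 1) > 1e-9) throw new RangeError("probabilities must sum to 1");
  return h;
}

// Independent attributes add their bits, as in the resolution + gender
// example. Correlated attributes add less, which is why the comment takes a
// safety margin; this helper does not try to detect correlation.
function combinedBitsIfIndependent(...dists) {
  return dists.reduce((sum, d) => sum + entropyBits(d), 0);
}

// Number of people the attributes can tell apart when evenly spread: 2^bits.
function distinguishable(bits) {
  return Math.pow(2, bits);
}

// Defensive coarsening: round a window dimension down to a multiple of `step`
// (the "closest multiple of 32" suggestion). Layout code still gets a usable
// number; an observer gets far fewer distinct values.
function coarsen(px, step = 32) {
  if (!Number.isInteger(px) || px < 0) throw new RangeError("px must be a non-negative integer");
  if (!Number.isInteger(step) || step <= 0) throw new RangeError("step must be a positive integer");
  return px - (px % step);
}

// Push a distribution over exact pixel widths through `coarsen` and return the
// induced distribution over buckets, so the two entropies can be compared.
function coarsenDistribution(dist, step = 32) {
  const out = {};
  for (const [w, p] of Object.entries(dist)) {
    const bucket = coarsen(Number(w), step);
    out[bucket] = (out[bucket] || 0) + p;
  }
  return out;
}

// Constructed toy data: every innerWidth from lo to hi (inclusive) equally likely.
function uniformWidths(lo, hi) {
  const dist = {};
  const n = hi - lo + 1;
  for (let w = lo; w <= hi; w++) dist[w] = 1 / n;
  return dist;
}

// Scenario from the comments: four equally common resolutions (2 bits) plus an
// independent 50/50 attribute (1 bit) give 3 bits, i.e. 8 distinguishable people.
function threadExampleBits() {
  const resolutions = { "1920x1080": 0.25, "1366x768": 0.25, "1440x900": 0.25, "2560x1440": 0.25 };
  const binaryAttr = { a: 0.5, b: 0.5 };
  return combinedBitsIfIndependent(resolutions, binaryAttr);
}

// Effect of coarsening: 256 equally likely widths (1216..1471, aligned to 32)
// carry 8 bits; after rounding down to multiples of 32 only 8 buckets remain,
// i.e. 3 bits. The observer loses 5 bits from this one attribute.
function coarseningExample() {
  const exact = uniformWidths(1216, 1471);
  const bucketed = coarsenDistribution(exact, 32);
  return { before: entropyBits(exact), after: entropyBits(bucketed) };
}
```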

I can't imagine that's 'usual'; most sites will do absolute positioning in css, if at all. As you suggest, trying to layout pixel-by-pixel designs is notoriously awkward and best avoided.

I'm not talking about absolute positioning, but calculating positions and width/length based on rules (like the browser does with CSS, but for stuff the browser can't do). For example: https://css-tricks.com/scaled-proportional-blocks-with-css-a...

Sure, I just don't think that kind of thing is 'usual'.

You could still do fingerprinting for resolution based on media queries in CSS.

That https://panopticlick.eff.org link was interesting, but I don't see what about my user agent string makes it so unique (1: 76540.09) ?

  Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.62 Safari/537.36

Looks fairly generic, I think I'm running a mainstream chrome browser on a mainstream OS.

One problem is that your user agent is matched against all tested user agents from all times. This includes very old ones. If the user agent was used to track you online, they would account for that it frequently updates and for a lot of users (considering that most browsers update automatically these days).

So the site should really only take into account your OS, maybe its major version, and browser version (which changes frequently so trackers can’t rely on that). Or at least not count any that are not used anymore.

Using Javascript the page can query more details about the environment including installed plugins, addons, configuration settings (language etc), certificates and fonts. That combination is often unique.

This is amazing, I use Ghostery, Privacy Badger and Scriptsafe in Firefox, and I was MORE private in non-private window! wth?

I suspect it's partly because these plugins don't function fully in a private window?

After the constant succession of revelations of the sorry state of privacy, along with myriad data breaches, all I want a browser to do is lie and obfuscate. So I'll gladly take the sledgehammer boolean of resistFingerprinting for now.

I've yet to come across an extension that does something like this so I'm presuming it's not possible via extensions?

Are Mozilla working to make this more granular and let me whitelist individual features on a per site basis?

I'd far rather lose tracking than get the very minor benefit of a (slow loading) web font or en-GB over en-US. Especially if I can opt in the few I trust or need those features.

> After the constant succession of revelations of the sorry state of privacy, along with myriad data breaches...

I remember reading an article about how Richard Stallman interacts with the internet a while back. I remember thinking that it seemed totally insane. But in light of the reality of 2018, I am coming around. The way I see it, I can keep tweaking privacy settings in a browser, or opting out of collection, or doing any number of other things to attempt to protect my privacy, _or_ I could just stop using services that do not respect my privacy in the first place. Perhaps certain aspects of modern life have taken too much, and they need to be abandoned until they are reformed?

> I remember reading an article about how Richard Stallman interacts with the internet a while back.

One of these you mean?

[1] https://news.ycombinator.com/item?id=16869515

[2] https://stallman.org/stallman-computing.html

It was directly related to #2, but I only made it there as a result of reading some other article. It has been a while and I don't remember the source.

I agree. I'm coming around to some of his view, and no longer see him as quite so extreme. Still think he weakens his message with the alternative language, like "used" instead of user etc. Always have.

The difficulty of course is right now it's nearly everyone at it. Too early to say if GDPR will make an appreciable difference, though it seems like it should. So that leaves few choices outside of gnu everything or layers of hacks and browser extensions. I have hope that many services will start being much more careful in what tracking and data they actually need after recent events.

The irony is that everyone knows a bit too much about RMS and exactly how he behaves online or in interviews. His efforts at privacy have backfired.

RMS’s efforts are not for privacy as some absolutist doctrine: no one must know anything about me. Instead they are about freedom: people should know about me what I let them know about me; I am in control of my data and my online presence. We know lots about RMS’s internet habits specifically because he shares them with us using free and open services.

He's put his own special RMS twist on the classic 'vagrant in the library' model of internet use, taking it a step further by shunning browsers entirely and not using cellular devices. IIRC, he does explicitly mention privacy as being one of his motivations.

For FF: https://addons.mozilla.org/en-US/firefox/addon/random-agent-...

I think this one is no longer working with the newest FF versions, but check back in on it every once in a while.

For Chrome: https://chrome.google.com/webstore/detail/random-user-agent/...

Not as configurable as I'd like, but it gets 25% of the job done.

I actually used to use the Firefox one. IIRC when they changed the extensions system the dev announced he couldn't support it in the new system.

Time to give the chrome one a look, thanks.

NoScript, uBlock or uMatrix offer this (largely). Fingerprinting relies heavily on Javascript. Many sites work just fine without it or with first-party JS only (fingerprinting is mostly done by third-party trackers).

If Firefox really cared more about privacy than about its money flow they would have disabled 3rd party cookies by default instead of explicitly hiding¹ that setting.

Apple can do it. There's no reason why Firefox can't. And if there is a reason, it should have been dealt with years ago.

¹ I just noticed that in Firefox 60, the setting is no longer as hidden as it used to be. Good!

Most casual users would be quite upset if cookies stopped working. "Why does this site not stay logged in"? Etc.

You think Apple is upsetting casual users?

Not all cookies, just 3rd party ones.

I don't know, I think if a user is following all of the steps in this article, they likely know what fingerprinting is. Running an Android device without the Play Store, for example, is by far a much more difficult & complicated thing to do than just toggling a flag in a Firefox browser.

That, and the user is likely used to having less-than-ideal browsing experiences if they run any adblockers. I do agree that the article should outline what the consequences would be for disabling browser fingerprinting; they simply have one sentence recommending it, and nothing else.

By the way, what does GDPR say about fingerprinting? Is it legal? (Asking because the EU explicitly made cookies an opt-in technique, but not sure if they considered fingerprinting).

The EU did not make cookies an opt-in technique. The EU made irrelevant cookies opt-in. Cookies that are essential for the functioning of the service do not need a notice. If you require user accounts, you don't need to show a cookie notice. If you implement a shopping cart without user accounts, you also don't need to show a cookie notice.

Unfortunately most websites don't understand this simple idea and show the cookie notice indiscriminately (or, perhaps, they just all use cookies for tracking in which case the notice should be there).

That’s one of the most frustrating aspects of GDPR in relation to cookies - many businesses that could happily run a site with no cookie opt-in end up implementing one anyway because that irritating pop-up gives the end user a perception of ‘handling privacy well’.

I’d be so keen for the solution to lie in the browser UX- in the same way as we currently request location information - rather than the current mish-mash of badly implemented, often disingenuous site overlays that have become the modern equivalent of the ‘enter site’ splash screen...

> That’s one of the most frustrating aspects of GDPR in relation to cookies - many businesses that could happily run a site with no cookie opt-in end up implementing one anyway because that irritating pop-up gives the end user a perception of ‘handling privacy well’.

Have you actually seen examples of that? sad...

If you're a business, you have tracking on your site. The cookie warning it's almost always warranted.

Probably most websites use Google Analytics or an alternative.

> Probably most websites use Google Analytics or an alternative.

How is this not essential though? You can't effectively run a business without some understanding of your traffic and where it's coming from. Also, you can use Google Analytics in a way that doesn't store PII.

I could run the business just fine without Google Analytics. Would just be in the dark a bit more.

I'm not associated with EU so I haven't pondered on this as much as others. My first thought is that this should really be up to the browsers and their users on what info Analytics software is able to work out just from the user being on the page.

Users should just assume that every business will absorb all available information. At least then we wouldn't see those ridiculous cookie notices everywhere.

As a web developer, I'm kinda surprised 3rd party cookies ever became a thing in the first place.

> Users should just assume that every business will absorb all available information.

Users don't know what "available information" is. And frankly, not even the browser developers do - we keep discovering new ways to track people (e.g. using ETags) with features that weren't intended for that. So it's quite hard to claim the user can simply decide what to share.

Yea, maybe you should prioritize 'ironing' it out.

This feature is not even part of the UI yet. It's in progress. I really don't understand why technical people would start recommending its use to others on blogs in its current state. All you create is lots of bug reports coming in to Mozilla, forcing them to put resources into responding to users who blindly followed the blog and now their Firefox is "not working" anymore.

>I really don't understand why technical people would start recommending its use to others on blogs in its current state.

Because when ordinary users ask "what can I do to protect my privacy?" you have two possible answers:

a) "Nothing, you're not smart enough to do this, you're screwed"

b) "These things"

B has a high learning curve, but telling people about it scares them off. If you care about your friends' privacy and want to get them past that learning curve, it's better to let them stumble into issues and be there to answer questions.

But then the answer is not "These things" and let the FF devs deal with the fallout. The answer would be "This is what you can do, and you'll see quite a few odd results. Ask _me_ when you have questions and I'll explain as well as I can."

I have quite a few of these switches on. First party isolation for example breaks the paypal payment flow on some, but not all, shops. It also breaks quite a few pages that recognize it as an adblocker. I know what to do if that happens, but I would never just recommend enabling that switch.

Do you know why there are so many separate things bundled under a single flag? Would it take much effort to add sub-flags for entirely separate anti-fingerprinting features?

I’m certain they’ll accept help. So maybe go test, report bugs and issues and get involved if that’s a priority for you. Triage some of those weird bug reports. Write a guide on how to properly enable the feature, what it does and what to expect if it’s enabled. Explain what’s a bug and what’s just part of the expected - and sometimes annoying - behavior.

Or just donate if you can’t do any of those things.

Prioritize it over the probably 1,000s of other things they have to do, which we might not have any idea about? Just because one person was kind enough to try to help people with a short cautionary message, therefore bringing this specific issue to our attention?

I'm a little discouraged when I see articles like this that seem to be completely tuned for developers or look over completely decent pro-privacy alternatives like Apple.

For example, the "best" calendar alternative is Etar which looks to a Github repo. Really? At the very least you could mention Apple Calendar. Is Maps.Me (which uses AdSense) really better than Apple Maps? I'm not a fan of hooktube either - it just further cements YouTube's monopoly.

I think what bothers me is that "privacy focused" tends to be conflated with FOSS. I'm really thankful for organizations like Mozilla and Signal that are trying to deliver privacy focused applications to real people. However I also think we should recognize Apple-like companies who are also privacy focused without necessarily being FOSS. I think that will help move more non-technical people out of central databases.

It's not that "privacy-focused" tends to be conflated with FLOSS. Rather, it's nearly impossible to guarantee privacy in proprietary software. The transparency of FLOSS makes it trustless. Want to know what data of yours, if any, is being collected? Look at the code.

This is why, when it comes to privacy, Apple isn't worth consideration. All we have is their word, and that simply isn't enough.

> Want to know what data of yours, if any, is being collected? Look at the code.

I find this to be an extremely un-compelling position. A relatively small proportion of the general population has the skills to meaningfully look at the code, never mind the time. Moreover, even for someone who is capable, such an exercise quickly becomes non-trivial on an unfamiliar codebase for an app of any complexity.

In many cases there's also no guarantee that the code you're reading is the code that's running.

> I find this to be an extremely un-compelling position

It's more damaging than that. The bundling of privacy and FOSS advocacy weakens the former. Few without deep technical knowledge are sympathetic to FOSS. The potential audience for a privacy pitch is broader. By bundling the two, however, the technical advocacy community limits the appeal of the former to those supporting the latter. This is an issue because the opponents of privacy rights are not similarly limited. Hence, we find ourselves reliant on Google, Apple, Facebook and Amazon being benevolent dictators, in their services and Washington.

> Few without deep technical knowledge are sympathetic to FOSS.

Few without deep technical knowledge even know what FOSS is.

Yes, all they know is “this is impossible to install” and “what is a GitHub” and “where do I log in to the cloud?” and “this is the ugliest software I have ever seen in my life”.

Unless we’re talking about hosted FOSS, in which case you get the worst of both worlds.

I run my own mail server so this comes from a place of love: FOSS for server side products for consumers is a joke.

While I generally agree with you about the soundness of the FOSS==privacy argument, I think you're misstating it subtly. The claim isn't necessarily that the privacy sensitive user specifically will be able to audit the source but rather that someone somewhere will have done, and will have written about problems they uncovered. See also many eyes making all bugs shallow.

Not always. Heartbleed was present in OpenSSL for two years before anyone noticed.

Many eyes make all bugs shallow, but if there aren’t enough eyes with the skills or the time then problems will remain deep, even for important software like this.

Perhaps everyone thought everyone else had done the work?

Heartbleed was a very subtle security bug, the discussion here is about privacy violations. You think that detecting if, I dunno, mutt is secretly uploading your contact list is going to escape detection for years?

It will. IIRC HomeBrew’s integration of Google Analytics went unnoticed for almost a year, and only then did they include an opt-out option (it’s still opt-in by default).

Heartbleed was found though.

Thinking out loud here, what's the best counterfactual on HB?

I can imagine a ClosedSSL that gets hammered in a blackhat presentation. I can imagine ClosedSSL getting fixed, eventually.

It's just hard for me to imagine that happening faster because people like Neel couldn't read the code.

Maybe the counterfactual is that ClosedSSL is also well funded and cares deeply about security, so it finds HB internally.

But openness doesn't preclude funding. And closed source doesn't grant you an automatic security focus.

So rich ClosedSSL vs poor OpenSSL isn't an apples to apples comparison.

All things held equal, openness provides one extra possible avenue to find and catch bugs, and so such projects will tend to have more caught on average.

What does HB teach us then? Just that some bugs are hard.

Now, to be fair, if "openness" is just used as a substitute for internal security audits, a way to shrug and farm out that work and blame to passers-by, then that would be obviously terrible.

That probably happens more than we'd like to admit, but I still don't think it's the typical reason people open their code.

OpenSSL can just as easily act as a point towards FOSS for privacy given that it was a vuln that was discovered externally (multiple times by distinct parties).

Closed source code, even if it has no hidden purpose, may be hackable as well. Nothing is perfect. I think you are making an unfair comparison.

That's something reproducible builds address.

You can't check if the server actually runs that reproducible builds.

Right, that really only helps for local binaries.

Even then, it might work well for you, and if I had the patience or the time it could work well for me, but it'll never be of any use to my mum or my brother, neither of whom are technical.

I suppose it depends on how it ends up being implemented. I was envisioning something fairly automated, which could presumably spit out PACKAGE VERIFIED information that could be used in systems not requiring users to be technical.

Apple makes its money from expensive hardware. And respecting your privacy and security helps selling it a lot. And they earned trust by being serious about it for a long time.

Until it paid for them to sell out their Chinese customers. There they didn't think for a second.

I have no more trust in the American government to not spy on its citizens than the Chinese government. If iCloud data is encrypted and only the user has the private key. It's just as secure as being on American servers.

Note that only some of your iCloud data is end-to-end encrypted: https://support.apple.com/en-us/ht202303. The rest is also encrypted, but Apple does have the key and can likely be legally compelled to share it with authorities.

What am I missing? According to the link, everything is encrypted at rest besides email. No one thinks email is secure.

The difference being that Tim Cook handed Beijing the iCloud private keys for Chinese users

How did he do that without completely rearchitecting how iOS works? Do you have any citations?

This is about the architecture of iCloud not iOS. Apple has the keys to all encrypted iCloud data (iCloud email is not encrypted at rest).

The only exception is iCloud keychain, but I believe only if you decline the default setting to create an iCloud security code (I'm not entirely sure about that)

I'm not saying that this is what happened and I don't know the background of this story, but it would have been easy (technically speaking) to just push an update to Chinese users that will extract their private key and send it back to Apple without any significant changes.

AFAIK the Secure Enclave chip is specifically designed to make this impossible. There is no planned method to extract the private key from it. ("Planned method" meaning anything that's not an exploit or an electron microscope.)

Maybe generate the key in the normal processor, send it to apple for escrow, and then push the key to the secure enclave? I have no idea whether the secure enclave supports loading existing keys, but generally this is how it's done.

> I have no more trust in the American government to not spy on its citizens than the Chinese government.

This is more than a little hyperbolic. In the US you need a warrant.

Also, in the U.S., police don’t shoot unarmed suspects, get caught planting evidence on camera and the judicial system prosecuted and convicts fairly regardless of race and class and always follow the rules.....

Apple actually had some of the worst security for a long time. They even lied about Mac OS being immune to viruses rather than admitting market share was so low hackers didn't care about it. They still made piles of money due to great product development and marketing. Their brand was the main selling point for a long time. The iOS situation is quite a turnaround for them on privacy/security. They still sell them on mainly image, features, apps, and so on. Just like before [plus Windows-style app dominance], with privacy/security reporting in media likely about boosting sales.

I don't trust it, though, if we're talking domestic surveillance. The ECI-level leaks said FBI "compels" domestic companies to enable their stuff for eavesdropping. Whatever that means is secret. In the Lavabit case, the FBI argued to the judge that Lavabit wouldn't be harmed if they lied to their customers about the compromise. The judge agreed. So, court orders, fines, retaliation, forced lies, and secrecy orders over all of that are a possibility in the United States. Just don't put secrets on anything made in America or by Americans. You can use American tech for obfuscation or untrusted functions, though.

Pre OS X versions of Apple OS had even smaller market share and way more viruses than current versions with much bigger market share.

Uhm 2014 ... https://en.wikipedia.org/wiki/ICloud_leaks_of_celebrity_phot...

By comparison, while there have been a few issues with Google, for a company that processes so much personal data, their track record is excellent. I can't think of any major personal data leak that could be attributed to Google.

Maybe Apple got better within these 4 years, TBH, they most likely did. However, I don't consider 4 years to be a "long time" for a tech giant. Their privacy focus is relatively recent.

Did you even read the Wiki article you linked to? Even if we ignore your conflation of information security and privacy, the Fappening was not caused by a security breach at Apple, but rather through the use of targeted phishing attacks.

Definitely, and note that GP explicitly mentioned security, which is a good thing because they are tightly linked. You can't have privacy if you don't have security.

The thing is: we often associate ad tracking and (lack of) privacy. It is certainly one aspect, but it is far from the whole picture. The most damaging form of privacy violations are usually not caused by advertisers but first by people who are close to you (ex: revenge porn), and second by hackers (ex: blackmail). I used the fappening as an example because nude pictures are the archetype of private data.

As for targeting phishing, I think companies who take privacy seriously have to do something about it. Phishing is the number one threat users face when it comes to cybersecurity and therefore privacy.

Now comes the debatable part: hackers targeted the iCloud platform, why? Why not Picasa, or Facebook, or whatever place images are stored? My hypothesis is that iCloud was the best target for such an attack, partly because compared to the others, it didn't offer as much anti-phishing security.

EDIT: I just noticed I didn't mention governments. First, for most people in western countries, government is unlikely to be their biggest problem. So I would rather focus on the immediate surroundings (ex: boss, partner, neighbors, etc...). And if the government really is after you, then an Apple solution might be good, but I don't think they are completely trustworthy. They are still bound by US law after all, and they are not completely zero-knowledge. To make things clear, Google and Facebook are also out in that case.

> Now comes the debatable part: hackers targeted the iCloud platform, why? Why not Picasa, or Facebook, or whatever place images are stored?

Possibly because the celebrities targeted used iPhones, and didn’t publish their private pictures to Facebook or a Google service.

The iPhone 5s is the first one with a great secure enclave, and it was planned out a lot longer than 4 years ago.

I use Apple products instead of Google's. They also look much better.

This is true iff you look through the code yourself, or are willing to trust that others have done so in as thorough a manner as your use case (attack vectors) necessitate.

Apple isn't worth consideration if you are willing to put in the effort, or delegate trust, to other systems. If you'd prefer to delegate trust to them, how is that effectively different than FOSS that you haven't examined?


When devs announce how their software handles privacy concerns, they have an incentive to be honest because all it takes is one discovery of conflicting code and their trust is lost. But if the code is closed source, that incentive for honesty is removed. Of course the media can still seek circumstantial evidence and make accusations, but that’s a far cry from version control.

Separately, closed source code invites new incentives to disrespect user privacy for profit.

So, there are these two major categories involved, both of which are mitigated by opening the source code.

Apple remains liable for both of them.

All that Apple has is an observation that they sell hardware too. I guess we are just assuming they already make enough money from advertising as it is and don’t really want more.

I think there is a significant difference.

Companies get hit with multi-million dollar fines for violating their privacy policies. So there's your incentive.

I just don't see open source as better protecting privacy. See for example the telemetry in .NET Core or VS Code [1]. Users discover this stuff by watching network traffic, not through code audits.

1: https://github.com/Microsoft/vscode/issues/16131

Is a multi-million dollar fine enough to matter?

Let’s assume Apple violated their privacy policy and was fined $999 million, the highest “multi-million dollar” fine they could be assessed. That’s just barely more than 1% of their market cap.

Fines are definitely incentive to do right but the fine must be felt. I’m not aware of any cases where the tech giants have been levied a fine that really hits them hard.

The fine you're proposing would cause a much larger hit to market cap than you're suggesting. Consider, Apple made ~20 billion in profit last quarter, your hypothetical fine would be a precipitous hit to profit margin which, when reported on the quarterly earnings call, would cause an abrupt downturn in share price. Consider the 13% hair cut earlier this year when the market thought Apple was going to miss. Then there's the existential panic of "does this mean Apple is in for more such fines?".

I guess jail time will have to do.

Fines are accounted as overhead.

Watching network traffic is limited to circumstantial evidence, and not even that without a circumstantially isolated environment. Those are a couple of scenarios where these accusations can be made.

Let's consider the incentives in each case and how they enable you to distribute your trust. Apple is a for-profit, publicly traded corporation. Their purpose is to make money, and they will likely do whatever they can to achieve that. More importantly, only they can see their code, not you and not other users. All you can possibly have is their word, and they will say whatever it takes to sell you their product. If they lie or exaggerate, there's no way you or anyone else could know.

On the other hand, open source projects come in all shapes and sizes. Generally, they have a strong community of both developers and users around them. If you don't feel like looking at the code, you don't even have to trust the project itself. You can look to the community and its abundance of users, at least a few of which have audited the code and share your use case. And these users aren't just neutral third parties. Nay, they're better than that. They, too, value their own privacy, and are therefore motivated to protect it.

This is silly. Apple publishes their privacy policy. If they were found to be violating it, they would lose business and be liable for expensive lawsuits. And security researchers are extremely good at finding these things. So yes, Apple has a very powerful incentive to tell the truth.

As for the theory of "open source community," see the MyBTGWallet scam. This open source project, recommended by the Bitcoin Gold team, stole $5 million via a single line of code. Being open source isn't much protection really.

He's telling you about the fact that there's conflict of interest between you and crapple and you tell him an anecdote where some scum of this earth stole money and open source software was involved. Does this really sound like a compelling argument?

Yes. There are bad and good actors on all sides.

Just because something is closed source doesn’t make it bad. And just because something is open doesn’t automatically make it good.

It does however increase the chance that it will be bad, because the average snake that produces closed source software is likely to be motivated by greed, so it has the incentive to milk you as hard as it can without turning you away from products (using lies of course, you can't check anything after all, it's closed shit).

But seeing sibling explanation being downvoted into oblivion makes me think no one is interested in discussing this anyway so why waste breath.

With tools like Guix (and then hopefully, eventually distributed networks like IPFS / Dat doing the distribution) we will be able to have people audit free software and every user being guaranteed to have the exact version that was audited.

The future looks good if we just continue to implement it the way it should be.

>Rather, it's nearly impossible to guarantee privacy in proprietary software. The transparency of FLOSS makes it trustless. Want to know what data of yours, if any, is being collected? Look at the code.

>This is why, when it comes to privacy, Apple isn't worth consideration. All we have is their word, and that simply isn't enough.

Quite a few of the things listed in the article are not open source (some of the map stuff, as an example). Last I checked (several years ago), we only have DuckDuckGo's word for it.

I think the idea is not that these are all trustworthy services, but that no single company has all the data on you.

That's provably false when you get to the bottom of what makes proprietary software trustworthy: it has to be verified by qualified people who you trust after being designed and built with enough rigor to not have accidental flaws. That's regardless of whether it's proprietary or FLOSS. I went into detail here:


In fact, the first systems that resisted strong pentesting by NSA were proprietary, shared- or closed-source systems. They shredded everything else. Two are below with another designed like that. The first, safe, kind-of-secure machine that I know of was Burroughs B5000 whose CPU did things like stop overflows, protect pointers, and check function arguments. It was immune to common, root causes of many failures or attacks. OS in a type-safe, high-level language (ALGOL variant). It was a proprietary system whose source was shared with customers. Linux systems still don't have as much code-level security in average case as that proprietary software from 1961. The virtualization solutions in FLOSS still aren't produced as securely as VAX VMM or the separation kernels that followed in 2000's with VMM's layered on top.


http://lukemuehlhauser.com/wp-content/uploads/Karger-et-al-A... (See Layering and Assurance sections especially. Compare to QA practices of favorite FLOSS VM.)


https://www.usenix.org/legacy/events/sec04/tech/wips/wips/04... (Nizza uses FLOSS components. This document is just great at describing the architecture they and the proprietary vendors were using with separation kernels. The proprietary offerings contained a lot of problems FLOSS didn't with their 4-12kloc kernels having less code to screw up. User-mode drivers can boost reliability a bit, too.)

This isn't true. You can use disassembly tools to trace through code, and you can see what imports/exports there are, as well as what API calls are being made using static analysis tools.

You can also use all sorts of runtime tools to see what a binary is doing at runtime, so I imagine it would be pretty easy to see if an application is phoning home, and where home is located, although the data is probably encrypted.

In fact, it might actually be easier for an end user to audit a binary using such automated tools instead of looking at the source code itself. At least with the automated tools, the tools can flag suspicious constructs in the binary that may indicate that it's up to no good, and do so in a way that is more understandable to the end user.
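The comment above describes watching what a binary does at runtime to tell whether it phones home and where "home" is. As an added illustration (not code from the thread or from any tool named here), the following Python script scans a constructed outbound-connection log, ignores local-network traffic, and reports external destinations that are not on an assumed allowlist of hosts the program is expected to contact. The log format, process name, hostnames and allowlist are all constructed for the example; a real monitor's output would need its own parser.

```python
"""Flag outbound connections to unexpected external destinations.

A small model of "watching network traffic" to check whether a program
phones home. Everything below (log format, hosts, allowlist) is constructed
for illustration; it is not the output of any particular monitoring tool.
"""
from collections import Counter
from ipaddress import ip_address, ip_network

# Constructed sample log: one outbound connection per line.
# Columns: timestamp  process  dest_ip:port  tls_sni_or_http_host ("-" if none)
SAMPLE_LOG = """\
2018-06-10T12:00:01 notes-app 192.168.1.20:445 -
2018-06-10T12:00:02 notes-app 203.0.113.10:443 sync.example-vendor.test
2018-06-10T12:00:05 notes-app 198.51.100.7:443 metrics.example-tracker.test
2018-06-10T12:00:06 notes-app 198.51.100.7:443 metrics.example-tracker.test
2018-06-10T12:00:09 notes-app 127.0.0.1:8080 -
2018-06-10T12:01:00 notes-app 192.0.2.44:80 ocsp.example-ca.test
"""

# Assumed allowlist: destinations the user expects this program to reach.
EXPECTED_HOSTS = {"sync.example-vendor.test", "ocsp.example-ca.test"}

# Address ranges treated as "local", i.e. not phoning home. Listed explicitly
# rather than via ip.is_private, because Python also classes the documentation
# ranges used in the sample (192.0.2/24, 198.51.100/24, 203.0.113/24) as
# non-global, which would hide them from the check.
LOCAL_NETS = [ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16",
)]


def parse_line(line):
    """Parse one constructed log line into a record dict."""
    ts, proc, dest, host = line.split()
    ip, port = dest.rsplit(":", 1)
    return {
        "ts": ts,
        "proc": proc,
        "ip": ip_address(ip),
        "port": int(port),
        "host": None if host == "-" else host,
    }


def is_local(ip):
    """True for loopback, link-local and RFC 1918 destinations."""
    return any(ip in net for net in LOCAL_NETS)


def find_unexpected(log_text, expected_hosts):
    """Return {"host:port": count} for external destinations not on the allowlist.

    Payloads are usually encrypted, so the destination (SNI/Host or bare IP)
    is the signal; when no hostname is visible the IP address is reported.
    """
    hits = Counter()
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        rec = parse_line(raw)
        if is_local(rec["ip"]):
            continue
        label = rec["host"] or str(rec["ip"])
        if label not in expected_hosts:
            hits[f"{label}:{rec['port']}"] += 1
    return dict(hits)


if __name__ == "__main__":
    for dest, n in sorted(find_unexpected(SAMPLE_LOG, EXPECTED_HOSTS).items()):
        print(f"unexpected destination {dest} ({n} connection(s))")
```

Run over the sample, the script reports only the tracker host, contacted twice over port 443; the vendor sync host and the OCSP responder are on the allowlist and the SMB and loopback connections are local. The allowlist approach matters: a denylist of known trackers would miss a destination nobody has catalogued yet, whereas anything not explicitly expected gets surfaced for a human to look at.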

"Look at the code" is an anachronistic strategy.

Nowadays, very little of our data solely relies on our own devices, and most of the value of consumer software occurs when data is being transmitted between systems. When your data lives in the cloud, there is almost always a side-channel way to get at your private data that won't be visible in any Git repository: Just go look at it directly.

Meaning that, nowadays, if we're to live any sort of non-Luddite, Internet connected lifestyle, all we have to go on with anybody is their word. If I limited myself to services where inspecting the source code would give me what I need to know about how well my privacy will be protected, without trusting the word of any third parties, then I'd have to let go of email, telephone, and credit and debit cards (and banking in general). Plenty of other things, too, but I think those three paint the picture well enough.

I thought it was strange bing was not mentioned, even though it has Mozilla's endorsement of having a better privacy policy than Google[0] and is probably the most popular alternative to search in the United States. This is far from a complete list of Google alternatives.


I like/sometimes use Bing, and it's decent, but it's not significantly different than Google in terms of data collection. The biggest difference, arguably, is that they pay you for it via Bing Rewards.

DuckDuckGo uses Bing data and respects your privacy more, and probably the best choice for the privacy-conscious.

My primary goal of using Google alternatives is to deprive Alphabet of revenue. Privacy benefits are secondary.

Why do you want to deprive Alphabet of revenue, if not for their privacy-disrespecting business model?

Read a cyberpunk book. The mega-corp as focal point for resources, innovation and political clout is a scary thought.

Consider the almost exclusive dataset they have moated "everyone" else out of, and the long line of disingenuous/unethical business practices. The privacy considerations are the proverbial top of the iceberg.

Using Microsoft products to avoid feeding megacorps would be a strange strategy.

Most fictional dystopias center around a single mega-corp, not mega-corps... Thus if you have 3 or 4 Mega Corps that would be preferred to a single monopolistic Mega-Corp.

Do you have any book recommendations?

Dune's CHOAM corporation is a great example. Ownership in CHOAM is synonymous with power and wealth. All political maneuvering is based on gaining or keeping control in the CHOAM corporation.

For "receiving end" perspectives, watch Blade Runner (the old one) or Altered Carbon. The Expanse probably qualifies too. For books, Peter Hamilton incorporates different mega-corps in his universe but it's not the main object. Special mention to the Void Trilogy's Commonwealth.

The Expanse's high-political scene is best described by the balance of powerful sovereigns, and how that changes over time. Companies have a lot of power, but that power is primarily expressed by influence in governments. A company gets mining rights from a U.N. charter by influence. Then the company expects the U.N. military to defend those mining rights. Sometimes the company influences the government and sometimes the government influences the company. The big exception to this is the O.P.A. which always tends to centralize power around Tycho.

Altered Carbon also uses government as the primary seat of power. United Nations Envoy Corps are primarily a reskinning of Dune's Sardaukar, the powerful super soldiers that enforce the rule of law out of fear. There are very powerful corporations, especially those discussed in the first book, but their power is again through the influence of government, and government has the authority to act independently.

This is in comparison to a true mega-corp like Final Fantasy 7's Shinra Corporation, where all power exists within the company. Shinra can destroy 1/8th of the capitol city with no repercussions, and there is no significant economic activity outside of the company.

I wouldn't throw someone into the deep end of corporatism based on where this thread started ;) I figured the implicitness of my examples' corps' power fits better as an illustration of the potential short term future.

Yours is a terrifying endgame, but it feels (to me) quite far removed from what we should look out for before it's too late.

Alphabet has several projects that Microsoft does not have a counter-project for and in which my primary ethical concerns are not privacy related.

I'm specifically concerned about their approaches and attitudes on AI and Life Sciences.

That was in 2009 - Windows 10 probably wasn't even a project at that point, for instance.

I doubt Mozilla would recommend Bing over Google again because it's more "pro-privacy."

I think the point is not so much pro vs anti privacy. On the web you have to assume every site is anti privacy, and you may have some rare pleasant surprises. To me the point is rather to spread that trail of data among multiple providers that are not known to sync their data.

As much as I like Microsoft, Bing is awful. I've used it, and I tried to like it. It can't find anything.

I use Bing a fair amount and I like it.

I'm wondering if you could elaborate on what sorts of things you are trying to find and having trouble with. Perhaps HN could make a few suggestions for how to get more out of your Bing experience.

I've tried switching to it but for looking up code and projects it kinda sucks. Even when I throw hints at it sometimes it just doesn't seem to care. I'm using DuckDuckGo instead for now.

It’s a matter of taste but I prefer the Apple/google clean and white UI with little else distraction than what you are trying to achieve over Microsoft’s “portal from the 90’s/let’s fill every bit of space”. Whether it’s bing or Windows, something as stupid as showing you a different background picture every time means you always have to deal with a new visual, which means more effort to find your way. It’s the same for IE and edge, the default new tab is to show you a busy page with news, weather forecast, most visited stuff. That’s like advertising banners to me.

I’m surprised to learn an IT professional regularly finds their way to a search engine home page. I would assume you’d just type your query directly into the address bar? This seems to work for every major browser at least, unless I’m mistaken?

I actually use Bing, and I see the oddity that is their homepage once a month, if that.

(And I think bing is fine for about 80% of searches. The rest I use google, which manages for another 10%, and for the remaining tithe I have to do something archaic like think about how to properly format a search query. Party like it’s 1999.)

Why are you going to Bing’s homepage? The rest of the site is minimalist.

Bing's video search (particularly for porn) is the best in the business.

> (particularly for porn)

I had not considered Bing a serious competitor to Google's search engine until now.

>> (particularly for porn)

> I had not considered Bing a serious competitor to Google's search engine until now.

I can’t tell how much humor was intended here, but that’s a serious competitive point that had not occurred to me. Ever. It’s not something that MS could use in a marketing campaign, but could easily sway lots of people to give it a try when they otherwise wouldn’t.

I'm not sure if it was implemented as a 'competitive point' or if Microsoft just has employees that solved the porn search problem for personal use.

Its image search is also pretty good. If I'm not successful on a google image search, bing usually comes up with quality images. Their maps also tend to better render local businesses and it's easier to navigate the results than google, surprisingly. On the other hand technical searches are way better on google.

That’s likely on purpose now, even if it was accidental in the beginning. Microsoft marketing people are not stupid, and they know the right amount of piracy and the right amount of porn is excellent marketing.

I find bing to be better than any other Google alternatives.

It would be possible for you and your parent comment to be correct simultaneously.


It was also disappointing to hear recently one of their developers say that they mostly just copy what Google is doing to keep up.

Apple iCloud privacy policy mirrors Google's. You gain absolutely nothing if you upload your contacts, photos and other data to iCloud. Apple also regularly gives iCloud data dumps to US government (they approved and delivered data in about 80% of US Government requests in 2017: https://www.macrumors.com/2018/05/25/apple-second-2017-trans... )

(The exceptions here are iMessage and phone backups which are E2E encrypted.)

> You gain absolutely nothing if you upload your contacts, photos and other data to iCloud.

This seems so deliberately wrong that I shouldn’t respond, but I will. Quick and easy synchronization of contacts, calendars, and photos are all features that I appreciate. What’s more, my fearful-of-technology brother tells me how useful they are to him. He mentioned photo sync as a benefit only a few days ago.

The OP was referring to iCloud vs. Google. Not the features of sync in general.

By "gain" they meant privacy. You gain no privacy... you lose privacy when using iCloud and Apple Calendar

"Gain nothing" ... over Google's superior features.

You mentioned the exceptions - both of which didn't happen 5 years ago. Is it crazy to believe that we may have Tarsnap-like storage from Apple in a few years?

Side note: I don't think Apple will ever encrypt iCloud iPhone backups because that would make it difficult to use them (how would you restore an iPhone backup to a new device if your old one was incinerated? Your private key would be gone)

Best I can tell, they already encrypt a whole load more and are ready to encrypt everything. When setting up a new iPhone, I’m asked to enter my Apple ID, password, approve via an existing device, provide 2FA and then provide the PIN or password of that existing device. After all that, access is granted. To me, this suggests they’re already encrypting in such a way that while it may be brute force-able, it’s unlikely to be data they can read by default.

>alternatives like Apple

I would never trust Apple because they have consistently lied to and cheated me - for instance, they throttled the speed on my iPhone, they hid the fact that my iPhone has more probability to bend and finally, as a cherry on top, they refused to honor warranty for a design flaw of theirs.

When they realized their fault, instead of making a free replacement, they charged me $30 for it.

Given all these experiences with Apple, to my eyes, Apple is no different than Google and I wouldn't trust any word of theirs as they've consistently been exposed time and again lying to consumers. So, I don't know where you got the idea of Apple being "entitled" to be in that list, but I'd say it's the right thing that they aren't.

>pro-privacy alternatives like Apple

I don't believe this. There is no evidence to support this as Apple runs on proprietary code. And you and I don't have access to the source code, so we have no idea what's going on on their servers. Ever wondered how Apple gets its data for its Apple maps? For all you know, they could be collecting your location information to build their database. Isn't that a privacy violation? I work in the Analytics industry, inside an iPhone, using Charles proxy, you'll be able to see random requests hit Apple's servers from time to time. For all you know, this could be info about you. You can't prove it nor disprove it.

I would never dare put all my trust into a single for-profit corporation whose sole goal is to maximize revenues and has been consistently exposed for unethical practices to its customers.

So, hope that answers why Apple isn't exactly a consideration.

[1] http://bgr.com/2017/12/28/iphone-battery-apple-apology-lette...

[2] https://www.theverge.com/circuitbreaker/2018/5/24/17389220/a...

[3] https://9to5mac.com/2018/06/07/class-action-lawsuit-apple-wa...

>And you and I don't have access to the source code, so we have no idea what's going on on their servers

Consider this: for 90% of the population, that is also true of any FOSS solution. I'm tired of the "you don't have access to the source code" argument. I don't inspect the microcode that runs on my CPU - why should I trust Intel and not Apple? And for a greater portion of the population, that source code may as well be mud.

This article is about alternatives to Google on the basis of privacy. Isn't a company that doesn't base its core business model on mining your data an improvement for a vast majority of users?

> I don't inspect the microcode that runs on my CPU - why should I trust Intel and not Apple?

You shouldn't trust Intel either (see ME and all of the other negative-ring stuff that runs on their CPUs). But at the moment there isn't a strong alternative. AMD is somewhat better but still has similar issues. ARM is a mixed bag. RISC-V might save us but still isn't at the tape-out stage. OpenPOWER is possibly the only really usable option but software support is awful (if you've never had to deal with ppc64le bugs, you're lucky).

At least you have a reasonable alternative to Apple.

Even if you don't inspect it personally, there's a greater community of people who don't get their paycheck from Apple who may be looking at the code.

Regarding the Intel comparison, you have no choice but to trust them, but by using Apple products, you are trusting Intel and Apple, which is worse than just trusting Intel.

> who may be looking

may be

This is called faith

I agree, though I prefer the word trust; I think in the end most security arguments basically move trust around between entities, so I would either trust the open-source community or Apple.

In this case I decided to trust the open-source community more than Apple, since the incentives of people inspecting open-source code probably align better with my own interests than the incentives of Apple.

> the incentives of people inspecting open-source code probably align better with my own interests than the incentives of Apple.

The incentives of any people are: earn enough money for a peaceful existence.

When Heartbleed happened, it turned out that only a handful of people in the entire world have the expertise to do a full audit of the OpenSSL code. And their work is ridiculously expensive. And the audit didn't happen until someone paid for it [1] (I'm not entirely sure it ever completed [2]).

People may actually have less incentives to inspect open-source code because there's always the question of life, money, time, work-life balance etc. etc.

[1] https://www.zdnet.com/article/ncc-group-to-audit-openssl-for...

[2] http://isopensslauditedyet.com

having the source code be open doesn't necessarily make it trustable, but it definitely has an added benefit. like op says, proprietary code is untrustable by design.

there is also the fact that I cannot take the code and compile it myself, proprietary solutions like the nvidia linux driver for example have given me headaches so many times, it would be nice if there was some form of entry to the code to at least get a vague idea of what the code is supposed to be doing. I basically have to pray for software to do what I want, when it doesn't the whole solution due to its closedness/unadaptivity becomes useless to me.

> doesn't...mining your data

This is my point. You simply don't know that. You have no idea what's happening on their servers. It's all proprietary. You have absolutely no evidence to claim that.

What was the latest price of source code you inspected?

I know it's not exactly your point, but Etar is pretty nice, and apparently is cross-platform (Android & iOS - which I didn't know), and exists on F-Droid (https://f-droid.org/en/packages/ws.xsoh.etar/), Google Play (it seems somehow wrong to link to the Google Play Store given the context, but it's easy to find there anyway), and Apple's App Store (https://itunes.apple.com/us/app/etar/id1217625781?mt=8). I think OsmAnd(~) [https://f-droid.org/en/packages/net.osmand.plus/] is probably a better choice than Maps.Me.

Given that alternatives to Google products are largely services rather than software run locally on one's own machine, you're probably right about the partial orthogonality of FOSS here since it can be hard to verify that the remote server is in fact running the software it claims it is, and from a privacy-standpoint it may be somewhat irrelevant (I recall even the FSF said something of the sort).

There is a fork of maps.me on f-droid that strips out analytics/ads/proprietary bits. It's called omim (https://gitlab.com/axet/omim).

On F-Droid it's just called Maps though: https://f-droid.org/en/packages/com.github.axet.maps/

I don't see that in the article. Search, email, drive, youtube, maps all have many non-FOSS entries.

I am fairly sure that no apple product is mentioned because replacing all the hardware one has just for more privacy is likely too extreme for many. Not to mention that one of the biggest things you can do for your privacy is ad-blocking / cookie cleaning, and apple does not make it easier at all.

> biggest things you can do for your privacy is ad-blocking / cookie cleaning

Very true. But there is no problem with apple, in fact Safari is the first browser that is clearing cookies - ITP(2). I use uBlock Origin on Safari and Private browsing - no cookies at all.

Firefox has been able to clear cookies like that for years without any extensions.

Firefox has an option to block all third party cookies in the manner similar to Safari 1-10's default behaviour. And like everything else, it lets you clear all cookies at once, or manually look through the cookies to clear them.

It does not have a feature analogous to safari 11+'s tracking prevention.

> It does not have a feature analogous to safari 11+'s tracking prevention.

I never said that it did... I wrote that firefox has had the ability to block cookies automatically for years, which it has had. My response was not a comparison between the browsers but a statement of one particular feature that was mentioned. I simply said that what had been stated by the gp was also available in Firefox.

When you wrote 'like that', I assumed that you meant 'like that'.

> I simply said that what had been stated by the gp was also available in Firefox.

Given that the gp referred to ITP... no, it's not.

The gp has clarified their comment, since that time. Snark is beneath you.

By the time I posted anything, the post clearly referred ITP.

You were ignoring that nine hours later.

The clarification was to add ITP.

Disqus is over that way, if you want to keep arguing without a reason and without reading what others write.

What about the tracking prevention that Private Mode has had since FF 42 or so?

Firefox’s tracking protection is the same feature as Safari’s content blockers. [the defaults differ, though], and prevents specific listed domains from loading anything. Except when it turns out blocking them breaks too much. Like Youtube embeds.

Safari’s tracking prevention applies to things that do wind up getting loaded, and limits access to their own cookies/context. [kind of like loading all those embeds in separate private sessions, even though they're on the same page]

Using default settings or manually?

Neither. It's an option in the preferences.

Is that option enabled in default installation of firefox? Sorry, I must have specified that in Safari ITP is enabled by default, and this is important for non-tech people.

The default is 'allow everything'

You can change a setting to block third party cookies. This gets you similar treatment of cookies as was the default in safari 1-10.

Safari 11 still blocks third party cookies by default, but has 'Intelligent Tracking Protection' as an additional filter on top of it. ITP blocks/limits certain uses of first-party cookies.

Firefox has no analogous option. Either cookies are off, or all uses of first party cookies are allowed.

No. It hasn't been enabled by default in my experience. It isn't the exact same as the Safari technology. Firefox lets you block "3rd party cookies" or "all cookies" from the privacy pane of preferences. I've always "set it and forget it". The assumption is that many tracking cookies will come from 3rd party websites.

I've been using startpage.com to search Google anonymously for the past year. Startpage proxies your query to google and back while leaving off the identifying metadata, making the query anonymous. At first you notice the slight increase in roundtrip time, but quickly get used to it. I find Google Search to have a better search engine than any alternative I've tried, so Startpage is right up my alley.
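The comment above describes a proxying search front end that forwards a query upstream while leaving off identifying metadata. The Python below is an added sketch of that idea, not Startpage's code and not a description of how Startpage actually works: it builds the upstream request from an allowlist of headers and query parameters, replaces the browser's User-Agent with a fixed generic one, and drops everything else (cookies, referrer, forwarding headers, client-specific language and tracking parameters). The header and parameter names are standard HTTP; the generic User-Agent string, the upstream host and the tracking-parameter list are assumptions for the example.

```python
"""Anonymize a search request before forwarding it upstream.

Added sketch of a privacy proxy's request sanitization; assumed design,
not any real service's implementation. The client request below is
constructed for the example.
"""
from urllib.parse import parse_qsl, urlencode

# Assumed generic identity presented to the upstream engine for every user.
GENERIC_USER_AGENT = "Mozilla/5.0 (compatible; example-privacy-proxy/1.0)"
UPSTREAM_HOST = "search.example-upstream.test"  # assumed, not a real host

# Allowlist: only these client headers are ever forwarded. Anything not
# listed (Cookie, Referer, X-Forwarded-For, Authorization, Accept-Language,
# client hints, ...) is dropped by construction rather than by enumeration.
FORWARDED_HEADERS = {"accept", "accept-encoding"}

# Allowlist of query parameters that carry the search itself.
FORWARDED_PARAMS = {"q", "page"}


def anonymize_headers(client_headers):
    """Return the headers sent upstream: allowlisted ones plus a fixed identity."""
    upstream = {"Host": UPSTREAM_HOST, "User-Agent": GENERIC_USER_AGENT}
    for name, value in client_headers.items():
        if name.lower() in FORWARDED_HEADERS:
            upstream[name] = value
    return upstream


def anonymize_query(client_query):
    """Return the query string sent upstream, keeping only the search parameters.

    Parameter order is normalized so that two users issuing the same search
    produce byte-identical upstream requests.
    """
    kept = sorted(
        (k, v) for k, v in parse_qsl(client_query, keep_blank_values=True)
        if k in FORWARDED_PARAMS
    )
    return urlencode(kept)


def build_upstream_request(client_headers, client_query):
    """Combine both steps into the (headers, query) pair the proxy would send."""
    return anonymize_headers(client_headers), anonymize_query(client_query)


# Constructed client request: the kind of metadata a browser attaches.
CLIENT_HEADERS = {
    "Host": "proxy.example-frontend.test",
    "User-Agent": "Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0",
    "Accept": "text/html",
    "Accept-Encoding": "gzip",
    "Accept-Language": "de-AT,de;q=0.8",
    "Cookie": "sid=abc123",
    "Referer": "https://proxy.example-frontend.test/",
    "X-Forwarded-For": "203.0.113.9",
}
CLIENT_QUERY = "utm_source=newsletter&q=privacy+tools&page=2&sessionid=xyz"

if __name__ == "__main__":
    headers, query = build_upstream_request(CLIENT_HEADERS, CLIENT_QUERY)
    for name, value in headers.items():
        print(f"{name}: {value}")
    print(f"GET /search?{query}")
```

The point of the allowlist shape is that a proxy cannot keep up with every new identifying header or tracking parameter browsers and sites invent; forwarding only what the search needs makes the default safe when something unexpected shows up. What the proxy cannot remove is its own visibility: the operator still sees the original request, so the design moves trust from the upstream engine to the proxy rather than eliminating it.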

Apple is closed source, so we really don't know if they respect our privacy now, and in the future.

Also, they may work with the US government, even if they say otherwise, and people from both the US and other countries may not like that idea.

I don't disagree that Apple looks really good nowadays from a privacy perspective. They treat their customers with respect and don't sell their data.... until they do.

How can you trust a single point of failure to "do no evil"?

Apple doesn't have the data that Google et al has. All of the ML that apple does for example is done on-device or is privatized [0]. This goes for all of their services that Google has built their business off of: Messages, Siri, Maps, etc. People don't respect Apple's security because they trust Apple, they respect it because Apple has intentionally shot themselves in the foot if they wished to sell their data in the future.

[0] https://machinelearning.apple.com/2017/12/06/learning-with-p...

> Apple doesn't have the data that Google et al has.

Huh? Apple potentially has everything on the device, just as Microsoft does. Maybe they don't touch it, at least intentionally, out of respect (or just prudence). But if I recall correctly, they accidentally logged all Safari URLs for a while.

Chrome has search and url in the same bar, and therefore needs to log all urls you enter (and their metadata) for the sake of logging all searches. Absolutely benign, right?

Safari shares the same url/search bar, but I have not read their license. Would be pretty surprised if they are not logging all URLs.

iPhone also sent geolocation coordinate files to Apple, until that was discovered. As you point out, there is a lot more than just the superficial concept of privacy, such as the Prism program that had/has a pipeline into Apple data. Like any large company, there are competing forces of strategically enforcing privacy and treating data in a way that doesn't respect privacy.

Dude, google has been doing diff. privacy earlier than apple. Even now, their researchers (one of them the great Ian Goodfellow, inventor of GANs) are working on federated learning. Heck google had even open sourced their diff. privacy system. Apple just made a big deal out of it when they started diff privacy.

Well as Mark Zuckerberg put it during the congressional hearing—and this is a paraphrase—"we do not and have never sold data."

Which is true. They don't sell the data because they directly monetize it. Same with Google. Google didn't just start doing that one day, that's been their business model since they started doing ads. Apple's business model is selling users devices, which they would jeopardize if they tried to also sell their users' data.

There is a difference between privacy by charity and privacy by design.

>Is Maps.Me (which uses AdSense) really better than Apple Maps?

The "Maps (F Droid)" alternative suggested before the Maps.me app is a fork of Maps.Me that doesn't include any tracker/ad. It works pretty well although I've had a few issues logging into my OSM account and it takes a little too long to navigate "up" from a place search. It also features a GPS track recording function that Maps.Me lacks (AFAIK). It's really great and deserves more contributions!

But Apple services are still not privacy focused services and for most of them, you have to use an Apple device, which is still less than 10% of PC market and less than 30% of mobile one.

> Maps.Me

Has several useful functions like being able to pre-download specific countries or parts of specific countries.

Many mapping apps work offline but the way Maps.me lets you specifically pick & choose areas = more user friendly.

It uses Openstreetmaps which I've found to work amazingly well in areas where you wouldn't expect (it has off-road trails in remote areas of Vietnam for example)

via iTunes I can also import gpx tracks (or gpx converted to kml, I forget) for things like mountainbike routes, which works super well.

It's better to host your own content if you want to have a better chance at privacy.

You are seeing a problem where there is none. Etar is just a fork of Google Calendar, and you can find it in Play Store / F-Droid (which is linked from the mentioned GitHub page).

But then you have no protection against Apple, privacy wise.

I trust nothing I can not verify...

14M Users affected by Facebook Privacy Bug that makes Posts Public

Apple is a US based company. The point of this post is to try and hurt American hegemony in tech and promote European alternatives. Europe desperately needs it given a dangerously old population and increasing irrelevance of its tech industry, with GDPR being yet another populist nail in the coffin. Method of choice is thru soft power - swaying opinions on HN, Reddit, Facebook, and other social media.

I am on linux ... just tried Apple Maps - horrid ... it fails to permit location search by zip code ... just show the globe and let me zoom around - fail ... forced me to login - fail ... unable to enter arbitrary address - talk about slurping personal data ... unbelievably evil

What are you going on about? Apple Maps does all of those things, without asking for login information.

> All they do is repackage mass corporate surveillance into convenient, free, trendy applications that suck up all your data. Your private data helps Google dominate the online advertising market.

Google has what I think are the most transparent and user friendly controls for visualizing what personal data is collected, and disabling it (most often per product, for ex. disable location history and YouTube viewing history, but enable personalized ads).

- For most of the products mentioned in the blogpost (YouTube, Search, ...), people can just go to MyActivity [0] and delete any data they want to. They can also disable data collection here. [1]

- Emails received in Gmail are no longer used for advertisement in other Google products, only used for Gmail ads, and features like searching your emails, spam prevention, parsing orders/flights/etc. to display them in the app. Also note that emails received in GSuite ("enterprise Gmail") were never parsed for these purposes. [2]

[0] https://myactivity.google.com/

[1] https://myaccount.google.com/activitycontrols

[2] https://www.nytimes.com/2017/06/23/technology/gmail-ads.html

Important disclaimer: I work at Google [but only voicing my own opinions, as it goes], and only working there because I realize they are doing all they can to respect user privacy.

1. Please ask BEFORE you collect.

2. You can't expect every user to know they are logged, or how it's affecting the user, or know how to disable/delete it, can you?

3. How can I verify that you did delete the data about me instead of just hiding it from me from viewing it? Alphabet does not belong to the public sector. So the simple answer is I can't. If you want me to trust you, don't use opt-out as default.

4. I'm sure you can tell the differences between those alternatives and Google products.

5. It's not that hard to respect someone's data. First, do not collect it! Second, if you have to collect it, tell the owner why! Third, delete it completely when requested.

6. Aggregated data collection and use without permissions adds potential risks to the society. (Cambridge Analytica)

Edit: And you guys are doing deep learning, that's gonna consume lots of data. Duplex for example, you use anonymous phone call data to train it. The question is, where does that data even come from? I'd blacklist whoever collected the data, even if it's collected anonymously.

> 6. Aggregated data collection and use without permissions adds potential risks to the society. (Cambridge Analytica)

Everything adds "potential risks". When you talk about risk, you have to give estimates of both the frequency and the criticality, and then compare to the potential benefits. Only then do you have all the pieces to take an informed decision, according to your preferences.

How do you define benefits? Sacrifice one's privacy without his permission to make ten others' lives easier, would you call it beneficial? If so, let's rob the wealthy to aid the poor.

They can reduce the risks to a certain level if users were told how they are going to use the data and why before using it. Are they going to do that? No, because that increases the cost, which means less profit, which means shareholders won't agree.

So there comes law.

My point was: it is easy to throw a general sentence to make things look obvious and simple, but it doesn't really help the conversation. At some point, claims must be backed by data and methods.

Google has what I think is the most transparent and user friendly controls for visualizing what personal data is collected, and disabling it (most often per product, for ex. disable location history and YouTube viewing history, but enable personalized ads).

I don't think this stops Google from collecting your viewing history. If it did, Youtube recommendations wouldn't work at all, because they would know nothing about what I like or don't like. But I'm pretty sure recommendations work regardless of your settings -- meaning you're being tracked.

I happen to like the recommendations, so I don't mind this. But it's a hard problem.

The second link I posted allows you to explicitly disable search and viewing history on YouTube, which also disables recommendations (at least those based on your profile; you will still get recommendations after watching a specific video).

Fair enough, though that would require me to sign in.

Does that actually prevent the data from being stored on Google's servers? I'd like to believe that the data isn't being vacuumed up regardless of what the user says, so if you're willing to vouch for it then that would mean a lot.

How can you ever trust anyone like that? Unless you see the line of code that is deleting the data? It's kind of unfair when people on HN take Apple by their word and for Google "oh is it really deleted though"?

If a current employee is willing to vouch for it, that carries some weight. It's a useful data point.

Because google makes its revenue from user data.

Do you have a better solution? No one will use the products if it costs some non-trivial amount. And no, this thread doesn't represent the billions of non-US non-rich people that use Google.

When logged in I have history disabled, and YouTube is kind of usable, with a lot of stupid content promoted, but at least not too much weird fixation on things I watched 5 years ago. When logged out I get the full fixation experience where half the suggestions are aggravatingly repetitive personalized suggestions.

That's an understandable point of view because if you perceived Google the way many of us do, it would be impossible or at least very difficult for you to work for them without strong emotional struggle.

You see, the point is that we, the users, helped to create a mammoth that has an enormous pile of sometimes very intimate data on almost anyone. This in itself is dangerous, regardless of what they do with this data - whether they share it with advertisers and other third parties, the government, NSA etc. or not. Also, the world changes fast. Owners change, governments change. Who is to blame when things end up badly? We are, because we got lured by a free unlimited spam-free mailbox, free browser, cheap phone, free analytics, accurate search engine. We like these so much that we gave up critical thinking for a while. But society as a whole is slowly waking up, hence articles like these (which is quite lacking on several points BTW.)

I don't work at Google, I live in Europe and I agree with you. So far, we haven't heard of any breach in any Google product, and the history of the different products can effectively be turned off. I remember years ago, when I started to care about data collected about me, Google was one of the first companies allowing you to download a part of your data. We can see the emphasis on security in the evolution of Android APIs too (encrypted enclaves, key storage, for example). Google also contributes to open AI and ML research. My only consumer concern is about monopoly, not about data collected on me.

> So far, we haven't heard of any breach in any Google product

A breach would be a security issue, not a privacy issue.

A security issue is where a third party accesses your data stored at Google without Google's permission.

A privacy issue is where a third party accesses your data stored at Google with Google's permission but without your permission.

I don’t think those definitions are at all canonical, but are you actually suggesting that Google may have a “privacy issue” per your definition? Even if you assume they’re a bad actor, it’s hard to imagine a rationale for them to let a third party have a go at the data.

> are you actually suggesting that Google may have a “privacy issue” per your definition?

Until the GDPR started being enforced, I think it was common practice to collect and sell data without the user's full knowledge and consent. It's a huge change in mindset having to know and explain what they're doing.

Even when not signed in, YouTube remembers the sort of video you've watched and suggests similar ones; I didn't explicitly consent to this, and they didn't tell me clearly what data they were collecting. I'm a former Gmail user; I didn't explicitly consent to Google analysing the contents of my email messages; I think a typical person would not expect that.

If something “feels creepy”, it's probably a privacy breach.

Maybe Google think they have the user's permission. It may be an honest misunderstanding. I'm not saying they're malicious; but I think they have very little incentive to really care about privacy, because their users don't demand it. Third parties will pay for user data.

Also, I think you should be able to choose who you trust. You shouldn't be obliged to trust Google (or Microsoft or whoever); I would see that as a monopoly.

Thank you for stating better definitions. From my point of view, Google solves both issues so far. Allowing you to turn off history solves the privacy issues and there isn't any known technical breach so far, which leads me to think they correctly handle the security issue.

How do I view the data Google has collected on me if I do not have a Google account?

The unavoidable suggested answers in gmail make my skin crawl. I don't want it and I don't want to be reminded that you can read my emails despite my consent for it.

I guess it's a good reminder that I need to change services.

How can an email service work without "reading" your email? Emails need to be indexed to be searchable etc.

It does not need to read the body of email in order to work. It can index just the header (to, date, subject) or you can use a program on your computer locally to keep your emails and index & search them.

> It does not need to read the body of email in order to work. It can index just the header (to, date, subject)

The header is still personal data. Using the header but avoiding the body does not make much sense.

Again, "reading" emails seems to be an arbitrary distinction. Your emails are stored and served to you, so they are read by HTTP servers, by your browser, by many things. The real issue is the use that is made of those readers: an index that allows you to search your emails more efficiently does not seem to be nefarious, but I definitely agree that other nefarious uses are possible (say some company that would use emails to target people in debt or something like that), just not the case with Gmail.

> You can use a program on your computer locally to keep your emails and index&search them.

Right, but then it's not Gmail anymore, that's just an IMAP mail server with Thunderbird. Gmail started as a smart webmail; being able to quickly search your emails from anywhere, without a desktop client, without fetching thousands of emails before you could perform a search.

This is all fine and well, but to be honest, I like how Google integrates all the different products. I get a better experience when search is customized to what is in my email, especially when I search for flight info and it tells me about flights I already have booked, or better yet, flights my in-laws are on that they forwarded to me and I'm now tracking to go pick them up.

Sometimes the ads it gives me are so relevant I actually click on them and I'm glad I did!

I just have a better experience where I'm constantly delighted by Google anticipating what I want because it knows so much about me.

I should be paranoid, I know, but I just like the convenience so much.

Well, most people are boring and don't rock the boat.

Things can get tricky if they pop up (thorough bad luck or as a consequence of their actions) on the radar of someone that wants to make their life miserable or if they bother someone with power.

Otherwise I assume you're well off financially by now, so getting screwed on insurance should be a non-issue. Discrimination is likewise a non-issue.

In general money helps and being a US citizen, straight, not muslim, healthy, male etc also helps.

While all these things help, I still think it's true that for 99.9% of people, nothing really bad will happen because of info that Google collects. I mean, as terrible as "getting on the radar of someone that wants to make [your] life miserable" is, it's a relatively rare occurrence, and I doubt that Google is really making it that much worse (if at all).

Disclaimer - would be happy to be proved wrong if you want to provide contrary evidence...

Disadvantages as a consequence of being spied on by the "googles" of the world are difficult to prove, because of information asymmetry:

* were you denied entry in a country because the agent had a bad day or because of something you wrote on twitter?

* did your insurance rates increase because of a market adjustment, or because of something your car mechanic or car manufacturer shared with the insurer?

* were you denied that job because they found a better candidate or because they found some thought crimes on your social media?

* were you stopped by the police for a random check or because the cameras matched your face to suspicious online purchases?

* did you lose your global entry access because you're a threat to national security or because you accidentally ordered a fake bag on Amazon that you never even received?

* were you passed over for promotion because you're not good enough or because your employer found out through LinkedIn that you were looking for another job last year?

In a world increasingly controlled by algorithms and data, you won't even know when you are being harmed.

Look, I semi-agree in the abstract. It is difficult to prove in the individual case. In the aggregate, it's not impossible to prove, if still a bit hard - this is what economics/sociology research does, and a lot of governments have statistics/open access/FOIA/etc. So we can know how often these things happen.

Specifically to the things you list - again, I don't have statistics here, but based on my gut feeling - most of them barely affect anyone. Do you really think a large amount of people are barred entry into a country because they wrote something on Twitter? I'd imagine this almost never happens, at least today.

And btw, I kind of disagree with at least some of your items, like "were you passed for promotion because you're not good enough or because your employer found out through LinkedIn that you were looking for another job last year?". This is not what we were talking about, a case in which "Google" spies on you. This is your employer "spying" on you through your (supposedly public-enough) actions on social media. Changing the place you are looking for a job for from LinkedIn to "NewLinkedIn" won't make any difference for something like this, and is not the fault or responsibility of the company.

The negative consequences will never affect most people, just those that have bad luck or have upset someone in power. Kinda like how only some journalists commit suicide by shooting themselves 5 times in the head in Russia.

It's impossible for us to know what's happening, barring various leaks. Given the last decade my gut feeling is that if it's not happening, someone's at least thinking about how to implement it.

Re LinkedIn: I didn't mean good old social network stalking. There's nothing stopping LinkedIn from offering this as a service to companies. They already allow recruiters and paying members more privileges.

Am I really the only person who creates and uses new accounts for every online site/service every few months? Different email addresses (on my own domain) too or mailinator for the sign ups, using tor on occasion in case they want to note the country/IP I'm signing up from.

I've noticed that a lot of websites nowadays don't allow mailinator. What do you use then?

Android has over 2 billion users. 0.01% of that is still 2 million humans.

Then this list is probably not for you.

Stockholm syndrome... :)

The worst thing, the absolute worst thing is, you know all that but you have gotten so used to the way Google services work that you simply have a hard time switching.

E.g. thanks to Gmail I rarely use an email application on my computer and use webmail. When I tried out Posteo it was extremely annoying that it logged me out every few minutes and I couldn't get my email. They said this couldn't be changed.

Google really did an excellent job of supplying me with services which I want to use. Not just tools which are working well.

BTW, Google doesn't use all its services to sell or personalise ads. Which doesn't mean they don't use them to learn more about you, which in turn is used to improve the services so that you use them even more.

So as much as I wish I could restore my privacy by leaving Google, I think Google knows me so well that I won't for now.

I haven’t found a replacement for Gmail yet. I’ve tried fastmail and ProtonMail but both have limitations.

From a search engine perspective I’ve switched to DuckDuckGo and I’m impressed with how good it has gotten.

With maps I’ve tried various solutions including mapquest, Microsoft, and Apple but nothing comes close to Google Maps.

> From a search engine perspective I’ve switched to DuckDuckGo and I’m impressed with how good it has gotten.

I switched to DDG over a year ago and it works great for things that are simple lookups to Wikipedia, IMDB etc. When I have an arcane Windows bug, I end up using "G!". Also DDG isn't that great for latest News but the Image search is pretty good.

I set DDG as the default search on my non-techie wife's new PC earlier this year and she has not once complained about the search quality.

I use it for python related development queries and it satisfies 95% of them these days. It was unusable two years ago. Things have changed.

I second those asking what limitations you ran into (specifically with FastMail, since I have more chance of being able to fix those than the limitations with Protonmail - though I'd love to know both!)

If it's "costs money", we're not planning to change that! We (FastMail) are proudly a paid-only service.

Fastmail limitations are:

When I signed up in 2016 (I’m still a customer btw) it was a big pain to get my custom domain added after paying for an account. I had to contact support for assistance. I somehow have to have two accounts for my plan but only one has a mailbox. Crazy bad experience here.

The amount of space we get for mail is low for the fee. I pay around $12/year in additional fees with Google for another 70GB of space outside of the 30GB they give for the base plan. Fastmail was pricier last I checked.

There is zero quality collaboration option for me. Even if you added one the fact that anyone who wants to collaborate would have to have a paid account with me creates a barrier for me to even try and use it for anything but just email.

The spam filter is about 30% as accurate as Gmail. I try and train it but don’t have time to always be doing that.

The mobile app on ios doesn’t remember me. It doesn’t even have an option to remember me. What a pain, I hardly even bother to use it because of that.

That all said. I like some things about fastmail:

The web interface is fast.

The admin features are robust and easy for adding aliases and new custom domains.

The fact you are pushing to make the world a better place for email is why I keep paying for the service.

What you are doing is hard. Your competitors are massive and well established. I hope you continue to make progress.

The biggest thing I've been missing since I started using FastMail is labels. My workflow in GMail used labels pretty heavily, and I've been able to get pretty close using saved searches and folders, but it's not quite the same.

Right, hopefully when JMAP arrives (soon!) you'll be able to use that nicely. It will give label-style handling by allowing the same message to exist in multiple folders.

Kinda hijacking this. When using FastMail with a custom domain can I set up a catch-all address and then have each different address somehow tagged? It would be nice to be able to have proper unique email addresses for each service so I know where spam ends up coming from.

You can create an * alias in FastMail which will act as a catch-all address. The received email will retain the original To: field so you can use rules to match them.
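The two ideas in this thread, indexing only the header block so the body is never read, and tagging mail by the catch-all address it was sent to so rules (or a local script) can tell which service leaked an alias, as one added example in Python. This is not code from Gmail, FastMail, Posteo or any commenter; the messages, domains, alias names and the "trusted sender" mapping are constructed placeholders, and the indexing is a plain substring search, not any provider's engine.

```python
# Added example: header-only local mail index with catch-all alias tagging.
# Not Gmail's, FastMail's or any commenter's code; all data below is constructed.
from email import policy
from email.parser import BytesHeaderParser
from email.utils import parseaddr, parsedate_to_datetime

# Constructed sample messages (addresses and domains are placeholders).
# Each alias (shop@, newsletter@) was handed out to exactly one service.
SAMPLE_MESSAGES = [
    b"From: Shop Orders <orders@shop.example>\r\n"
    b"To: shop@mydomain.example\r\n"
    b"Date: Mon, 11 Jun 2018 09:15:00 +0000\r\n"
    b"Subject: Your order has shipped\r\n"
    b"\r\n"
    b"Tracking number 0000 and your home address are in this body.\r\n",
    b"From: Newsletter <news@list.example>\r\n"
    b"To: newsletter@mydomain.example\r\n"
    b"Date: Tue, 12 Jun 2018 18:00:00 +0200\r\n"
    b"Subject: Weekly digest\r\n"
    b"\r\n"
    b"Body with unsubscribe link.\r\n",
    b"From: Unknown Sender <spam@bulk.example>\r\n"
    b"To: shop@mydomain.example\r\n"
    b"Date: Wed, 13 Jun 2018 03:30:00 +0000\r\n"
    b"Subject: Special offer for you\r\n"
    b"\r\n"
    b"Body of an unsolicited message sent to the leaked shop alias.\r\n",
]

_parser = BytesHeaderParser(policy=policy.default)


def header_record(raw: bytes) -> dict:
    """Return the indexable header fields of one message; the body is never read.

    The raw bytes are cut at the first blank line before parsing, so the body
    is not even handed to the parser (data minimisation, not just non-use).
    """
    head, _sep, _body = raw.partition(b"\r\n\r\n")
    msg = _parser.parsebytes(head + b"\r\n\r\n")  # re-add the terminator only
    to_addr = parseaddr(str(msg.get("To", "")))[1].lower()
    from_addr = parseaddr(str(msg.get("From", "")))[1].lower()
    date_hdr = msg.get("Date")
    return {
        "from": from_addr,
        "to": to_addr,
        # Local part of the catch-all address = the service the alias was given to.
        "tag": to_addr.split("@", 1)[0] if "@" in to_addr else "",
        "date": parsedate_to_datetime(str(date_hdr)).isoformat() if date_hdr else "",
        "subject": str(msg.get("Subject", "")),
    }


def build_index(raw_messages) -> list:
    """Index a list of raw messages; each record carries a positional id."""
    return [dict(id=i, **header_record(raw)) for i, raw in enumerate(raw_messages)]


def search(index, query: str) -> list:
    """Case-insensitive substring search over From, To and Subject only."""
    q = query.lower()
    return [r["id"] for r in index
            if any(q in str(r[f]).lower() for f in ("from", "to", "subject"))]


def messages_for_tag(index, tag: str) -> list:
    """All messages that arrived via one catch-all alias, e.g. tag='shop'."""
    return [r["id"] for r in index if r["tag"] == tag.lower()]


def leaked_aliases(index, trusted: dict) -> list:
    """Aliases that received mail from a sender domain they were never given to.

    `trusted` maps alias tag -> sender domain the alias was handed out to
    (a constructed assumption for this example). A mismatch means the alias
    has been shared or leaked by that service.
    """
    out = []
    for r in index:
        expected = trusted.get(r["tag"])
        sender_domain = r["from"].rsplit("@", 1)[-1]
        if expected and sender_domain != expected:
            out.append((r["tag"], r["from"]))
    return out


if __name__ == "__main__":
    idx = build_index(SAMPLE_MESSAGES)
    print(search(idx, "order"))
    print(messages_for_tag(idx, "shop"))
    print(leaked_aliases(idx, {"shop": "shop.example", "newsletter": "list.example"}))
```

The cut at the first blank line is the point of the example: the body bytes are discarded before any parser sees them, so a header-only index cannot leak body content even by accident, and the per-alias tag is enough to answer "which service leaked this address" without reading a single message.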

Can you elaborate on the limitations you experienced with fastmail and protonmail?

I have used Fastmail for years with a custom domain without a single problem. Amazingly great communications from the company too. Highly recommended but not free. (Less than $2/month though - so almost free.)

I’m doing this in the coming days — setting my custom domain with Fastmail. I’m planning on making that my main email and trying my best to unsubscribe from things on my Gmail account and move accounts over from Gmail to Fastmail until I think for certain I could delete my Google account entirely with no harm.

Then again, I rarely have and like having subscriptions these days because of minimalism but I suppose this is a good trade off for my entire lifetime.

On a different note, does anyone know how GoDaddy is in terms of privacy? Is there a better domain registrar out there?

Edit: Just realized I’m using Google’s Project Fi on my iPhone SE, with Hangouts.

I generally don't trust GoDaddy, but I don't see how they could violate your privacy. From what I can tell, the worst they could do would be to log DNS queries. If you have a server with a static IP, you can always serve DNS yourself.

Out of curiosity, what domain registrar do you use? With GoDaddy, I pay $14.99/yearly for .COM Domain Renewal and $9.99/yearly for Private Domain Registration Renewal. It seems a bit pricey but I'm completely unaware of other competitors' prices.

I use Namecheap, but it's not the cheapest. A couple months ago on a thread here in HN a bunch of people were recommending Porkbun, which seems quite cheap (~$9/year with free private domain), but I've never used them.

I think half of my comments on hacker news are how much I love Fastmail, which I've used for email, calendar, and contacts for a decade now.

Haha, I just came here to post how could they write that article without mentioning Fastmail.

I need to use my account more, though. So helplessly locked into my Google account for sign ups everywhere.

Perhaps I ought to read that "The Psychology of Dread Tasks" article that is also trending now.

Aww, shucks :) Thanks.

Does Fastmail have decent search that works on mobile? Gmail’s search is just too good. I’m currently using mailbox.org but it’s impossible to search for old emails that are not already downloaded to your phone. The only way is the use web interface and it’s annoying as hell.

Yes, the same search is available in either our app or from any web browser on mobile. We use the Xapian search engine.

It looks much the same either in browser or app. Here's what it looks like on my phone:


They have a hybrid mobile app, it's not as smooth as a native one could be, but as far as I'm concerned search works perfectly.

Are you sure about that price? It looks like it’s $50 per year allowing for custom domain, $30 without.

I paid $117 for the 3-year plan with custom domain (and that price is discounted slightly from the normal 3-year price), which comes out to $3.25 per month. So, definitely not under 2 dollars, but easily under 4.

Ah I see, it doesn’t look like there’s a 3 year option anymore. Thanks for the info!

I just logged in to check and the option is not gone:


Thanks again!

I don’t yet have an account, so was going off the pricing listed on their website. Good to know there are more options.

I don't think this pricing is active per https://www.fastmail.com/help/account/member.html

I signed up and I only see the same plans as on the pricing page

I too feel like I am ingested, rather than served. You may want to take things more in your own hands, requires more upkeep: https://github.com/mail-in-a-box/mailinabox

I'm definitely on the hunt for a Gmail replacement, considering I have been hearing things such as a snapchat-esque disappearing emails, unprintable emails, and other similar stupid ideas. I decide what to do with emails and other data sent to me thank you.

Using another service won't help you; when someone uses those features, Gmail only sends an email with a link to see the actual message: https://techcrunch.com/wp-content/uploads/2018/04/rgmail1.pn...

>When I tried out Posteo it was extremely annoying that it logged me out every few minutes

I haven't encountered this with my personal email server nor heard of it from anyone else. I think this might just be an issue with Posteo.

It's easier if you don't try to move all at once. Spend some time looking at different email options and move that. Do calendar later. Get rid of Google Apps on your Android later still. Gradual change is much easier.

Posteo is very aggressive on privacy, reducing exposure, and keeping information safer. So a shorter webmail session timeout may be related to this. Depending on the use case, if this were the only issue with Posteo, the GP could’ve used Firefox with one of the many tab reload or tab refresh extensions to keep the logged in session alive.

Posteo doesn't allow custom domains (a no go) and lies about why they don't.

What's the real reason they don't allow custom domains in your opinion? Why do you say they are lying?

Their support replied with a mumbo-jumbo of techno-babble why it's not possible.

Of course it's possible.

The reason is clear: lock-in.

People are reluctant to change providers if they lose their mail address.

The FAQ (https://posteo.de/en/site/faq) says they do it because a domain has personally identifying information in WHOIS and they would need to store it.

I think for .de domains, you are required to have your personal address in WHOIS if you are not a company.

That's a new claim, and it's also obvious bullshit.

First, I may be okay with it. And why would Posteo store WHOIS data? Unless they want to be a domain reseller, which is not what I asked them about.

Second, there are other TLDs.

I still insist that they do it because of lock-in and that they lie about it.

They wouldn't store whois data of course, but the domain needs to be stored and it can then be used to look it up.

I think mailbox.org supports custom domains and is similar in other respects.

That's a stupid excuse.

They should stop storing the mails themselves, they are full of private information. /s

AFAIK the GDPR explicitly mandates registrars to hide personal information.

Yes. Since May 25, the whois for .de is limited to technical information like DNS server or DNS key.

> use webmail ... Posteo logged me out every few minutes

Lets me assume that you're always logged in. Google thanks you for that, much easier to link this browser's history and searches to your account.
