Tor’s shadowy reputation will only end if we all use it (engadget.com)
341 points by mikece on July 28, 2023 | hide | past | favorite | 380 comments



I don’t think any typical internet user would accept Tor’s latency. User behavior has indicated again and again that convenience and frictionless-ness is the overriding priority for the majority. I appreciate the work done by the Tor community, but I also think we need to be realistic about what the threat model is and what viable solutions are on the table:

* If you’re concerned about the MAANGs of the world hoovering data for targeted adverts I think you’d get far more traction with aggressive privacy legislation and brutal oversight, or (and I recognize this is extreme) straight nationalization of some of their products with a mandate to operate them in the public interest like PBS or the Beeb

* If you’re concerned about an authoritarian state actor, Tor was pwned years ago. TBH I think trying to win against e.g. US TLAs in straight cryptography or protocol supremacy is kind of a fool's errand (you’re ultimately going to get clobbered purely on the resource differential) and that the best bet is security through obscurity.

Just my 2c, maybe overly fatalistic so curious about counter views


If everyone used it wouldn't latency go down (more nearby nodes), or is it that for privacy via timing attacks they don't preference nearby nodes and/or they add artificial delays?


I might misunderstand how Tor works, but unless you are a relay I don’t think you participate in routing. Unlike BitTorrent, clients don’t automatically contribute resources back to the network.


~~My (perhaps mistaken) understanding is that all nodes relay, but not all nodes are exit nodes.~~

EDIT: They do not.


All nodes do not relay by default. They definitely have the ability to, but it is not the default.


Ah ok, thanks.


That depends on how you define node. I would not call the software you run to connect a "node". And in that framework, I would say that node=relay.


this is a fatal flaw of Tor imo, it should be a question front and center to enable all browser installations to be relays


But critically not exit nodes. Exit nodes should still only be run by people who know they are running exit nodes.
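The client / non-exit relay / exit relay distinction discussed in the comments above comes down to a handful of torrc options. As an added example (not Tor Project code and not from any commenter here), the script below parses a torrc and reports which role it configures. The option names ORPort, ExitRelay, ExitPolicy and SocksPort are real torrc options; the three sample configs are constructed, and the rule "ExitRelay absent means non-exit" is this example's simplification, since Tor's own default for an unset ExitRelay has varied between versions and depends on whether ExitPolicy is set.

```python
"""Classify a Tor instance from its torrc: client only, non-exit relay, or exit relay.

Added example, not Tor Project code. Option names are real torrc options;
the sample files below are constructed for illustration.
"""

# Constructed sample torrc files, one per role.
TORRC_CLIENT = """
# Tor Browser style client: only a local SOCKS listener, nothing for other relays
SocksPort 9150
"""

TORRC_RELAY = """
Nickname exampleRelay
ContactInfo admin[at]example.invalid
ORPort 9001
ExitRelay 0
"""

TORRC_EXIT = """
Nickname exampleExit
ORPort 9001
ExitRelay 1
ExitPolicy reject *:25
ExitPolicy accept *:*
"""


def parse_torrc(text):
    """Return {option: [values...]}, skipping blank lines and '#' comment lines.

    torrc option names are case-insensitive, so keys are lower-cased;
    values keep their case. Repeated options (e.g. ExitPolicy) accumulate.
    """
    options = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(" ")
        options.setdefault(key.lower(), []).append(value.strip())
    return options


def classify(text):
    """Map a torrc to one of: 'client', 'non-exit relay', 'exit relay'.

    Without an ORPort nothing is listening for other relays, so the
    instance contributes no routing capacity (the point made above about
    clients not automatically relaying). With an ORPort it is a relay, and
    it only forwards traffic to the open internet if ExitRelay is 1
    (assumption: an absent ExitRelay is treated as non-exit here).
    """
    opts = parse_torrc(text)
    if "orport" not in opts:
        return "client"
    exit_relay = opts.get("exitrelay", ["0"])[-1]   # last occurrence wins
    if exit_relay == "1":
        return "exit relay"
    return "non-exit relay"


if __name__ == "__main__":
    for name, cfg in [("client", TORRC_CLIENT), ("relay", TORRC_RELAY), ("exit", TORRC_EXIT)]:
        print(f"{name:6s} -> {classify(cfg)}")
```

The useful check for an operator is the gap between the first two roles: adding an ORPort is what turns a client into a relay, while ExitRelay 1 is a separate, explicit step, which is why a default install never becomes an exit by accident.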


I'm not sure exit nodes should exist in the first place. Everything should probably be a tor hidden service instead.


https://husovec.eu/2014/07/austrian-court-sentenced-tor-exit...

(Ed corrected link to be the sentencing rather than raid)

This _inevitability_ ensures/d it never could be set up like that.

You don't seed the sites you've visited you serve _any_ site the visitor wants.


That’s a good question, tbh I have no idea. Yeah presumably if the user base increased then the number of nodes would also grow, but definitely unclear to me what level of latency (if any) is required for privacy


yes, why do people use Tor if it's well known that it's been hacked by multiple governments for a long time?


I used it plenty at the university to access research articles (Sci-Hub). There are other use cases that go beyond the usual stuff that governments try to monitor by serving exit nodes, or doing correlation attacks. Anyway, even if you were a terrorist, using it would be better than not using it. There are probably other solutions that they implement, sure.


If you're not doing anything that affects national security they won't bother burning that capability on you. They save action only for those they can take action against in a clandestine way (so the fact they can crack Tor is not on public record), or against someone so dangerous they need to act quickly for national security reasons (and a government acting quickly with overwhelming force is hard to keep secret).


Because the protocol isn't the issue.

Lately, it's been surreptitiously fingerprinting or exploiting their Firefox fork, timing attacks (if you can see metadata of all the packets in the country or world, they can take as many hops as you choose; someone and/or something can still easily line them up),

or other op-sec screwups (controversial, because what is reported as fatal OpSec flaws can just as easily be parallel construction finding something that would look or sound blatantly obvious in retrospect).


It depends on the threat you are trying to mitigate. If it's commercial surveillance, then Tor makes some sense.


Where is this proof?


> If you’re concerned about an authoritarian state actor Tor was pwned years ago.

I mean.. wasn't it created by a department of the US Navy? What did everyone expect? The "white label" slapped on it years ago was that this was meant to help "Iranian dissidents" share information on the web.

The utility of this network to everyday people was never going to exist.


I haven't used TOR recently, but from my memory one of the biggest issues with it was speed. Yes, you get anonymity, but websites also load 2-3x slower because they have to go through all the nodes on the network. The people that care about privacy at the expense of speed already use TOR, and for everyone else it's going to be a very hard sell.


In my experience, TOR's been fine for latency, but the problem I've been having is getting stuck in an infinite loop of Cloudflare "Checking if the site connection is secure."


There just aren't enough exit nodes, so cloud providers have opted to either blacklist, or heavily deprioritize, those nodes' traffic.

I'd want to see every computer connected to the internet turn into an exit node! It makes it infeasible to block those IPs, and also prevents people from being charged a crime for such traffic.


> prevents people from being charged a crime for such traffic.

Depending on the jurisdiction, this may not be true. In any case it could cause punishment by forcing the exit node operator to get the runaround of the legal system.

Also it is conceivable that governments would update laws to make it illegal, if there was such an impact to NSA data collection to warrant it.

It's a nice thought and running an exit node is on my short term to do list, but I also recognize the costs associated with it and what it may mean for my family.


Yep. Decentralization entails degraded service, almost as a thermodynamic principle. It's the "eating your vegetables" of technology; even if you think people should, you can guess how many actually do.


Why do you believe decentralization is responsible for TOR’s speed? Decentralization often improves speed by routing around traffic, and the regular non-TOR internet is decentralized. BitTorrent is often faster than regular internet due to its additional decentralization of the data. I suspect TOR is slow due to intentionally long and twisty routes, added encryption, extra hops that require more processing, low numbers of exit nodes, and limited bandwidth at the exit nodes. In a way, the speed is probably partly a byproduct of TOR accidentally centralizing traffic at the scarce exit nodes.


> the regular non-TOR internet is decentralized

All this stuff is on the Internet, so the Internet's decentralization is a floor that we can build further decentralization on top of.

But wouldn't a hypothetical direct data link to somewhere be faster than using the Internet to get there?

It'd be more brittle, yes. It can go down with little fault tolerance; it can't serve someone else; it can be trivially MITM'd. These are the downsides of centralization and the upsides of decentralization.

> BitTorrent is often faster than regular internet

I torrent a lot, and one thing that doesn't come to mind is "fast".

You can stream 4K movies on Netflix. I'm betting you can't do that as well with a torrent...

> I suspect TOR is slow due to intentionally long and twisty routes, added encryption, extra hops that require more processing, low numbers of exit nodes, and limited bandwidth at the exit nodes. In a way, the speed is probably partly a byproduct of TOR accidentally centralizing traffic at the scarce exit nodes.

Like with torrenting or Bitcoin or PeerTube or whatever, you've listed a bunch of extra complexity that's all corollary to the thing being decentralized and necessarily making it slower. :p

A lot more has to happen to solve a harder coordination problem. You end up using random, non-industrial grade relays. It's more complex, and it's going to be slower.

What does that buy you though? Resilience, like if a relay goes down. Flexibility, like if you wanna use a different relay to circumvent a geolock. Privacy, in that it's much harder for an adversary to monitor you. There's no free lunch for those things, though, tragically, and they're secondary/tertiary on many people's priority list.


> You can stream 4K movies on Netflix. I'm betting you can't do that as well with a torrent...

Depends on the torrent. Any popular "Linux ISO" can easily saturate my 1400 Mbps download speed, so I download the UHD Blu-ray remux whenever it's available. Videos encoded at 100 Mbps look a lot better on a high-DPI display compared to Netflix's 10 Mbps "4K", and it also doesn't limit you to clients that support DRM.

The UX isn't great, but if you select the "Download in sequential order" option you can start watching a torrent in 5 seconds while it downloads in the background


Bittorrent is fast because it can saturate your connection by downloading chunks from multiple connections the same way things like “axel” (wget alternative) and Download Accelerator apps accomplish it over http.

There isn’t an interesting statement on Bittorrent vs internet here. Browsers just don’t make this optimization themselves, probably because most files are small, but also out of respect for the single origin server.


But TOR isn’t really any more decentralized than the internet; and it might even be less decentralized due to exit node contention. Decentralization does not seem to have anything to do with TOR’s relatively slow speed, nor does decentralization seem to have any “thermodynamic principle” of slowing things down, right? The extra complexity of TOR is precisely the thing slowing it down, by design. (Well one of the things, scarce bandwidth is another - there have always been calls & pleas for more participation in order to increase the network’s bandwidth & capacity.)

We can’t exactly compare Netflix to an unnamed slow torrent of your choice in any fair or reasonable way given that Netflix is something like 15% of all internet traffic and is heavily optimized. The fair comparison is using BitTorrent to download a file compared to a direct http or ftp download from the original source/host - and for that BitTorrent usually wins handily in my experience. Plus I’ve definitely seen some popular torrents download much faster than anything Netflix has ever served me, in terms of bytes per second.


> You can stream 4K movies on Netflix. I'm betting you can't do that as well with a torrent...

Don't actually take this bet.


> Decentralization entails degraded service

Not decentralization, but anonymous decentralization that involves indirect routing. Decentralization can actually offset that anonymity tax somewhat by the fact that you might have multiple sources that you can request data from in parallel.


Torrents disagree ;-)


Ironically, once I cut all vegetable and, in fact, all plant-based calories, out of my diet, I experience dramatic health and fitness benefits. I expect in this case the conventional wisdom is also exactly backwards and in fact transparency is more important than privacy.


Latency is bad, throughput is pretty decent. Unfortunately this is a side effect of its routing system (routing through 3 random nodes around the world).


Latency is actually pretty reasonable once you're connected. Connection times are where most people really feel the slowness with Tor. For example, chat and SPA's are pretty snappy over Tor.


In my experience Tor has not been slow for years now.


Tor is faster than it used to be but this person is not wrong. 2-3x slower is a conservative estimate.


Yeah I was going to say, if Tor is only 3x slower I'm switching right now. Last time I used it it was on the order of 20x slower.


I think it's heavily dependent on the site you're using. Loading this page in Firefox on Android with a pretty crappy connection took ~2 seconds. In the Tor browser it was ~6 seconds.

Definitely slower, and this is a pretty minimal page, but I've got a hunch it really starts to choke when a page is loading a ton of different CSS/JS assets at load.


No, it's not this slow. You can basically use it to web browse normally, even on heavy JS pages.


What's still often slow in Tor is making initial connections to hidden (onion) services. Last year during a DDoS attack on Tor this was unreasonably slow and took minutes or more, at which point sites just appeared broken. Once connected, though, it would still work pretty well. So if your experience is using Tor to access onion services you might have an inflated idea of its slowness for normal purposes.

Visits to normal websites were only somewhat affected and were still pretty reliable.


I use it regularly and don't find the latency that painful, though not negligible.


Not been slow compared to what? It's been slow for me any time I've tried it.


Compared to regular non-Tor web browsing. But impressions are subjective, I suppose.


I don't think they are subjective at all. Tor is inherently slow based on how it works. It has gotten faster since inception but even in last year or two it is a multiple slower. Until that is non-existent adoption will be challenging at best.


What I’m saying is that Tor used to be, many years ago, annoyingly slow, sometimes even excruciatingly so. But today I don’t even notice that I’m using Tor. It might be “a multiple” slower, but I don’t notice it, is my point.


Much faster than in the past, but still annoyingly slow by all means


There is no anonymity with Tor if there is logging. There is only obfuscation for most use cases. The latency also makes it have poor appeal. An untrusted internet or a hostile network isn’t going to change because there is a pretext of anonymity. I personally think highly trusted peers are the only solution.


I can't decide if it would be easier to convince people of the benefit of extra steps/slow internet/privacy protections, or to reflexively engage their skepticism/critical thinking muscles upon hearing Save-The-Children-and-Stop-The-Terrorists rhetoric.

As it stands, it seems most people (of a certain race and class, anyway) feel more threatened by vague stories of child abductors in white vans at WalMart[1,2] or terrorists (c. 2000's generally) than being randomly victimized by our j̶u̶s̶t̶i̶c̶e̶ legal system.

Nothing to hide, nothing to fear, as they say. Abstract thought and generalization are hard, I guess.

[1] https://www.cnn.com/2019/12/04/tech/facebook-white-vans/inde...

[2] https://www.snopes.com/fact-check/white-van-facebook-hoax/


Similarly my social group has recently become more concerned with hate speech and foreign influence on elections too.

The story’s walls are closing in on cracking down on cryptographic guarantees of privacy, network access, and information sharing.


Tor doesn’t deliver any of those things. It’s a tool developed for spies that is mostly used to facilitate grifts and move contraband.

I’m not worried about clowns in white vans or terrorists. If you want protection from the government, you need to advocate for protection under the law. Journalists, NGO workers, etc have to figure out how to manage risk and may need to self-censor to avoid those risks. Tor won’t protect you if you irritate MBS.


This isn’t true, you’re conflating risk profiles.

There is active targeted surveillance by a nation state. Tor is not going to help you. No crypto or tech alone will help you, you’ll need to develop extreme opsec practices to stand even a remote chance against a well funded and well equipped adversary focusing on targeting you.

Then there is passive mass surveillance, i.e. the presidential surveillance program, which Tor/VPNs/HTTPS etc will absolutely help with.


Tor/VPNs/HTTPS is a pretty broad spectrum of protections. Everyone on the web now pretty much uses HTTPS all the time. Most people don't use a VPN but I imagine most HN users do or at least know how. Very few people use Tor. What benefits do VPNs bring over just HTTPS? What benefits does Tor bring over VPNs? And do any of these actually solve anything if you continue to use Google, Meta or similar services?


> What benefits do VPNs bring over just HTTPS?

Doxxing/blackmail protection.

If a few people collude to secure moderator positions at different sites and each gains access to IP logs (or someone just bruteforces/exploits the site and dumps logs), anybody can be outed across those sites-- the adversary has effectively compromised the server and can map page accesses directly to your IP.

They don't break HTTPS, they break the weaker link-- the trust of the server owner.

The next step is gaining access to the VPN provider's logs (they don't keep any, right? Right?). They all keep logs. Even if they say they don't, assume they do. Nobody is held accountable for lying about it.

Again, not breaking HTTPS, but breaking the weaker link-- an unscrupulous VPN owner already exploiting the trust of you, the customer.

Tor is the only "safe" way to be anonymous, but even that is dead through fingerprinting, gatekeeping and forced Javascript enabling.
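The comment above identifies the weak link as the server's own IP logs: a moderator, a leaked database or a subpoena maps page views to addresses regardless of HTTPS. As an added example (not code from the commenter or from any site mentioned), the script below shows the server-side mitigation a site can apply before retaining logs: replace each client IP with a keyed hash under a per-day secret, so entries can still be grouped within a day for abuse handling but cannot be mapped back to an address once that day's key is discarded. A coarser no-key alternative (prefix truncation) is included for comparison. The log lines, key and IP addresses are all constructed; the hostname-free "combined" log format is assumed.

```python
"""Pseudonymize client IPs in web server access logs before retention.

Added example, not from the thread. Reduces the doxxing value of a leaked or
moderator-readable log: each IP becomes an HMAC tag under a per-day key.
Sample log lines, addresses and keys are constructed.
"""
import hashlib
import hmac
import ipaddress
import re
import secrets

# Constructed sample lines in Apache/nginx "combined" format.
SAMPLE_LOG = [
    '203.0.113.7 - - [28/Jul/2023:10:15:01 +0000] "GET /thread/42 HTTP/1.1" 200 5123 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [28/Jul/2023:10:15:09 +0000] "POST /reply HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '2001:db8::1234 - - [28/Jul/2023:10:16:30 +0000] "GET /thread/42 HTTP/1.1" 200 5123 "-" "curl/8.0"',
]

# Client address is the first whitespace-delimited field in this format.
LOG_RE = re.compile(r"^(?P<ip>\S+) (?P<rest>.*)$")


def pseudonymize_ip(ip: str, key: bytes) -> str:
    """Return a stable, key-dependent tag for an IP (same IP + same key -> same tag).

    The address is canonicalised first so that '2001:db8:0::1234' and
    '2001:db8::1234' collapse to one tag. Once the key is discarded the
    tag cannot be reversed or brute-forced back to the address.
    """
    try:
        canonical = ipaddress.ip_address(ip).compressed
    except ValueError:
        return "invalid-ip"
    tag = hmac.new(key, canonical.encode(), hashlib.sha256).hexdigest()[:16]
    return "ip-" + tag


def truncate_ip(ip: str) -> str:
    """Keyless alternative: keep only the /24 (IPv4) or /48 (IPv6) prefix.

    Cheaper and reversible-proof by construction, but coarser: all hosts
    in the prefix share one value, so it is unsuitable for per-client
    rate limiting.
    """
    addr = ipaddress.ip_address(ip)
    prefix = 24 if addr.version == 4 else 48
    net = ipaddress.ip_network(f"{addr}/{prefix}", strict=False)
    return f"{net.network_address}/{prefix}"


def scrub_line(line: str, key: bytes) -> str:
    """Replace the leading IP field; lines that do not parse are left untouched."""
    m = LOG_RE.match(line)
    if not m:
        return line
    return pseudonymize_ip(m.group("ip"), key) + " " + m.group("rest")


def scrub_log(lines, key: bytes):
    """Scrub a sequence of log lines with one (daily) key."""
    return [scrub_line(line, key) for line in lines]


if __name__ == "__main__":
    # Rotate this key daily and keep it out of the same storage as the logs;
    # deleting it is what makes the retained tags unlinkable to addresses.
    day_key = secrets.token_bytes(32)
    for scrubbed in scrub_log(SAMPLE_LOG, day_key):
        print(scrubbed)
```

The design choice worth noting is the key rotation: a plain unkeyed hash of an IPv4 address is trivially reversed by hashing all four billion candidates, so the secret key, not the hash function, is what provides the protection, and only for as long as the key is unavailable to whoever holds the log.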


If you’re in the United States, a VPN can provide a lot of cover by disassociating the HTTPS packets metadata from your ip address.

I wrote a blog post on tactical privacy a while back that I think is still relevant: https://everytwoyears.org/2020/07/13/tactical-privacy.html


Thanks, the blog post is very straightforward and practical


I'm not sure what deliverables you're referring to, but if it's not useful for shielding one's identity from prosecutors/persecutors, why would spies, grifters, traffickers, terrorists, child abusers, and puppy-kickers make such extensive use of it?


Tor can protect your identity if nobody knows who you are.

But if a government is already crawling up your ass, it won't help much.

E.g, once you're not anonymous, anonymization tools don't help much.


If the actual police and not counter-intelligence agencies were actually intercepting all traffic, use of tor would automatically attract attention to you.


I think this is the point the OP is making - one that's been made for years: if "everyone" used Tor, simply using Tor wouldn't be a useful indicator.


"reflexively engage their skepticism/critical thinking muscles upon hearing Save-The-Children-and-Stop-The-Terrorists rhetoric"

Not part of human nature. Save-the-children rhetoric is embedded. Reflexive thinking has varying energy requirements and for most requires an external kickstart, when possible at all.

Forcing tor in all new network adapters is more feasible, which is saying much.


> Not part of human nature. Save the children/Rethoric is embedded.

This is ahistorical. Children's rights are a late-19th Century creation. We have become child worshipers, we are not naturally child worshipers.

There's a quasi-Christian doctrine that states that children are born virtually unstained, and that being unstained makes you more deserving of life. As you grow older, you are stained by the demands of the world, which makes you less deserving of life. However, the idea that a child's life is more important than an adult's life would seem moronic to people much before the 20th Century. It just takes 6 years to make a 5 year-old. It takes 51 years to make a 50 year-old. 5 year olds know almost nothing, and need to be taken care of. Every 50 year-old has a bunch of knowledge that can't be recovered, and generally can take care of themselves.

You know we used to send them into the mines... and we used to value them because of how deeply they could get their little hands into factory machinery.


I got out of academic fingerprinting research when I realized I was on the wrong side of the discussion. I’ve just never seen or heard of privacy violations that particularly bothered me.


I too have never experienced a violation of privacy which had a significant observable impact on my life. You and I have been fortunate in this respect.

Some people are literally targeted for harassment and murder because of some aspect of their identity, journalism, or activism. This isn't a hypothetical.

Here's one example from the top of my head:

https://www.independent.co.uk/news/world/middle-east/khashog...

Tl;Dr the dissident Khashoggi was infected with NSO malware before he was murdered by the Saudi government. That's a pretty clear violation of privacy in service of something I would guess you disagree with.

This story isn't an anomaly, I think if you looked into this further you would find innumerable privacy violations which bother you.


Would you all stop talking about this journalist without mentioning his (US) government connections?

Leaves the context of the story incomplete, otherwise.


If you would like to elaborate, or if there's an article you think I should read (or podcast, video, etc), then I'm listening. I'm open to feedback but this is too vague for me to do much with.


The dude was intelligence.


Alright. I'm not gunnuh buy that without a citation. You have no obligation to provide me with one, but finding one on my own is going to be at the bottom of my priorities.


Tough nut to crack.

"Not long after the Saudi journalist was killed at the Saudi consulate in Istanbul, the CIA assessed with high confidence that MBS had personally ordered the killing, but intelligence officials never spoke publicly or presented evidence."

How many journalists get their deaths investigated at all, let alone laid at the door of a...whatever you want to call their government, and what it is to the US'.


To be fair, it is entirely possible that GP doesn't care about anyone but himself.


Please don't cross into personal attack, no matter how wrong someone is or you feel they are.

https://news.ycombinator.com/newsguidelines.html


Sure, I considered similar notions, but I edited them out because they didn't seem compatible with assuming good faith (and made it a lot easier to not include swipes).


[flagged]


No one is obliged to change your mind (indeed, you are the only person who can possibly do that [the comment was later edited from 'change' to 'open', which I think is more reasonable]), and seeing as you more or less did argue for this position, I don't think you should complain.


I do not consider my comment snarky. I thought that maxbond disregarded a perfectly plausible explanation for the claim you made.

EDIT: Just saw your other reply. I think it's fair to say I called it.


[flagged]


> Fuck around and find out.

That's your view of human rights...? Well okay, I guess you and I will never see eye to eye.

> You suggest I “look into it further” as if I didn’t just say I was a privacy researcher.

I was responding to your statement, not your credentials. I don't say this to insult you, only to explain because you seem to want an explanation, but your statement was ignorant and lacking nuance. (Your statement, not you personally.)


Would be nice if I could respond to all of you in one place, because y’all are more or less saying the same thing.

I don’t appreciate the personal attacks on my character. It’s really a testament to my point, though. The internet is private enough that you feel comfortable commenting fighting words from behind a keyboard. Hypocrites the lot of you.

It’s perfectly reasonable to say that I have no moral commitment to improving the online privacy situation in light of your given example. State actors in Saudi Arabia are so far removed from a typical citizen that they’re completely irrelevant to the discussion.


Can you please not post in the flamewar style to HN? It sounds like you have a lot of experience in this area and have substantive points to make, but you've been making them in an inflammatory way that is guaranteed to worsen the discussion. We're trying to go in the opposite direction here.

If you wouldn't mind reviewing https://news.ycombinator.com/newsguidelines.html and taking the intended spirit of the site more to heart, we'd be grateful.


> The internet is private enough that you feel comfortable commenting fighting words from behind a keyboard.

With respect, nothing said by maxbond in this thread is what I would consider to be fighting words. If someone was talking face-to-face to me and dismissed human rights violations in Saudi Arabia by saying "f** around and find out", I'd feel extremely comfortable saying to them, "if that's your view of human rights we might not be able to see eye to eye."

Privacy violations in the US itself leading to human rights violations and attacks from the government are common. Since you are a privacy researcher, you should be aware of this stuff already. I don't want to insult you by suggesting you're not. However, if I assume you are aware of how online tracking has been used in the US proper to target marginalized groups, prosecute cross-state abortions, and dox and harass activists -- then the only conclusion I can draw is that you're aware of it and don't think it changes anything about your position.

In which case, if that's your view of human rights we might not ever be able to see eye to eye on this.


If you peruse down the flagged comment nearby you’ll see maxbond backhandedly agree that I only care about myself. I’m not one to punch people in the face, but that’s grounds to be punched in the face in any bar.

That being said, it’s perfectly reasonable not to see eye to eye regarding privacy, which is effectively what I said that started this entire thread. I personally don’t think that online privacy is the front on which discussions about abortion legislation should take place. Even Google, manufacturing Chromium, takes privacy into account to a reasonable extent [0], and I personally feel that it is enough.

[0] For example, if your machine has more than 16 GB of RAM, Chromium only reports 16 because there’s no browser application that needs to know you have more than 16, and it would instantly make your device fingerprint unique.


If your first instinct upon hearing that you're self-centered is to maim the other person, you might be proving their point.

Khashoggi was a US citizen lured to his death by a foreign regime -- not seeing eye to eye on privacy is one thing but imo it's strange to hand wave the incident away because the average person is unlikely to end up in the exact same situation. People are stalked by their employers, exes, strangers, etc every day -- deep privacy absolutely can be valuable to the average person.


Insults in person start fights. It’s only the privacy of the internet that lets you do it here.

Khashoggi was a journalist investigating government corruption. The context of reasonable internet privacy is completely irrelevant.

What does Tor have to do with stalking? Since when has someone’s internet browsing been affected by a stalker?


> Since when has someone’s internet browsing been affected by a stalker?

I'm sorry, but you are (were) a privacy researcher though. You should know already that internet browsing can be influenced by and can contribute to stalking/doxing attempts.


An unrelated third party can’t surveil your browsing without malicious software or hardware intervening.


Yeah, this is just straight up incorrect.

You seem to react negatively when directed towards research topics above, so I'm not sure how to respond to this in a way that you won't find insulting. I have to again assume that you were a privacy researcher. If so, you should already understand that browser surveillance is absolutely possible without malware or hardware access -- at the government level, and at the corporate level, and even sometimes at the individual level.

So I'm at a loss about how you would (I assume mistakenly) make such an obviously false claim.


All done through the ISP, a related party, having absolutely nothing to do with stalking. Poor argumentation.


Once again straight up incorrect, I am not talking about ISPs. You can track browsing and use browsing to help with stalking/doxing without ever getting an ISP involved. Quite frankly, I'm not sure what to conclude from this other than that you may not know as much about how modern Internet tracking works as you think you do.


> I’m not one to punch people in the face, but that’s grounds to be punched in the face in any bar.

This conversation is getting a little weird, but I feel like I should just kind of generally say, that would not be in any way an appropriate or reasonable reaction to being called self-centered. In general assault is not a reasonable reaction to insults period, but it's even less of a reasonable reaction to a passing insult that's as mild as "you only care about yourself."


Well, your discomfort makes it clear you’re not American poor. Verbal confrontations, even disagreements led along insults, are enough to get shot where I’m from. Obviously nothing about that is a good thing.

My point is that the internet is already an extremely private place. I started this in reply to someone proposing privacy evangelism in the wake of ignorant sheeple, and that’s stupid and insulting.


> Well, your discomfort makes it clear you’re not American poor. Verbal confrontations, even disagreements led along insults, are enough to get shot where I’m from.

Okay that is a very weird response.

I feel like I need to state that shooting someone over a verbal disagreement is obviously wrong and obviously would be inappropriate and would obviously reflect negatively on the moral standards and character of the person doing the shooting, and it would obviously be appropriate to view someone who was willing to shoot someone over a passing insult negatively or at the very least to say they may have some issues.

And I don't like the vague insinuation here that lower-income Americans are inherently violent or that crime/violence within lower-income communities is culturally motivated.

> My point is that the internet is already an extremely private place.

Saying that you don't see a set of privacy violations as relevant or worth caring about is a lot different than saying that the Internet is private. The Internet is not private and you're not denying in any of these threads that the privacy violations people are bringing up exist -- you're saying they don't matter and that the Internet is private enough. Be careful not to confuse your personal standards about how private the Internet should be with more neutral descriptions about what risks do or don't exist online.

> and that’s stupid and insulting.

Be careful, I've been told that's apparently fighting words ;)


Your comments about violence in America are generally naive. I assume you’re a young person.

As I stated in another comment, yes, it’s ideological differences on which we differ.


> I assume you're a young person

You do seem to make a lot of casual assumptions for someone who gets offended by even just the implication that they might not be completely up-to-date on examples of privacy violations in the US, don't you? ;)

> Your comments about violence in America are generally naive.

I think I might be wasting my time at this point, but I feel the need to point out once again that older and elderly Americans don't just shoot each other over casual insults, and that would still be super-illegal and super-immoral and it would still be appropriate to morally condemn someone who felt like that was a normal thing even if they were 80.

There is not a way of phrasing this where "you think that I'm self-centered, well people have been killed for less" is a normal thing to say. That is not a normal thing for anybody to say even if they're in their 60s.


I'm sorry you feel I've attacked your character. That wasn't my intention. If I've misread or misjudged you, please do correct me, and I'll add a correction to each of the comments I've made in this thread. This offer does not expire, if you correct me tomorrow or next week or something I'll still get the comments fixed (at least, as long as I see it).

I'm genuinely sorry that you feel frustrated and insulted. Hope you have a good rest of your day.


I have a question for you. I notice that you've chosen to use a pseudonym. I think that's an entirely valid choice.

But would you please explain to us why it is you choose to use a pseudonym?

Were I to ask (which I won't) that you share your name and address, would that make you uncomfortable?


> There’s no reason to care about online privacy

> [I just said] I was a privacy researcher.

Is "privacy researcher" some kind of euphemism here?

> There’s no money in being a creep about it, so people mind their own business.

> The data collection is all about money.

I'm not sure I understand what you're trying to say.


I started getting a PhD in device fingerprinting and quit when it became apparent that my views were relatively far removed from most people in the field.

I’m trying to say that the current privacy situation is good enough. The status quo can’t be abused such that money can be made.


Does it cause you to feel any doubt that the vast majority of the professionals in that field disagree with that conclusion? I mean, you're saying that the majority of privacy researchers who are studying this topic view the current state of Internet privacy as a problem, and it's such a large majority that you felt like sticking around in the field would not be worth your time. Are all of those researchers wrong?


It was on completely ideological grounds that we differed. (Which is also against the HN rules to argue about.)

I was attracted to the industry effectively to verify authentication through device fingerprinting. Others, en masse, are drawn because they don’t like the current privacy situation. Can you imagine someone being attracted to marine biology that didn’t like fish?

It’s perfectly reasonable to say that, yes, I disagree with the majority of the field. In this instance, “I don’t like fish.”


You're also claiming that fish aren't at risk from the fisheries, which is super unusual for someone claiming to speak from within the industry!


Well, that’s how the other side feels, yes.

The closest thing this entire thread has given as evidence of overfishing is that a journalist was killed for meddling in government affairs, which has nothing to do with overfishing.


I'm sure that's why segments of world governments are (attempting?) dismantling Google Ads for their unethical behavior.

Cambridge Analytica didn't bring anyone money?

You missed some reading, dude.


Segments of the world with different ideological views represented by their governments.

If the behavior was blatantly unethical, which I don’t think it is, it would be illegal everywhere. Just because my opinion is different than the popular opinion doesn’t make it anti-vax. Grow up and open your mind.

The Cambridge Analytica scandal was prosecuted under the current privacy situation. My ire with the level-0 comment was in it stating that the current situation doesn’t work. Also downloading random apps off Facebook is hardly behavior that a privacy conscious person would take. Not to mention that the use of the data, unless I’m missing something, did no more than make people uncomfortable.


People who are generally ambivalent on TOR are the ones that we need to convert. I believe the message needs to be that anonymity is not only desirable but mandatory as well, especially because of the rise of platforms that literally track each and every possible metric about your daily life and habits. Besides, even if someone says that TOR is used for illegal purposes, we all need to remind them that legality is distinct from morality and is always defined by those currently in power.


"Tor is only used for illegal purposes" is as valid as saying "only criminals use cash so they can buy things without a digital trail." I pay cash -- and refuse to use affinity/shopper cards because I would rather pay for my privacy which is worth more to me than 4 cents/gallon off on gasoline.


> worth more to me than 4 cents/gallon off on gasoline.

The stores are getting wiser about this. My local Fred Meyer (a Kroger brand now) has a fuel rewards program -- for every $100 you spend, you get 10 cents off per gallon on your next fillup. Given how expensive groceries are, a lot of people are saving more like 50 cents per gallon, not 4.

They've also started doing instant discounts at the register, which was something that Safeway aggressively did from the beginning. FM isn't quite that aggressive yet, but when I scan the shopper card just before paying, it isn't unusual for it to knock $20-30 off a $150 purchase.

If it really were just 4 cents a gallon, I expect fewer people would bother. But it's not. The stores are steadily increasing the penalty for shopping without a loyalty card.


> They've also started doing instant discounts at the register, which was something that Safeway aggressively did from the beginning. FM isn't quite that aggressive yet, but when I scan the shopper card just before paying, it isn't unusual for it to knock $20-30 off a $150 purchase.

It's a shitty psychological trick that Fred Meyer pulled off.

People think shopper cards save money, and while it's technically true, it's the wrong framing of what's happening. What's really happening is that the store requires the card to get sale prices.

In other words, Fred Meyer creating the shopper card did not create additional savings. It just started gatekeeping sales behind data collection.


But they'll always give you a new card. You can sign up for a new loyalty program id every time you check out. But then again... If you don't pay by cash it won't matter as they'll link the sales by your payment method and bridge the multiple loyalties.

Also if they were thinking they could have Bluetooth beacons at the registers to track cash users that have Bluetooth enabled.

Also they have cameras looking at every checkout line. They implemented them originally to observe when lines got too backed up so they could automate sending out more cashiers. They could move to facial recognition if they really wanted. Not sure if they do that now.


Yeah. Or here's another way to frame that: stores started punishing you for not providing your information by giving you higher prices.

Or another one: when you use a savings card, you trade some of your data for a couple bucks off.

(While on that note: in many countries – pretty much everywhere I've been, actually – you can just get a new savings card every couple months, or get a few and round-robin them and replace every couple months etc. Just fill out the sign up form with some garbage data and you're good to go.)


I've yet to see an actual detailed argument on how the data collected helps them; the only thing I've ever seen was the creepy "target knows you're pregnant" - but most grocery store chains send me the exact same ads as everyone else, and nothing is personalized or targeted.

So what are they doing with the loyalty card data? Nothing? Is it all just a mental trick to get me not to go elsewhere?


From my experience, some stores do personalize ads based on your profile. The main use however is sharing data back with brands: https://www.npr.org/2023/02/22/1158826058/what-kroger-is-doi...


I was just in Safeway (a former Albertson's if it matters) yesterday. I bought a couple of items but bypassed the scanning of a shopper card/entering a phone number. The self-checkout knocked the prices down to the reward card level anyway. I can only assume they've linked my payment method to a reward card in the past. That or they are no longer requiring rewards cards to get the discounts.

Since the register already priced my bill higher at the time I swiped my card and then dropped the price, I have to assume it's the former.


$0.50 per gallon is $5 if I fill my 12 gallon Corolla when it's low. That's still not a lot of money.


When you make less than $15 an hour like a lot of Americans that can be quite a bit of money. Especially since a lot of older cars that they would be more likely to drive are probably less fuel efficient and have larger tanks.


Cash is still king in Germany, and it always weirds tourists out. Personally I think it's great, and just like you do much of my shopping in cash because I don't want my bank knowing everything about my diet etc.


> Cash is still king in Germany, and it always weirds tourists out.

I love it. I drove to Germany to have the maintenance done, change the tires and renew the extended manufacturer warranty for two years on my German car (extended warranty which I need to pay for) and it was a hefty bill. I pulled a bit more than 3 000 EUR in cash and they were just used to it. As in: a totally normal occurrence.

I did it basically to test if it was true that cash was king in Germany: I had credit and debit cards in backup just in case. But cash just worked.


Cash is fighting back in the USA, lots of restaurants and even shops (including mechanics, etc) have a surcharge for credit cards now, but if you pay cash or debit (or even check at some of them) - no surcharge.


The concert venue I went to last weekend is cards only now. There seems to be a bifurcation in the market where some vendors take cards grudgingly and others want nothing to do with cash.


There certainly is - the smaller vendors are trying to avoid raising prices as best they can whilst the big ones are trying to reduce cash handling costs.


Covid drastically increased the uptake of cards in Germany. Cash only places became a lot more scarce.

Japan though, now there's a place where cash only shops are still prevalent.


Even Japan is changing. Non-contact payment is becoming popular.


I was there a few weeks ago and cash-only places were still very common, I'd say at least 10x as common as Germany at the end of COVID. (Though granted, some places might only take EC-Karte)

We were hitting cash only places all the time there, whereas in Germany I found that cash only became rare during the pandemic.

Hell, even recharging the IC cards in Japan had to be done using cash at a machine. Why can't you use a debit card? Who knows.


Every time I think about leaving Germany I think about some small things we have that are really nice.

That said ... paying electronically is so convenient, damn it.


The opposite here, whenever I encounter a cashless-only shop it really weirds me out. Like, legal tender anyone??

(haven't been to Germany)


>Like, legal tender anyone??

For debts. Steal it, get caught, be ordered to pay restitution. Then your legal tender argument will make sense.


Could you unpack it? Of course if I steal your cash I would be guilty etc, how does that make OK not accepting currency that is legal tender in country?


I did, in the first two words: For debt.

https://www.law.cornell.edu/wex/legal_tender

Various laws may exist elsewhere enforcing a requirement to accept cash (or not, depending on the jurisdiction). But an appeal to "legal tender" isn't going to cut it. Legal tender for what? For debt.


You may be misinterpreting a technical term. "Debt" is everything in the economy. You make me a coffee, I am in debt to you for $1, take my note if you accept legal tender. Which I assumed you must if you are a legal business.


That only applies if you've already entered into a contract at that point – that's certainly true anywhere you'll only have to pay after having already been furnished with the desired goods and/or services [1], like in restaurants and cafés with table service, gas stations (depending on local traditions), etc. etc.

In most other regular shops on the other hand, you'll only enter into the actual contract the moment you pay for the goods, so unless your jurisdiction has a specific law mandating the acceptance of cash in that kind of situation (like e.g. New York city I think?), the merchant is perfectly free to simply refuse entering into a contract with you.

[1] With the caveat that depending on the jurisdiction the shop owner may fully legally put up a sign along the lines of "No cash payment" and in that case it's you who are in breach of contract in the first point. Maybe if you then get sued for non-payment you can pay cash through the court system, but that certainly wouldn't be a pleasant way of paying by cash.


What you write is exactly what baffles me. You think I'm baffled because I don't understand how it works but it seems that I do, and that you don't seem to realize that it works in baffling ways makes it more depressing. There's debt being created by service or product changing hands but you just put up a sign and refuse to accept legal tender to pay that debt? What?


> There's debt being created by service or product changing hands but you just put up a sign and refuse accepting legal tender to pay that debt?

Yes, but the interpretation is that you picking up a bottle of milk or whatever in a supermarket or elsewhere doesn't yet make a contract and that the goods haven't actually legally changed hands at that point.

It's only when you're presenting your chosen goods at the register that you're legally making an offer to buy those goods, and unless there's a law specifically mandating cash acceptance for shops, the merchant (as represented by the cashier or a self-service checkout machine) is free to simply refuse your contract offer. And because in that case no contract was ever successfully made, there's no debt, either, and the concept of legal tender doesn't even enter into it…


> I don't want my bank knowing everything about my diet etc.

Germans have a certain paranoia. I understand where it comes from but how are you ever going to move on if you hold these beliefs so tightly?


I find it odd to phrase it as "move on" given the direction much of the rest of the world is headed. Anytime things become digitized, the centuries of civil and social rights, rights which people fought and died for, end up getting completely thrown to the wayside. The exact same would happen to money.

In some ways we're already seeing the foreshadowing of this in some of the previously most liberal places on Earth, like Canada. Even if one may not agree with what the truckers were protesting about, it seems unconscionable to freeze people's bank accounts as punishment for engaging in, or supporting, a completely and genuinely peaceful protest. [1]

[1] - https://fortune.com/2022/02/16/trudeau-freeze-freedom-convoy...


How is cash helping with this? Should we start storing the notes under our mattresses or? Sorry I’m not sure I understand your point.


People got their bank accounts frozen because they contributed to fundraisers for the trucker protest. If they could contribute to the protesters using a more private method of payment, they wouldn't be subject to these authoritarian retributions from the government.


In the 1930s, "Progress" was the replacement of a relatively free society with Nazi authoritarianism. In the 1940s, "Progress" (for half of the country) was the replacement of Nazi authoritarianism, where the secret police mostly targeted ethnic/political/sexual minorities, with Soviet authoritarianism, where the secret police targeted literally everyone and everything. So perhaps that is an object lesson in the value of not "moving on" from a relatively good situation.


Tell me who you believe has moved on, and myself and other commenters will share with you how they're being stabbed.


> I believe the message needs to be that anonymity is not only desirable but mandatory as well, especially because of the rise of platforms that literally track each and every possible metric about your daily life and habits

Normal people don’t care if their metrics are being tracked - that is happening to practically everybody all day every day, and very few people are experiencing any direct and measurable negative consequences. In their defence, why should they weigh the hypothetical-risk above the real-benefits of giving up privacy (ie, convenience and price)?

I believe if the message of privacy advocates is to have any effect at all on normal people, we really need to start focussing on things that normal people care about, not hypothetical and philosophical arguments.


It's a frog in a steadily boiling water problem. People not caring about their privacy enables certain actors to increasingly encroach it and then suddenly you find that these actors know everything there is to know about you including what you buy, eat, use, discard etc. This is not just a hypothetical scenario. For instance, look at any digitally capable dictatorial regime. No one now has the power to speak up in these regimes because everything they say is tracked and can be traced back to them and they themselves gave the regime this power happily in the past.


The right to access anonymity is desirable, but so is preserving a society in which it doesn't really matter for most people.

Everyone should know how to use Tor, but we shouldn't have to, at least not all the time.


Anonymity is one of those things that if you do not fight consistently for, will be eventually taken away from you. I fail to envision a society where anonymity doesn't really matter for most people because as long as there is a society, it'll imply there is a control structure. And as long as there is a control structure, it'll keep on dictating what you can and cannot do. Unless you unreasonably assume that such a structure will always, without fail, be perfectly correct, in the event that you disagree with it, you're certain to be in trouble. I'd like to reiterate once again, there is a distinction between morality and legality. For instance, it's never immoral to bring wrongdoings to light, and yet, it's horrendously illegal to expose classified government secrets, even if they are terrible.


Preserve implies we have that society now.

People's data is being farmed and their identity leaked and sold on the dark web, and they're probably not educated enough to care. That's what you want to preserve?


> identity leaked and sold on the dark web

You mean, after it's sold and resold by the likes of facebook or google in open transactions?


Are Facebook and Google opening bank accounts with people's identities or stealing from their paypal accounts? Not sure what point you're making here.


No, they and other large vendors are just selling data that enables that. The fraudsters couldn't work without the industrial torrent of personal data that is an object of avid commerce.

It weirds me out any time I open YouTube on the TV and the first thing I see is an ad related to some recent online purchase, however obscure.


No, criminals are. Criminals will also break into your home and steal your stuff, or break into your car and drive away, or pick your wallet right out of your pocket.

The existence of crime is not an example of the need for anonymity.


I'm in an area of the world where that doesn't quite work so I just thought of entities trading your personal information for marketing profit...


As an exercise, I've been using Tor Browser as a daily driver on my personal laptop, and ended up with a 3-browsers approach:

* Firefox ESR -- For sites that are necessarily linked to my identity, such as HN and shopping. Sometimes this also gets sites that don't have to be linked to me, such as if I'm too lazy to copy&paste a link from HN into Tor Browser. (Keyboard switching/starting: Mod+F)

* Tor Browser -- Almost everything else. This is the bulk of my traffic, and innocuous, not "he just switched to Tor Browser, so must be doing something interesting". (Keyboard switching/starting: Mod+W)

* Chromium -- This is my total subjugation browser, used when more-private&secure options fail for something I really need/want to access. No ad blockers, but some awful DRM enabled. Currently used only for one obnoxious video streaming service. I would like to get rid of this browser entirely. (Keyboard starting intentionally discouraging: Mod+P C H R O M Enter)

My vintage laptop can handle all 3 at once, just fine. Though I usually make them short-lived -- to reduce clutter, free compute resources, and clear trackers.

That's the personal laptop. My work laptops will partition browser use differently, such as for whatever the current Web development needs, and keeping all-day corporate SaaSes (e.g., GitLab, and mandated Web apps) open in one browser, while making another browser for short-lived public Web browsing sessions.

There's also a place for Tor Browser on the work laptop, for public browsing about topics that you don't want to hypothetically leak to competitors, but some companies will flip out if they detect Tor on the corporate network.


If we all use it, it will slow to a crawl. Even more than now.

Nobody that’s not halfway suicidal is running exit nodes on their home machines (I won’t, I don’t want police knocking on my door).

And just for the onionspace… yeah I saw some bad stuff there. After what I saw I don’t think anonymity is a good idea. There is darkness inside people that lack of rules, lack of order, lack of accountability brings out.


>yeah I saw some bad stuff there. After what I saw I don’t think anonymity is a good idea

This is a somewhat one-sided way of thinking.

Tor is a tool that can be used for useful things as well as misused for bad things (like a knife or a truck). Now, leaving aside the fact that websites related to credit card fraud, child pornography, and terrorism also have a large presence on the Clearweb.

Also, I'd like to note that Instagram is a global hub for human trafficking, and the moderators' stories don't sound any more innocuous than the Onion stories.

I use Tor daily and abide by the law, but don't want to miss the anonymity or pseudonymity of a Whonix VM and a Tails session.

Since I've been hosting Tor Nodes since I was 14, I don't have to worry about showing up on blacklists of 3-letter organizations, since I've been on top for over a decade anyway.


> Since I've been hosting Tor Nodes since I was 14

Honest question: why do people host exit nodes when they aren't 14 anymore?

Given how dangerous it is to host one, and how little personal benefit one gets from it, I kinda assumed most exit nodes are hosted by three-letter agencies from various countries. Is that so? If not, how so?


They specified nodes but not the type. Most likely they are relay nodes and not exit nodes. But I'd appreciate it if the gp chimed in.


Not all tools are equal. The iron maiden was also a tool that I suppose could be used for cracking open pecans.


The iron maiden never existed FYI. Well, not as a real torture device. It was invented about 150 years ago as a fake museum display.


Then use a real implement. Let's take mustard gas shells, what is their offsetting positive use? There isn't one.


Why exactly are you trying to compare mustard gas to Tor? I'm kind of lost here.

But anyway, to answer your question: mustard gas is not one thing, it's a class of chemicals. But one of them became the first ever chemotherapy drug, Mustine:

https://en.m.wikipedia.org/wiki/Chlormethine


Why are you talking about mustard gas chemistry instead of the shells that were brought up?


And in the end it can't circumvent stuff like the great firewall of China.

In the end Tor is just a legacy project from the CIA/NSA that has outlived its usefulness. The NSA has certainly redteamed all the ways to take it down or uncloak users, if needs be, so it's not even a tool against a potential fall into dictatorship of the USA.


> And in the end it can't circumvent stuff like the great firewall of China.

Actually, this isn't true: Tor with private Snowflake bridges can be very effective against the Great Firewall. I'm an activist who works in this area and I've spoken with activists who were using it as recently as this year.

The issue is scaling bridge discovery, since any automated bridge discovery mechanism rapidly exposes available bridges to a determined censor. But any team doing high profile, notable, or sensitive work can find an individual or organization outside China to provide them with private bridges. So Tor is one effective option now for key activists in China, just not a mass-scale solution for everyone.


is it better than something like shadowsocks?


for anonymity, yes (if using a "private" snowflake). for daily use or basic firewall circumvention, not really. as others have mentioned, it is more convenient and faster to just use shadowsocks to a digital ocean droplet or other vm.


Thank you.


There are a bunch of projects from Tor to aid in circumvention of the great firewall of China: https://support.torproject.org/censorship/connecting-from-ch...


Tor is a meme in 2023. Even advocates for it seem to believe it's only really good for circumvention, which is the totally wrong way to look at it. Having a built-in outproxy to the web is probably its greatest flaw, not its strength. Why? Because there's nothing stopping anyone from setting up exit nodes and analyzing the traffic. The open web itself is a vulnerability. Being an anonymizer for the web also encourages people to not contribute energy to "hidden services" but to the non-hidden web, which is self defeating.

And as others have pointed out, Tor wouldn't scale if everyone was using it. Contrast this with I2P which not only would scale but become more resistant to DDOS attacks with the more nodes on the network. Unlike Tor, I2P has no distinction between nodes, mostly because it's not designed to be an outproxy. But no, let's keep insisting that everyone use a deep state tool with chronic flaws because reasons. /s


> And as others have pointed out, Tor wouldn't scale if everyone was using it. Contrast this with I2P which not only would scale but become more resistant to DDOS attacks with the more nodes on the network.

One objection a lot of people in this thread have to using Tor is the (misconception) that they'll be relaying Tor traffic. (It doesn't work this way in Tor.) But what you're saying is that i2p will scale because this is the default behavior in i2p. But is that what people want?

Also, hidden services have been harder for Tor to scale than exit nodes, at least in the past few years. I don't think this is the result of the fact that Tor provides exit nodes. I think it's just a result of the onion service connection process being a series of fragile steps.

I do agree that supporting traffic to the web results in the Tor dev team prioritizing this use case over traffic to hidden services, but that's understandable given that it's the vast majority of their traffic and usage.


>One objection a lot of people in this thread have to using Tor is the (misconception) that they'll be relaying Tor traffic.

Um. I'm pretty sure that nodes relaying Tor traffic is the fundamental principle underlying Tor.

Everyone relays Tor traffic when using it.


No, only if you explicitly enable it in the config file.
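The opt-in the comment above describes is a torrc setting. As an added illustration (not from the thread and not Tor Project documentation), the three roles side by side; the option names are Tor's own, the nickname and contact address are placeholders:

```text
## Role 1: client only (what Tor Browser or a plain "tor" daemon does).
## With no ORPort configured, this process never accepts or forwards
## anyone else's circuits; it only builds its own.
SocksPort 9050

## Role 2: opt in as a non-exit (guard/middle) relay.
## Uncomment to enable. Other relays connect to ORPort; the relay only
## ever forwards still-encrypted traffic to other relays, and ExitRelay 0
## plus a reject-all ExitPolicy keeps it from ever being the IP that
## contacts the open Internet on a stranger's behalf.
# ORPort 9001
# ExitRelay 0
# ExitPolicy reject *:*
# Nickname ExampleRelayPlaceholder
# ContactInfo relay-admin@example.org
# RelayBandwidthRate 1 MBytes
# RelayBandwidthBurst 2 MBytes

## Role 3: exit relay. This is the single switch that turns a relay into
## the one whose address appears as the source of other users'
## connections (the abuse-complaint risk discussed elsewhere in the
## thread). It is never set unless the operator writes it.
# ExitRelay 1
# ExitPolicy accept *:80,accept *:443,reject *:*
```

Setting ExitRelay 0 explicitly in a relay config avoids any ambiguity about which role the process is taking; a client config with no ORPort stays a client no matter what else is in the file.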


Interesting. I thought this was only the case for exits.


>Because there's nothing stopping anyone from setting up exit nodes and analyzing the traffic.

This should be assumed. So what?

In 2023, almost every website supports https and unencrypted traffic is the exception, not the rule. So if someone sets up an exit node, they can only collect metadata from a few circuits from a competent user. Of course, this becomes a problem when someone sets up hundreds or thousands of nodes, but that - including statistical analysis or the use of 0-days - can only be done by a small minority.


> There is darkness inside people that lack of rules, lack of order, lack of accountability brings out.

Maybe, but it's nothing in comparison to the darkness that comes out of people who want rules and someone held accountable.


> After what I saw I don’t think anonymity is a good idea.

Any ideas for how to eradicate it without authoritarianism?


> There is darkness inside people that lack of rules, lack of order, lack of accountability brings out.

This extends to social networking too. As much angst as there is about moderation, it’s a feature people want.


It's certainly an interesting mindset: "I'd rather live in a neighborhood where the HOA is run by psychopathic busybodies, even if it means I have to become a pod person!"


I think more people would become interested in Tor if they could see everything advertisers know about you.

I have yet to find something which lets you get a good peek at that data. Does anyone know of anything?


>I have yet to find something which lets you get a good peek at that data. Does anyone know of anything?

You don't need Tor to avoid advertisers. Blocking all cookies and browsing in private mode will get you 99% of the way there. Throw in an ad-blocking VPN and there's basically nothing anyone can know about you that you aren't explicitly sharing.


This is not really true, because of how centralized the web is. From Google fonts to jquery and the million in between endpoints, most sites you visit are going to be reporting you to Google. Logging into a single identity verifying site or even just viewing a distinct set of sites can all work as instant deanonymizers.

A VPN that has multiple users using the same IP simultaneously can help on this front, but I don't know how common this is? Basically emulating how Tor exit nodes work. Though even that is also almost certainly possible to break.


If Cloudflare is screaming at you all the @#$@#$ time, your VPN or Tor exit node is good.

If Cloudflare is silent, they know who you are.


My understanding is that this is usually broken by invasive fingerprinting.


If you live in a GDPR jurisdiction, Facebook has a way for you to look at everything they have on you (and delete it).

I had a look when I went in there a few years ago to disable all their collection and they basically know every website you go to.


I am off facebook. I think they are not the bulk of the problem anyways.

You can see something similar with your Google ads profile, but only if you have personalized ads on. (I am sure they still have the profile on you, you just can't view it)


I was pleasantly surprised to find Tor mode in Brave browser. I was looking for private browsing mode and it was right there. It was pretty darn fast and usable too. I honestly hope this feature and browser get more uptake.


There are two issues with this:

- Part of the protection Tor provides is due to having the single browser made specifically for Tor. Nearly everyone uses it; this gives you a sufficiently large crowd to blend into. There are fingerprintable clusters inside this crowd, but at least they are still large enough. By using any other browser, you make yourself stand out and even diminish the anonymity of the whole network a tiny bit. This can become a problem if enough people are using custom browsers. Brave in particular is also not restricted enough by default (no JS etc). Default settings for everyone matter.

- Brave's Tor feature wasn't thoroughly tested in real situations. AFAIK they had issues with it, and also warned users not to rely on it as it's not complete.


> Brave in particular is also not restricted enough by default

While I'm in agreeance with everything you've said it should be pointed out that Tor Browser doesn't ship with JS disabled either, it simply breaks so much of the web that they've concluded it's not reasonable for a browser to do by default if they want to attract new users.


> Brave's Tor feature wasn't thoroughly tested in real situations

Meanwhile, we know for certain that Firefox has played a role in multiple deanonymizations.


If you mean Tor Browser then of course, as it's the only widely used browser in the Tor network. It's still the most tested option, and is paired with the reference Tor implementation, which is more complete than Brave's.


Brave even tells you not to use Tor if it's a life/death matter, but for general "poor-man's VPN" it's just fine.


Brave has loads of good features Chrome doesn't but people are put off by it because "muh crypto integration", which can be disabled permanently in settings.


The crypto integration is an indication of a compromised vision and a lack of judgment. If the dev is willing to shove that in, what else is in there that I’m not aware of?


Brave's completely open source. [1] I'm not using this as a 'go look at their source code' type meme, because obviously you won't. It's absolutely massive and one man auditing the code alone, just to see if he might want to use the browser, is absurd. But at the same time Brave attracts higher information users that are going to be disproportionately more interested in security, privacy, and so on. And there are a lot of people regularly poking through the source code, as well as contributing to improvements in it.

So I think the answer to the question is: absolutely nothing. The very few missteps Brave has made get broadcast from the ends of the world. The fact that the biggest things people can find to complain about are some crypto stuff, which is opt-in and easily completely disabled, or an autocomplete tagging a referrer that was patched out in less than 24 hours, is strongly indicative of the quality and integrity of the browser.

[1] - https://github.com/brave/


> or an autocomplete tagging a referrer - that was patched out in less than 24 hours

That functionality (which would modify some literal URLs typed in by users, not just make autocomplete suggestions!) was present in the source repository for roughly a month and a half until it was disabled by default, and remained present as an option for over a year after that.

https://github.com/brave/brave-core/commits/master/component...

You may mean that it was modified less than 24 hours after users noticed it and raised an outcry, but that still doesn't exactly inspire confidence.


If you can agree that moving away from a purely ad-supported internet is a good thing, then micro-payments are a strong alternative, and internet-native money at the protocol level is a technically appropriate solution.

Can you imagine Google Chrome bringing Tor integration into their browser? Why not?


Great points.


Which crypto judgment are you seeing that’s so damning?


Their operating budget, probably.


This is misleading. Brave had added items such as cryptocoin affiliate "cards" on the new tab page even for users who have had every cryptocoin aspect disabled.

Further, there is no way to pre-emptively disable the cryptocoin elements on new profiles on the same Brave installation.


They also started selling people's copyrighted website data to AI companies via a new API recently, explicitly "granting" a license to use it for AI training, without the copyright owners' (i.e., independent bloggers') permission.


Yeah, to me it seems like a skeevy browser for people without the IQ to use Firefox with good add-ons like uBlock Origin and not be put off by crypto integration.


FF is pretty crap these days (as a lifelong FF fanboy). I'd hesitate to use it except for HN where its low speed and security are part of the experience.


Firefox outperforms Chrome on web benchmarks, and it leaks less of your personal info to Google.


[citation needed]

Chrome feels a lot faster than Firefox to me (Especially on Facebook!), yet I still use Firefox to resist Google's stranglehold on the web.


I recently installed it because of this news to give it a try, and reality != benchmarks; it also deals much worse with a large number of tabs open.


> leaks less of your personal info to Google.

Hope you trust Mozilla with that same level of info (in twenty years)!


I don't understand comments like this. Chromium grinds to a crawl and even locks up with more than a handful of tabs, and its developers are deliberately adding new security vulnerabilities.


> deliberately adding new security vulnerabilities

Misleading way to say more APIs, I presume?


The review process for new web APIs in general is pretty shoddy and not terribly concerned with security (e.g. Canvas). However, I was specifically referencing this from the past few days: https://news.ycombinator.com/item?id=36910978


At least use Chromium.


Agree, my IQ is too low to keep up with the amount of changes to the omnibar look, the addition of cool color schemes, or preinstalled extensions to advertise a TV show.


Brave is fantastic for this. Also it sips power while on battery.


I wouldn't be surprised if the author, and a large segment of HNers agreeing with her, did a swift about-face when they realized that Tor also provides an end-run around the internet backbone black-holing of IPs that some Tier 1 ISPs did to KiwiFarms last year, during the height of the campaign to deplatform it. More people using Tor in general means more people having the means and know-how to evade censorship, and we can't have that, can we?


I don't think anyone would be surprised - what you're describing is pretty obvious to anyone who has ever looked into Tor for more than .1 seconds. It's also pretty well understood that when restrictions can be evaded it will be used for both good & bad purposes, that's just the nature of it.


We want privacy for everyone, except for the people we don't like.


Describing KiwiFarms as "people we don't like" is dishonest.

The people on KiwiFarms are actively harmful and engage in illegal harassment activities.

https://en.wikipedia.org/wiki/Kiwi_Farms#Harassment


That accusation has been repeatedly debunked. Also, on a more positive note, amongst all the gossiping and somewhat rude behaviour, they've documented a significant amount of illegal activity by others. In particular, how certain individuals of gender have been grooming children and committing sex crimes - which is why these creeps tried so hard to take Kiwifarms offline. And ultimately failed, as it's still up and running, even on the clearnet.


> using Wikipedia as a source

Not even Wikipedia's own founder believes in it anymore. It's essentially useless for anything politics-related because you already know that they will be heavily biased in favor of a given side...

https://www.independent.co.uk/news/world/americas/us-politic...


My comment here goes into more depth about that: https://news.ycombinator.com/item?id=37008614


> engage in illegal

Well then why haven't they been prosecuted?


Ok fine. Everyone deserves privacy except those people


Actually wouldn't a move to Tor completely destroy the ability to effectively moderate any sort of community since you have no way of banning spammers/bots? Even a "lawless" place like 8chan or Kiwifarms will have trouble holding discussions if all their forums are filled with copy-pasted CP from some random botnet


No it wouldn't. You can use difficult-to-obtain cookies or registration to prevent bots.


To be honest despite agreeing with many arguments around privacy, they're not quite compelling enough to convince me to adopt Tor's approach to it which in my mind is akin to hiding in a bin.

Sure, you're hidden, but you're also in with a lot of stuff you don't want to be in with and that can come with legal liabilities and ethical issues that I don't feel qualified to mitigate. And as other people have pointed out maybe the government or your least favourite company actually has a camera in the bin you chose to hide in.


A common misconception about Tor is that by using Tor as an end user you are also hosting and relaying stuff on the Tor network for other users.

This is not the case, unless you explicitly set up a relay node or volunteer to run a Snowflake bridge.

True, you're mixed in with other users from the point of view of websites that might treat you as spam, say. But you aren't taking on any liability unless you run an exit node, and even that is fairly well-established as safe in at least some jurisdictions.


I think even as a user, the risk then is that law enforcement agencies want to unmask/correlate users which leads to the possibility of them screwing that up and conflating people's identities. Arguably this is more of an issue with trust in those performing/acting on the analysis but on an individual level still factors into the "do I want to use tor?" mental model.


Couldn't you make the same argument about HTTPS requests over the clearnet? Your request is being processed by intermediaries through your ISP, which three-letter agencies could incorrectly correlate with you.

I know there are deep fundamental technical differences, but I could see an outcome where the end result is the same across both services. I'm not trying to justify using Tor either, just that I don't think the argument of guilt through incorrect association is solved by not using Tor.


I was going to say, this person is making the exact same argument I'm making about the mainstream Internet in general, today.

Just morality-lacking trash, at best.


Snowflake, as far as I am aware, only helps people connect to Tor; it doesn't route any traffic after that point.


Well, you are _absolutely_ taking on the potential liability implicit in becoming a person of interest in any case involving the exchange of materials that you are facilitating.

You may not _lose_ but you may find yourself with your life seriously disrupted.


What exactly do you mean by "facilitating", outside of a person explicitly running an exit node?


That is literally what I mean.


Browsing Tor isn't running a Tor node or relay, as many others in this thread have corrected.


You're not more "in the bin" than with some fellow knife users who stick them into humans - or a better parallel, recent community favourite Mastodon, which, according to its federated nature, also has a massive CSAM problem [1]. In the digital world, either you have complete freedom (also meaning choose your own server/fellow bin companions) or complete censorship - not much in between.

[1] https://www.theverge.com/2023/7/24/23806093/mastodon-csam-st...


> You're not more "in the bin" as with some fellow knife users who stick them into humans

Except that the law has come to terms (outside the UK) with the possibility of peaceful knife ownership, whereas the law around Tor and such things is still in the "probably non-technically savvy judge has heard scary terms around Tor and wants to be on the safe side" stage.


There are many places outside of the UK that don't allow carrying knives with certain features (e.g. fixed blade or assisted opening) or with blade length above a certain limit. In the US, this is often covered by municipal bylaws.


The CSAM problem is a fediverse problem, not just a Mastodon problem. Let me just say I am one of the most vocal critics of Mastodon after running an instance for 5 years and counting, but it's unfair to call it a Mastodon problem; Mastodon is just a fediverse client. The CSAM can come from any fediverse peer.

But it is indeed a problem, and Mastodon mirrors all remote content that is in your federation network, and now you have CSAM splattered across the connections of Mastodon instances with only blacklists of entire instances as recourse.

It's a bad approach, but they buried their heads in the sand years ago. Things like Pleroma do not do this by default.


False. Mastodon blocks those CSAM instances (especially the Japanese ones) en masse. It's the opposite of what you say. Twitter and FB have a harder problem on that because they are single-net based.


What do you mean by "specifically the Japanese ones"? Is CSAM more prevalent there, or is it something along the lines of having more loli content posted there, which falls under child pornography laws in certain countries?


Pawoo. It didn't have art-related CSAM, which in the end is just drawings, but real-people CSAM. Not porn, just topless nudes, on which Japan has an ambiguous stance. Thus, blocking pawoo.net on every Mastodon instance was almost mandatory to keep your sanity at good levels.

On Japan and nudity, I know some of it is being used not as sexualization, but as a hard prank (Takeshi's Castle, hidden camera pranks on toilets with falling walls, nudity jokes in Doraemon/Crayon Shin-chan, Dragon Ball and Bulma...), but in this case it surely didn't have an intention to ridicule anyone.

Akihabara had a mall where on a single floor there were magazines displaying illegal nudity as if they were sports magazines or something like that. Creepy stuff. It seems the Japanese people are sexually repressed in their teens so they can hyperfocus at school over anything else, but then this creates "sexually disabled" adults with lots of troubles in relationships and a hard lack of teenage discoveries.


In the case of Tor, the government you're trying to hide from actually made the bins and handed them out all over the world so that CIA agents would have somewhere to dead-drop files in.


IIRC the US Gov still funds the Tor project.


For perspective, the same entity, Open Tech Fund (OTF), has funded many projects in the tools-for-activists space, including Signal, NoScript, WireGuard, Tails, MediaWiki, OpenVPN, FileZilla, Psiphon, Tahoe-LAFS, Briar, Lantern, and Qubes.[1]

Quite a lot of serious projects in this space are US-government funded.

OTF does somewhat focus on needs in regions that are geopolitical priorities for the US, but since most of these projects (like Signal or WireGuard) are building general purpose tools, it seems pretty good for the world overall and not nefarious. Germany recently started a similar fund and hopefully more countries will too! [2]

(I know people involved in both OTF and Sovereign Tech Fund, and I work with a user researcher who's funded by a small grant from OTF on my project Quiet.[3])

One funny historical note is that OTF grew out of Radio Free Asia, a program started after the Tiananmen Square massacre to broadcast AM, satellite and shortwave pro-democracy propaganda in Mandarin into China.[4] So the mission of funding general purpose anti-censorship and privacy tools kinda makes sense!

1. https://www.opentech.fund/results/supported-projects/

2. https://sovereigntechfund.de/en/

3. https://tryquiet.org

4. https://www.opentech.fund/about/our-history/ & https://en.wikipedia.org/wiki/Radio_Free_Asia


If privacy is really private, and not merely a promise from a benevolent entity that they won't look at your details, not that they can't, then you will always find in your company those who need privacy because they are hiding from all of a society that hates them. Even if we were to go 100,000 years into the future where morals are entirely different and alien to modern day ones, if privacy exists at all, you'll find it most popular among those whose behaviors are the most morally repugnant to the futuristic society.

Privacy is good even when you have nothing to hide, but it is imperative for those who do need to be hidden. The ethical issues I generally see people concerned with are ethical issues with privacy itself, not a specific implementation.


There's also a very long history of ideas that were fundamental to scientific and societal progress being morally repugnant to a majority, initially.

Heliocentrism, democracy, etc.

Without some degree of freedom to violate the majority's morality (or even one's parents' morality!) without judgement, we should expect society to stagnate due to arbitrary lock-in of the status quo on any sufficiently controversial issue.

Privacy is great because it lets groups violate the majority's morality invisibly, without flagrantly disrupting the sense the majority has of there being a moral order.

Privacy gives you the upside of social innovation without the downside of a generalized, diminished belief in the morality of others (which can be a downward spiral for societal self-organization.)


Imagine if I was under investigation for drug trafficking, or tax fraud, or what have you. "He had Tor on his computer to access the Dark Web" is extremely strong jury bait even though it doesn't intrinsically mean anything. The government might not be able to prove what, if anything, I did - but I'll still probably look pretty dang guilty just for having it.

The other downside would be how trying to be secret can shine a spotlight - kind of like the bomb threat at that school (I'm forgetting the name). The student used Tor, but was quickly identified... because nobody else on the school network used Tor. (Make no mistake - I'm glad the student was caught - I'm just talking about how trying to increase your privacy can backfire.)


I'm not sure it would; that's like saying "he owns a car, he could have used it to speed".


> I'm not sure it would that's like going "he owns a car he could have used it to speed"

I think these and other rebuttals fall into the category of completely logical arguments that should, but won't, convince a non-tech-savvy judge or jury.


True, but we're talking about juries who are essentially random members of the public and are far from guaranteed to spot a fallacy or buy that it is a fallacy even when pointed out. I think a big difference to them could be how cars are socially normalised but Tor is not. There's a good chunk of the population who would hear the car version and think "that's ridiculous, I drive a car!" but hear the Tor version and think "that's a strange and alien thing to me, definitely something a suspicious person would do".


> True but we're talking about juries who are essentially random members of the public and are far from guaranteed to spot a fallacy or buy that it is a fallacy even when pointed out.

In the US, at least, juries are generally less sophisticated than a random sample of the general public; anyone who displays significant world knowledge or critical thinking during jury selection will be removed.


This is not actually true. Lawyers prefer jurors with critical thinking skills because it means they can be reasoned to; jurors without critical thinking skills are unpredictable wildcards.

Most jurors are gainfully employed in stable jobs, or were but are now retired, and care enough about their civic responsibilities not to try to get out of jury duty.


Lawyers for one side will have a preference for certain jurors; the other side's lawyers might like a few wild-cards (as to increase the chance of a hung jury).

Usually people "too knowledgeable" get bumped from the pool.


> the other side's lawyers might like a few wild-cards (as to increase the chance of a hung jury).

No, never. The defense never wants a hung jury, because the prosecution will just get another chance to have another jury trial, with a new jury, but having learned from the failure of the first trial. The defense always wants finality.

Prosecutions don't want hung juries either, because there is always the risk that the judge will either dismiss the charges (if more than half of the jury leaned toward the defense) or pressure prosecutors to offer a better plea deal to avoid wasting time on a new trial.

> Usually people "too knowledgeable" get bumped from the pool

If by that you mean people who know too much about the case already, then yes, because the defendant deserves a fair trial. If you mean people who are "too knowledgeable" in general, then no, unless it's clear that they're going to take this "knowledge" and rely on that "knowledge" instead of what is presented to them in court. Lawyers generally try to exclude tech bros, because they think they know everything about criminal law based on watching a few episodes of Law & Order and CSI.


Sounds like this wasn't a jury of their peers, then.


I can understand that argument due to the nature of Tor, but if you use it as a communication medium only, how is it different from using the non-Tor internet or a cell phone? Yet no one seems to argue that you are one of those nefarious internet or cell phone users. I think the argument is solid. The fact that it is not commonly used makes it a niche application. If it was more widely adopted, all those 'bad things' would likely be on par with regular phone/net issues in terms of volume.


I run a service that scans and documents hidden services. I've actively contributed to the security of the Tor ecosystem by reporting vulnerabilities that would result in de-anonymization. I can say with pretty good authority that most hidden services are deserving of the 'shadowy' label. I agree that the only way to change this is to have other non-shadowy services and uses, but it's a hard sell.

How do you convince a company to intentionally stand up an onion site that provides any real value? You lose the ability to apply some defensive controls to thwart attack, you're associating your brand with something identified as 'shadowy', and most customers won't use Tor or even understand what an onion site is. If a company is unwilling to justify the effort or take the chance on standing up a hidden service, why would they be willing to take a similar risk of abuse by allowing traffic sourced from the Tor network?


How do you perform scans of onion URLs? Two things come to mind for me:

1. Follow published links with a crawler

2. Host an exit node and observe where traffic goes


Well, exit nodes aren't used for hidden services. I discover them either when people give them to me while searching the site, from HTTP referrers, from a crawler, or through other means of disclosure.


Good point on the exit nodes. Forgot those were only for clearnet. Thanks!


Try visiting this from incognito and clearing cache/cookies: https://fingerprint.com. This can't be legal, right?


Sounds like it should be illegal. That said, changing my User Agent to IE+Win7 changed the identifier for me. Looks like Firefox's "resist fingerprinting" setting also works. I wish there was a separate setting for private browsing.

That said, that was enlightening, thank you for pointing this out. It's disgusting that there are companies selling this.


This is the "workaround" now that websites aren't given free range access to your cookie jar. They make a unique identifier out of a range of info like OS, browser, screen size, whatever seemingly harmless info they can get.


Fonts you have installed, what certs or APIs you have enabled in your browser, someone else can continue with their favorites..


https://amiunique.org/fingerprint gives some insight into what is used for fingerprinting, if you want to randomize your profile.

This one overestimates uniqueness because it doesn't consider stability (e.g. it uses your current battery charge level as a uniqueness measure, which is obviously not stable minute-to-minute let alone day-to-day).


> Permanent identifier: Consistent visitor ID over months or years, even as browsers are upgraded.

This advertisement implies some things that could potentially be illegal, but I don't think that practice is by itself. Stalking as a service really gives SaaS a new meaning.


Does anybody use Tor for everything? I'd be interested in hearing their experience if so. There are sites that I have been unable to get working in Tor, usually due to the browser. Some services actively block it. There's also a performance hit.

Also, while you should always assume your traffic is open to inspection/modification before it reaches its destination, this is more likely to happen with Tor, not less likely. The Tor browser does help here, by not easily allowing obvious mistakes like using HTTP.


I use Tor for everything that doesn't require identification, and I use very few of those services. For example, this HN account and the email for it have never been used without connecting through Tor. Feel free to ask me anything.

>There are sites that I have been unable to get working

This happens, most of the time because of Cloudflare. A solution is to get a new Tor circuit 3-5 times, and then the page will load. If a site simply won't work, like Meta platforms, I won't use them. Using alternative front-ends[1] makes most sites that usually wouldn't work, work as well.

>The Tor browser does help here, by not easily allowing obvious mistakes like using http.

This is false, HTTPS only is enabled by default in Tor Browser. It's common knowledge for everyone including users of Google Chrome and Firefox to not use HTTP sites.

[1]: https://github.com/mendel5/alternative-front-ends


Thanks.

> This is false, HTTPS only is enabled by default in Tor Browser

I think you misread me. I said the Tor browser does help here.


>I think you misread me. I said the Tor browser does help here.

My bad, you're right! That shows my bias when it comes to this topic, way too much FUD.


I use it for just about everything except for things tied to IRL identities. (short-lived usage like making a search request, to persistent identities like this)

Some services block Tor. Sometimes they can be bypassed by pressing "New Tor circuit for this site" a few times, sometimes they cannot. Some of the methods listed here [0] can help (though I wouldn't log into any accounts using this as TLS isn't being terminated at your machine).

Some features don't work in Tor Browser; off the top of my head, sites using AudioContext, WebAuthn, WebAssembly. (WebAssembly can be a pain due to some encrypted paste bin sites using it.)

I run multiple instances of Tor Browser (separated with Linux namespaces, particularly netns, because Tor Browser will fail to load if an existing Tor service is running on port 9150) so that I can multitask between, for example, posting this on HN and random browsing in another instance. That also helps with the WebAssembly thing, as I run a script to spin up a temporary instance of Tor Browser, enable WebAssembly in about:config, and load the failing page.

For the sites that block Tor that I need to login to or that don't work with the ad-hoc methods listed above, I will fallback to using a VPN + an about:config-modified version of Tor Browser that has the Tor proxy disabled. Mullvad Browser can also be used as an alternative.

I also use it outside of TB for IRC among other things. You have to be careful as there is no uniform configuration for everyone like TB.

0: https://gitlab.torproject.org/legacy/trac/-/wikis/org/doc/Li...


I use Tor occasionally to see what's going on in the flip side of the net and to contribute to routing, but honestly you aren't going to convince anyone who isn't ideologically inclined to support it. It doesn't help that Tor itself is full of scams and dark markets selling who knows what. It seems to have gotten better over the years, but normal people aren't going to put up with that. Nobody wants to see that stuff.


If you use a Tor browser you see the same web as with your "normal" browser. You'd need to actively search for the dark web and shady markets (and no, you can't just google that either; you'd need to lurk much deeper). It's not possible, and never was, to "accidentally" see that stuff if you use the web the way you did before Tor.


Yes. I don't get ambushed by illegal content, as most of my surfing with Tor is for browsing the clearnet (which is fairly innocuous and more sanitized than the dark web). I do use the 'real world' onions[0] to read The New York Times, etc.

[0] https://github.com/alecmuffett/real-world-onion-sites


>Tor itself is full of scams and dark markets selling who knows what.

Did you forget to read the article? They make the point that this is not the case. Tor Browser can be used to access most of the web besides aggressively anti-privacy platforms like Meta.

If you choose to go on a "Dark Web Search Engine" and that's what you find, that's entirely your decision and not something you would stumble upon.

>but normal people aren't going to put up with that. Nobody wants to see that stuff.

They would never see that stuff by accident, as they never do right now.


Are there any apps that use the Tor network and existing hidden service protocols to provide anonymous chat?

This could be an alternative to some of the instant messaging systems that provide privacy but not anonymity.

I know that some chat messaging systems can use Tor as the transport, but they have problems of their own.

What I'm thinking about is something along the lines that each user app hosts a hidden service that receives messages through a standard HTTP API. Users need to hand their hidden service address to friends. The protocol itself already handles payload encryption and routing but messages could be further encrypted at the app level before being sent (using the other user's public key once an initial exchange has been done).

Granted, sending a message would require all parties to be online at the same time, but there could be a set of relay servers to hold messages until they get fetched.

I'm sure there are lots of hairy issues to take into account, but I would expect the existing protocol to mitigate some of these compared to a ground-up approach (like Session is doing). Tor is fairly mature and, despite all attacks on its infrastructure and protocol, it is still standing.

I'm also wondering if such a messaging system couldn't be useful for some IoT types of scenarios, as it would protect the location and communication of the source of the data, so the devices could not be easily physically found and hacked.

None of this would be useful for high-bandwidth real-time data, but you can get reasonable latencies and traffic sent this way.

Maybe it's all just a dumb idea...
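One possible transport for the scheme described above, as an added example and not the poster's code: a loopback-only HTTP inbox that an assumed torrc line HiddenServicePort 80 127.0.0.1:8080 publishes as an onion service, plus a sender that reaches a peer's .onion through the local tor daemon's SOCKS5 proxy (assumed at 127.0.0.1:9050). The sender field is self-asserted, and the application-layer encryption and relay servers the poster mentions sit above this layer.

```python
# Added example: a transport for the hidden-service chat idea (stdlib only).
# Receiver: loopback-only HTTP inbox, published as an onion service by an
# assumed torrc line "HiddenServicePort 80 127.0.0.1:8080".
# Sender: reaches a peer's .onion through tor's SOCKS5 proxy (assumed :9050).
import json
import socket
import struct
from http.server import BaseHTTPRequestHandler, HTTPServer

TOR_SOCKS = ("127.0.0.1", 9050)   # assumed tor SOCKSPort
INBOX_BIND = ("127.0.0.1", 8080)  # loopback only; never expose on a public interface
MAX_BODY, MAX_TEXT = 64 * 1024, 4000

def socks5_connect_request(host: str, port: int) -> bytes:
    """SOCKS5 CONNECT with ATYP 0x03 (domain name): the name is handed to Tor
    unresolved, so the .onion never reaches the local DNS resolver."""
    name = host.encode("ascii")
    if not 0 < len(name) <= 255:
        raise ValueError("hostname length must be 1..255 bytes")
    return b"\x05\x01\x00\x03" + bytes([len(name)]) + name + struct.pack(">H", port)

def _recv_exact(sock: socket.socket, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("proxy closed the connection")
        buf += chunk
    return buf

def tor_socket(host: str, port: int, timeout: float = 90.0) -> socket.socket:
    """Open a TCP stream to host:port through Tor (SOCKS5, no-auth method)."""
    sock = socket.create_connection(TOR_SOCKS, timeout=timeout)
    sock.sendall(b"\x05\x01\x00")                     # version 5, offer no-auth only
    if _recv_exact(sock, 2) != b"\x05\x00":
        sock.close()
        raise ConnectionError("SOCKS proxy rejected the no-auth method")
    sock.sendall(socks5_connect_request(host, port))
    head = _recv_exact(sock, 4)                       # VER REP RSV ATYP
    if head[0] != 0x05 or head[1] != 0x00:
        sock.close()
        raise ConnectionError(f"SOCKS5 CONNECT failed, reply code {head[1]}")
    # Skip BND.ADDR/BND.PORT so the stream starts at the application data.
    if head[3] == 1:
        _recv_exact(sock, 4)
    elif head[3] == 3:
        _recv_exact(sock, _recv_exact(sock, 1)[0])
    elif head[3] == 4:
        _recv_exact(sock, 16)
    _recv_exact(sock, 2)
    return sock

def build_post(onion: str, payload: dict) -> bytes:
    """One inbox message as a minimal HTTP/1.1 POST to /inbox."""
    body = json.dumps(payload).encode()
    head = (f"POST /inbox HTTP/1.1\r\nHost: {onion}\r\nContent-Type: application/json\r\n"
            f"Content-Length: {len(body)}\r\nConnection: close\r\n\r\n")
    return head.encode() + body

def send_message(onion: str, sender: str, text: str) -> int:
    """Deliver a message to a peer's onion inbox; returns the HTTP status code."""
    with tor_socket(onion, 80) as sock:
        sock.sendall(build_post(onion, {"from": sender, "text": text}))
        return int(sock.recv(64).split(b"\r\n", 1)[0].split()[1])

def parse_inbox_message(obj: object) -> dict:
    """Validate an incoming message (the 'from' field is self-asserted until an
    app-level key exchange authenticates it); raises ValueError otherwise."""
    if not isinstance(obj, dict):
        raise ValueError("message must be a JSON object")
    sender, text = obj.get("from"), obj.get("text")
    if not (isinstance(sender, str) and sender.endswith(".onion")):
        raise ValueError("'from' must be an onion address")
    if not (isinstance(text, str) and 0 < len(text) <= MAX_TEXT):
        raise ValueError("'text' missing, empty or too long")
    return {"from": sender, "text": text}

INBOX: list = []

class InboxHandler(BaseHTTPRequestHandler):
    def do_POST(self):
        length = int(self.headers.get("Content-Length") or 0)
        if self.path != "/inbox":
            return self.send_error(404)
        if not 0 < length <= MAX_BODY:  # bound the read before touching the body
            return self.send_error(413)
        try:
            msg = parse_inbox_message(json.loads(self.rfile.read(length)))
        except ValueError:
            return self.send_error(400)
        INBOX.append(msg)
        self.send_response(204)
        self.end_headers()

    def log_message(self, *args):  # keep peer traffic out of local logs
        pass

if __name__ == "__main__":
    HTTPServer(INBOX_BIND, InboxHandler).serve_forever()
```

Two details carry the security weight: the inbox binds to loopback only, because an onion service that is also reachable on a public interface gives away its host, and the SOCKS request carries the hostname so the .onion is never resolved by the local DNS stack.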


My team is building Quiet, an alternative to team chat apps like Slack and Discord that works as you describe:

https://github.com/TryQuiet/quiet/#readme

> Granted, sending a message would require all parties to be online at the same time, but there could be a set of relay servers to hold messages until they get fetched.

We actually do a bit better than this! We use a gossip network (libp2p gossipsub) so all peers don't have to connect directly, and a CRDT over a private IPFS network so that everyone in a community eventually syncs all messages. As long as there's a continuity of online peers, the availability of messages is the same as a central server, and with a few Android users in the mix it's pretty easy to get to that level of continuity.

(The battery impact of staying connected all the time on Android isn't as bad as you'd think, and we haven't even begun to optimize it.)

And yes, it builds on the maturity of Tor rather than trying to roll its own onion routing layer as Session is doing. Quiet is still a work in progress, but we've been dogfooding the desktop app for over a year now as our main team chat, and the Android app for a little less than that. We're working on iOS now, which is... tricky. But we're hopeful.


That's really interesting and I hope the project gets continued support.


There is Session, which combines Tor-style message routing with a message encryption scheme inspired by Signal. Is that what you mean?


There was a project, https://blog.torproject.org/tor-messenger-beta-chat-over-tor..., but I don't know what the status is; quick Google searches make it seem abandoned.


Yeah. Also there's Ricochet and its continuation Ricochet Refresh, but these only do 1:1 messaging AFAIK.[1][2]

Ricochet was a big inspiration for my project Quiet.[3]

Cwtch also deserves a mention, though it depends on ephemeral servers and isn't fully p2p. Briar is another and frequently comes up on HN. [4][5]

1. https://en.wikipedia.org/wiki/Ricochet_(software)

2. https://www.ricochetrefresh.net/

3. https://tryquiet.org/

4. https://cwtch.im/

5. https://briarproject.org/


With i2pd you can set up Web, IRC, Mail and NNTP proxies against retroBBS and chat with people at acceptable speeds. Also, to talk on actual daily lives beyond propaganada with Ukrainians and Russians.

Ironically, anonymity here stops terror and helps innocent people. Any terror.


I believe Tor is underrated in P2P systems. Many networks consider NAT traversal mostly (or partially) unsolved. Routing between nodes over Tor immediately solves your NAT traversal problems allowing any device to tunnel to any device (at the expense of latency).


i2p is an alternative with its main focus on hidden services rather than outproxying to the regular net, that seems to be somewhat used with torrents.


Reaction: Sounds nice...but the author seems oblivious to the motivations and technical skill levels of >95% of web users. And to TOR's (in)ability to grow its infrastructure, to support anything resembling the traffic that would result from anything resembling a "we all use it" scenario.


What technical skills are needed to browse with Tor that are not needed in any other browser?


Well, if Tor isn't the pre-installed default browser on Joe User's new computer or smart phone, then...


Neither are Chrome and Firefox, everyone manages to install those too.


I very rarely use Tor because using Tor without being an exit node just slows it down for everyone else using it and running an exit node means CSAM passing through your router sooner or later which I find unacceptable. Most of my privacy needs are met by a commercial VPN.


Here's a novel thought: take the money you give to the commercial VPN provider and donate it to Tor instead. They can spend it on running more exit nodes themselves, which fixes both the issues you say you have with it.


It would make up for it, but not fix it. The network would still be faster without my traffic. Plus, torrenting hundreds of gigabytes of data over Tor would be rather abusive.


In that case, donate them money and don't use it? I'm not sure how this private VPN you're using is any better - it too would be faster without your traffic. They spend your money on the same thing the Tor project could spend it on.

We agree it would be a very bad fit to use the torrent protocol over Tor, a seedbox would be better for your purposes.


The Tor Project is a non-profit and the Tor service is used not just by criminals but people under repressive regimes around the world, and there are no real alternatives to it. My VPN provider is a for-profit company and its users are free to choose another company.

a seedbox would be better for your purposes.

A seedbox would suit my torrenting needs but it doesn't fulfil the additional roles of bypassing video stream throttling on my mobile network or letting my overseas friends bypass network censorship.


> the more people that use it, the more secure it gets, according to Patil. If only certain sensitive groups use it, it’ll be easier to deanonymize and ultimately track down identities.

Tor gained a lot of popularity after the Snowden revelations. We would need several Snowden-like leaks over the coming years to ramp Tor usage up substantially. And then there's no way of knowing how Tor would scale to support a new influx of users, year-on-year.

But I agree with Patil, the more people that use it, the better. If we could just shake the stigma that Tor = crimeware then that would be great.


Please don't. If everyone suddenly used TOR, we would get something a lot worse than Google's Web Environment Integrity; let me explain why. As someone on the other side of things (running different services for years), thank god that not all users are using TOR. 99% of all attacks, spam, password brute forcing etc. came from TOR on many services I worked on throughout the years. Eliminating that traffic or adding additional checks and hops for traffic from TOR solves a lot of issues for many services.


I recommend against using Tor, simply because of exit node hostility and targeted intrusions when you use Tor. Intel agencies also run the majority of relays, last I heard of this subject. Perhaps if exit node operators were publicly listed and vetted humans and most relays' owners volunteered who they are and validated that with the project, I could trust it more.

IMHO, financial incentives for relay and exit operators are the best way to make sure more people without ulterior motives participate.


Let's not forget personal services! You can set up sshd on a box behind NAT as a hidden service. It'll disconnect more than you like, but screen or tmux can help with that.

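One way to do what the comment above describes, as an added example that is not code from the thread or from the Tor Project: the server-side torrc lines that publish a local sshd as a v3 onion service, the client-side ssh_config stanza that reaches it through the local Tor SOCKS port, and a small check that sshd is bound to loopback only (so the onion is the only way in). The directory path, user name and onion hostname are placeholders; HiddenServiceDir, HiddenServiceVersion and HiddenServicePort are real torrc options, and `nc -X 5 -x` is OpenBSD netcat's SOCKS5 proxy syntax.

```shell
#!/bin/sh
# Added example (not from the thread): the torrc and ssh_config pieces that
# put sshd on a NAT'd box behind a v3 onion service and reach it from a client
# through the local Tor SOCKS port. Paths, hostnames and user names are
# placeholders that you must replace.
set -eu

# Server side: append to /etc/tor/torrc (path varies by distro). Tor creates
# the directory and the hostname file on first start.
render_torrc() {
    cat <<'EOF'
# Expose local sshd as an onion service; nothing is opened on the NAT.
HiddenServiceDir /var/lib/tor/ssh_onion/
HiddenServiceVersion 3
HiddenServicePort 22 127.0.0.1:22
# Optional but recommended: client authorization. Put one "<name>.auth" file
# containing "descriptor:x25519:<client pubkey>" into authorized_clients/
# under HiddenServiceDir (Tor >= 0.3.5); clients without a matching private
# key cannot even fetch the descriptor. See the tor(1) manual for details.
EOF
}

# Client side: ~/.ssh/config. OpenBSD netcat's -X 5 / -x speak SOCKS5 to the
# Tor client on 127.0.0.1:9050, so ssh never resolves or learns a real address.
# ServerAliveInterval makes a dead circuit fail fast instead of hanging; it
# does not prevent the drops the comment mentions, which is why tmux/screen
# on the server still help.
render_ssh_config() {  # $1 = onion hostname (contents of HiddenServiceDir/hostname)
    cat <<EOF
Host nat-box-onion
    HostName $1
    User admin
    ProxyCommand nc -X 5 -x 127.0.0.1:9050 %h %p
    ServerAliveInterval 30
    ServerAliveCountMax 4
    # Requires the host key to be in known_hosts already (copy it out of
    # band). The onion address authenticates the endpoint, but a wrong
    # address pasted once would otherwise be trusted silently on first use.
    StrictHostKeyChecking yes
EOF
}

# Hardening check for the server: return 0 only if sshd_config has at least
# one ListenAddress and every one of them is loopback. No ListenAddress at all
# means sshd listens on every interface, which defeats the point of the onion.
sshd_listens_on_loopback_only() {  # $1 = file with sshd_config contents
    awk 'BEGIN { n = 0; bad = 0 }
         tolower($1) == "listenaddress" {
             n++
             if ($2 !~ /^127\.0\.0\.1(:|$)/ && $2 !~ /^\[::1\]/) bad = 1
         }
         END { exit (n == 0 || bad) ? 1 : 0 }' "$1"
}

# Demo: render both pieces to stdout.
render_torrc
echo
render_ssh_config "replace-with-contents-of-hostname-file.onion"
```

After restarting tor, read the generated address from the hostname file under HiddenServiceDir and paste it into the HostName line; the ProxyCommand also works for scp and rsync over ssh since they reuse the same config.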

Adoption is gonna be difficult. Many users don't care that much about privacy in general. So getting them to change their habits is a tall order. Furthermore, a lot of sites see TOR as suspicious and make the effort to block it/put them through captcha hell. I don't see a critical mass of users dropping convenience for the sake of something they don't really care about anytime soon.


There is a cultural factor also - Tor, like most American BigTech, tries to sell us the idea of "trust the network" over any government as "governments cannot be trusted". Yes, governments cannot be trusted but what is worse is if we lose faith in democracy and give in to the idea that some corporate overlord or a foreign network will do a better job of protecting our rights. It's a ridiculous idea that only Americans seem to buy, while the rest of the world are actually enforcing the protections of their rights through democratic means (demanding regulations and legislation).

Personally for me it is about the traffic that may be routed through my computer by the Tor network - I definitely do not want child porn, drugs or terrorist related site transaction packets to even touch my computer. It may be a rare occurrence, but I want certainty. If we could control the traffic that is allowed on our network / computer, I'd be a more willing user of Tor. (A use case example would be to allow a Tor user to create a white list of onion sites from which they would be willing to accept traffic).


I agree. The certainty is reassuring. I also would never want my computer to touch even the most remotely objectionable material. I've contemplated running a Lemmy instance before, but the concerns you've brought forth are the main contributing factors in my decision to not do so.

Not only that, but TOR is something that becomes more private the more someone uses it. Iirc it's really easy to distinguish TOR packets from regular packets. Combine that with how few people use TOR, and your job of narrowing down who's abusing it becomes much easier.

Finally, just running an exit node opens one up to many legal liabilities. It's not something that's worth the effort, but its strength comes from many people running one.

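Two comments above approach the same operational fact from opposite sides: the service operator who wants Tor-originated requests to get extra checks rather than an outright block, and the remark that Tor traffic is easy to tell apart on the wire. The added example below (not from any commenter and not from the Tor Project) shows the plain address-list approach to both. The exit list, relay list and log lines are constructed from RFC 5737 documentation addresses and invented flags; in practice you would pull the exit list from https://check.torproject.org/torbulkexitlist and derive relay addresses from the consensus.

```shell
#!/bin/sh
# Added example (not from the thread): flag Tor traffic in two directions
# using only IP lists, the way an operator would. All addresses and log lines
# below are constructed from RFC 5737 documentation ranges.
set -eu

tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT

# Constructed stand-in for the bulk exit list (one address per line,
# comment lines allowed). Not real exits.
cat > "$tmp/exits.txt" <<'EOF'
# constructed data
198.51.100.7
198.51.100.23
203.0.113.200
EOF

# Constructed stand-in for a relay list in the form "<ip> <flags>", the kind
# of table you would derive from the consensus. Not real relays.
cat > "$tmp/relays.txt" <<'EOF'
198.51.100.7 Guard,Exit,Fast
198.51.100.23 Exit,Fast
203.0.113.200 Exit
192.0.2.40 Guard,Fast
192.0.2.41 Guard,Fast
EOF

# Constructed web server access log (combined-log format, client IP first).
cat > "$tmp/access.log" <<'EOF'
198.51.100.7 - - [28/Jul/2023:10:00:01 +0000] "POST /login HTTP/1.1" 401 512
10.0.0.5 - - [28/Jul/2023:10:00:02 +0000] "GET /index.html HTTP/1.1" 200 2048
198.51.100.7 - - [28/Jul/2023:10:00:02 +0000] "POST /login HTTP/1.1" 401 512
203.0.113.200 - - [28/Jul/2023:10:00:03 +0000] "POST /login HTTP/1.1" 401 512
10.0.0.9 - - [28/Jul/2023:10:00:04 +0000] "GET /about HTTP/1.1" 200 1024
EOF

# Constructed outbound connection log: "<ts> <src> <sport> <dst> <dport> <proto>".
cat > "$tmp/conn.log" <<'EOF'
1690538401 10.0.0.5 51000 192.0.2.40 9001 tcp
1690538402 10.0.0.5 51001 203.0.113.10 443 tcp
1690538403 10.0.0.9 51002 192.0.2.41 443 tcp
1690538404 10.0.0.9 51003 192.0.2.99 9001 tcp
1690538405 10.0.0.7 51004 203.0.113.10 80 tcp
EOF

# Service side: print access-log lines whose client IP is a known exit. These
# are the requests to route through stricter rate limiting or a challenge,
# rather than dropping them (that would also drop the legitimate Tor users).
# NR == FNR is true only while awk reads the first file (the list).
flag_exit_clients() {  # $1 = exit list, $2 = access log
    awk 'NR == FNR { if ($1 != "" && $1 !~ /^#/) exits[$1]; next }
         ($1 in exits) { print }' "$1" "$2"
}

# Network side: a Tor client only opens connections to relays, so an outbound
# flow whose destination is in the relay list is Tor with high confidence.
# Destination ports 9001/9030 (the ORPort/DirPort values in Tor's sample
# torrc) are only a weak hint, since many relays listen on 443 instead; the
# list is what carries the detection, the port just widens recall.
flag_tor_bound() {  # $1 = relay list, $2 = connection log
    awk 'NR == FNR { if ($1 != "" && $1 !~ /^#/) relays[$1] = $2; next }
         ($4 in relays) { print $0 " # relay:" relays[$4]; next }
         ($5 == 9001 || $5 == 9030) { print $0 " # port-heuristic-only" }' "$1" "$2"
}

# Portable line counter (wc -l pads with spaces on some systems).
count_lines() { awk 'END { print NR }'; }

echo "== requests arriving from Tor exits =="
flag_exit_clients "$tmp/exits.txt" "$tmp/access.log"
echo "== hosts connecting to Tor relays =="
flag_tor_bound "$tmp/relays.txt" "$tmp/conn.log"
```

Both lists change constantly, so refresh them on a schedule and keep the previous copy: a relay that left the consensus an hour ago still explains a connection logged two hours ago. The port-only matches in the second function are the ones to treat as leads, not verdicts.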

>Personally for me it is about the traffic that may be routed through my computer by the Tor network

No traffic is routed through your computer by using Tor, running a relay is a completely separate thing that can't be done by accident.


I've tried tor a few times, but unless you enjoy solving captchas as a hobby it is only worth using when you actually need some anonymity.


>unless you enjoy solving captchas as a hobby it is only worth using when you actually need some anonymity.

Use services that respect your freedom. Hacker News works just fine using Tor Browser. ;)


By running a Tor node, one helps dissidents / spy assets in Russia get information / communicate with handlers in Ukraine, USA, etc. -- Which is the reason for Tor's existence in the first place. If one is into supporting that kind of thing of course, but defense of Ukraine seems pretty popular in the US


Pft, 100% this was developed by a three letter agency in the US.


It's not even a secret, look at the Tor Project's funding sources (public tax record). State Dept & DoD were their primary funders last time I checked.

Hypothetically, if the USG wanted to produce "official" backdoored TOR clients (e.g. only served as prebuilt downloads to IPs geolocated in Iran, etc to make detection difficult), they are in an excellent position to influence that work. And as the story of Julian Assange makes clear, that should concern anyone who purports to care about privacy, human rights, etc.


Lazy comment - Navy has 4 letters.


The internet has become progressively worse with the invention of smartphones and lowering the barrier of access for the common people, I would not like to see the same happen to Tor. If the long winded forum discussions and info sharing turns into Facebook tier posting I'll become depressed.


A long time ago ... I recall certain sites and services (like a MUD I tried to join) would not allow you to make an account if you were from AOL. I forget if it was just by email address or if they actually checked the IP address.

Would love a reputation service that correlates IPs and/or email addresses to the amount time users spend on Facebook. I'm sure this data is out there and purchaseable, to be honest.


Are there any forums with "long-winded discussions" that exist in Tor only, other than kiwifarms?


Yes.


If you have forums that haven't been raided by trolls and idiots, it's because they have a good moderation system in place.

That includes being selective about who you allow to have an account.


And we’ll only use it if it comes at nearly zero cost in performance and convenience. It’s as simple as that.


I was using tor the other day and my phone battery went below 10% triggering power saving mode. My fault, I should have had my phone charged before.

When the phone went into power saving mode, tor closed and lost my place. And since it doesn't keep local browsing history, I was back to square one.


I like the idea of Tor but I don't like the idea of federal governments running nodes and snooping.


This right here… when the government can just run exit nodes and case after case comes out about the government capturing data from a tor node they operated, that problem needs to be solved first.


Wait, I'm confused. Not all people use Tor?

Honestly though, Tor is not the solution for a lot of people. If you're just going for good enough there are other alternatives, if you're already under heat from a big enough actor you are screwed whatever you use.

We need a new solution.


I have had a plan on my list for years now, to write a medium for IoT devices, that would route all traffic through TOR as a layer of security, while it would also help the TOR network with a lot of fuzzing traffic.


Tor doesn't want people using it for building normal communities. Their treatment of tor v2 and the wiping away of all those links, indices, and sites shows this. Yes, 1 year of warning that all of .onion domains were going away was given, thanks The Tor Project. But why bother building a community on an onion domain when they're only treated as temporary and transient identifiers by the tor project?

No, I tried building normal websites and community on tor for 10 years. Then the tor project wiped it out for potential future security. They will always prioritize the needs of the people who really need privacy over us. And that's fine. But I will not make the mistake of building on tor again.


According to Tor Project, v2 onion services were "fundamentally insecure" [1]. It sucks that you lost your URL, but wasn't redirection an option?

Tor definitely has a commitment to people building communities using hidden services, but they also have a commitment to your community members' expectations of security, no?

1. https://support.torproject.org/onionservices/v2-deprecation/


You can't redirect clients that cannot even parse your domain name. I can't update the links in all the indices and search engines built the last decade. I can't change the links to my .onion site on other people's sites. No, most .onion domains just went away, poof, inaccessible and sit unvisited while the remaining tor v2 infrastructure goes unused because the tor project clients dropped support. There's more to a web than any single site. And that web of interconnected links was destroyed with no recourse.

As for fundamentally insecure, yeah, in a few years maybe by spending $10k you could brute force a hash and take over a domain. So they killed it entirely to protect the people that need absolute privacy and security. They could've left v2 alongside v3 and let people choose, but the tor project considers that too risky for their prized use case.

Those of us just using tor for owning our own domains were not important in comparison. That "not being important" will continue. Shadowy users are what tor cares about. Not open communities. Tor is great for pseudo-privacy. It is not great for people wanting to make normal sites on it.


>victims of domestic violence looking for resources without their abuser finding out or

I don't really understand the threat model that would make Tor helpful here.


Associated advertising by source IP address. Happens all the time, I see ads pop up on my wife's computer that are definitely meant for me, and based on searches she would never think of.


I would love to help a dissident to bypass internet filters, but I don't want to get anywhere near illegal stuff.


> but I don't want to get anywhere near illegal stuff.

Then you should probably stop using the web altogether.

I'm seriously confused how using Tor places you closer to "illegal stuff" than browsing as you do? Could you clarify?

Even if we're going to draw the distinction between .onion sites and the plain web (and there's nothing about Tor that requires you to visit or interact with .onion sites) I'm nearly certain that there are many orders of magnitude more "illegal stuff" being shared on traditional websites than the "dark web". Plenty of drugs are purchased through Venmo, and Tumblr and Twitter have had pretty high incidents of child exploitation materials being shared on there (and, despite having been a heavy user of those sites at some point, I never came across any content close to that).

My experience has been that, barring 4chan 10 years ago, it is extremely rare that you'll ever come across any "illegal stuff" unless you are looking for it.


I was talking about running an exit node. In an ideal world everyone could run an exit node and help others to bypass censorship. Unfortunately sooner or later some sick fuck would abuse it to post CSAM or hack something. And then good luck explaining to the cops that it wasn't you.


Helping a dissident bypass Internet filters is illegal stuff.


In their country not mine. Meanwhile shit like CSAM distribution is illegal everywhere.


I'm not convinced Tor could scale to a significant percentage of internet traffic using it.


It won’t if we can’t even be bothered to delete cookies or use private mode in our normal browsers.


Pita to use and slow af


Why use slow internet when fast internet do trick?


Road A: Takes 2 minutes, chance of getting robbed is 80%

Road B: Takes 2 hours, chance of getting robbed is 2%.


What’s the robbery in this analogy? From a liability perspective, using Tor is strictly more risky than routing over the ordinary Internet.


Identity.


I've been on the Internet for 25 years and only got robbed once, and even then, the credit card charges were reversed so it didn't cost me anything other than the annoyance of updating some accounts once I got my new credit card number.


Just as with political philosophies like anarchism or communism, if your Great Idea depends on everybody else adopting it to be successful, then it's going to fail.


So like Facebook. Oh. Wait...


oh no, let's save all these shadowy technologies by using them. why? lol


Some people don't like their government and corporations knowing everything about them.


it's slow as a wet week


"Tor’s shadowy reputation will only end when normies become human shields for the truly bad people."

Fixed it.

No, using Tor is equivalent to holding up a sign to the spooks "Hey, over here! Look at me!"


Sure. But why?

Right now it has a shadowy reputation because the only people who require that feature are criminals. A few of those are committing crimes against unjust laws, but they are badly outnumbered by widely-disapproved-of behavior.

The anonymity comes with a cost. Tracking makes for a smoother web experience for most people.

So it's a hard sell to say, "Hey, you should do this thing that makes your life harder, in order to help disguise criminals". There's good reason to think that ordinary people should take better care of their privacy, even if they don't realize it, but I don't think that they're itching to apply a technology that has a "shadowy reputation" for a reason.


If everything is cost-benefit right down to atoms and energy, damn any principles, then what's the point? I'd rather take a stand for my privacy than make my life inconsequentially easier by assisting yet another questionable online service with tracking info. I highly doubt that info is as ubiquitously necessary as is asserted.


Because what qualifies you as a criminal in one country qualifies you as a normal person just doing their thing in another, is that so hard to fathom?

Most of us don't live in authoritarian regimes where something as silly as saying the king looks like an idiot is a crime


You can go to jail for insulting the Italian prime minister! And, in some (West!) European countries, even for insulting other countries' heads of state: https://www.politico.eu/article/european-countries-where-ins...

Also, deities: https://en.m.wikipedia.org/wiki/Blasphemy_law


And more specifically for royalty or heads of state:

https://en.wikipedia.org/wiki/L%C3%A8se-majest%C3%A9


Shit like CSAM is illegal pretty much everywhere though.


I agree that most people don't care, but "Tracking makes for a smoother web experience for most people" is just nonsense - tracking slows down almost every single web page that uses it!


Can you please explain how tracking is making a smoother web experience for me? I mean really, what context am I missing here, that I can't grasp your statement?


Allows the web to not cost you any money and for you not to have to pull out your credit card constantly.


Also not having to constantly perform CAPTCHAs. A lot of web sites are happy to provide service for free, but don't want it bombarded with bots. They can record you to ascertain that you behave like a human, at a cost to privacy. Faced with privacy-preserving tools like TOR, they revert to inconveniences like CAPTCHA.


I would rather have an untracked janky web experience. I think you should think it through before speaking for others.


Not just criminals, also the intelligence community and people who are really into privacy.


Tor is not what I want. Humans are, by and large, not equipped to handle anonymity while maintaining ethical behavior. We thrive in accountable communities. Even with pseudo-anonymity, there’s still a karma or reputation to think of! I will feel bad as this post gets modded down.

I think all communication and activity should be anonymous to companies, somewhat visible to your inner circle, and able to be exposed to authorities only when they have something akin to a warrant. That sounds hard to achieve in practice, but Tor is not the answer to any of it.


Tor is surely the answer to having your activity be anonymous to companies, how else would you achieve that?


How do you interact with companies while maintaining anonymity? How do I buy something online?

What stops companies from using various fingerprinting techniques to continue to track me online? Does Tor stop JavaScript running client side?


That’s your problem. If you believe all communication and activity should be anonymous to companies, why would you willingly hand over your information to those companies? You say it’s hard to achieve in practice, but the easiest thing you can do to prevent companies having access to your data is to not give it to them.


I think legislators should regulate to make illegal the data-tracking big companies perform. And I think the legislation should give ownership of all data collected about an individual to the individual.

In the government space, I think permission should be required from the individual to share information between departments, and the data to again be owned by the individual.

How does Tor do anything meaningful about allowing me to both participate in society, and preserve my privacy and data ownership? This is not a technology problem.


>How does Tor do anything meaningful about allowing me to both participate in society, and preserve my privacy and data ownership? This is not a technology problem.

I can't speak for your specific situation, but I'll give you an example. In Australia we have mandatory data retention laws. If you don't think private companies (that are exposed to data breaches [1]) should have access to your activity then Tor is the solution to that. That's a more practical solution than waiting for legislation which may never come.

https://www.optus.com.au/about/media-centre/media-releases/2...


You can turn Javascript off just like in normal Firefox.


> You can turn Javascript off just like in normal Firefox.

So you agree that Tor is not the answer to preventing corporate invasion of privacy. As I said, Tor isn’t the answer to any of the true challenges. Balancing accountability and privacy. Allowing law enforcement to be effective. Preventing large corporations from abusing tracking.

Those things do actually matter, but they aren’t technical problems inherently, they’re people problems. Technology comes into the mix as part of the solution, but Tor does not factor.


Tor protocol suffers at the hands of "modern" browser (in)security.


For what? What would I use it for?

Practically everything I do on the web involves authentication and a login and an identity. They're all US-based services. It's stuff that I use to manage my household, and finances. It's also social media stuff; some of it's pseudonymous, but I've got Facebook too.

These services factor in security hints such as device fingerprinting, and a consistent local IP address that belongs to an ISP account I pay for. That's as safe as it gets in this modern digital jungle.

I also use Chrome. I don't use Firefox. Don't try to get me using Firefox; it's incompatible with my workflow. I don't even have it installed to debug website errors. I also own a Chromebook and I do a lot on the Chromebook. 100% of my employment relies on it, and 20% of my personal use is there, too. TOR isn't compatible with ChromeOS (prove me wrong.)

The #1 error of TOR users is that they eventually reveal themselves online, by authenticating to some service, or by going to haunt specific websites or URLs they like. This is similar to people in Witness Protection or abuse victims who run away: they eventually contact family or friends and reveal personal details, and then they're re-victimized.

Sorry TOR, you're not for me.


A simple article on Chrome Unboxed suggests you can install Tor browser and have it work. I think there are fewer issues with TOR and more issues with you fundamentally not caring about privacy. Like most of the internet.


I care about privacy quite a bit, and I exercise good privacy practices, just not the same ones you seem to care about. Why judge me like that?


Can a Chromebook be private? What are the good practices you follow?


What do you consider as "privacy"?


Not being tracked? Like my activities ideally should only be known by me and those directly involved. Even better if only I know, but that's impossible.


That's it? Privacy is just the lack of tracking? There are no other components to a private life?

Tracked by whom? Anyone? Is it OK if your parents track you? Does your government have a direct involvement in, say, public city streets?

Is this about technological tracking? What if you walk through a forest, and some stranger comes up behind your path, and uses natural evidence to find out something about you, and which way you went? How would you prevent that?


I mean you should pursue the ideal, and you will be pretty good if you fail. I don't believe you really answered my original question but it is fine.


IMHO, your question was both rhetorical and open to interpretation, so at least I attempted to clarify the latter.


It really wasn't. The conversation was about computers, and you started talking about forests.



> Don't try to get me using Firefox; it's incompatible with my workflow. I don't even have it installed to debug website errors.

Please tell us what sites you worked on so we Firefox users can avoid using them :)

Or they're so bad they wouldn't even load the entry page in FF?


> TOR isn't compatible with ChromeOS (prove me wrong.)

It seems futile to use Tor when the OS itself is made by a notorious spyware vendor. But there are Tor browsers for Android that should work.


> notorious spyware vendor

So, like, Windows 10?


Yes, there is little difference from Windows.


Not trying to prove you wrong on this one, just a Chromebook fan myself. Have you tried/do you consider app support on Crostini/Linux? I haven't tested it, so unsure if it works, but all of the Linux programs I've installed have run fine on a Chromebook.


Please don't use Chrome, they're pushing DRM on the internet


what does it mean that Firefox is incompatible with your workflow? I am really curious about it


> Practically everything I do on the web involves authentication and a login and an identity.

How about using HN to make this comment? Even if you use your real name for it, you add some traffic to Tor, which helps.


It's just amazing to see the tech support bros come out and I've got at least six replies telling me how I can use Tor when my OP listed fewer than half the reasons I won't use it, but tech support comes out and asks me if I tried rebooting my ideology and upgrading my politics to the latest.


https://www.google.com/amp/s/beebom.com/how-install-tor-brow...

If you reveal yourself by logging in today, none of your other sessions from yesterday or tomorrow will be revealed or connected.


Sure, it's easiest if you stay on the happy path. You'll only regret that if you or what you want to do online falls out of favor of whomever is in power.


Why do you judge me so? What do you know of my regrets?

The only One who is in power will judge me justly, and I eagerly anticipate that with joy and thanksgiving.


Child porn



