Hacker News new | past | comments | ask | show | jobs | submit login
Improving your online privacy: An update (ovalerio.net)
147 points by todsacerdoti on Sept 19, 2023 | hide | past | favorite | 44 comments



The harsh reality is privacy became a commodity, and due to overabundance it is relatively cheap. Even apparent competitors sell each other marketing data in this ecosystem.

If you want to participate in the modern economy, than you need to assume there is never any isolation. Even creeps with phones will show up taking photos on private property, as some app paid them $5 to risk their lives trespassing.

Mozilla Firefox collects beacon telemetry with a UUID by default (as does most browsers). While there is a lot of community goodwill around the popular browser, most are not technically advanced enough to mitigate the dozens of defaults that do not respect user privacy.

Additionally, most modern OS are just a crude sales funnel for OEM products and services. Technically, tying and racketeering with a computer is still illegal, but cultural norms have shifted expectations on corporate conduct.

This is the modern web, and arguably it was a mistake =)


> The harsh reality is privacy became a commodity,

Yep. Almost every CMP and privacy statement accidentally confirms that:

"We value your privacy!"

Yeah you value my privacy. You want to own it.


real "to serve man" vibes



The value your privacy like the wolf values your mutton


> This is the modern web, and arguably it was a mistake

Agreed. Although I say it differently: the web is dead. It has been thoroughly transformed into a hostile place optimized for commerce and surveillance. As such, it is no longer really capable of doing the things that used to make it great.


Sir Tim Berners-Lee said the Web 'failed instead of served humanity'. He claimed to be "devastated" by abuses of the web.

I find this profoundly tragic. But also affirming that a respected source of wisdom aligns with my own "truth". So, maybe it's not too hyperbolic to say the "Web is dead" if it is dead to it's own creator.

Some of whatever it was lives on, in ideas and values of a minority. We cannot wind it back, or rebuild it on the sewer it now is. For the rest, who know no better, it is a horrible, horrible place.

What we might usefully teach children are the many other ways to use computers and the internet, as local oracles, as peer to peer technologies, through networks on other protocols.


I clicked this expecting some deep-dive ramble about moving all communications to Matrix, but this is actually a very concise and accessible guide. Now, I will admit I'm biased since I already follow all of these steps, but it seems really simple to me. In fact, the addition of the "Expected effort" bits makes me wonder if I could convince some friends to follow suit and at least switch to Firefox and DDG. OSM has proven a hard sell so far, sadly.


Regarding usage of OpenStreetMap over Google Maps - assuming we're talking mobile usage - you might give OSMAnd[0] a try. I've been using it exclusively on a Pixel loaded with GrapheneOS for a few months now. I would never consider going back to GMaps and I don't feel that I've lost anything either.

[0] - https://osmand.net/


I have not had Google Maps on my phone for a couple of years now, but I still think that GMaps is superior. Locations are more maintained, address geocoding is near perfect, it has plentiful useful reviews, and live traffic updates.

As far as location maintenance, this is obviously correlated with usage, and so I hope this will improve over time.

I see very little progress on the other three.


The big one is

> Use fake profiles / identities.

All the journos, mods, and celebs lobbying against, complaining about, and trying to eradicate anonymity/pseudonymity online are acting against your interests. I would even like to see more social norms against "namefagging."

Real names are for the most banal online activities (mostly buying stuff), for everything else there are aliases with varying levels of technical obscurity (alternative/temp email → VPN → Tor). Give them nothing, pay Mullvad the €5 privacy tax.


Not mentioned:

Removing your information from all social media / messengers : https://redact.dev (disclaimer, im on the team)

Removing your information from all databrokers https://easyoptouts.com / incogni / deleteme / optery


> Removing your information from all databrokers https://easyoptouts.com / incogni / deleteme / optery

How ironic. In order to remove my data from the internet, I first need to give my data to that random website.


I mean in a world where data collection is pretty explicitly opt-out it makes sense. They do need to know what data to remove, right?


Where is the world collectively on outlawing data brokers? If your business model revolves around selling people’s data without their consent, you’re a nuisance. Literally nobody would explicitly agree to have their data sold and used to bother them. We have plenty of laws against nuisance, because nuisance doesn’t benefit society. Why is it taking so long to ban this business model?


If you are a Californian, starting 2026 you will have a one-stop shop to opt out of all data brokers:

https://www.theregister.com/2023/09/18/california_passes_bil...


I'm thrilled. This cannot come soon enough.


Don’t get too excited. It’s a regulatory capture play by the big monopolies.

It specifically exempts vertically integrated data brokers such as Google and Facebook.

In other words, if a data broker sells your data, and it is used for an ad auction run by a third party, that’s subject to the opt out.

If google uses your data to place bids on behalf of an advertiser in an auction that google runs and then places the ads using its own infrastructure, there is no opt out requirement.

If the second scenario sounds like it is prone to auction fraud and abuse of monopoly power, that’s because it is. Take a look at today’s DOJ testimony from a former Google exec.

(To be clear, I want a stronger, ideally opt-in, bill that applies equally to that entire industry, not one that picks winners based on lobbying and campaign donations.)


> Literally nobody would explicitly agree to have their data sold and used to bother them.

I don’t think this is the case. fairly recently I’ve seen the old “if you dont want to be tracked by facebook, then dont use it!!!” take on here from people who are supposed to know better.

Maybe not explicit, but if you told them I guarantee most people do not care at all, or people would be far more upset than they currently are.


And "But I like ads that know what I want. Why would you want to see ads for things you don't want?" is hard to argue with until you realize there's no particular reason you have to see ads.

The '90s web was fine without ads, in its "pamphleteering" days when people spent an amount of money proportionate to how badly they wanted to say something, and that was it.

https://en.wikipedia.org/wiki/Pamphleteer


Probably because it doesn't work. You can remove specific information from specific websites, but most of that has been scraped and copied already. You can request that companies delete information you have already handed over to them, but you have no power to compel them to delete all the information that they learned about you by analysis of that data.

If your phone gives Google a list of your GPS coordinates over the last 30 days that's your data and you can request that Google delete it. They don't care, because they've already used that to learn where you live, how often you go to bars, where you work, how often you go to the gym, and who you've been sleeping with. That's their data, not yours.

Data brokers don't care about deleting your data. Their data about your data is what they get paid for.


Absolutely agree with the importance of removing information from data brokers (aka People Search Sites), since they are be a goldmine for bad actors.

Actually, Optery is a YC 2022 company and there are some good discussions on Optery and its competitors here on HN, ex: https://news.ycombinator.com/item?id=30605010

For those evaluating data removal services, a solid first step is to sign up for each company’s free scan and compare the results.

Full disclosure: I am on the Optery team


Has anyone experienced a drop in recruiter spam when removing your information from databrokers with those services? I have daily unsolicited recruiter emails in the last few years, and I'm not on linkedIn since 2018-ish, so I have no idea where they are getting my info from.


Does redact come with account deletion as well?


Use multiple browsers. Set your primary browser to block cookies not explicitly allowlisted.

I use Vivaldi configured thus for general browsing, have Firefox for those annoying JavaScript-backed sites that fail miserably if cookies are blocked, with a one-click button to nuke all cookies just after reading the article, and Safari for e-commerce sites where I need autocompletion of shipping address and other stickiness.


> “Delete cookies and site data when Firefox is closed“.

I have adopted this for almost a year now. Once I learned that it is possible to bypass Windows login, I thought that if the agent could get access to my browser with all cookies in, he could easily impersonate me in every possible corner of my digital life. So, no thanks. I live in a place where you can get your laptop stolen at any moment. So in my case, the perpetrator won't get much further as he won't have my password manager's master password. Local files are all inside a VeraCrypt volume so he won't have any luck finding them in readable form.

This is the bare minimum of my threat model.


You could run a portable browser in a portable sandbox stored on a VeraCrypt volume, so none of your browsing data is on disk at all.


Thank you so much for the tip. I will try that.


Happy to help! To be more specific, I recommend using sandboxie-plus in portable mode, and librewolf portable as the browser (fork of firefox that includes ublock).

Librewolf comes with an auto-updater exe which I would just rename. You can manually update it by grabbing the latest installer exe, extracting, and manually copying the librewolf folder across.

Sandboxie has a few things to configure but are mostly self-explanatory. Looking at breakout apps and file/folder permissions will be useful if you want to still be able to save to the local harddrive outside the sandbox.


I like the general recommendations here but think it really undersells how hard it is to switch in many cases - the time recommendation are comically short. Yes, going to a new site instead of a Google site might only take a minute of your time to sign up but moving all your data over and learning a new, sometimes inferior tool can take weeks.


I am really looking forward when this becomes a base topic in the elementary schools (including tips how to use mobile apps). Right now it’s self-evident that children learn using Chrome and Google


I have worked in that front 5 years ago. Schoolsec, that was our name. Our target niche was elementary schools in southeast Brazil. It didn't work. Most of the schools we spoke to didn't even understand what we were talking about, so they couldn't assess the risk and, finally, realize the value of our work.

Of course, as years pass, the need for more "digital self-defense" increases at all levels. Maybe one day we'll hear of someone who had pulled it off by presenting a great value prop for this kind of service.


Is anyone familiar with what privacy badger does over uBlock origin? Unless my information is out of date, the more extensions you have installed the more unique your fingerprint is?


Privacy Badger dev here.

I think the biggest concern is to only install extensions from developers and organizations you trust.

As for your browser fingerprint, on the one hand, the more custom your browser setup, the more you stand out. On the other hand, Privacy Badger exists to reduce pervasive, non-consensual tracking. We especially aim to block pervasive fingerprinters, along with other obnoxious types of trackers.

More about Privacy Badger below, adapted from https://privacybadger.org/#Is-Privacy-Badger-compatible-with...

While there is a lot of overlap between the various manually-edited advertising/tracker lists and Privacy Badger, unlike list-based tools, Privacy Badger automatically learns to block trackers based on their behavior. This means that Privacy Badger may learn to block trackers your list-based tool doesn’t know about.

Besides automatic learning, Privacy Badger comes with other advantages like cookie blocking, click-to-activate placeholders for potentially useful tracker widgets (video players, comments widgets, etc.), and outgoing link click tracking removal on Facebook and Google (recently updated, see https://www.eff.org/badger-link-tracking-protection-update).

Privacy Badger is also a political tool. Privacy Badger sends the Global Privacy Control signal to opt you out of data sharing and selling, and the Do Not Track signal to tell companies not to track you. If trackers ignore your wishes, Privacy Badger will learn to block them. By using Privacy Badger, you support the Electronic Frontier Foundation and help fight for a better Web for everybody.


The problem with generic advice like this is that it is invariably opinionated and unexplained.

For example, what makes Firefox, Safari, and Brave ethical browsers but Edge and Chrome not?

Firefox development has undergone plenty of unethical decisions, and I'm not sure what even a distant justification for Safari being 'ethical' would be.


Presumably, their privacy policies (it’s in the title of the article).


'Privacy' is in the title of the article, not 'privacy policies'. Reducing 'privacy' to just privacy policies is overly reductive, let alone speculative that that's what the author did. Regardless, assuming it is privacy policies, what about their privacy policies, specifically? What does Chrome's policy state that's so egregious that Safari's doesn't?


I'm always looking for guides on how to improve physical world privacy if anyone knows of any.


Your ISP will have a running log of every website you visit, and every website will have your personal identity (if they want it). Fake identies aren't especially useful if the other side can see your IP address.

Those are just a couple of examples. The OP is a list of arbitrarily selected and often not particularly valuable advice that leaves many holes. What do people see in it that they voted it to the front page?


And loose everything you gained in this article by using a standard smartphone and some very common apps.


Recommended Jitsu requires only Chrome or Chromium.

Yet, same article strongly discourages Chrome.

And Apple iOS does not have Chromium either.

:-/



jutsu websites overtly recommends Chrome or Chromium.

It is like they have an agenda.


> And Apple iOS does not have Chromium either.

Remember when Chrome (chromium) was a fork of Safari (webkit)?




Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: