351
14
submitted 3 months ago by TheHobbyist@lemmy.zip to c/privacy@lemmy.ml

Hi folks,

I'm seeing there are multiple services which externalise the task of "identity provider" (e.g. login with Facebook, Google or what not).

In my case, I am curious about Tailscale, a VPN service which allows one to choose an identity provider/SSO between Google, Microsoft, GitHub, Apple and OIDC.

How can I find out what data is actually communicated to the identity provider? Their task should simply be to decide whether I am who I claim to be, nothing more. But I'm guessing there may be some subtleties.

In the case of Tailscale, would the identity provider know where I'm trying to connect? Or more?

Answers and insights much appreciated! The topic does not seem to have much information online.

352
42
submitted 3 months ago by Cataphract@lemmy.ml to c/privacy@lemmy.ml

Rather peeved about all of this. Been waiting for this game for ages and was excited about the F2P aspect, then found out a lot of elements of the game are locked behind paywalls, making the full game cost way over most AAA games. Ok, let's roll on anyways and see what the game has to offer. Then I get to the privacy policy and realize they're using anti-cheat services to monitor your game. I continued reading the user agreement and then had to find their actual privacy policy page because they have it listed under a different URL than what they have posted. Some highlights from the user agreement:

You may not host, provide or develop matchmaking services for the Product, or intercept, emulate or redirect the communication protocols used by Frost Giant in any way, for any purpose, including without limitation unauthorized play over the internet, network play (except as expressly authorized by Frost Giant), or as part of content aggregation networks.

You may not organize, promote or participate in an esports competition for the Product which has not been licensed by Frost Giant.

You may not play on another user's Account

In order to safeguard its licensing rights, when you are using the Product, Frost Giant may monitor your hardware random access memory (RAM)

You understand that the mere presence of unauthorized cheat software on your device, whether or not you use that unauthorized software while playing the Game, may result in Frost Giant exercising its full rights under this Agreement.

Acknowledgments. You acknowledge that:

  • The Game which is the object of the Alpha or Beta Test is a work in progress and may contain bugs which may cause loss of data and/or damage to your computer system;
  • You have, or will, back-up your hard drive prior to installation of the Beta;
  • You have the resources necessary to easily reinstall the operating system for the computer system that you will use to take part in the Alpha or Beta Test as well as to restore any and all data that may be lost;

It just goes on and on with some really sketchy stuff, then I get to the privacy policy:

Your contact information/identifiers, such as your name, your gamer id, mailing address, email address, employer, primary language, country, social media credentials. preferred games and date of birth. If you contact us by telephone, we will also retain your telephone number.

Your geolocation data, if your device settings allow us to collect such information.

Your account preference information, such as your contact, communication and marketing preferences.

Your device and browsing information, including non-personally identifiable information about your phone, tablet, computer or device and online browsing activity, which may be automatically collected. This may include IP addresses, unique identifiers, cookie identifiers, browser language, device and browser settings and broad location-based information, and internet service provider information. It may also include information about when and how you accessed and used our Sites, how you navigated to our Sites (such as the date and time of your visit), the links you clicked, the websites you visited before and after our Sites, and what you searched for while on our Sites.

Analytics & Interest-Based Ads. We partner with third parties (like sponsors, content providers, and analytics companies) to help us improve our Services and better understand how you interact with them, as well as to support our marketing initiatives and ad campaigns. These companies may collect info from you automatically in connection with your visit.

And the really scary part

In particular, we have collected the following categories of personal information from consumers within the last twelve (12) months:

  • A real name, alias, postal address, unique personal identifier, online identifier, Internet Protocol address, email address, account name, Social Security number, driver's license number, passport number, or other similar identifiers.
  • A name, signature, Social Security number, physical characteristics or description, address, telephone number, passport number, driver's license or state identification card number, insurance policy number, education, employment, employment history, bank account number, credit card number, debit card number, or any other financial information, medical information, or health insurance information.
  • Records of personal property, products or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies.
  • Browsing history, search history, information on a consumer's interaction with a website, application, or advertisement.
  • Physical location or movements.

Third party service providers. - From time to time, Frost Giant may need to transmit your personal data to vendors or service providers that enable us to market, sell, or deliver our services. These service providers may require certain personal information in order to perform specific services on our behalf, such as cloud service and data storage, beta testing, tech support to enhance game operations, chat, customer support, social login, fulfillment and shipping, email and newsletter delivery, conducting surveys, payment processing, tournament operation, anti-cheat and fraud prevention, web hosting or web analytics. Such partners include:

Steam
Epic Online Services
RallyCry
Hathora
Brevo
Eventbrite
AWS
Sentry.io 
Google
Easy Anti-Cheat 
GGWP
Untapped
Kakao Games
ModSquad

I've stopped playing previous games that use these tactics and programs because there's just too many other games that don't require these that are available. This was a game I was hoping to get back into with some RTS friends I've made along the way. Is this just the way of the world or something to avoid?

353
53
submitted 3 months ago* (last edited 3 months ago) by TheWorldRolledMe@lemmy.world to c/privacy@lemmy.ml

I've not seen this before but it was strange.

An ad loaded at the end of a video, so I paused it. What caught my eye was the background was moving when I moved my phone, which turned out to be the room I was in. The ad was overlaid on whatever my camera was looking at, but the ad appeared stretched from a single point in the middle of the screen, which was even weirder.

Edit: The ad was using the rear camera, not the front facing one.

I've looked through my phone's settings and there are no options to toggle YouTube's camera access either, so I feel like it's safe to say this is being forced on users (surprise /s).

Needless to say, that app is no longer on any of my devices :)

354
62

So I've been in the rabbit hole of Android privacy for some time. Last I joined the GrapheneOS community, but let's just say that they don't have a "healthy" opinion about other projects like F-Droid.

So I am looking for generic communities that focus on mobile privacy that don't have drama or toxicity or "extreme opinions". Any suggestions? I prefer chat-based communities like Matrix or SimpleX instead of like Reddit or Lemmy.

355
263
submitted 3 months ago by communism@lemmy.ml to c/privacy@lemmy.ml
356
95
Death of Piped? (lemmy.world)
submitted 3 months ago by user_naa@lemmy.world to c/privacy@lemmy.ml

For the last two weeks, every time I use Piped I am getting the error "Sign in to confirm you are not a bot". It happens on every instance and videos work very rarely. It seems like Google forces you to log in if you try to watch a lot of videos from one IP. I hope this will not be the end of Piped and there will be a solution for this problem.

Update: I got a similar problem on Invidious recently.

357
5
submitted 3 months ago* (last edited 3 months ago) by muntedcrocodile@lemm.ee to c/privacy@lemmy.ml

Do I need to wipe the private volume for the template VM? If so, how?

EDIT: I figured it out: it was because the template VM changes don't take effect until the template is shut down. Took me way too long to figure that out.

358
84
submitted 3 months ago by bilbobaggins@lemmy.world to c/privacy@lemmy.ml

A lot of services support passkeys. Microsoft even has an option to make my account "passwordless". Since they are more secure than passwords, will you be switching some / most of your accounts to passkeys any time soon? Interested to hear everyone's thoughts on passkeys. 🔑

359
128
submitted 3 months ago by sunglocto@lemmy.zip to c/privacy@lemmy.ml

Did you know? Despite claiming to block all cross-site cookies out of the box, Firefox automatically allows Google to use them in your browser should you log in to one of their services.

The browser only lets you know about this once it happens, and it's on you to notice the permissions icon appearing in the URL bar. There is a link to a paragraph on a help page explaining this behaviour, but it seemingly goes unmentioned pretty much everywhere else on the internet.

This surprised me, especially considering Firefox's stance on privacy. I was even more surprised that this is done without consent. If this is for usability, Firefox should at least warn the user before this happens.

360
119
submitted 3 months ago* (last edited 3 months ago) by ModerateImprovement@sh.itjust.works to c/privacy@lemmy.ml

I highly recommend disabling JavaScript by default in your browser and then whitelisting the websites that you use frequently and need JavaScript to function.

The privacy benefit of this is that when you read articles online or visit new websites, most of the time it will not need JavaScript to function which will stop loading a lot of ads and tracking scripts.

The security benefit here is massive. First, if you visited a bad link that contains malware that is dependent on JavaScript, it would not work. Secondly, if you visited a link for a service that you use and JavaScript did not work there, then you can see in real time that this is a fake page and not the real website you intended to visit.

Bonus tip: try to replace the unnecessary websites that can't work without JavaScript and you need by JavaScript-free websites or open source apps.

Disclaimer: Stay cautious. This recommendation will improve your privacy and security, but it does not protect you from everything.

361
110
362
26
submitted 3 months ago by nixx1338@feddit.nl to c/privacy@lemmy.ml

Yesterday I purchased a custom .eu domain, only to find out that eurid does not redact the owner's email address. Obviously I'm not comfortable with using an actual email address on a secondary domain.

Any opinions on using an alias as the domain owner's email address? Or should I simply switch to another TLD which does support full whois privacy?

Thanks for feedback.

363
72
submitted 3 months ago by ooli@lemmy.world to c/privacy@lemmy.ml
364
48
Extreme Privacy 5th Edition (inteltechniques.com)

It seems like Michael Bazzell's new book edition was released without much fanfare. I like the reorganization but have to say there isn't a lot that is "new" for me in the first half (computer, mobile device, firewall, virtual machines)--although, full disclosure, I already had all of the topic-specific supplements for these chapters, which were released over the last year. I am just getting to chapter 20 now and found the sections on mailing addresses and trust / estate management much improved. I really hope the podcast comes back. I am curious for the thoughts of others.

365
17
Polycentric and Harbour (gitlab.futo.org)
submitted 3 months ago by trilobite@lemmy.ml to c/privacy@lemmy.ml

Hi,

Has anyone come across and used the Polycentric + Harbour option for managing digital ID? What do you think about it? Does it really manage IDs in a private and secure way? I came across FUTO, who seem to be great promoters of "software for the benefit of humanity", but you always wonder how much you can trust these third parties ... when they decide to sell your data?

366
-2
submitted 3 months ago* (last edited 3 months ago) by possiblylinux127@lemmy.zip to c/privacy@lemmy.ml

https://content.govdelivery.com/accounts/USDODDC3/bulletins/2e03518

Molly has at rest encryption with a password

367
62

A little old but interesting nonetheless

368
50
submitted 3 months ago by Churbleyimyam@lemm.ee to c/privacy@lemmy.ml

Does anyone have experience with a good privacy-focussed VPS provider? What do you recommend?

I've been using 1984 for quite a while and they have been solid but they have just put their prices up. It's still affordable but I thought it would be a good time to have another look at what else is out there.

369
591
submitted 3 months ago by gytrash@feddit.uk to c/privacy@lemmy.ml

"Signal is being blocked in Venezuela and Russia. The app is a popular choice for encrypted messaging and people trying to avoid government censorship, and the blocks appear to be part of a crackdown on internal dissent in both countries..."

370
123
submitted 3 months ago by gytrash@feddit.uk to c/privacy@lemmy.ml

"The United Nations approved its first international cybercrime treaty yesterday. The effort succeeded despite opposition from tech companies and human rights groups, who warn that the agreement will permit countries to expand invasive electronic surveillance in the name of criminal investigations. Experts from these organizations say that the treaty undermines the global human rights of freedom of speech and expression because it contains clauses that countries could interpret to internationally prosecute any perceived crime that takes place on a computer system..."

371
49
submitted 3 months ago* (last edited 3 months ago) by smeeps@lemmy.mtate.me.uk to c/privacy@lemmy.ml

I'm thinking of configuring a VPN in my router so that all traffic runs via Mullvad, just trying to consider if there are any downsides to this?

If I buy Mullvad via the onion site with Monero, obviously there's no link to me, and they appear to keep no logs, as has been tested. In any case I trust them to keep no logs more than my ISP and government.

I do already have ProtonVPN but it's attached to my debit card details, my email address, and name etc. No need to give them all my traffic too.

I know I can still be tracked by browser fingerprint and IP but I'll be one of many users using the same Mullvad IP and I also employ adguard DNS, anti fingerprinting on my browsers etc.

My threat model is generally removing as much passive data gathering and tracking as possible, corporate or state. My threat model does not include active investigation from law enforcement or the state.

372
37

I see quite a few people claiming that Graphene OS is the only way to stay private on Android or that anything but Graphene OS is insecure. In this post, I will describe why I personally do not care for Graphene OS and some alternatives I would suggest.

First off, let's address the security features of Graphene OS. A lot of the security of Graphene OS comes from AOSP itself. In fact, AOSP has a very good track record. If you get malware on your device, you most likely can just uninstall it. For reference, here is the Android security page: https://source.android.com/docs/security/features

There are some Graphene OS unique security features. For instance, it has a hardened kernel and restricts access. I think this is actually pretty useful but I haven't seen a need for it much in the real world. The tightened permissions are nice, and I think that is the main benefit of Graphene OS over AOSP. It is also nice that device identifiers are restricted from a privacy perspective. However, from my perspective, you should not run apps that are bad for privacy. Running it in the web browser will be more secure than bare metal could ever be.

One place I strongly disagree with Graphene OS is the sandboxed Google services framework. They say having Google in a sandbox is more secure. It may be more secure, but it isn't going to be as private as MicroG. The real benefit of MicroG is that it is community-built. It isn't a black box like Google framework, and any data sent back is randomized. I think it is a mistake for Graphene OS not to have support for it, even if it is also run in a sandbox.

Another thing I have noticed is that Graphene OS prioritizes security above all else. That doesn't mean it isn't private as it itself is great for privacy. However, if you start installing privacy-compromising applications such as Gmail and Instagram, your privacy is quickly lost. The apps may not be able to compromise the OS, but for them to be used, they need permissions. To be fair, this is a problem that is not unique to Graphene OS, but I think its attempts to be closer to Google Android make it more tempting for people to stick to poor privacy choices.

I think other ROMs such as Calyx OS take the ethical component much more seriously. Unlike Graphene, it promotes F-droid and FOSS software like MicroG. Graphene purely focuses on security while Calyx OS focuses on privacy and freedom. On first setup, it offers to install privacy-friendly FOSS applications such as F-droid and the like. I realize that MicroG is not perfectly compatible, and some people need apps, but I think alternatives are going to always be better.

One of the most annoying parts about Graphene OS is the development team and some of the community. They refuse to take criticism and have been known to delete any criticism of Graphene OS. Not only that, they have a history of trying to harm any project or person they don't like.

Here is a page that isn't written by me that sums it up: https://opinionplatform.org/grapheneos/index.html I think their take is fairly extreme, but I agree with them in many ways. I also understand how upsetting it can be to be censored.

373
65
submitted 3 months ago* (last edited 3 months ago) by MediaSensationalism@lemmy.world to c/privacy@lemmy.ml
374
43
submitted 3 months ago by atek@lemm.ee to c/privacy@lemmy.ml

I know the title sounds like a paradox, but let me explain:

In Feb '21 I deleted all my Meta-related accounts in a first step towards moving away from big tech. Removing WhatsApp was kind of a big deal over here, but I managed to get close family and friends over to Telegram and Signal and resorted to text messages with other contacts. I've been enjoying the peace and quiet but it's been a hassle for everyone around me. Invites to parties, big news or announcements always had to be relayed through somebody else. Last week a dear friend passed away, and because that news had to be relayed to me too I think it's time to go back again.

And now for my question: is there a way to run WhatsApp on your phone while respecting privacy? I know it sounds crazy but I was thinking there might be a way to run it in a sandbox or closed environment of some sort. I'm running LineageOS on my phone and I don't mind tweaking around a bit.

Because I live in the EU I was putting my money on the DMA; it was my understanding that the DMA would make it possible to send Telegram messages to WhatsApp, WhatsApp messages to Signal and in this way get in contact with anyone on any platform you'd like. When the DMA went into action in the beginning of this year it became clear pretty soon it would only be a one-way street; all messenger services would be able to contact WhatsApp, because that is the biggest player. Half a year down the line and I haven't been seeing any news about it anymore. Does anyone have an update? Will it ever be possible to chat cross-platform?

375
100
submitted 3 months ago by monovergent@lemmy.ml to c/privacy@lemmy.ml

Banking apps seem to be a motif among things that don't play well with privacy ROMs. My bank's website does everything I could want out of it. I think I might be ignorant to something.

  • What about banking apps is especially compelling?
  • How often do banks put must-have features behind an app?
  • And should I be concerned that banks might move away from offering services through browsers?

Privacy

31987 readers
495 users here now

A place to discuss privacy and freedom in the digital world.

Privacy has become a very important issue in modern society, with companies and governments constantly abusing their power, more and more people are waking up to the importance of digital privacy.

In this community everyone is welcome to post links and discuss topics related to privacy.

much thanks to @gary_host_laptop for the logo design :)

founded 5 years ago