Privacy Icon

Privacy

42 Stories
All Topics

Marko Saric plausible.io

Plausible Analytics is ready for self-hosting 👏

Listeners of The Changelog have already heard Plausible’s story. On that show we talked about self-hosting and how that was something the team was interested in, but hadn’t gotten around to it yet.

Well, now they’ve gotten around to it.

We started developing Plausible early last year, launched our SaaS business and you can now self-host Plausible on your server too! The project is battle-tested running on more than 5,000 sites and we’ve counted 180 million page views in the last three months.

Electron github.com

An open source YouTube app for privacy

FreeTube is an open source desktop YouTube player built with privacy in mind. Use YouTube without advertisements and prevent Google from tracking you with their cookies and JavaScript. Available for Windows, Mac & Linux thanks to Electron.

They also provide browser extensions for Firefox and Chrome so you can click links to YouTube videos in your browser and they’ll open in FreeTube.

Marko Saric markosaric.com

Only 9% of visitors give GDPR consent to be tracked

Marko Saric, who you may remember as the only content marketer we’ve met who runs Linux:

Most GDPR consent banner implementations are deliberately engineered to be difficult to use and are full of dark patterns that are illegal according to the law.

I wanted to find out how many visitors would engage with a GDPR banner if it were implemented properly (not obtrusive, easy way to say “no” etc) and how many would grant consent to their information being collected and shared.

DuckDuckGo github.com

DuckDuckGo's favicon (mis)management leaks user privacy for 2+ years

Turns out DDG has been using a favicon proxy since 2018 that effectively sends all websites users visit in the app to their servers. This was first reported a year ago and shrugged off (and closed) by them because they aren’t keeping any of those requests.

At DuckDuckGo, we do not collect or share personal information. That’s our privacy policy in a nutshell. – tagawa

The issue sat dormant until it resurfaced yesterday when many other users stated their concern with the naive server-side implementation:

Yes, we already trust DDG, but only because we have to trust someone and others have proved to be untrustworthy. The issue isn’t about whether the user trusts DDG, it’s about minimizing the need for trust and maximizing the ability to verify privacy. Please consider reopening this issue. – svenssonaxel

It was suggested that this feature could/should be handled on-device and this comment on Hacker News points to Mozilla’s open source implementation that does just that. Finally, DDG’s CEO Gabriel Weinberg woke up (literally) and committed to changing the implementation.

All’s well that ends well?

The Changelog The Changelog #396

De-Google-ing your website analytics

Plausible creators Uku Täht and Marko Saric join the show to talk about their open source, privacy-friendly alternative to Google Analytics. We talk through the backstory of the project, why it’s open source, the details behind a few viral blog posts Marko shared to bring in a ton of new interest to the project, why privacy matters in web analytics, how they prioritize building new features, the technical details behind their no cookie light-weight JavaScript approach, and their thoughts on a server-side option.

Micah Lee theintercept.com

Zoom meetings aren’t end-to-end encrypted

I’m pretty sure that, given the state of the world and the focus on Zoom right now, they will rectify this, but until then…“the only feature of Zoom that does appear to be end-to-end encrypted is in-meeting text chat.”

“They’re a little bit fuzzy about what’s end-to-end encrypted,” Green said of Zoom. “I think they’re doing this in a slightly dishonest way. It would be nice if they just came clean.”

Without end-to-end encryption, Zoom has the technical ability to spy on private video meetings and could be compelled to hand over recordings of meetings to governments or law enforcement in response to legal requests.

Thomas Smith Medium

Clearview AI has a profile on me and 'it freaked me out'

Have you ever posted an image on the public internet and thought, “What if someone used this for something?” Thomas Smith did and what he discovered about Clearview AI is disturbing…

Someone really has been monitoring nearly everything you post to the public internet. And they genuinely are doing “something” with it.

The someone is Clearview AI. And the something is this: building a detailed profile about you from the photos you post online, making it searchable using only your face, and then selling it to government agencies and police departments who use it to help track you, identify your face in a crowd, and investigate you — even if you’ve been accused of no crime.

I realize that this sounds like a bunch of conspiracy theory baloney. But it’s not. Clearview AI’s tech is very real, and it’s already in use.

How do I know? Because Clearview has a profile on me. And today I got my hands on it.

YouTube Icon YouTube

Let's set up a free, personal VPN in the cloud with Algo VPN

Following up on our awesome episode of The Changelog with Algo creator Dan Guido, I thought I’d kick the tires on this Ansible-based, self-hosted VPN solution to see what it’s like to actually set it up and configure my phone to use it. This is my first video of this kind. I’d love to know what you think! How can I do this better? Do you want moar like this? Keep my day job? What?!

The Changelog The Changelog #377

Meet Algo, your personal VPN in the cloud

The commercial VPN industry is a minefield to navigate and many open source solutions are a pain to use or ill-suited for the task. Algo VPN, on the other hand, is a self-hosted personal VPN designed for ease of deployment and security. It uses the securest industry standards, builds on rock-solid solutions like WireGuard and Ansible, and runs on an ever-growing list of cloud hosting providers.

On this episode Dan Guido –CEO of security firm Trail of Bits and Algo’s creator– joins Jerod to discuss the project in depth.

Go github.com

Simple web statistics. No tracking of personal data

GoatCounter is a web analytics platform, roughly similar to Google Analytics or Matomo. It aims to give meaningful privacy-friendly web analytics for business purposes, while still staying usable for non-technical users to use on personal websites. The choices that currently exist are between freely hosted but with problematic privacy (e.g. Google Analytics), hosting your own complex software or paying $19/month (e.g. Matomo), or extremely simplistic “vanity statistics”.

There’s a free hosted offering for non-commercial use. For those running businesses, self-host the thing. Live demo here.

Google github.com

Cutting Google out of your life

If you’re concerned with the amount of data Google has on you, this list of alternative browsers, web apps, operating systems, and hardware may help you ween yourself from the company. Looking at this list, it’s amazing just how much value Google offers in trade for our data. A note from the author:

It’s a shame that Google, with their immense resources, power, and influence, don’t see the benefits of helping people secure themselves online. Instead, they force people like us to scour the web for alternatives and convince our friends and family to do the same, while they sell off our data to the highest bidder.

Julia Evans jvns.ca

How tracking pixels work

A fun, quick dive into Facebook’s tracking pixel and how it does its thing:

I think it’s fun to see how cookies / tracking pixels are used to track you in practice, even if it’s kinda creepy! I sort of knew how this worked before but I’d never actually looked at the cookies on a tracking pixel myself or what kind of information it was sending in its query parameters exactly.

Creepy, indeed. Our browsers are the last line of defense against such creepiness. Choose yours wisely.

EFF Icon EFF

It's official: EFF's Certbot goes 1.0

Certbot was first released in 2015, and since then it has helped more than two million website administrators enable HTTPS by automatically deploying Let’s Encrypt certificates. Let’s Encrypt is a free certificate authority that EFF helped launch in 2015, now run for the public’s benefit through the Internet Security Research Group (ISRG).

A lot of progress has been made since we first talked about Let’s Encrypt on The Changelog.

Culture blog.acolyer.org

Local-first software: you own your data, in spite of the cloud

Watch out! If you start reading this paper you could be lost for hours following all the interesting links and ideas, and end up even more dissatisfied than you already are with the state of software today. You might also be inspired to help work towards a better future. I’m all in :).

I co-sign that sentiment. When the author says “this paper” they are referring to this paper which they are about to summarize. If you haven’t considered local-first software before, you should know that there are seven key properties to it, which are described in detail in the paper and in brief in the summary.

Cloud blog.trailofbits.com

Algo – your personal VPN in the cloud

The linked article is an excellent introduction to Algo, which is effectively a set of Ansible scripts that set up a Wireguard and IPSEC VPN for you.

Algo automatically deploys an on-demand VPN service in the cloud that is not shared with other users, relies on only modern protocols and ciphers, and includes only the minimal software you need. And it’s free.

For anyone who is privacy conscious, travels for work frequently, or can’t afford a dedicated IT department, this one’s for you.

Algo’s list of features (and anti-features) is compelling and most VPN services are terrible. 👀

Security github.com

A dead simple VPN

Works out of the box. No lousy documentation to read. No configuration file. No post-configuration. Run a single-line command on the server, a similar one on the client and you’re done. No firewall and routing rules to manually mess with.

This looks like a nice alternative to the many vpn-as-a-service offerings out there if you’re up for hosting it yourself.

Cory Doctorow EFF

Adblocking: how about nah?

Cory Doctorow, writing for EFF about the history and present of adblocking:

The rise and rise of ad-blockers (and ad-blocker-blocker-blockers) is without parallel: 26% of Internet users are now blocking ads, and the figure is rising. It’s been called the biggest boycott in human history. It’s also something we’ve seen before, in the earliest days of the Web, when pop-up ads ruled the world (wide web), and users went to war against them.

Fascinating. I’d never heard of adversarial interoperability before.

Wired Icon Wired

The clever cryptography behind Apple's 'Find My' feature

In upcoming versions of iOS and macOS, the new Find My feature will broadcast Bluetooth signals from Apple devices even when they’re offline, allowing nearby Apple devices to relay their location to the cloud… it turns out that Apple’s elaborate encryption scheme is also designed not only to prevent interlopers from identifying or tracking an iDevice from its Bluetooth signal, but also to keep Apple itself from learning device locations, even as it allows you to pinpoint yours.

WIRED with a fascinating explanation of an utterly fascinating scheme.

0:00 / 0:00