> Server Logs
> Like all web services, our servers may log:
> IP addresses of visitors
> Request timestamps
> User agent strings
> These logs are used for security and debugging purposes and are not linked to your account.
Shouldn't you have spent some time to think through basic things like this before trying to write an opinion piece on anonymity? Certainly it shows a lack of depth of understanding.
The privacy crowd seems to be incapable of grey areas. Are all these the same thing? Are they all the same severity of problem?
- A web site logs traffic in a sort of defacto way, but no one actually reviews the traffic, and it's not sent to 3rd parties.
- A government website uses a standard framework and that framework loads a google subdomain. In principle, Google could use this to track you but there's no evidence that this actually happens.
- A website tracks user sessions so they can improve UI but don't sell that data to 3rd parties.
- A website has many 3rd party domains, many of which are tracking domains.
- Facebook knows exactly who you are and sells your information to real-time-bidding ad services.
- Your cell phone's 3G connection must in principle triangulate you for the cell phone to function, but the resolution here is fuzzy.
- You use Android and even when your GPS is turned "off" Google is still getting extremely high resolution of your location at all times and absolutely using that information to target you.
A LOT of the privacy folks would put all those examples in the same category, and it absolutely drives me up a wall. It's purity-seeking at the expense of any meaningful distinction, or any meaningful investigation that actually allows uses to make informed decisions about their privacy.
They belong in the same category: the end user has zero agency over how their privacy is impacted, and is at the whim of the wishes/agency of whoever is serving content to them.
Whether the one serving the content is exploiting data at the present moment has very little relevance. Because the end user has no means to assert whether it is happening or not.
You disagree and yet you agreed 100% and made the change. I thought the point the preceding parent comment is making is that you should have thought of that beforehand. Yet you seemed to already come to a judgement about it yet then quickly agreed to reverse yourself.
Sounds like a clear "lack of a depth of understanding" to me.
Fwiw, zero logs in that context is usually in the relation to requests through the VPN, whereas this discussion is about requests on their homepage? Or did I misunderstand something here?
I have a static IP address; and most connections tend to have long-lived leases anyways. It can easily be used to identify me, even if you don't explicitly tie it to my account.
If the authorities come to TFA site with demands, they can't do anything about what CF is doing. All they can do is turn over what they have, and/or prove they don't have what is being asked of them. What some 3rd party does is not germane at all.
Does CF matter, when intermediate ISPs are collecting IP address and DNS query activity and can be subpoenaed?
The answer to both this and parent is yes: partial privacy improvements are still improvements. There are two big reasons for this and many smaller reasons as well:
First, legal actors prioritize who to take action against; some cases are “worth seeing if $law-enforcement-agency can get logs from self-hosted or colo’d servers with minimal legal trouble” but not “worth subpoenaing cloudflare/a vpn provider/ISP for logs that turned out not to be stored on the servers that received the traffic“.
Second, illegal actors are a lot more likely to break into your servers and be able to see traffic information than they are to be able to break into cloudflare/vpn/ISP infrastructure. Sure, most attackers aren’t interested in logs. But many of the kind of websites whose logs law enforcement is interested in are also interesting to blackmailers.
Your browser knows more about you than you do. When accessing a website, anonymous or not, it sends a fingerprint so to speak to that site and its ad network. It’s there that your anonymity ceases and you are identified, classified, segmented, and fed more “How to stay safe online” ads. There’s no escaping it. Chromium is not to be trusted.
in 2025, can small and medium businesses afford to be exposed to the world wild web? You don't need to be a major site these days to be DDosed on the regular
Baseless fear mongering. I've had webservers raw-dogging the Internet for about 25 years. Nothing of any consequence has happened. Hasn't happened to anyone I know, either. Anecdata yes, but people are making it sound like running a webserver is like connecting a Windows XP machine to the internet - instant pwnage. It isn't.
I've been DDoS'ed exactly once. In 2003 I got into a pointless internet argument on IRC, and my home connection got hammered, which of course made me lose the argument by default. I activated my backup ISDN, so my Diablo 2 game was barely interrupted.
I've periodically removed Cloudflare because of issues with reissuing SSL certs, Cloudflare being down, and other reasons, and haven't noticed any problems.
The biggest benefit I get from Cloudflare is blocking scraper robots, which I've just been too lazy to figure out how to do myself.
Despite what Cloudflare wants you to think, yes, yes they can.
Also you can sue whoever DDoSes you and put them in jail. It's easier than it used to be, since the internet is heavily surveilled now. The malicious actors with really good anonymity aren't wasting it attacking a nobody.
I don't know either, but I would guess there are no laws that says internet service operators must log anything.
But, banks and financial services now must obey "know your customer" laws so it's not beyond imagination that similar laws could be applied to websites and ISPs operating in a particular country.
In most countries the law doesn't say you have to log everything about your users, but it does say that if you log it and the police ask for it then you have to give the data to them.
That's why companies that actually care about privacy (I think there are only two - Mullvad and Signal?) make a point of not ever capturing the data to begin with, and deleting what they do capture as soon as possible.
I initially liked the sentiment but the offering doesn’t appear to add up. Unfortunately the real private cloud, if it exists, is bare metal and can’t really be sold as a subscription.
In many ways, we're past the point of no return. So-called ubiquitous technical surveillance is largely the norm, often encroaching by design beyond the boundaries of expected decency.
Informational terrorism, a dysphemism that describes the manner by which certain data is abused to "re-rank content" for a "personalized experience," is encoded into the DNA of certain large tech companies.
The ideal would have been a security-first (privacy-first) industry and supply chain. The ideal never was going to happen, anymore than the early educational ideals of the television industry.
Ergo we are not past the point of no return. That point never existed. We are right where we should expect to be, with most people victimised by the industry and the supply chain, and with a small percentage of people working in security/privacy education to mitigate unsafe practices.
Seatbelts and airbags exist. Smoking is banned in many public settings. It took a senseless amount of carnage to achieve these measures.
We just haven't achieved the requisite amount of privacy carnage. Yet.
Yes. The only question left is when does the terror begin? And it will--it will be our own governments clamping down on all of us. The digital norm globally will be China under the CCP. That is the future for all of us unless we turn it off, but we won't because humans are stupid.
This is largely the attitude that led to this in the first place. This is about failures of messaging, campaigning, and organising. It is a lack of democratic engagement that directly stems from the idea of individual choice being supreme over everything.
Speaking of mullvad. I recently learned about mullvad browser, which is basically tor browser minus connecting via the your network. This is interesting because the tor project has put the most effort into fingerprinting resistance. If you care about privacy and you have a customized browser, you're likely uniquely finger printable [1]. If you don't want to connect via tor, there's no excuse not to use the mullvad browser. (Doesn't require you to use mullvad VPN; comes with the mullvad plugin, disabled by default, to optionally use mullvad encrypted DNS. Last point, I wrote to the tor project and asked "is it possible to use tor browser minus tor network", and they responded "that's the mullvad browser", so this isn't just my recommendation)
Unlinking one's identity from one's activity is only getting harder as surveillance gets more and more pervasive. Effective OPSEC essentially turns one's life into a living hell and it's only getting hotter with time.
I know it’s a different context, but with this catchy title, I can’t resist pointing out that anonymity also doesn’t mean anything.
You can have cryptocurrencies in your wallet, (on most chains) you are anonymous but have no privacy, your transaction history can be accessed by anyone.
It’s all fine and dandy, you can enjoy your anonymity, about as long as you make your first transaction.
You might be anonymous, but basically you hand over your full transaction history and balance anytime you pay for a coffee or tshirt.
The term pseudonymous should be more popular. A crypto id is a pseudonym, right? In the sense that it is a consistent identity you have, just, not one that is initially tied to the identity you were born with.
Social media handles are usually pseudonymous at most.
I wonder where the figure of anonymity is. With writing style analysis, correlating pseudonyms is probably pretty easy these days. Maybe we’ll all start writing our ideas into LLMs and have them do the talking…
And if you simply have multiple wallets and try and maintain the appearance of being disconnected, can you move funds between them without establishing a connection that unmasks you?
well the idea is to obscure it to someone looking from the outside, give enough information it can still be traced - but that's usually only possible by infosec agencies which is typically what they have access to already with normal banks.
to clarify: it can be hard to prove that two crypto addresses are the same people
There's a whole industry of commercially available products that analyze blockchains transactions for the purpose of tracing them. Anyone can simply buy these services. It is functionally accurate enough to find and prosecute criminals.
> It is functionally accurate enough to find and prosecute criminals.
Is that a high bar? I mean, you could have said that about forensic fiber analysis—and then it was revealed that the entire history of the field was just expert witnesses lying their asses off for whatever conclusion law enforcement wanted. It turns out that to prosecute criminals, being complex enough that expert witnesses can provide a smoke screen to rationalize law enforcement targeting that is actually based on prejudice and not concrete facts can be sufficient.
Nobody is being prosecuted on the basis of blockchain analysis data alone -- what I mean is that the data is good enough that that it provides information valuable enough to find the criminal in meatspace with the related physical evidence.
e.g. police look for online drug dealer with blockchain data, get warrant, bust down door, find big pile of drugs.
The point being, the data might not be "proof" on its own but it absolutely illustrates that there is no privacy on public ledgers.
depends on the wallets you use and what you do with them, being able to identify criminals is honestly a plus and if you really wanted to you could make their job *really* hard if you wanted to truly hide from an abusive government. Not being able to hide huge transactions in the millions / billions is honestly a good thing. Imagine the transparency we could get if all governments used crypto currencies instead of the walled garden that is SWIFT.
Let’s say you need three transactions a week, that’s 150 a year. How do you get the right amount of funds into these wallets? How will you get your money out? How will they not be able to track you anyway? As far as I know, you just make the identifiable wallets one hop away.
Again, I’m assuming traditional “old school” non-privacy cryptocurrencies.
There are tumbling services, where you for a fee can mix upp your transaction with lots of other users transactions to make it less obvious you where the one that transfered the credit to your burner wallet.
Kepp in mind, tumblers have also been found to keep logs that ended upp in law enforcement.
Well by design you receive crypto currency in different wallets to begin with and what funds to use, well that's simple - whatever wallet has enough cryptocurrency to cover the transaction.
Any business that isn’t willing to be as anonymous as Mullvad, I assume has a compromised business model that I don’t really like. Assuming there aren’t obvious reasons for needing the data, like tax filing, or various regulatory requirements.
I don’t understand why any company would want the liability of holding on to any personal data if it wasn’t vital to the operations of the business, considering all the data breaches we’ve seen over the past decade or so. It also means they can avoid all the lawyers writing complicated and confusing privacy policies, or cookie approval pop-ups.
What I'd really like to see is more honesty: "we store X because feature Y needs it, here's the risk we're accepting," instead of pretending every service needs emails, analytics, and cookies by default
> I don’t understand why any company would want the liability of holding on to any personal data if it wasn’t vital to the operations of the business, considering all the data breaches we’ve seen over the past decade or so.
They're OK with the liability exactly because of this very sentence. As you said, there's so many data breaches... so where are the company-ending fines and managers/execs going to prison?
Here in Japan the government cracks down on it hard. There are fines for every n users exposed and in extreme cases a company can be forced to stop trading for a period of days or weeks. Companies are so scared of this happening to them that a significant portion of orientation for new employees is spent on it. I don't have stats on how effective it is, but I do know that the public is less willing to accept it as they tend to elsewhere.
Is this true? KADOKAWA had a massive hack last year that leaked a large amount of sensitive user data and as far as I know has faced no legal repercussions. Obviously they took a decent financial and reputational hit, but that was just an effect of the hack itself, not any government intervention.
Up to EUR 10,000,000 or up to 2% of the total worldwide annual turnover of the preceding financial year, whichever is higher; applies to infringements such as controller and processor obligations, security of processing, record-keeping, and breach notification duties.
Up to EUR 20,000,000 or up to 4% of the total worldwide annual turnover of the preceding financial year, whichever is higher; applies to infringements of basic principles for processing, data subjects’ rights, and unlawful transfers of personal data to third countries or international organisations.
Sure, in principle. Have you heard of any company that suffered any significant hardship (say, stock price plummeting, personnel reductions, bankruptcy) because of one of these fines?
Infra engineer here. The obvious reasons for needing the data is debugging. I collect logs, metrics, traces, and errors from everywhere, including clients. All of these come with identifying information including the associated user. From the perspective of this thread this is a huge amount of data although it's pretty modest compared to the wider industry.
This data is the tool we have to identify and fix bugs. It is considered a failing on our end if a user has to report an issue to us. Mullvad is in an ideal situation to not need this data because their customers are technical, identical, and stateless.
It's not my department but I think we would get laughed out of the room if we told our users that we couldn't do password resets or support SSO let alone the whole forgetting your 'credential' means losing all your data thing.
> Mullvad is in an ideal situation to not need this data because their customers are technical, identical, and stateless.
A lot of companies could be in similar situations, but choose not to be.
All of retail, for example. Target does significant amounts of data collection to track their customers. This is a choice. They could let users simply buy things, pay for them, and store nothing. This used to be the business model. For online orders, they could purge everything after the return window passed. The order data shouldn’t be needed after that. For brick and mortar, it should be a very straightforward business. However, I’m routinely asked for my zip code or phone number when I check out at stores. Loyalty cards are also a way to incentivize customers to give up this data (https://xkcd.com/2006/).
TVs are another big one. They are all “smart” now, and collect significant amounts of data. I don’t know anyone who would be upset with a simple screen that just let you change inputs and brightness settings, and let people plug stuff into it. Nothing needs to be collected or phone home.
A lot of the logs that are collected in the name of troubleshooting and bug fixing exist because the products are over-complicated or not thoroughly tested before release. The ability to update things later lowers the bar for release and gives a pass for adding all this complexity that users don’t really want. There is a lot of complexity in the smart TV that they might want logs for, but none of it improves the user experience, it’s all in support of the real business model that’s hidden from the user.
I wish I had a list, as you said, they are in short supply. If there is a site out there that catalogs simple straightforward business that don’t compromise a customers ability to be anonymous, I’d like it very much.
A HN user posted about a site they made for faxing documents the other day. It’s a good example of how I think most things should be setup in many cases. You pay a fee and it sends a fax, that is very simple to understand. There are no accounts and the documents are only stored long enough to fulfill the service.
You can imagine how most “modern” sites would handle faxing. Make an account, link a credit card, provide your address to validate the credit card. Then store all the faxes that were sent, claiming it’s for easy reference. Meanwhile it’s running OCR on them in the background to build a profile with a wealth of personal data. After all, people don’t tend to fax trivial things. In addition to the profits from the user, they are making a killing on selling data to advertisers… but those details are hidden away in legalese of the fine print in a policy no one actually reads.
Thank you, op, for bringing sanity to this whole thing.
Relatedly, this is why I think every "new" social media service that isn't Mastodon is barking up the most wrong tree with "take everything with you," you're essentially helping to build an even harder to erase social history.
Mastodon's individual server model, like email's, is better PRECISELY because each node is a point of "failure." That makes erasure easier. Which is good.
Isn't the actual difference between privacy and anonimity that one indicates that the company knows who you are, but ensures this stays "private", and the other is about not knowing who you are?
Like security, the Internet doesn't tolerate half measures. You either have perfect privacy or none.
A lot of our intuitions about both are based on obscurity: nobody is interested enough to devote their lives to you. That's not the case any more. You are exposed to every person on the planet, and they have the tools to automate attacks on every single person.
That's not to say "give up", but we need to find a new understanding of how our lives work. It's like we're all hunter-gatherers who find ourselves instantly in the largest and fastest city, with nobody to teach us the ropes.
What scares me is that the more privacy oriented you are, the easier you are to fingerprint. At what point does privacy mean blending in with the crowd and not sticking out?
You're thinking about browser fingerprinting (client-side), but my post is about service-level anonymity (server-side).
Browser fingerprinting: "Your unique combination of extensions/settings makes you identifiable among other users."
Service anonymity: "There are no other users to compare you against because we don't collect identifying data."
When you sign up with just a random 32-char string, there's nothing to fingerprint. No email to correlate. No IP logs to analyze. No usage patterns to build a profile from.
Fingerprinting matters when services collect behavioral data. We architected our way out of having that data to begin with.
>When you sign up with just a random 32-char string...
There's STILL a browser fingerprint, IP logs to analyze, usage patterns to build a profile from. You may claim you don't collect it, but users need to take your word for it. This is just pseudonymity, which (as many BTC users found out) only gets you halfway there. Real anonymity is way harder, often impossible.
Don't get me wrong, it's good to see organisations that care about privacy and in fact this blog post encouraged me to consider your services in the future. We have some use cases for that at work.
Though by using cloudflare you're NOT putting your money where your mouth is.
I was going to say making the platform open source might solve this problem, but then users would have to trust that we are actually running the open source version and not some fork with logging and tracking. This would be an interesting problem / paradox to try to crack.
But you are 100% right, I will look into alternatives for Cloudflare, which we are using because it seems like the cloud hosting industry LOVES to DDoS new players.
TBH most of those problems are solved by using tor browser. Depending on how much you care: 1. make it possible to use your service with Tor browser, 2. create an .onion site 3. delete your clearnet presence and use only tor.
Without (1), people who really care about anonymity won't even care about you (tor is table stakes). (3) is a really strong vote for anonymity, but don't expect many customers that way.
With open source software + reproducible system image builds + TPM + secure boot + remote attestation you could technically achieve some level of certainty that the server is running the software that you expect, but that's not enough.
The operator can passively log the network traffic which allows for de-anonymization and you would need to design your application-layer such that the operator couldn't selectively route your traffic to a non-compliant server.
I wonder if it would be possible to allow people to ssh into the edge servers with enough access to verify no access logs are stored but not enough to cause any problems. Admit i have not thought it through but would be cool having people verify the live environment while running.
You can't really verify anything in this way. SSH is just a protocol, you're trusting the SSH server to give you a shell inside the real production environment instead of giving you a shell inside some elaborate simulation of a production environment. It's about as trustworthy as a policy page saying "we don't keep logs".
> At what point does privacy mean blending in with the crowd and not sticking out?
It's basically rule number one. Tor is all about making all users look like the same user. The so called anonymity set. They all look the same, so you can't tell them apart from each other.
I read here that most of the Tor exit nodes are operated by governments and governments are using parallel construction to keep that information out of legal documents.
Well, yes. They control ISPs and exit nodes, therefore they can correlate entries into and exits out of the Tor network, narrowing down candidate lists until only one user remains. Essentially a nation scale version of the Harvard bomb threat correlation:
As noted in the article, it wasn't the failure of Tor that led to arrest, it was poor OPSEC. Failure to cover, failure to conceal and failure to compartment.
Blending in with the crowd doesn't work. If you use Chrome on Windows you're part of a very large group and "don't stick out". But it's also very easy to fingerprint so you're also part of the "theturtletalks" group with the size of one.
"...the only person on the whole campus connecting to Tor."
Talk about doubly stupid, first sending the threat, second using Tor on campus. I often wonder what goes (or doesn't go) through the mind of such people.
There were 4 people, but he confessed when questioned.
I guess the lesson there is that if you don't want to be convicted of a crime, don't confess to a crime? They won't give you a lighter sentence for confessing.
> I guess the lesson there is that if you don't want to be convicted of a crime, don't confess to a crime? They won't give you a lighter sentence for confessing.
Ever hear of moral integrity?
Unless the penalty is unjust (say, execution for a minor crime), a just man will confess and accept his punishment as right as just. He himself will want justice to be done and will want to pay for his crime.
A remorseful murderer knows he deserves death. He might ask for mercy, but failing that, he will accept the penalty with dignity and grace.
This is the kind of value a population can collectively hold until they look around and see the culture doesn't value it anymore. Moral integrity stopped being a cultural value that mattered here before I was even born, if it ever really did matter for anyone except the "common" man.
Honestly, I don't care about what the culture does. I act with integrity because of my values and who I want to be, not because I'm under any illusions about how many of my peers will do the same. It is, in my opinion, the only way to live well.
@ybceo As long as you use Cloudflare to verify users [fingerprints] and traffic between users and your service is decrypted at Cloudflare side, I am afraid it difficult to take these anonymity claims seriously.
Please do not to rely on fingerprinters or CDNs that does TLS-termination for you.
"Please unblock challenges.cloudflare.com to proceed."
talk about anonymity but uses cloudflare. you threw away your tls and allow cloudflare to sit in the middle of the user and your web page. you're a hypocrite.
There is no such thing as anonymity. With the number of bits required to ID a person and the fact that you are leaking such bits all the time you can simply forget about anonymity.
Many people online seem to think that they are anonymous and so were emboldened to do stuff that they might not have done if they had realized this. They continued to feel extremely good at this right up until the knock on the door.
Stop with that doom and gloom. You can absolutely be anonymous online if you want to and have some basic technical knowledge (every HN reader does).
I could try to prove it to you, but the only proof you need is that cybercrime exists and millions (or tens of millions) of dollars are stolen every day. If anonymity didn't exist it would be easy to stop this, wouldn't it?
Most UK and Australian writers would spell it "realised" so there's a bit right there.
Even if you include no personal information, there is information in writing style.
Stylometry is the study of this. Yes, there's also adversarial stylometry - distorting your writing style to fool an analysis. It's probably effective now, but that could change overnight and every archived post that every OSINT organisation has collected is deanomynised.
Yeah you can say "I change my style". But there's some bits that don't have false positives. If I EVER say "praise the omminsiah" I'm definetly au fait in 40k memes. If I ever say au fait I'm a person who has at least a rough idea of what it means. There's no false positive here, so if you can just find about 29 undeniable uncorrelated bits that are known to not have false positives ... a more advanced analysis could exploit this in a more continuous way (e.g. the likelihood of it being a false positive). I should shut up now.
It's as old as history. In the days super-abbreviated telegrams (words were costly) you could even get two for the price of one--the author and the Morse code operator who actually sent the telegram. He could be recognized by his Morse fist, other Morse operators on the network would recognize him by the style of his sending even though they were only listening to dots and dashes,
Well there's anonymity from authorities, and there's anonymity from garden variety lunatics.
There exists a grey area between not getting away with nefarious activities, and not having your life ruined by a lynch mob because you didn't approve their preferred CoC on a hobby project or some other perceived injustice.
This seems like the wrong end of the system to fix the problem. Someone saying "we don't log your IP address" isn't something you can easily verify, so the promise doesn't mean much because if they suck they're just going to lie about it.
What you need instead is to make it easy and common for people to use browsers that resist fingerprinting, VPNs/Tor, custom email addresses per-account, etc. Because then instead of claiming to not log your information, they simply do not have it.
The biggest thing we need is a better way to pay someone over the internet without them knowing who you are.
"The biggest thing we need is a better way to pay someone over the internet without them knowing who you are."
I've been saying that for years. Buy a prepaid card for cash at say the supermarket with xyz value on it and a unique email address included (an anonymous debit card with email). That is every new card you buy would have a different disposable email address that would expire when the card is empty.
Such a scheme could also be used to donate micro payments to opensource projects, ad-free Youtubers, etc. and do so anonymously. Moreover, it would make payments easier thus overcome the "requires effort to do" resistance when it comes to donating. Making donating super easy would I reckon greatly increase the income for all those on the receiving end.
However I can't see it happening, governments would outlaw it claiming it'd be used to transfer money for nefarious purposes, money laundering etc.
The major reason I don't donate to good/charitable causes is that I cannot do so anonymously.
Isn't that pretty much table stakes for being a cryptocurrency? Run a node (they're all open source), publish your address, and you're all set up to receive payments in that currency.
Every one I've tried "just works". The trick is getting people to join you.
> Every one I've tried "just works". The trick is getting people to join you.
As the other comment pointed out, if it's easy enough, that problem will take care of itself. I would also add "lightweight", cloning the entire block is not something everyone would do.
True. For 99% of the people mining it yourself of demanding getting paid in crypto is not viable. That means you go to an exchange, and all you do is then logged at this government regulated exchange.
I suppose you could engage in some cloak and dagger exchange at night, but again, the 99% won't do that. The ones who do, are most likely capable of setting up their own services, anonymously, so they don't need to have a commercial, for-profit as their middleman.
Sadly, everybody using a browser from a massive ad company and an idp (not to mention a company with an interest in crawling the entire web for AI at the same time site owners are dealing with better scrapers) means the entire web will be login-only over time.
We're quite a few years into this period of technology. At a certain point, these "AI is going to kill the web!" predictions either need to come true or just be dismissed as false.
I don't see how those points bolster your conclusion. These pressures predate AI by over a decade and haven't forced a significant tidal change in the way the internet is used.
> Stripe customer ID and payment method ID
Wouldnt this information allow for the authorities to just go to Stripe and ask the relevant information there? Sure, you don't store exact personally identifying info, but you store a breadcrumb that can lead whoever has the power to request that information to trace back to the end user
> And for those who need traditional payments? We support Stripe. Because pragmatism matters. But we don't pretend that credit card payments are anonymous. We're honest about the trade-offs.
I think this paragraph is clear enough about that?
>Here's how the average "privacy-focused" service actually works:
> ...
>5. Confirm identity for "fraud prevention" (now we have your ID)
I can't tell whether OP is being hyperbolic but it's certainly not representative of the average "privacy-focused" service I've came across. The typical service only asks for an email and maybe billing information (can be prepaid card or crypto). The only exception is protonmail, which might require SMS verification[1], but given the problem of email spam I'm sympathetic, and it's bypassble by paying. It's certainly not the "average" service, and no service asked to "Confirm identity".
According to article, the whole authorization system is flawed. But we haven’t invent a new one and the one we’ve got never meant to be private, it is just a way to separate users from each other. We need something unique, a "primary key" for our DB, and that’s email or phone or username that has to be stored somewhere. A server, someone else’s computer, call it what you want. It has good privacy between users, but the admin can see everything, because otherwise management of the service would be impossible.
There is no anonymity, there is always someone you have to trust in the chain of WAN networking (DNS,ISP,VPN). If you want anonymity and privacy, you selfhost (examining the code is also a prerequisite). There is no other way to do it.
> but the admin can see everything, because otherwise management of the service would be impossible.
It depends on what service you’re offering. There are many cases where you can have end-to-end encryption so that you can know who your users are, host their data but cannot do anything with it.
> If you use our servers for illegal activity, law enforcement can still investigate. They just can't start with "who owns this account" because we can't answer that question.
You're going to have a tussle with law enforcement, and you're going to lose. Your service will last < 2 years because you will not be able to afford the lawyers you need to defend against even one muscle move by the government.
Why? That's kind of the whole point of this: they can cooperate entirely and give them everything they have. You think they'll get into legal trouble because they aren't gathering data?
There are a number of companies/products that operate under this principle (mullvad and signal come to mind). Are you saying all of those are futile and misleading? Or are you saying that you expect they all have significant money and legal teams to defend against a crooked cop's thirst for vengeance for not responding the way they wanted during an investigation?
Even if you don't want to live entirely on the anonymous web, it's useful to see how many products claim privacy while being structurally incapable of delivering it
The problem with this in our current society is that staying anonymous becomes your whole identity. I have a friend who for the longest time didn’t use Venmo, Uber, etc. because of privacy reasons, but the lifestyle was just not sustainable. Ultimately convenience killed privacy.
So my understanding is, what Mullvad is to VPNs, and what Tarsnap is to S3 (kinda), Servury is to entire VMs. It's a prepaid model, you get an account identifier, and that's basically it.
This is very cool. I have wondered for a very long time why such a site does not exist. What pops to mind is that you could get better unit economics reselling really small VMs to the privacy obsessed. I know some netizens who would pay a dollar a month for, say, a tiny NetBSD VM and 64 MB of RAM to serve their tiny static demoscene website of yore. There are some real wizards of there.
Not sure if that's in your roadmap but definitely something to consider in this space.
I’m fine with no account recovery but they would definitely need a major warning about that at sign up time so users can take extra care to save their info.
One difference with Mullvad is VPN traffic is ephemeral. Here, a VPS has a persistent disk attached, that could contain identifying information (if it is necessary to do useful work).
And, also not very funny, those corps never tell in advance which data they "require". They grab my mail on "the first page" of the registration form. Then, on "the second page", they ask for my phone and my address. Should I decide to agree to this, they will finally tell me on "the third page", that they only support credit card, no PayPal, no direct payment via Bank ...
It's a bit ironic the page is protected by Cloudflare. So, all of our traffic is going through some other company to log and track before it gets to you, eh?
What I was wondering after reading the article: How does Mulvad actually decouple banking data from the account ID? Or is it as simple as verify transaction once but never log?
So there's no subscription thing going on, you just manually pay invoices?
I once spent an entire year issuing chargebacks on AWS charges coming from god knows what AWS account. Most likely some client project I forgot about and didn't have the login to anymore, who knows. Makes me think about that - for a service where you can't login if you lose the credentials, how do you cancel a subscription? In my case I had to eventually just cancel the credit card and get a new number.
No subscription. It’s pay as you go. You top up $X and you get X months. That’s it. If your month expires, it expires. Just top off and you’re good to go.
I would much rather have privacy with e2e encryption than have anonymity. The way that works is a direct connection between two parties without use of a central server, like webRTC.
I don’t know what’s wrong with these comments. This is the kind of smart design we want to see and everyone is doing nitpicking.
Can we have just better things or are we going to reject everything that’s not perfect and by doing so concede the whole point and just give up?
Well done OP for the right approach and your business. This has always been my design (when possible) to approach data security. When you don’t have data you don’t have to worry about its security.
tl;dr
“Privacy” = the data is private i.e. only on your devices. Or if the raw data is public but encrypted and the key is private, I think that qualifies.
“Anonymity” = the data is public but not linked to its owner’s identity.
If you’re sharing your data with a website (e.g. storing it unencrypted), but they promise not to leak it, the data is only “private” between you and them…which doesn’t mean much, because they may not (and sometimes cannot) keep that promise. But if the website doesn’t attribute the data except to a randomly-generated identifier (or e.g. RSA public key), the data is anonymous. That’s the article.
Although a server does provide real privacy if it stores user data encrypted and doesn’t store the key, and you can verify this if you have the client’s unobfuscated source.
Also note that anonymity is less secure than privacy because the information provides clues to the owner. e.g. if it’s a detailed report on a niche topic with a specific bias and one person is known to be super interested in that topic with that bias, or if it contains parts of the owner’s PII. But it’s much better than nothing.
Europe is currently being tormented by this exact contradiction: on one hand, it has the GDPR—the world's strictest privacy law, supposedly protecting personal data; on the other, a flood of new regulations under the banners of "child safety," "counter-terrorism," and "anti-money laundering" are systematically strangling real anonymity.
I agree, privacy still means a lot. It's a term that's been co-opted by the large tech companies which operate with impunity. It will has meaning that cannot change.
The post also misunderstands privacy
> Privacy is when they promise to protect your data.
Privacy is about you controlling your data. Promises are simply social contracts.
Exactly. I run sans JS by default. At least this warns me to either avoid the site or to take the risk (browser button--red for JS block, green unblock).
it's 2025. chances are you had peeps in class/uni who are now in the Stasi networks of informants and/or in some more or less obscure agency or more or less related private company so your anonymity only works from birth and even then only if you are lucky or your family "gets it" and has resources and brains beyond.
some people believe supply chain attacks are rare and hard to pull off and expensive and only valuable in extreme cases but if you ever worked at a local delivery service or pharmacy or something other where people and the necessary machines are being aggregated in some basements or even backrooms for all use cases from all times for wholesale forgery and fiddling with people, you know that the situation is ugly, not bad. throw in the many coders, network engineers and hardware specialists with ties to above entities and bombaclat, Jahmunkey, we fucked!
"privacy" or not sharing your space with a creepy room mate, and reading the internet without adds ar3 parallel
running three flavors of the same off brand browser, each optimised for different segments of online content is what seems to be the minimum.
they are so desperate to sell me something,
(a truck) that it's wild, as it is one of the few monitisable things I consistently look for (parts, service procedures), the ,
pause, when I do certain searches gives me time to predict that yes, the machinery is grinding hard, and will ,shortly, triumphantly, produce, a ,truck.
anonymity in your product could be a sensible design choice that your customers could value. fine. go nuts.
but in general? hard disagree. anonymity is fragile and can't be guaranteed, privacy is a legal obligation which can actually be enforced if push comes to shove.
also that page reads like slop : it's not X, it's Y. blah blah blah. this is a marketing piece trying to go viral.
How tf are you supposed to provide working authentication without storing the email somewhere? Should i just disable password resets and tell the users to fuck off if they forget theirs? Cant even use passkeys as they make users identifiable too.
How do passkeys make users identifiable beyond being a random token? I recall FIDO shared hardware key serial numbers with websites, but at least on Firefox, it prompts you to deny it.
A passkey is always one per site. Emails tend to be naturally reused, unless the visitor uses a paid aliasing service (plus trick is trivial to canonize, having a dozen mailboxes on a self-hosted email still associates them with each other, because there's no anonymity set to speak of, and major email providers like Gmail won't let you register an account today without a phone number, credit card, or passport).
Users need to have hard memorization or record of a paraphrase, same as a crypto wallet. Or just use web3 for auth, that can work well if users have decent opsec.
The battle on privacy/anonymity/whatever is lost. Get over it. What we need is a new social paradigm where everyone is happy despite the lack of privacy.
Please provide your full legal name (include any other names you go by), occupation and place of employment, phone number[s], email address[es], usernames on other social media accounts, eye color, height, weight, list of any health conditions. That's just to start, then we can start going over more info.
Yes, exactly, that's what I'm talking about. Imagine a world where it's completely acceptable to post poop on Instagram, and people who don't want to look at it simply tick "don't display poop". The thing is, the "if you have nothing to hide then you have nothing to fear" argument IS true, under assumption that others would be understanding and compassionate to your intentions. Which is exactly the opposite of the legal/societal system we currently have.
What I'm trying to say is that the core issue is "people aren't trustworthy" and "we need privacy" is a bandaid on the former problem. If we manage to create a society where people are trustworthy, the need of privacy will disappear.
The core problem is that people have (and will always have) divergent goals, and a large subset of people see no problem in using coercive and even violent means to ensure that their own “team” wins. This is human nature and cannot be remedied.
Then the government is overturned by a totalitarian clique that declares displaying poop punishable by death, and this includes any past display of poop. Suddenly you find yourself here
At first I thought it was a blog. No, this is a company. So, their privacy page (https://servury.com/privacy/):
> Server Logs > Like all web services, our servers may log: > IP addresses of visitors > Request timestamps > User agent strings > These logs are used for security and debugging purposes and are not linked to your account.
That's already a huge breach in comparison to mullvad privacy page. (https://mullvad.net/en/help/no-logging-data-policy)
I agree 100%. I went ahead and disabled all logging in Apache just now. Will update the privacy page to reflect this within the hour.
Shouldn't you have spent some time to think through basic things like this before trying to write an opinion piece on anonymity? Certainly it shows a lack of depth of understanding.
We all mess up and miss things, op has shown maturity enough to admit to their mistakes and improve from them.
My takeaway from this thread is an increased amount of trust in OP. Not because they made a mistake, but because of how they handled it. Well done OP!
The privacy crowd seems to be incapable of grey areas. Are all these the same thing? Are they all the same severity of problem?
A LOT of the privacy folks would put all those examples in the same category, and it absolutely drives me up a wall. It's purity-seeking at the expense of any meaningful distinction, or any meaningful investigation that actually allows uses to make informed decisions about their privacy.> - A web site logs traffic in a sort of defacto way, but no one actually reviews the traffic, and it's not sent to 3rd parties.
Even if this sounds innocent, these must be turned over if you are provided a warrant or subpoena (which ever would be appropriate, IANAL).
They belong in the same category: the end user has zero agency over how their privacy is impacted, and is at the whim of the wishes/agency of whoever is serving content to them.
Whether the one serving the content is exploiting data at the present moment has very little relevance. Because the end user has no means to assert whether it is happening or not.
I disagree. Like I said earlier :
Web server logs were not tied to user credentials in any way, they were used for debugging purposes and could not have been used to identify users.
You disagree and yet you agreed 100% and made the change. I thought the point the preceding parent comment is making is that you should have thought of that beforehand. Yet you seemed to already come to a judgement about it yet then quickly agreed to reverse yourself.
Sounds like a clear "lack of a depth of understanding" to me.
From your faq: "We maintain zero logs of your activities. We don't track IP addresses, …"
Front page says "zero logs"
Some logs, including specifically datapoints you have promised not to log, but you mean well (?) is pretty different from zero logs
Fwiw, zero logs in that context is usually in the relation to requests through the VPN, whereas this discussion is about requests on their homepage? Or did I misunderstand something here?
I have a static IP address; and most connections tend to have long-lived leases anyways. It can easily be used to identify me, even if you don't explicitly tie it to my account.
Does it matter, when CF is collecting all that already before people even reach your site?
If the authorities come to TFA site with demands, they can't do anything about what CF is doing. All they can do is turn over what they have, and/or prove they don't have what is being asked of them. What some 3rd party does is not germane at all.
Does CF matter, when intermediate ISPs are collecting IP address and DNS query activity and can be subpoenaed?
The answer to both this and parent is yes: partial privacy improvements are still improvements. There are two big reasons for this and many smaller reasons as well:
First, legal actors prioritize who to take action against; some cases are “worth seeing if $law-enforcement-agency can get logs from self-hosted or colo’d servers with minimal legal trouble” but not “worth subpoenaing cloudflare/a vpn provider/ISP for logs that turned out not to be stored on the servers that received the traffic“.
Second, illegal actors are a lot more likely to break into your servers and be able to see traffic information than they are to be able to break into cloudflare/vpn/ISP infrastructure. Sure, most attackers aren’t interested in logs. But many of the kind of websites whose logs law enforcement is interested in are also interesting to blackmailers.
The whole thing is behind cloudflare!
Anonymity is responsibility of a visitor in any case. If the visitor's anonymity depends on some website not storing logs, the visitor lost already.
Your browser knows more about you than you do. When accessing a website, anonymous or not, it sends a fingerprint so to speak to that site and its ad network. It’s there that your anonymity ceases and you are identified, classified, segmented, and fed more “How to stay safe online” ads. There’s no escaping it. Chromium is not to be trusted.
in 2025, can small and medium businesses afford to be exposed to the world wild web? You don't need to be a major site these days to be DDosed on the regular
Who gets ddosed on the regular? Spam is a regular problem, but I have never encountered a ddos on a business website.
Baseless fear mongering. I've had webservers raw-dogging the Internet for about 25 years. Nothing of any consequence has happened. Hasn't happened to anyone I know, either. Anecdata yes, but people are making it sound like running a webserver is like connecting a Windows XP machine to the internet - instant pwnage. It isn't.
I've been DDoS'ed exactly once. In 2003 I got into a pointless internet argument on IRC, and my home connection got hammered, which of course made me lose the argument by default. I activated my backup ISDN, so my Diablo 2 game was barely interrupted.
>I've had webservers
But have those webservers supported a small or medium-sized business?
Mine do, although I do use Cloudflare.
I've periodically removed Cloudflare because of issues with reissuing SSL certs, Cloudflare being down, and other reasons, and haven't noticed any problems.
The biggest benefit I get from Cloudflare is blocking scraper robots, which I've just been too lazy to figure out how to do myself.
Mine did. Mine do. Never a problem. Not once.
Despite what Cloudflare wants you to think, yes, yes they can.
Also you can sue whoever DDoSes you and put them in jail. It's easier than it used to be, since the internet is heavily surveilled now. The malicious actors with really good anonymity aren't wasting it attacking a nobody.
Are you allowed to do that in US? I see the company is located in the USA, can companies disable logging just like that?
(Asking because I really don't know)
I don't know either, but I would guess there are no laws that says internet service operators must log anything.
But, banks and financial services now must obey "know your customer" laws so it's not beyond imagination that similar laws could be applied to websites and ISPs operating in a particular country.
In most countries the law doesn't say you have to log everything about your users, but it does say that if you log it and the police ask for it then you have to give the data to them.
I think you mean if a court asks for it. And they have to ask for something you actually have
That's why companies that actually care about privacy (I think there are only two - Mullvad and Signal?) make a point of not ever capturing the data to begin with, and deleting what they do capture as soon as possible.
I initially liked the sentiment but the offering doesn’t appear to add up. Unfortunately the real private cloud, if it exists, is bare metal and can’t really be sold as a subscription.
> That's already a huge breach in comparison to mullvad privacy page.
And the "3 data points, that's it" of the blog post
Those data points refer to what is stored in the database and is tied to your 32 character credential.
Web server logs were not tied to user credentials in any way.
IPs are PII. They can be tied to an identity.
Even user agents are often specific enough to be considered PII.
I mean technically yes but I find THAT kind of logging utterly benign.
They're good enough for fingerprinting and matching against other logs.
Also:
> // What we DON'T collect:
> - IP addresses (not logged, not stored, not tracked)
> - Usage patterns (no analytics, no telemetry, nothing)
> - Device fingerprints (your browser, your business)
so, I've read one blog from this company, and already they're lying or incompetent
i hate to point it out, but that was written by an llm that probably wasn't prompted precisely enough to not make up comforting thoughts like that
Indeed, the whole thing reads like it was written by an LLM.
In many ways, we're past the point of no return. So-called ubiquitous technical surveillance is largely the norm, often encroaching by design beyond the boundaries of expected decency.
Informational terrorism, a dysphemism that describes the manner by which certain data is abused to "re-rank content" for a "personalized experience," is encoded into the DNA of certain large tech companies.
> we're past the point of no return
The ideal would have been a security-first (privacy-first) industry and supply chain. The ideal never was going to happen, anymore than the early educational ideals of the television industry.
Ergo we are not past the point of no return. That point never existed. We are right where we should expect to be, with most people victimised by the industry and the supply chain, and with a small percentage of people working in security/privacy education to mitigate unsafe practices.
Seatbelts and airbags exist. Smoking is banned in many public settings. It took a senseless amount of carnage to achieve these measures.
We just haven't achieved the requisite amount of privacy carnage. Yet.
Yes. The only question left is when does the terror begin? And it will--it will be our own governments clamping down on all of us. The digital norm globally will be China under the CCP. That is the future for all of us unless we turn it off, but we won't because humans are stupid.
The terrorism is already occurring, it's merely exported to other people
Eh, defeatist attitude. It isn't that hard to anonymize and obfuscate your data.
The issue is everyone is willing to trade convenience for security.
The point of no return is an individual choice.
This doesn't reflect the current reality. Tech companies acquire questionable third-party data without consent and exploit it however they see fit.
> The point of no return is an individual choice.
This is largely the attitude that led to this in the first place. This is about failures of messaging, campaigning, and organising. It is a lack of democratic engagement that directly stems from the idea of individual choice being supreme over everything.
Speaking of mullvad. I recently learned about mullvad browser, which is basically tor browser minus connecting via the your network. This is interesting because the tor project has put the most effort into fingerprinting resistance. If you care about privacy and you have a customized browser, you're likely uniquely finger printable [1]. If you don't want to connect via tor, there's no excuse not to use the mullvad browser. (Doesn't require you to use mullvad VPN; comes with the mullvad plugin, disabled by default, to optionally use mullvad encrypted DNS. Last point, I wrote to the tor project and asked "is it possible to use tor browser minus tor network", and they responded "that's the mullvad browser", so this isn't just my recommendation)
[1] https://coveryourtracks.eff.org
Most people fixate on network-level anonymity and completely underestimate how badly a "tuned" browser leaks identity
People also tend to have very poor OPSEC which undermines their efforts in spite of the tools they used.
https://grugq.github.io/blog/2013/11/06/required-reading/
Unlinking one's identity from one's activity is only getting harder as surveillance gets more and more pervasive. Effective OPSEC essentially turns one's life into a living hell and it's only getting hotter with time.
Fun fact, mullvad browser is created by Tor in collaboration with them.
I know it’s a different context, but with this catchy title, I can’t resist pointing out that anonymity also doesn’t mean anything.
You can have cryptocurrencies in your wallet, (on most chains) you are anonymous but have no privacy, your transaction history can be accessed by anyone.
It’s all fine and dandy, you can enjoy your anonymity, about as long as you make your first transaction.
You might be anonymous, but basically you hand over your full transaction history and balance anytime you pay for a coffee or tshirt.
The term pseudonymous should be more popular. A crypto id is a pseudonym, right? In the sense that it is a consistent identity you have, just, not one that is initially tied to the identity you were born with.
Social media handles are usually pseudonymous at most.
I wonder where the figure of anonymity is. With writing style analysis, correlating pseudonyms is probably pretty easy these days. Maybe we’ll all start writing our ideas into LLMs and have them do the talking…
you typically don't have one wallet and you (should at least attempt to) never reuse them either.
Do you mean a wallet per transaction?
And if you simply have multiple wallets and try and maintain the appearance of being disconnected, can you move funds between them without establishing a connection that unmasks you?
well the idea is to obscure it to someone looking from the outside, give enough information it can still be traced - but that's usually only possible by infosec agencies which is typically what they have access to already with normal banks.
to clarify: it can be hard to prove that two crypto addresses are the same people
There's a whole industry of commercially available products that analyze blockchains transactions for the purpose of tracing them. Anyone can simply buy these services. It is functionally accurate enough to find and prosecute criminals.
> It is functionally accurate enough to find and prosecute criminals.
Is that a high bar? I mean, you could have said that about forensic fiber analysis—and then it was revealed that the entire history of the field was just expert witnesses lying their asses off for whatever conclusion law enforcement wanted. It turns out that to prosecute criminals, being complex enough that expert witnesses can provide a smoke screen to rationalize law enforcement targeting that is actually based on prejudice and not concrete facts can be sufficient.
Nobody is being prosecuted on the basis of blockchain analysis data alone -- what I mean is that the data is good enough that that it provides information valuable enough to find the criminal in meatspace with the related physical evidence.
e.g. police look for online drug dealer with blockchain data, get warrant, bust down door, find big pile of drugs.
The point being, the data might not be "proof" on its own but it absolutely illustrates that there is no privacy on public ledgers.
depends on the wallets you use and what you do with them, being able to identify criminals is honestly a plus and if you really wanted to you could make their job *really* hard if you wanted to truly hide from an abusive government. Not being able to hide huge transactions in the millions / billions is honestly a good thing. Imagine the transparency we could get if all governments used crypto currencies instead of the walled garden that is SWIFT.
Let’s say you need three transactions a week, that’s 150 a year. How do you get the right amount of funds into these wallets? How will you get your money out? How will they not be able to track you anyway? As far as I know, you just make the identifiable wallets one hop away.
Again, I’m assuming traditional “old school” non-privacy cryptocurrencies.
There are tumbling services, where you for a fee can mix upp your transaction with lots of other users transactions to make it less obvious you where the one that transfered the credit to your burner wallet.
Kepp in mind, tumblers have also been found to keep logs that ended upp in law enforcement.
Well by design you receive crypto currency in different wallets to begin with and what funds to use, well that's simple - whatever wallet has enough cryptocurrency to cover the transaction.
Any business that isn’t willing to be as anonymous as Mullvad, I assume has a compromised business model that I don’t really like. Assuming there aren’t obvious reasons for needing the data, like tax filing, or various regulatory requirements.
I don’t understand why any company would want the liability of holding on to any personal data if it wasn’t vital to the operations of the business, considering all the data breaches we’ve seen over the past decade or so. It also means they can avoid all the lawyers writing complicated and confusing privacy policies, or cookie approval pop-ups.
What I'd really like to see is more honesty: "we store X because feature Y needs it, here's the risk we're accepting," instead of pretending every service needs emails, analytics, and cookies by default
> I don’t understand why any company would want the liability of holding on to any personal data if it wasn’t vital to the operations of the business, considering all the data breaches we’ve seen over the past decade or so.
They're OK with the liability exactly because of this very sentence. As you said, there's so many data breaches... so where are the company-ending fines and managers/execs going to prison?
Here in Japan the government cracks down on it hard. There are fines for every n users exposed and in extreme cases a company can be forced to stop trading for a period of days or weeks. Companies are so scared of this happening to them that a significant portion of orientation for new employees is spent on it. I don't have stats on how effective it is, but I do know that the public is less willing to accept it as they tend to elsewhere.
Is this true? KADOKAWA had a massive hack last year that leaked a large amount of sensitive user data and as far as I know has faced no legal repercussions. Obviously they took a decent financial and reputational hit, but that was just an effect of the hack itself, not any government intervention.
Wow good for them. I wish we took it that seriously in North America.
GDPR has fines:
Up to EUR 10,000,000 or up to 2% of the total worldwide annual turnover of the preceding financial year, whichever is higher; applies to infringements such as controller and processor obligations, security of processing, record-keeping, and breach notification duties.
Up to EUR 20,000,000 or up to 4% of the total worldwide annual turnover of the preceding financial year, whichever is higher; applies to infringements of basic principles for processing, data subjects’ rights, and unlawful transfers of personal data to third countries or international organisations.
Sure, in principle. Have you heard of any company that suffered any significant hardship (say, stock price plummeting, personnel reductions, bankruptcy) because of one of these fines?
Specific to the UK, there's a list of enforcement actions that the Information Commissioners Office (ICO) have taken:
https://ico.org.uk/action-weve-taken/enforcement/
Some went to prison, some were fined £14M and it's a mixture of small fry and big fry.
These fines aren’t something you’re responsible for paying by merely being breached. These are imposed for misconduct in data handling.
It’s not very hard to handle customer data in a legally compliant way, that’s why you don’t see companies deciding against retaining data.
You can do everything right and still have a data breach, and in that case nobody is fining you.
Infra engineer here. The obvious reasons for needing the data is debugging. I collect logs, metrics, traces, and errors from everywhere, including clients. All of these come with identifying information including the associated user. From the perspective of this thread this is a huge amount of data although it's pretty modest compared to the wider industry.
This data is the tool we have to identify and fix bugs. It is considered a failing on our end if a user has to report an issue to us. Mullvad is in an ideal situation to not need this data because their customers are technical, identical, and stateless.
It's not my department but I think we would get laughed out of the room if we told our users that we couldn't do password resets or support SSO let alone the whole forgetting your 'credential' means losing all your data thing.
> Mullvad is in an ideal situation to not need this data because their customers are technical, identical, and stateless.
A lot of companies could be in similar situations, but choose not to be.
All of retail, for example. Target does significant amounts of data collection to track their customers. This is a choice. They could let users simply buy things, pay for them, and store nothing. This used to be the business model. For online orders, they could purge everything after the return window passed. The order data shouldn’t be needed after that. For brick and mortar, it should be a very straightforward business. However, I’m routinely asked for my zip code or phone number when I check out at stores. Loyalty cards are also a way to incentivize customers to give up this data (https://xkcd.com/2006/).
TVs are another big one. They are all “smart” now, and collect significant amounts of data. I don’t know anyone who would be upset with a simple screen that just let you change inputs and brightness settings, and let people plug stuff into it. Nothing needs to be collected or phone home.
A lot of the logs that are collected in the name of troubleshooting and bug fixing exist because the products are over-complicated or not thoroughly tested before release. The ability to update things later lowers the bar for release and gives a pass for adding all this complexity that users don’t really want. There is a lot of complexity in the smart TV that they might want logs for, but none of it improves the user experience, it’s all in support of the real business model that’s hidden from the user.
>Any business that isn’t willing to be as anonymous as Mullvad, I assume has a compromised business model that I don’t really like
Well, that's like 99% of the businesses out there. Mind listing of some of the businesses you like aside from obvious mullvad?
I wish I had a list, as you said, they are in short supply. If there is a site out there that catalogs simple straightforward business that don’t compromise a customers ability to be anonymous, I’d like it very much.
A HN user posted about a site they made for faxing documents the other day. It’s a good example of how I think most things should be setup in many cases. You pay a fee and it sends a fax, that is very simple to understand. There are no accounts and the documents are only stored long enough to fulfill the service.
https://news.ycombinator.com/item?id=46310161
You can imagine how most “modern” sites would handle faxing. Make an account, link a credit card, provide your address to validate the credit card. Then store all the faxes that were sent, claiming it’s for easy reference. Meanwhile it’s running OCR on them in the background to build a profile with a wealth of personal data. After all, people don’t tend to fax trivial things. In addition to the profits from the user, they are making a killing on selling data to advertisers… but those details are hidden away in legalese of the fine print in a policy no one actually reads.
Thank you, op, for bringing sanity to this whole thing.
Relatedly, this is why I think every "new" social media service that isn't Mastodon is barking up the most wrong tree with "take everything with you," you're essentially helping to build an even harder to erase social history.
Mastodon's individual server model, like email's, is better PRECISELY because each node is a point of "failure." That makes erasure easier. Which is good.
No one owning your data isn't any better than everyone owning your data.
That's not true. Mastodon replicates all your posts to a bunch of other servers you don't control by design, which makes them harder to erase.
It's no worse than normal internet publishing, but it doesn't magically solve the erasure question.
Isn't the actual difference between privacy and anonimity that one indicates that the company knows who you are, but ensures this stays "private", and the other is about not knowing who you are?
Yes. Privacy and anonymity are both useful in different contexts. This article is just an ad for a service.
Like security, the Internet doesn't tolerate half measures. You either have perfect privacy or none.
A lot of our intuitions about both are based on obscurity: nobody is interested enough to devote their lives to you. That's not the case any more. You are exposed to every person on the planet, and they have the tools to automate attacks on every single person.
That's not to say "give up", but we need to find a new understanding of how our lives work. It's like we're all hunter-gatherers who find ourselves instantly in the largest and fastest city, with nobody to teach us the ropes.
Which is kinda interesting because the only people I know without any internet presence are very old or, working for intelligence services.
What scares me is that the more privacy oriented you are, the easier you are to fingerprint. At what point does privacy mean blending in with the crowd and not sticking out?
You're thinking about browser fingerprinting (client-side), but my post is about service-level anonymity (server-side).
Browser fingerprinting: "Your unique combination of extensions/settings makes you identifiable among other users."
Service anonymity: "There are no other users to compare you against because we don't collect identifying data."
When you sign up with just a random 32-char string, there's nothing to fingerprint. No email to correlate. No IP logs to analyze. No usage patterns to build a profile from.
Fingerprinting matters when services collect behavioral data. We architected our way out of having that data to begin with.
>When you sign up with just a random 32-char string...
There's STILL a browser fingerprint, IP logs to analyze, usage patterns to build a profile from. You may claim you don't collect it, but users need to take your word for it. This is just pseudonymity, which (as many BTC users found out) only gets you halfway there. Real anonymity is way harder, often impossible.
Don't get me wrong, it's good to see organisations that care about privacy and in fact this blog post encouraged me to consider your services in the future. We have some use cases for that at work.
Though by using cloudflare you're NOT putting your money where your mouth is.
I was going to say making the platform open source might solve this problem, but then users would have to trust that we are actually running the open source version and not some fork with logging and tracking. This would be an interesting problem / paradox to try to crack.
But you are 100% right, I will look into alternatives for Cloudflare, which we are using because it seems like the cloud hosting industry LOVES to DDoS new players.
TBH most of those problems are solved by using tor browser. Depending on how much you care: 1. make it possible to use your service with Tor browser, 2. create an .onion site 3. delete your clearnet presence and use only tor.
Without (1), people who really care about anonymity won't even care about you (tor is table stakes). (3) is a really strong vote for anonymity, but don't expect many customers that way.
With open source software + reproducible system image builds + TPM + secure boot + remote attestation you could technically achieve some level of certainty that the server is running the software that you expect, but that's not enough.
The operator can passively log the network traffic which allows for de-anonymization and you would need to design your application-layer such that the operator couldn't selectively route your traffic to a non-compliant server.
I wonder if it would be possible to allow people to ssh into the edge servers with enough access to verify no access logs are stored but not enough to cause any problems. Admit i have not thought it through but would be cool having people verify the live environment while running.
You can't really verify anything in this way. SSH is just a protocol, you're trusting the SSH server to give you a shell inside the real production environment instead of giving you a shell inside some elaborate simulation of a production environment. It's about as trustworthy as a policy page saying "we don't keep logs".
There are self-hostable solutions for DDoS protection, try Anubis for example.
> At what point does privacy mean blending in with the crowd and not sticking out?
It's basically rule number one. Tor is all about making all users look like the same user. The so called anonymity set. They all look the same, so you can't tell them apart from each other.
It's also part of the rules of proper OPSEC.
https://en.wikipedia.org/wiki/The_Moscow_rules
> Do not look back; you are never completely alone.
> Go with the flow, blend in.
> Vary your pattern and stay within your cover.
I read here that most of the Tor exit nodes are operated by governments and governments are using parallel construction to keep that information out of legal documents.
Well, yes. They control ISPs and exit nodes, therefore they can correlate entries into and exits out of the Tor network, narrowing down candidate lists until only one user remains. Essentially a nation scale version of the Harvard bomb threat correlation:
https://buttondown.com/grugq/archive/bad-opsec-considered-ha...
As noted in the article, it wasn't the failure of Tor that led to arrest, it was poor OPSEC. Failure to cover, failure to conceal and failure to compartment.
Blending in with the crowd doesn't work. If you use Chrome on Windows you're part of a very large group and "don't stick out". But it's also very easy to fingerprint so you're also part of the "theturtletalks" group with the size of one.
Not necessarily
https://news.ycombinator.com/item?id=46334951
There's a point where "privacy" flips into distinctiveness
Reminds me of this guy who used Tor to send a fake bomb threat to his school but he was the only person on the whole campus connecting to Tor.
"...the only person on the whole campus connecting to Tor."
Talk about doubly stupid, first sending the threat, second using Tor on campus. I often wonder what goes (or doesn't go) through the mind of such people.
There were 4 people, but he confessed when questioned.
I guess the lesson there is that if you don't want to be convicted of a crime, don't confess to a crime? They won't give you a lighter sentence for confessing.
> I guess the lesson there is that if you don't want to be convicted of a crime, don't confess to a crime? They won't give you a lighter sentence for confessing.
Ever hear of moral integrity?
Unless the penalty is unjust (say, execution for a minor crime), a just man will confess and accept his punishment as right as just. He himself will want justice to be done and will want to pay for his crime.
A remorseful murderer knows he deserves death. He might ask for mercy, but failing that, he will accept the penalty with dignity and grace.
This is the kind of value a population can collectively hold until they look around and see the culture doesn't value it anymore. Moral integrity stopped being a cultural value that mattered here before I was even born, if it ever really did matter for anyone except the "common" man.
Honestly, I don't care about what the culture does. I act with integrity because of my values and who I want to be, not because I'm under any illusions about how many of my peers will do the same. It is, in my opinion, the only way to live well.
Whatever you smoke, share it.
@ybceo As long as you use Cloudflare to verify users [fingerprints] and traffic between users and your service is decrypted at Cloudflare side, I am afraid it difficult to take these anonymity claims seriously.
Please do not to rely on fingerprinters or CDNs that does TLS-termination for you.
"Please unblock challenges.cloudflare.com to proceed."
talk about anonymity but uses cloudflare. you threw away your tls and allow cloudflare to sit in the middle of the user and your web page. you're a hypocrite.
Hypocrisy is a moral failing but also a somewhat pedantic one -- has this person condemned these activities or merely lamented them?
There is no such thing as anonymity. With the number of bits required to ID a person and the fact that you are leaking such bits all the time you can simply forget about anonymity.
Many people online seem to think that they are anonymous and so were emboldened to do stuff that they might not have done if they had realized this. They continued to feel extremely good at this right up until the knock on the door.
Stop with that doom and gloom. You can absolutely be anonymous online if you want to and have some basic technical knowledge (every HN reader does).
I could try to prove it to you, but the only proof you need is that cybercrime exists and millions (or tens of millions) of dollars are stolen every day. If anonymity didn't exist it would be easy to stop this, wouldn't it?
> realized
Most UK and Australian writers would spell it "realised" so there's a bit right there.
Even if you include no personal information, there is information in writing style.
Stylometry is the study of this. Yes, there's also adversarial stylometry - distorting your writing style to fool an analysis. It's probably effective now, but that could change overnight and every archived post that every OSINT organisation has collected is deanomynised.
Yeah you can say "I change my style". But there's some bits that don't have false positives. If I EVER say "praise the omminsiah" I'm definetly au fait in 40k memes. If I ever say au fait I'm a person who has at least a rough idea of what it means. There's no false positive here, so if you can just find about 29 undeniable uncorrelated bits that are known to not have false positives ... a more advanced analysis could exploit this in a more continuous way (e.g. the likelihood of it being a false positive). I should shut up now.
"Stylometry is the study of this."
It's as old as history. In the days super-abbreviated telegrams (words were costly) you could even get two for the price of one--the author and the Morse code operator who actually sent the telegram. He could be recognized by his Morse fist, other Morse operators on the network would recognize him by the style of his sending even though they were only listening to dots and dashes,
Well there's anonymity from authorities, and there's anonymity from garden variety lunatics.
There exists a grey area between not getting away with nefarious activities, and not having your life ruined by a lynch mob because you didn't approve their preferred CoC on a hobby project or some other perceived injustice.
Is there? The government apparatus that's meant to investigate these crimes is the same one elected by the mob.
If you find yourself a member of any group a campaign can mobilize the mob against, that entire investigatory apparatus can be turned against you.
Without privacy, we are doomed to endless purity purges.
This seems like the wrong end of the system to fix the problem. Someone saying "we don't log your IP address" isn't something you can easily verify, so the promise doesn't mean much because if they suck they're just going to lie about it.
What you need instead is to make it easy and common for people to use browsers that resist fingerprinting, VPNs/Tor, custom email addresses per-account, etc. Because then instead of claiming to not log your information, they simply do not have it.
The biggest thing we need is a better way to pay someone over the internet without them knowing who you are.
> The biggest thing we need is a better way to pay someone over the internet without them knowing who you are.
What's the reason you don't want sellers to know who you are?
That would be like buying things in real life while wearing a ski mask and paying with cash.
What's the reason for the seller to know who I am?
Any normal pre-total-surveillance store would've had zero issues selling me something for cash if I walked in wearing a ski mask.
"The biggest thing we need is a better way to pay someone over the internet without them knowing who you are."
I've been saying that for years. Buy a prepaid card for cash at say the supermarket with xyz value on it and a unique email address included (an anonymous debit card with email). That is every new card you buy would have a different disposable email address that would expire when the card is empty.
Such a scheme could also be used to donate micro payments to opensource projects, ad-free Youtubers, etc. and do so anonymously. Moreover, it would make payments easier thus overcome the "requires effort to do" resistance when it comes to donating. Making donating super easy would I reckon greatly increase the income for all those on the receiving end.
However I can't see it happening, governments would outlaw it claiming it'd be used to transfer money for nefarious purposes, money laundering etc.
The major reason I don't donate to good/charitable causes is that I cannot do so anonymously.
Shame really.
> The biggest thing we need is a better way to pay someone over the internet without them knowing who you are.
Cryptocurrency?
That's what I thought. I think an open source crypto payment gateway that "just works" could probably make it more prevalent. (Is there any?)
Isn't that pretty much table stakes for being a cryptocurrency? Run a node (they're all open source), publish your address, and you're all set up to receive payments in that currency.
Every one I've tried "just works". The trick is getting people to join you.
> Every one I've tried "just works". The trick is getting people to join you.
As the other comment pointed out, if it's easy enough, that problem will take care of itself. I would also add "lightweight", cloning the entire block is not something everyone would do.
If it was made easy and common for ordinary people to use.
True. For 99% of the people mining it yourself of demanding getting paid in crypto is not viable. That means you go to an exchange, and all you do is then logged at this government regulated exchange.
I suppose you could engage in some cloak and dagger exchange at night, but again, the 99% won't do that. The ones who do, are most likely capable of setting up their own services, anonymously, so they don't need to have a commercial, for-profit as their middleman.
Maybe ironically - just going on the title because I can't read the rest as a result - it's behind a cloudflare gate.
Sadly, everybody using a browser from a massive ad company and an idp (not to mention a company with an interest in crawling the entire web for AI at the same time site owners are dealing with better scrapers) means the entire web will be login-only over time.
The irony is that the same companies pushing us toward login-only everything are also the ones best positioned to survive it
We're quite a few years into this period of technology. At a certain point, these "AI is going to kill the web!" predictions either need to come true or just be dismissed as false.
I don't see how those points bolster your conclusion. These pressures predate AI by over a decade and haven't forced a significant tidal change in the way the internet is used.
> Stripe customer ID and payment method ID Wouldnt this information allow for the authorities to just go to Stripe and ask the relevant information there? Sure, you don't store exact personally identifying info, but you store a breadcrumb that can lead whoever has the power to request that information to trace back to the end user
> And for those who need traditional payments? We support Stripe. Because pragmatism matters. But we don't pretend that credit card payments are anonymous. We're honest about the trade-offs.
I think this paragraph is clear enough about that?
>Here's how the average "privacy-focused" service actually works:
> ...
>5. Confirm identity for "fraud prevention" (now we have your ID)
I can't tell whether OP is being hyperbolic but it's certainly not representative of the average "privacy-focused" service I've came across. The typical service only asks for an email and maybe billing information (can be prepaid card or crypto). The only exception is protonmail, which might require SMS verification[1], but given the problem of email spam I'm sympathetic, and it's bypassble by paying. It's certainly not the "average" service, and no service asked to "Confirm identity".
[1] https://proton.me/support/human-verification
A phone number IS identity these days.
According to article, the whole authorization system is flawed. But we haven’t invent a new one and the one we’ve got never meant to be private, it is just a way to separate users from each other. We need something unique, a "primary key" for our DB, and that’s email or phone or username that has to be stored somewhere. A server, someone else’s computer, call it what you want. It has good privacy between users, but the admin can see everything, because otherwise management of the service would be impossible.
There is no anonymity, there is always someone you have to trust in the chain of WAN networking (DNS,ISP,VPN). If you want anonymity and privacy, you selfhost (examining the code is also a prerequisite). There is no other way to do it.
> but the admin can see everything, because otherwise management of the service would be impossible.
It depends on what service you’re offering. There are many cases where you can have end-to-end encryption so that you can know who your users are, host their data but cannot do anything with it.
> If you use our servers for illegal activity, law enforcement can still investigate. They just can't start with "who owns this account" because we can't answer that question.
You're going to have a tussle with law enforcement, and you're going to lose. Your service will last < 2 years because you will not be able to afford the lawyers you need to defend against even one muscle move by the government.
Good luck!
Why? That's kind of the whole point of this: they can cooperate entirely and give them everything they have. You think they'll get into legal trouble because they aren't gathering data?
You ever heard of the phrase “show me the man and I’ll show you the crime”? These guys are gonna discover what that means really quickly.
There are a number of companies/products that operate under this principle (mullvad and signal come to mind). Are you saying all of those are futile and misleading? Or are you saying that you expect they all have significant money and legal teams to defend against a crooked cop's thirst for vengeance for not responding the way they wanted during an investigation?
I’m saying it’s only a matter of time before they get Pavel Durov’ed.
No, this is a brilliantly original way to prevent legal action that has never been previously conceived of in the history of the internet.
Good old "we can't decrypt your laptop but we can repeatedly smash your head into the table until you start cooperating"
Even if you don't want to live entirely on the anonymous web, it's useful to see how many products claim privacy while being structurally incapable of delivering it
The problem with this in our current society is that staying anonymous becomes your whole identity. I have a friend who for the longest time didn’t use Venmo, Uber, etc. because of privacy reasons, but the lifestyle was just not sustainable. Ultimately convenience killed privacy.
I guess those are just examples and there are much more significant things, because Venmo and Uber seem far from indispensable.
>Ultimately convenience killed privacy.
By design, unfortunately.
We have to choose where anonymity is worth the tradeoffs, but it's still quite possible to live without Venmo, Uber, etc.
So my understanding is, what Mullvad is to VPNs, and what Tarsnap is to S3 (kinda), Servury is to entire VMs. It's a prepaid model, you get an account identifier, and that's basically it.
This is very cool. I have wondered for a very long time why such a site does not exist. What pops to mind is that you could get better unit economics reselling really small VMs to the privacy obsessed. I know some netizens who would pay a dollar a month for, say, a tiny NetBSD VM and 64 MB of RAM to serve their tiny static demoscene website of yore. There are some real wizards of there.
Not sure if that's in your roadmap but definitely something to consider in this space.
I’m fine with no account recovery but they would definitely need a major warning about that at sign up time so users can take extra care to save their info.
the only way is “anonymity by design”. history showed us that “don’t be evil” does not work if the entity can change its mind unilaterally.
be confident that the service is not keeping logs? JÁ!
One difference with Mullvad is VPN traffic is ephemeral. Here, a VPS has a persistent disk attached, that could contain identifying information (if it is necessary to do useful work).
And, also not very funny, those corps never tell in advance which data they "require". They grab my mail on "the first page" of the registration form. Then, on "the second page", they ask for my phone and my address. Should I decide to agree to this, they will finally tell me on "the third page", that they only support credit card, no PayPal, no direct payment via Bank ...
The onion link for the site appears to be broken.
It's a bit ironic the page is protected by Cloudflare. So, all of our traffic is going through some other company to log and track before it gets to you, eh?
Glad I had to do a Cloudflare turnstile captcha to see this page
What I was wondering after reading the article: How does Mulvad actually decouple banking data from the account ID? Or is it as simple as verify transaction once but never log?
You can pay with an envelope of cash, so they don't need your banking data to begin with.
Perhaps so, but that's damn difficult or very risky for all but a very select few.
Because you can't mail cash? Or it won't be delivered without a return address
I think they remove the invoice after a month. You can also, send them cash in an envelope
So there's no subscription thing going on, you just manually pay invoices?
I once spent an entire year issuing chargebacks on AWS charges coming from god knows what AWS account. Most likely some client project I forgot about and didn't have the login to anymore, who knows. Makes me think about that - for a service where you can't login if you lose the credentials, how do you cancel a subscription? In my case I had to eventually just cancel the credit card and get a new number.
No subscription. It’s pay as you go. You top up $X and you get X months. That’s it. If your month expires, it expires. Just top off and you’re good to go.
I would much rather have privacy with e2e encryption than have anonymity. The way that works is a direct connection between two parties without use of a central server, like webRTC.
I don’t know what’s wrong with these comments. This is the kind of smart design we want to see and everyone is doing nitpicking.
Can we have just better things or are we going to reject everything that’s not perfect and by doing so concede the whole point and just give up?
Well done OP for the right approach and your business. This has always been my design (when possible) to approach data security. When you don’t have data you don’t have to worry about its security.
Best of luck, ignore the naysayers.
I like the idea of this but I'm a certain this article is AI generated.
This was authored using an LLM, wasn't it. The style is unmistakable. Stop wasting our time with this slop.
Here's the thing. It's not just x, it's hyperbole y. Hyperbole. Y.
Yeeeep. I'm very disappointed because the subject matter is important.
thank you. absurd no other comments noticed
tl;dr “Privacy” = the data is private i.e. only on your devices. Or if the raw data is public but encrypted and the key is private, I think that qualifies.
“Anonymity” = the data is public but not linked to its owner’s identity.
If you’re sharing your data with a website (e.g. storing it unencrypted), but they promise not to leak it, the data is only “private” between you and them…which doesn’t mean much, because they may not (and sometimes cannot) keep that promise. But if the website doesn’t attribute the data except to a randomly-generated identifier (or e.g. RSA public key), the data is anonymous. That’s the article.
Although a server does provide real privacy if it stores user data encrypted and doesn’t store the key, and you can verify this if you have the client’s unobfuscated source.
Also note that anonymity is less secure than privacy because the information provides clues to the owner. e.g. if it’s a detailed report on a niche topic with a specific bias and one person is known to be super interested in that topic with that bias, or if it contains parts of the owner’s PII. But it’s much better than nothing.
Europe is currently being tormented by this exact contradiction: on one hand, it has the GDPR—the world's strictest privacy law, supposedly protecting personal data; on the other, a flood of new regulations under the banners of "child safety," "counter-terrorism," and "anti-money laundering" are systematically strangling real anonymity.
> That's not privacy. That's performance art.
Smells like it was written by an LLM so I stopped reading.
The very premise is false, privacy does mean something, and anonymity doesn't really exists. This is an advertisement.
I agree, privacy still means a lot. It's a term that's been co-opted by the large tech companies which operate with impunity. It will has meaning that cannot change.
The post also misunderstands privacy
> Privacy is when they promise to protect your data.
Privacy is about you controlling your data. Promises are simply social contracts.
> "privacy" has become the most abused word in tech
Ideally, an argument about privacy would start with its notion of privacy.
https://en.wikipedia.org/wiki/Privacy#Conceptions_of_privacy
AI generated article. What a slop.
> Privacy is Marketing. Anonymity is Architecture.
But in order to read the article you need to enable JS. What a joke.
Exactly. I run sans JS by default. At least this warns me to either avoid the site or to take the risk (browser button--red for JS block, green unblock).
it's 2025. chances are you had peeps in class/uni who are now in the Stasi networks of informants and/or in some more or less obscure agency or more or less related private company so your anonymity only works from birth and even then only if you are lucky or your family "gets it" and has resources and brains beyond.
some people believe supply chain attacks are rare and hard to pull off and expensive and only valuable in extreme cases but if you ever worked at a local delivery service or pharmacy or something other where people and the necessary machines are being aggregated in some basements or even backrooms for all use cases from all times for wholesale forgery and fiddling with people, you know that the situation is ugly, not bad. throw in the many coders, network engineers and hardware specialists with ties to above entities and bombaclat, Jahmunkey, we fucked!
#TheEconomicsOfPunchedDrugs #Automation #DataAnalysis #SituationalAssessment #HeyIsThatATurdNuggetAtTheTopOfThatPyramid
Nice ad you bought! Oh wait
"privacy" or not sharing your space with a creepy room mate, and reading the internet without adds ar3 parallel
running three flavors of the same off brand browser, each optimised for different segments of online content is what seems to be the minimum.
they are so desperate to sell me something, (a truck) that it's wild, as it is one of the few monitisable things I consistently look for (parts, service procedures), the , pause, when I do certain searches gives me time to predict that yes, the machinery is grinding hard, and will ,shortly, triumphantly, produce, a ,truck.
Good luck guys, you will surely attract the attention of Feds very quickly.
Yet another promotional post of Mullvad team. Nice story, but I don't buy it.
Email is fine when it is an option. Mullvad have even option to pay with a credit card & PayPal. That's more sensitive data than Email.
Is this a joke?
hyperbolic.
anonymity in your product could be a sensible design choice that your customers could value. fine. go nuts.
but in general? hard disagree. anonymity is fragile and can't be guaranteed, privacy is a legal obligation which can actually be enforced if push comes to shove.
also that page reads like slop : it's not X, it's Y. blah blah blah. this is a marketing piece trying to go viral.
How tf are you supposed to provide working authentication without storing the email somewhere? Should i just disable password resets and tell the users to fuck off if they forget theirs? Cant even use passkeys as they make users identifiable too.
How do passkeys make users identifiable beyond being a random token? I recall FIDO shared hardware key serial numbers with websites, but at least on Firefox, it prompts you to deny it.
In that case one could argue emails dont make users identifiable either, if the addresses dont contain any meaningful names
A passkey is always one per site. Emails tend to be naturally reused, unless the visitor uses a paid aliasing service (plus trick is trivial to canonize, having a dozen mailboxes on a self-hosted email still associates them with each other, because there's no anonymity set to speak of, and major email providers like Gmail won't let you register an account today without a phone number, credit card, or passport).
Users need to have hard memorization or record of a paraphrase, same as a crypto wallet. Or just use web3 for auth, that can work well if users have decent opsec.
That’s a trade off if you don’t want the service to know who you are
The battle on privacy/anonymity/whatever is lost. Get over it. What we need is a new social paradigm where everyone is happy despite the lack of privacy.
Please provide your full legal name (include any other names you go by), occupation and place of employment, phone number[s], email address[es], usernames on other social media accounts, eye color, height, weight, list of any health conditions. That's just to start, then we can start going over more info.
Suk Mai Dik, living in Yo Momma's Trailer, employed as Yo Momma's Pimp.
Sorry but I just couldn't resist hehehe.
> The battle on X is lost. Get over it. What we need is a new social paradigm where everyone is happy despite the lack of X.
Where have I heard this before?
Sounds like Scott McNealy in 1999. At the time I hated the idea, but have to admit now his viewpoint is winning and on the way to won.
Betamax is obviously the better standard.
What's your definition of privacy?
Everybody says I should be ok having no privacy and yet frown upon me posting photos of the poop I take on Instagram.
Yes, exactly, that's what I'm talking about. Imagine a world where it's completely acceptable to post poop on Instagram, and people who don't want to look at it simply tick "don't display poop". The thing is, the "if you have nothing to hide then you have nothing to fear" argument IS true, under assumption that others would be understanding and compassionate to your intentions. Which is exactly the opposite of the legal/societal system we currently have.
What I'm trying to say is that the core issue is "people aren't trustworthy" and "we need privacy" is a bandaid on the former problem. If we manage to create a society where people are trustworthy, the need of privacy will disappear.
The core problem is that people have (and will always have) divergent goals, and a large subset of people see no problem in using coercive and even violent means to ensure that their own “team” wins. This is human nature and cannot be remedied.
The thing is, same logic applies to other entities that form groups, like cells in an organism, or ants in a colony.
Then the government is overturned by a totalitarian clique that declares displaying poop punishable by death, and this includes any past display of poop. Suddenly you find yourself here
Apparently neither does spelling. "anymore" -> "any more"
I didn't think anyone [not any one] could be more pedantic than I am. Damn it.
D@mn, I believed you were thinking that no one (not noone) could be more pedantic than you.
https://www.merriam-webster.com/dictionary/anymore
Anymore is a word though.