| |
| ▲ | drink_machine 2 days ago | parent | next [-] | | Shouldn't you have spent some time to think through basic things like this before trying to write an opinion piece on anonymity? Certainly it shows a lack of depth of understanding. | | |
| ▲ | everdrive 2 days ago | parent | next [-] | | The privacy crowd seems to be incapable of grey areas. Are all these the same thing? Are they all the same severity of problem? - A web site logs traffic in a sort of defacto way, but no one actually reviews the traffic, and it's not sent to 3rd parties.
- A government website uses a standard framework and that framework loads a google subdomain. In principle, Google could use this to track you but there's no evidence that this actually happens.
- A website tracks user sessions so they can improve UI but don't sell that data to 3rd parties.
- A website has many 3rd party domains, many of which are tracking domains.
- Facebook knows exactly who you are and sells your information to real-time-bidding ad services.
- Your cell phone's 3G connection must in principle triangulate you for the cell phone to function, but the resolution here is fuzzy.
- You use Android and even when your GPS is turned "off" Google is still getting extremely high resolution of your location at all times and absolutely using that information to target you.
A LOT of the privacy folks would put all those examples in the same category, and it absolutely drives me up a wall. It's purity-seeking at the expense of any meaningful distinction, or any meaningful investigation that actually allows uses to make informed decisions about their privacy. | | |
| ▲ | johnnyanmac a day ago | parent | next [-] | | The issue isn't about the present but the future. You don't just assume Google one day won't try to compromise government data. Even if they don't, it opens up more attack vectors for malicious 3rd parties who want that data. That's why you can't be careless. | | |
| ▲ | TeMPOraL a day ago | parent [-] | | That is paranoia. At any time any company could turn evil, and any free(ish) government could become totalitarian overnight. This is a fact, but also pretty useless one. The real questions to ask are, how likely it is to happen, and if that happens, how much did all these privacy measures accomplish. The answer to those are, "not very", and "not much". Down here on Earth, there are more real and immediate issues to consider, and balance to be found between preventing current and future misuse of data by public and private parties of all sides, while sharing enough data to be able to have a functioning technological civilization. Useful conversations and realistic solutions are all about those grey areas. | | |
| ▲ | johnnyanmac a day ago | parent | next [-] | | >At any time any company could turn evil, and any free(ish) government could become totalitarian overnight. This is a fact, but also pretty useless one. Is it isrlsss paranoia when it's happening around us as we speak? It's strange how we call it "preparation" to spend trillions of dollars on mobilizing a military, but "paranoia" to simply take some best practices and not have the citizen's data dangling around. Its a much cheaper aspect with huge results, like much of tech. I live in a good neighborhood and I have left my door unlocked once or twice to no consequence. That doesn't mean it's paranoia to make a habit out of locking my doors. That's all I assert here. Care and effort. I don't know all the subtle steps to take since I'm not in cybersecurit, but we still shouldn't excuse sloppiness. | |
| ▲ | 15 hours ago | parent | prev | next [-] | | [deleted] | |
| ▲ | everdrive 17 hours ago | parent | prev | next [-] | | This is really well-stated, and I'd add that even if you want to adopt the paranoid perspective, it still shouldn't lead someone to flatten all risks until they look the same. In real-world scenarios with real risk (military, firefighting, policing, etc.) real effort is made to measure and prioritize risks. Without that measuring and prioritizing risks the privacy crowd prevented from making real improvement. | |
| ▲ | drob518 16 hours ago | parent | prev [-] | | Exactly. Just because something is possible doesn’t mean it’s probable. Everything is a risk. Everyone needs to prioritize against the set of risks that can be identified and figure out if they can be mitigated. |
|
| |
| ▲ | dylan604 a day ago | parent | prev | next [-] | | > - A web site logs traffic in a sort of defacto way, but no one actually reviews the traffic, and it's not sent to 3rd parties. Even if this sounds innocent, these must be turned over if you are provided a warrant or subpoena (which ever would be appropriate, IANAL). | | |
| ▲ | Brian_K_White a day ago | parent [-] | | But it's not malicious. It's not ideal, and it should be addressed, but it's not bad faith or intentional spying or even gross negligence or incompetence. | | |
| ▲ | dylan604 a day ago | parent [-] | | When you claim you keep no logs yet find out you are keeping logs, what is that if not incompetence or negligence? | | |
| ▲ | Brian_K_White a day ago | parent [-] | | Human. And what was their reaction upon having this crime brought to their attention? It was exactly all anyone could ask for. Shitting on well-intentioned people who merely failed to be perfect is not a great way to get the most of what you ultimately want. If you think intent doesn't matter then what happens when well-intentioned people decide it's not worth trying because no matter what they will be crucified as murderers even if all they did wrong was fail to clean the break room coffee pot. The actual baddies are still there and have no inhibitions and now not even any competition. | | |
| ▲ | dylan604 12 hours ago | parent [-] | | Calling a strike a strike does not blame the batter. It’s simply calling it for what it is. Even if the person corrects the wrong does not mean that incompetence or negligence was not the correct description. This entire being offended for the correct words used to describe things is tiresome. It’s like people being offended at being told they are ignorant. Ignorant does not mean stupid. Just because ignorant people are ignorant of the word does not make people using words correctly mean or bad or full of ill will. |
|
|
|
| |
| ▲ | Rygian a day ago | parent | prev | next [-] | | They belong in the same category: the end user has zero agency over how their privacy is impacted, and is at the whim of the wishes/agency of whoever is serving content to them. Whether the one serving the content is exploiting data at the present moment has very little relevance. Because the end user has no means to assert whether it is happening or not. | |
| ▲ | roncesvalles a day ago | parent | prev [-] | | >A web site logs traffic in a sort of defacto way, but no one actually reviews the traffic, and it's not sent to 3rd parties. If data exists, it can be subpoenaed by the government. Personally, I don't understand people's mindless anathema about being profiled by ad companies, as if the worst thing ever in the world is... being served more relevant ads? In fact I love targeted ads, I often get recommended useful things that genuinely improve my life and save me hours in shopping research. It's the government getting that data that's the problem. Because one day you might do something that pisses off someone in the government, and someone goes on a power trip and decides to ruin your life by misusing the absolute power of the state. | | |
| ▲ | ahartmetz 20 hours ago | parent | next [-] | | The private sector - banks, insurances, your e-mail provider, cloud storage provider... - can mess with you pretty well, too. | |
| ▲ | hdgvhicv 16 hours ago | parent | prev | next [-] | | If a correlation has the data it will sell it to anyone, including the government If a government has the data there’s a chance it will stay in the government at least You either 1) don’t want it stored 2) are happy for government to have it but not companies 3) are happy for everyone to have it | |
| ▲ | everdrive 17 hours ago | parent | prev [-] | | The government would need to know what to subpoena, and what to prioritize as well. In principle could the government subpoena my ISP, learn I'd used a VPN, subpoena the VPN, learned I visited Wikipedia, then subpoena Wikipedia to finally learn what articles I'd written. Yes, but in practice this will never happen. There's no interest in doing so, and it's unclear a judge would be convinced that useful information could be obtained from such a path. On the other hand, if I'm making death threats on Facebook, there's a much more realistic path: view the threats from a public source --> subpoena Facebook for private data. Treating the two risks as similar is madness. |
|
| |
| ▲ | amarant a day ago | parent | prev | next [-] | | We all mess up and miss things, op has shown maturity enough to admit to their mistakes and improve from them. My takeaway from this thread is an increased amount of trust in OP. Not because they made a mistake, but because of how they handled it. Well done OP! | |
| ▲ | ybceo 2 days ago | parent | prev | next [-] | | I disagree. Like I said earlier : Web server logs were not tied to user credentials in any way, they were used for debugging purposes and could not have been used to identify users. | | |
| ▲ | pear01 2 days ago | parent | next [-] | | You disagree and yet you agreed 100% and made the change. I thought the point the preceding parent comment is making is that you should have thought of that beforehand. Yet you seemed to already come to a judgement about it yet then quickly agreed to reverse yourself. Sounds like a clear "lack of a depth of understanding" to me. | | | |
| ▲ | procaryote 2 days ago | parent | prev | next [-] | | From your faq: "We maintain zero logs of your activities. We don't track IP addresses, …" Front page says "zero logs" Some logs, including specifically datapoints you have promised not to log, but you mean well (?) is pretty different from zero logs | | |
| ▲ | ffsm8 2 days ago | parent [-] | | Fwiw, zero logs in that context is usually in the relation to requests through the VPN, whereas this discussion is about requests on their homepage? Or did I misunderstand something here? |
| |
| ▲ | organsnyder 2 days ago | parent | prev | next [-] | | I have a static IP address; and most connections tend to have long-lived leases anyways. It can easily be used to identify me, even if you don't explicitly tie it to my account. | |
| ▲ | drink_machine 2 days ago | parent | prev [-] | | [flagged] | | |
| ▲ | ybceo 2 days ago | parent [-] | | I went ahead and took action on the criticism as soon as I saw the parent comment. All apache access logs are piped to /dev/null now. I'm not here to debate, the reason I posted here is to hear what people thought and see how I could improve my platform based on the criticism. | | |
| ▲ | basedrum 2 days ago | parent | next [-] | | Look into the Apache module called mod-remove-IP, it's old and hasn't had any changes for years, but it works much better than just disabling in the logs because it will also persist those removals throughout any frameworks. Also with Apache you cannot as easily destroy your error logs which sometimes have IPS in them. Consider nginx as an alternative | | |
| ▲ | reactordev 2 days ago | parent [-] | | Consider Caddy as an alternative. Nginx is no better. Both Apache httpd and nginx are old and don’t support newer protocols like HTTP/3. Maybe I’m wrong. Another issue is with Apache httpd’s routing. Removing the IP messes up routing sometimes when using mod_rewrite. | | |
| |
| ▲ | navigate8310 2 days ago | parent | prev [-] | | I appreciate your opinion on anonymity, but, it's nothing more than, "trust me bro". And being a US company that further tingles the spidy sense. | | |
| ▲ | joemazerino 2 days ago | parent [-] | | The US isn't the sole transgressor against privacy. EU has made that pretty clear in the last month. | | |
| ▲ | sallveburrpi 2 days ago | parent [-] | | What happened in the last month? Genuine question | | |
| ▲ | joemazerino 14 hours ago | parent [-] | | Look up Chat Control. | | |
| ▲ | sallveburrpi 14 hours ago | parent [-] | | Chat Control was first proposed in 2022 and is still in parliament.
Some try to push it through again and again but it gets blocked.
I don’t see why it should be different this time and so far nothing has actually changed for EU citizens. |
|
|
|
|
|
|
| |
| ▲ | lisbbb a day ago | parent | prev [-] | | Privacy was a joke--every time I gave someone my data that data got breached, including the US government. |
| |
| ▲ | ljlolel 2 days ago | parent | prev | next [-] | | The whole thing is behind cloudflare! | | |
| ▲ | megous 2 days ago | parent | next [-] | | Anonymity is responsibility of a visitor in any case. If the visitor's anonymity depends on some website not storing logs, the visitor lost already. | | |
| ▲ | reactordev 2 days ago | parent [-] | | Your browser knows more about you than you do. When accessing a website, anonymous or not, it sends a fingerprint so to speak to that site and its ad network. It’s there that your anonymity ceases and you are identified, classified, segmented, and fed more “How to stay safe online” ads. There’s no escaping it. Chromium is not to be trusted. |
| |
| ▲ | bossyTeacher 2 days ago | parent | prev [-] | | in 2025, can small and medium businesses afford to be exposed to the world wild web? You don't need to be a major site these days to be DDosed on the regular | | |
| ▲ | V__ 2 days ago | parent | next [-] | | Who gets ddosed on the regular? Spam is a regular problem, but I have never encountered a ddos on a business website. | |
| ▲ | encom 2 days ago | parent | prev | next [-] | | Baseless fear mongering. I've had webservers raw-dogging the Internet for about 25 years. Nothing of any consequence has happened. Hasn't happened to anyone I know, either. Anecdata yes, but people are making it sound like running a webserver is like connecting a Windows XP machine to the internet - instant pwnage. It isn't. I've been DDoS'ed exactly once. In 2003 I got into a pointless internet argument on IRC, and my home connection got hammered, which of course made me lose the argument by default. I activated my backup ISDN, so my Diablo 2 game was barely interrupted. | | |
| ▲ | hollerith 2 days ago | parent [-] | | >I've had webservers But have those webservers supported a small or medium-sized business? | | |
| ▲ | trollbridge 2 days ago | parent | next [-] | | Mine do, although I do use Cloudflare. I've periodically removed Cloudflare because of issues with reissuing SSL certs, Cloudflare being down, and other reasons, and haven't noticed any problems. The biggest benefit I get from Cloudflare is blocking scraper robots, which I've just been too lazy to figure out how to do myself. | |
| ▲ | sdoering 2 days ago | parent | prev [-] | | Mine did. Mine do. Never a problem. Not once. |
|
| |
| ▲ | 63stack a day ago | parent | prev | next [-] | | Yes. The whole "you will be ddosd if you are exposed to the world wide web" is fud. (And/or racketeering) | |
| ▲ | immibis 2 days ago | parent | prev [-] | | Despite what Cloudflare wants you to think, yes, yes they can. Also you can sue whoever DDoSes you and put them in jail. It's easier than it used to be, since the internet is heavily surveilled now. The malicious actors with really good anonymity aren't wasting it attacking a nobody. |
|
| |
| ▲ | sdoering 2 days ago | parent | prev | next [-] | | Does it matter, when CF is collecting all that already before people even reach your site? | | |
| ▲ | zbentley a day ago | parent | next [-] | | Does CF matter, when intermediate ISPs are collecting IP address and DNS query activity and can be subpoenaed? The answer to both this and parent is yes: partial privacy improvements are still improvements. There are two big reasons for this and many smaller reasons as well: First, legal actors prioritize who to take action against; some cases are “worth seeing if $law-enforcement-agency can get logs from self-hosted or colo’d servers with minimal legal trouble” but not “worth subpoenaing cloudflare/a vpn provider/ISP for logs that turned out not to be stored on the servers that received the traffic“. Second, illegal actors are a lot more likely to break into your servers and be able to see traffic information than they are to be able to break into cloudflare/vpn/ISP infrastructure. Sure, most attackers aren’t interested in logs. But many of the kind of websites whose logs law enforcement is interested in are also interesting to blackmailers. | |
| ▲ | dylan604 a day ago | parent | prev [-] | | If the authorities come to TFA site with demands, they can't do anything about what CF is doing. All they can do is turn over what they have, and/or prove they don't have what is being asked of them. What some 3rd party does is not germane at all. |
| |
| ▲ | mk89 2 days ago | parent | prev [-] | | Are you allowed to do that in US? I see the company is located in the USA, can companies disable logging just like that? (Asking because I really don't know) | | |
| ▲ | SoftTalker 2 days ago | parent | next [-] | | I don't know either, but I would guess there are no laws that says internet service operators must log anything. But, banks and financial services now must obey "know your customer" laws so it's not beyond imagination that similar laws could be applied to websites and ISPs operating in a particular country. | |
| ▲ | drnick1 a day ago | parent | prev | next [-] | | What is truly absurd is that most websites default to logging activities. It's as if they actively conspired against their users. | |
| ▲ | immibis 2 days ago | parent | prev [-] | | In most countries the law doesn't say you have to log everything about your users, but it does say that if you log it and the police ask for it then you have to give the data to them. | | |
| ▲ | singpolyma3 2 days ago | parent [-] | | I think you mean if a court asks for it. And they have to ask for something you actually have | | |
| ▲ | immibis 2 days ago | parent [-] | | That's why companies that actually care about privacy (I think there are only two - Mullvad and Signal?) make a point of not ever capturing the data to begin with, and deleting what they do capture as soon as possible. | | |
| ▲ | singpolyma3 a day ago | parent [-] | | Interesting that you mention those two as I'd not trust either with private data. They engage in too much magical thinking in their marketing for my liking... | | |
|
|
|
|
|
