Privacy stalwart Nicholas Merrill spent a decade fighting an FBI surveillance order. Now he wants to sell you phone service—without knowing almost anything about you. Nicholas Merrill has spent his career fighting government surveillance. But he would really rather you didn’t call what he’s selling now a “burner phone.” Yes, he dreams of a future where anyone in the US can get a working smartphone—complete with cellular coverage and data—without revealing their identity, even to the phone company. But to call such anonymous phones “burners” suggests that they’re for something illegal, shady, or at least subversive. The term calls to mind drug dealers or deep-throat confidential sources in parking garages. With his new startup, Merrill says he instead wants to offer cellular service for your existing phone that makes near-total mobile privacy the permanent, boring default of daily life in the US. “We're not looking to cater to people doing bad things,” says Merrill. “We're trying to help people feel more comfortable living their normal lives, where they're not doing anything wrong, and not feel watched and exploited by giant surveillance and data mining operations. I think it’s not controversial to say the vast majority of people want that.” That’s the thinking behind Phreeli, the phone carrier startup Merrill launched today, designed to be the most privacy-focused cellular provider available to Americans. Phreeli, as in, “speak freely,” aims to give its user a different sort of privacy from the kind that can be had with end-to-end encrypted texting and calling tools like Signal or WhatsApp. Those apps hide the content of conversations, or even, in Signal’s case, metadata like the identities of who is talking to whom. Phreeli instead wants to offer actual anonymity. It can’t help government agencies or data brokers obtain users’ identifying information because it has almost none to share. 
The only piece of information the company records about its users when they sign up for a Phreeli phone number is, in fact, a mere ZIP code. That’s the minimum personal data Merrill has determined his company is legally required to keep about its customers for tax purposes. By asking users for almost no identifiable information, Merrill wants to protect them from one of the most intractable privacy problems in modern technology: Despite whatever surveillance-resistant communications apps you might use, phone carriers will always know which of their customers’ phones are connecting to which cell towers and when. Carriers have frequently handed that information over to data brokers willing to pay for it—or any FBI or ICE agent that demands it with a court order. Merrill has some firsthand experience with those demands. Starting in 2004, he fought a landmark, decade-plus legal battle against the FBI and the Department of Justice. As the owner of an internet service provider in the post-9/11 era, Merrill had received a secret order from the bureau to hand over data on a particular user—and he refused. After that, he spent another 15 years building and managing the Calyx Institute, a nonprofit that offers privacy tools like a snooping-resistant version of Android and a free VPN that collects no logs of its users’ activities. “Nick is somebody who is extremely principled and willing to take a stand for his principles,” says Cindy Cohn, who as executive director of the Electronic Frontier Foundation has led the group’s own decades-long fight against government surveillance. “He's careful and thoughtful, but also, at a certain level, kind of fearless.” Nicholas Merrill with a copy of the National Security Letter he received from the FBI in 2004, ordering him to give up data on one of his customers. He refused, fought a decade-plus court battle—and won. 
More recently, Merrill began to realize he had a chance to achieve a win against surveillance at a more fundamental level: by becoming the phone company. “I started to realize that if I controlled the mobile provider, there would be even more opportunities to create privacy for people,” Merrill says. “If we were able to set up our own network of cell towers globally, we can set the privacy policies of what those towers see and collect.” Building or buying cell towers across the US for billions of dollars, of course, was not within the budget of Merrill’s dozen-person startup. So he’s created the next best thing: a so-called mobile virtual network operator, or MVNO, a kind of virtual phone carrier that pays one of the big, established ones—in Phreeli’s case, T-Mobile—to use its infrastructure. The result is something like a cellular prophylactic. The towers are T-Mobile’s, but the contracts with users—and the decisions about what private data to require from them—are Phreeli’s. “You can't control the towers. But what can you do?” he says. “You can separate the personally identifiable information of a person from their activities on the phone system.” Signing up a customer for phone service without knowing their name is, surprisingly, legal in all 50 states, Merrill says. Anonymously accepting money from users—with payment options other than envelopes of cash—presents more technical challenges. To that end, Phreeli has implemented a new encryption system it calls Double-Blind Armadillo, based on cutting-edge cryptographic protocols known as zero-knowledge proofs. Through a kind of mathematical sleight of hand, those crypto functions are capable of tasks like confirming that a certain phone has had its monthly service paid for, but without keeping any record that links a specific credit card number to that phone. 
Phreeli users can also pay their bills (or rather, prepay them, since Phreeli has no way to track down anonymous users who owe them money) with tough-to-trace cryptocurrency like Zcash or Monero. Phreeli users can, however, choose to set their own dials for secrecy versus convenience. If they offer an email address at signup, they can more easily recover their account if their phone is lost. To get a SIM card, they can give their mailing address—which Merrill says Phreeli will promptly delete after the SIM ships—or they can download the digital equivalent known as an eSIM, even, if they choose, from a site Phreeli will host on the Tor anonymity network. Phreeli’s “armadillo” analogy—the animal also serves as the mascot in its logo—is meant to capture this sliding scale of privacy that Phreeli offers its users: Armadillos always have a layer of armor, but they can choose whether to expose their vulnerable underbelly or curl into a fully protected ball. Even if users choose the less paranoid side of that spectrum of options, Merrill argues, his company will still be significantly less surveillance-friendly than existing phone companies, which have long represented one of the weakest links in the tech world’s privacy protections. All major US cellular carriers comply, for instance, with law enforcement surveillance orders like “tower dumps” that hand over data to the government on every phone that connected to a particular cell tower during a certain time. They’ve also happily, repeatedly handed over your data to corporate interests: Last year the Federal Communications Commission fined AT&T, Verizon, and T-Mobile nearly $200 million for selling users’ personal information, including their locations, to data brokers. (AT&T’s fine was later overturned by an appeals court ruling intended to limit the FCC’s enforcement powers.) 
Many data brokers in turn sell the information to federal agencies, including ICE and other parts of the DHS, offering an all-too-easy end run around restrictions on those agencies’ domestic spying. Phreeli doesn’t promise to be a surveillance panacea. Even if your cellular carrier isn’t tying your movements to your identity, the operating system of whatever phone you sign up with might be. Even your mobile apps can track you. But for a startup seeking to be the country’s most privacy-focused mobile carrier, the bar is low. “The goal of this phone company I'm starting is to be more private than the three biggest phone carriers in the US. That’s the promise we’re going to massively overdeliver on,” says Merrill. “I don’t think there’s any way we can mess that up.” Merrill’s not-entirely-voluntary decision to spend the last 20-plus years as a privacy diehard began with three pages of paper that arrived at his office on a February day in New York in 2004. An FBI agent knocked on the door of his small internet service provider firm called Calyx, headquartered in a warehouse space a block from the Holland Tunnel in Manhattan. When Merrill answered, he found an older man with parted white hair, dressed in a trench coat like a comic book G-man, who handed him an envelope. Merrill opened it and read the letter while the agent waited. The first and second paragraphs told him he was hereby ordered to hand over virtually all information he possessed for one of his customers, identified by their email address, explaining that this demand was authorized by a law he’d later learn was part of the Patriot Act. The third paragraph informed him he couldn’t tell anyone he’d even received this letter—a gag order. Then the agent departed without answering any of Merrill’s questions. He was left to decide what to do, entirely alone. Merrill was struck immediately by the fact that the letter had no signature from a judge. 
He had in fact been handed a so-called National Security Letter, or NSL, a rarely seen and highly controversial tool of the Bush administration that allowed the FBI to demand information without a warrant, so long as it was related to “national security.” Calyx’s actual business, since he’d first launched the company in the early ’90s with a bank of modems in the nonfunctional fireplace of a New York apartment, had evolved into hosting the websites of big corporate customers like Mitsubishi and Ikea. But Merrill used that revenue stream to give pro bono or subsidized web hosting to nonprofit clients he supported like the Marijuana Policy Project and Indymedia—and to offer fast internet connections to a few friends and acquaintances like the one named in this surveillance order. Merrill has never publicly revealed the identity of the NSL's target, and he declined to share it with WIRED. But he knew this particular customer, and he certainly didn’t strike Merrill as a national security threat. If he were, Merrill thought, why not just get a warrant? The customer would later tell Merrill he had in fact been pressured by the FBI to become an informant—and had refused. The bureau, he told Merrill, had then retaliated by putting him on the no-fly list and pressuring employers not to hire him. (The FBI didn’t respond to WIRED’s request for comment on the case.) Merrill immediately decided to risk disobeying the gag order—on pain of what consequences, he had no idea—and called his lawyer, who told him to go to the New York affiliate of the American Civil Liberties Union, which happened to be one of Calyx’s web-hosting clients. After a few minutes in a cab, Merrill was talking to a young attorney named Jameel Jaffer in the ACLU’s Financial District office. “I wish I could say that we reassured him with our expertise on the NSL statute, but that's not how it went down,” Jaffer says. 
“We had never seen one of these before.” Merrill, meanwhile, knew that every lawyer he showed the letter to might represent another count in his impending prosecution. “I was terrified,” he says. “I kind of assumed someone could just come to my place that night, throw a hood over my head, and drag me away.” Phreeli will use a novel encryption system called Double-Blind Armadillo—based on cutting edge crypto protocols known as zero-knowledge proofs—to pull off tricks like accepting credit card payments from customers without keeping any record that ties that payment information to their particular phone. Despite his fears, Merrill never complied with the FBI’s letter. Instead, he decided to fight its constitutionality in court, with the help of pro bono representation from the ACLU and later the Yale Media Freedom and Information Access Clinic. That fight would last 11 years and entirely commandeer his life. Merrill and his lawyers argued that the NSL represented an unconstitutional search and a violation of his free-speech rights—and they won. But Congress only amended the NSL statute, leaving the provision about its gag order intact, and the legal battle dragged out for years longer. Even after the NSL was rescinded altogether, Merrill continued to fight for the right to talk about its existence. “This was a time when so many people in his position were essentially cowering under their desks. But he felt an obligation as a citizen to speak out about surveillance powers that he thought had gone too far,” says Jaffer, who represented Merrill for the first six years of that courtroom war. “He impressed me with his courage.” Battling the FBI took over Merrill’s life to the degree that he eventually shut down his ISP for lack of time or will to run the business and instead took a series of IT jobs. “I felt too much weight on my shoulders,” he says. 
“I was just constantly on the phone with lawyers, and I was scared all the time.” By 2010, Merrill had won the right to publicly name himself as the NSL’s recipient. By 2015 he’d beaten the gag order entirely and released the full letter with only the target’s name redacted. But Merrill and the ACLU never got the Supreme Court precedent they wanted from the case. Instead, the Patriot Act itself was amended to rein in NSLs’ unconstitutional powers. In the meantime, those years of endless bureaucratic legal struggles had left Merrill disillusioned with judicial or even legislative action as a way to protect privacy. Instead, he decided to try a different approach. “The third way to fight surveillance is with technology,” he says. “That was my big realization.” So, just after Merrill won the legal right to go public with his NSL battle in 2010, he founded the Calyx Institute, a nonprofit that shared a name with his old ISP but was instead focused on building free privacy tools and services. The privacy-focused version of Google’s Android OS it would develop, designed to strip out data-tracking tools and use Signal by default for calls and texts, would eventually have close to 100,000 users. It ran servers for anonymous, encrypted instant messaging over the chat protocol XMPP with around 300,000 users. The institute also offered a VPN service and ran servers that comprised part of the volunteer-based Tor anonymity network, tools that Merrill estimates were used by millions. As he became a cause célèbre and then a standout activist in the digital privacy world over those years, Merrill says he started to become aware of the growing problem of untrustworthy cellular providers in an increasingly phone-dependent world. He’d sometimes come across anti-surveillance hard-liners determined to avoid giving any personal information to cellular carriers, who bought SIM cards with cash and signed up for prepaid plans with false names. 
Some even avoided cell service altogether, using phones they connected only to Wi-Fi. “Eventually those people never got invites to any parties,” Merrill says. All these schemes, he knew, were legal enough. So why not a phone company that only collects minimal personal information—or none—from its normal, non-extremist customers? As early as 2019, he had already consulted with lawyers and incorporated Phreeli as a company. He decided on the for-profit startup route after learning that the 501c3 statute can’t apply to a telecom firm. Only last year, he finally raised $5 million, mostly from one angel investor. (Merrill declined to name the person. Naturally, they value their privacy.) Building a system that could function like a normal phone company—and accept users’ payments like one—without storing virtually any identifying information on those customers presented a distinct challenge. To solve it, Merrill consulted with Zooko Wilcox, one of the creators of Zcash, perhaps the closest thing in the world to actual anonymous cryptocurrency. The Z in Zcash stands for “zero-knowledge proofs,” a relatively new form of crypto system that has allowed Zcash’s users to prove things (like who has paid whom) while keeping all information (like their identities, or even the amount of payments) fully encrypted. For Phreeli, Wilcox suggested a related but slightly different system: so-called “zero-knowledge access passes.” Wilcox compares the system to people showing their driver’s license at the door of a club. “You’ve got to give your home address to the bouncer,” Wilcox says incredulously. The magical properties of zero knowledge proofs, he says, would allow you to generate an unforgeable crypto credential that proves you’re over 21 and then show that to the doorman without revealing your name, address, or even your age. “A process that previously required identification gets replaced by something that only requires authorization,” Wilcox says. 
“See the difference?” The same trick will now let Phreeli users prove they’ve prepaid their phone bill without connecting their name, address, or any payment information to their phone records—even if they pay with a credit card. The result, Merrill says, will be a user experience for most customers that’s not very different from their existing phone carrier, but with a radically different level of data collection. As for Wilcox, he’s long been one of that small group of privacy zealots who buys his SIM cards in cash with a fake name. But he hopes Phreeli will offer an easier path—not just for people like him, but for normies too. “I don't know of anybody who's ever offered this credibly before,” says Wilcox. “Not the usual telecom-strip-mining-your-data phone, not a black-hoodie hacker phone, but a privacy-is-normal phone.” Even so, enough tech companies have pitched privacy as a feature for their commercial product that jaded consumers may not buy into a for-profit telecom like Phreeli purporting to offer anonymity. But the EFF’s Cohn says that Merrill’s track record shows he’s not just using the fight against surveillance as a marketing gimmick to sell something. “Having watched Nick for a long time, it's all a means to an end for him,” she says. “And the end is privacy for everyone.” Merrill may not like the implications of describing Phreeli as a cellular carrier where every phone is a burner phone. But there’s little doubt that some of the company’s customers will use its privacy protections for crime—just as with every surveillance-resistant tool, from Signal to Tor to briefcases of cash. Phreeli won’t, at least, offer a platform for spammers and robocallers, Merrill says. Even without knowing users’ identities, he says the company will block that kind of bad behavior by limiting how many calls and texts users are allowed, and banning users who appear to be gaming the system. 
“If people think this is going to be a safe haven for abusing the phone network, that’s not going to work,” Merrill says. But some customers of his phone company will, to Merrill’s regret, do bad things, he says—just as they sometimes used to with pay phones, that anonymous, cash-based phone service that once existed on every block of American cities. “You put a quarter in, you didn’t need to identify yourself, and you could call whoever you wanted,” he reminisces. “And 99.9 percent of the time, people weren't doing bad stuff.” The small minority who were, he argues, didn’t justify the involuntary societal slide into the cellular panopticon we all live in today, where a phone call not tied to freely traded data on the caller’s identity is a rare phenomenon. “The pendulum has swung so far in favor of total information awareness,” says Merrill, using an intelligence term of the Bush administration whose surveillance order set him on this path 21 years ago. “Things that we used to be able to take for granted have slipped through our fingers.” “Other phone companies are selling an apartment that comes with no curtains—where the windows are incompatible with curtains,” Merrill says. “We’re trying to say, no, curtains are normal. Privacy is normal.”
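
The article says the carrier can confirm a month of service was paid for without keeping a record that links the card to the phone. The added example below is not from the article or from Phreeli; the page does not describe how Double-Blind Armadillo is built, so this sketch swaps in Chaum-style RSA blind signatures, an older and different technique than zero-knowledge proofs, to show the same unlinkability property. The class names, the toy key and the card string are constructed for illustration.

```python
import hashlib
import secrets
from math import gcd

# Constructed toy RSA key standing in for a carrier's "one month paid" key.
# The primes are the Mersenne primes 2^61-1 and 2^89-1: demo size only.
P, Q = 2**61 - 1, 2**89 - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))  # private exponent, used only by billing


def token_hash(token: bytes) -> int:
    """Map a service token to an integer below N."""
    return int.from_bytes(hashlib.sha256(token).digest(), "big") % N


class Customer:
    """Picks a random service token and a blinding factor r coprime to N."""

    def __init__(self):
        self.token = secrets.token_bytes(32)
        while True:
            self.r = secrets.randbelow(N - 2) + 2
            if gcd(self.r, N) == 1:
                break

    def blinded_request(self) -> int:
        # h * r^E mod N: billing signs this without learning h.
        return (token_hash(self.token) * pow(self.r, E, N)) % N

    def unblind(self, blind_sig: int) -> int:
        # (h * r^E)^D = h^D * r, so dividing by r leaves a signature on h.
        return (blind_sig * pow(self.r, -1, N)) % N


class Billing:
    """Sees the card and a blinded value, never the token."""

    def __init__(self):
        self.log = []

    def pay_and_sign(self, card: str, blinded: int) -> int:
        self.log.append((card, blinded))
        return pow(blinded, D, N)


class Activation:
    """Sees the token and signature, never the card."""

    def __init__(self):
        self.spent = set()
        self.log = []

    def redeem(self, line_id: str, token: bytes, sig: int) -> bool:
        h = token_hash(token)
        # Reject a bad signature or a token that was already redeemed.
        if pow(sig, E, N) != h or h in self.spent:
            return False
        self.spent.add(h)
        self.log.append((line_id, h))
        return True


def run_demo():
    billing, activation = Billing(), Activation()
    customer = Customer()
    blind_sig = billing.pay_and_sign("card-0000 (constructed)",
                                     customer.blinded_request())
    sig = customer.unblind(blind_sig)
    first = activation.redeem("line-0001", customer.token, sig)
    replay = activation.redeem("line-0002", customer.token, sig)
    forged = activation.redeem("line-0003", secrets.token_bytes(32), sig)
    # Joining the two logs on their stored values finds no match.
    billing_values = {b for _, b in billing.log}
    service_values = {h for _, h in activation.log}
    linkable = bool(billing_values & service_values)
    return first, replay, forged, linkable


if __name__ == "__main__":
    print(run_demo())
```

The billing log holds only the card and a blinded number, and the activation log holds only the line and the token hash, so a request for "which card paid for this line" has no join key to work with.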

Dumbest excuses/stuff your family/other people told you about Privacy on the internet and degoogle?
My mom claims there are no problems with being tracked and stuff and that "Every normal person will use gmail"; my brother says you should only hide your data if you are a criminal or something.

This is a list of phone manufacturers that lock their bootloaders to prevent people from installing custom operating systems (LineageOS etc) to remove bloatware and spyware/tracking.


Which private (no cloud requirement) wireless home security cameras save footage locally without mon
I tried wyze and find it silly how video clips are limited to 5 seconds unless you give them money every month. I want something where the footage is saved on a local sdcard/hdd without any cloud reliance. Even better if I don't have to be locked into using the manufacturer's app, but I'm flexible on that.

offline magic earth requires now a 15€ subscription
I liked using it but 15€/year for navigation is too much for me. I'm going to stick to osmand now. At least osmand is open source. It has roughly the same features. It's just not that beautiful. I paid for osmand btw. What's your alternative? Edit: And I like paying for osmand because it is open source.



How do I check my router for malware?
I have a store-bought consumer router connected to my ISP's router which is in bridge mode, and it's one of the few remaining proprietary mystery boxes in my network that I don't know how to audit. I recently made a post about whether I should switch to pfSense, and this was one of my motivations (though I forgot to mention it in that post). Is there an effective way to check whether my router is part of a Mirai botnet or some other malware that scanned the internet and found some vulnerability in my router? As far as I know, once infected, things like updating the firmware or pressing the reset button aren't guaranteed to remove it because it can just take control of those processes and persist. In my specific configuration, can malware from the internet even see my main router or just the ISP router it's connected to? In my threat model, I'm most concerned about my local traffic to and from my server being exfiltrated by some cybercrime group as a lot of it is HTTP or HTTP proxy data. Not so much general internet bound traffic which is usually HTTPS or VPN. Obviously I don't want to be "participating" in botnet attacks or other cybercrime infrastructure either.

https://www.livemint.com/news/india/if-you-don-t-want-jyotiraditya-scindia-says-sanchar-saathi-app-is-optional-amid-strong-opposition-protests-11764659707854.html

Is WordPress really trustable?
It's listed on fedidb, but tosdr.org says "You are being tracked via social media cookies/pixels" on its points list.

Dumb question, but theoretically would it prevent Win exploits?
If I keep all incoming connections blocked, but also all outgoing connections blocked except my browser (no MS/Win service is communicating with anything online), would my attack surface be just the browser? So it wouldn't matter if Win is not updated?


How did the Ad Networks find my search?
So a bit ago I got an ad for "canned rambutan". I had looked up Rambutan a few days prior after hearing it mentioned 10 hours into the video game Baby Steps. I wasn't using a VPN at the time and I didn't have fingerprinting protections active but I only mentioned it to a few sources (according to my browser history) all of which generally are implied to be private. Which of these do you think is the reason the ad networks know?

- Wikipedia
- Startpage Search
- DuckDuckGo Search
- My ISP
- Firefox
- My Firefox Extensions
- Kubuntu
- CachyOS
- The omnipotent algorithm connecting my mentions of Baby Steps with my progress through the game.
- Does this only make sense if my browser history is incomplete?
- Maybe I was using DNS over HTTPS via Cloudflare at the time of my search.

Any guesses as to where the weak link is?

It seems many if not all of today's AR glasses use Bluetooth, which means that if you're close enough, it should be possible to detect people who are wearing them (and/or anything else that's using Bluetooth)

cross-posted from: https://lemmy.zip/post/54163653

> The Indian telecommunications authority, the Department of Telecommunications (DoT), has instructed eight messenger services to implement a permanent binding to inserted SIM cards. Affected are WhatsApp, Telegram, Signal, Snapchat, ShareChat, as well as the Indian services Arattai, JioChat, and Josh. According to the directive, the companies must ensure within 90 days that their services can only be used with a physically inserted SIM card.


Hello everyone!

[Journiv](https://journiv.com/) is a self-hosted private journaling application that puts you in complete control of your personal reflections. Built with privacy and simplicity at its core, Journiv offers comprehensive journaling capabilities including mood tracking, prompt-based journaling, media uploads, analytics, and advanced search. All while keeping your data on your own infrastructure.

Journiv [v0.1.0-beta.9](https://github.com/journiv/journiv-app/releases/tag/v0.1.0-beta.9) is out with

* Markdown support
* Inline media (images and video) with viewer.
* Many bug fixes and improvements.

Watch [demo](https://www.youtube.com/watch?v=SV7aM4BoSfg)

**The Journey Ahead**

Journiv is in active development, with a fully functional backend, a web frontend, and mobile apps launching soon. It is self-hosted, and designed to be your companion for decades. Journiv is being built because our memories deserve to be ours, forever.

**Learn More**

* [Spin up Journiv](https://journiv.com/docs/installation)
* [Journiv on DB Tech Youtube Channel](https://www.youtube.com/watch?v=2lNEr0EmgFg)
* [Journiv on noted.lol](https://noted.lol/journiv/)
* [Watch other demo videos](https://www.youtube.com/@JournivApp)

Happy winter and merry festivities! Last year I made [a post](https://lemmy.ml/post/23393825) outlining many gift ideas for privacy enthusiasts. I'm back this year with an updated list. Privacy enthusiasts, by nature, are sometimes difficult to buy gifts for. This list is here to make it easier for you to come up with ideas, even if you don't directly gift what's on the list. I've decided to make a rule this year: **only physical items**. You can't put a subscription under the tree. ## [3D printers](https://en.wikipedia.org/wiki/3D_printing) 3D printers can turn plastic into any shape you want. While a lot of 3D printers include proprietary privacy-invasive software, there are open-source options such as [RepRap](https://www.reprap.org/wiki/RepRap). The privacy benefit of these comes in the form of [homemade firearms](https://en.wikipedia.org/wiki/Homemade_firearm). Traditional firearms include many elements to trace the ammunition back to the firearm, but homemade firearms (such as ones made using a 3D printer) exclude these. The reliability of the firearm depends on the quality of the 3D printer, but the designs are getting easier and easier to make. ## Accessories Especially for phones, there are a few of privacy accessories that are simple but effective. - [Faraday bags](https://en.wikipedia.org/wiki/Security_bag#Faraday_Bag) - [Lens covers](https://en.wikipedia.org/wiki/Lens_cover) (which some phone cases include) - [Microphone blockers](https://en.wikipedia.org/wiki/Microphone_blocker) (which is more effective as a [recording jammer](https://inv.nadeko.net/watch?v=FyeCn7HlLck)) - [Monitor filters](https://en.wikipedia.org/wiki/Monitor_filter) (better known as privacy screen protectors) ## [Anonymous dress](https://www.notrace.how/threat-library/mitigations/anonymous-dress.html) Anonymous dress is clothing that conceals your identity in public. Obtaining these items of clothing is a chore, so it's always easiest when it is gifted by somebody else. 
Black, unthemed clothing does the best job of protecting privacy. The holy grail of anonymous dress is: - A [balaclava](https://en.wikipedia.org/wiki/Balaclava_(clothing)) to hide your face. - A [baseball cap](https://en.wikipedia.org/wiki/Baseball_cap) to further hide your face, although a [sun hat](https://en.wikipedia.org/wiki/Sun_hat) does a better job. - A hooded [down jacket](https://en.wikipedia.org/wiki/Down_jacket) to hide body shape and skin color. There are significantly long down jackets that extend below the knees that can somewhat conceal your gait too. Last year I included jackets that spoof AI recognition or blind infrared cameras, but those are very difficult to find and can be very identifying. - [Elevator shoes](https://en.wikipedia.org/wiki/Elevator_shoe) to conceal your height. - [Sunglasses](https://en.wikipedia.org/wiki/Sunglasses) to hide your eyes. [Reflectacles](https://www.reflectacles.com/) do the best job of this. - [Touchscreen gloves](https://en.wikipedia.org/wiki/Glove#Sport_and_recreational) to prevent fingerprints and still be able to use touchscreens. Normal gloves work when paired with a [capacitive stylus](https://en.wikipedia.org/wiki/Stylus_(computing)#Capacitive). - An [umbrella](https://en.wikipedia.org/wiki/Umbrella) to hide your clothing from surveillance cameras. ## [Ciphers](https://en.wikipedia.org/wiki/Cipher) Not all encryption is digital. Traditionally, complex codes and ciphers were created to conceal messages. Hardware devices like the [enigma machine](https://en.wikipedia.org/wiki/Enigma_machine) were used to further aide the process. Modern versions of those devices, as well as related items such as [invisible ink](https://en.wikipedia.org/wiki/Invisible_ink) are still around and can be a fun project. ## [Computers](https://en.wikipedia.org/wiki/Computer) Laptops, desktops, and servers are all useful devices for accessing digital services privately. 
While there is no best choice, some lists can help shine some light on which hardware is considered secure: - [PrivSec.dev Laptop Hardware Security](https://github.com/PrivSec-dev/privsec.dev/blob/Laptop-Hardware-Security/content/posts/knowledge/Laptop%20Hardware%20Security/index.md) - [Qubes OS Hardware Compatibility List](https://www.qubes-os.org/hcl/) ## [Concealment devices](https://en.wikipedia.org/wiki/Concealment_device) Concealment devices are things that look like ordinary objects, but in some way or another, have a hidden compartment used for storage. These are excellent ways to hide sensitive items such as cash, backup security tokens, and more. These are excellent gifts if you're giving one-on-one rather than at a party. ## [Cryptocurrency wallets](https://en.wikipedia.org/wiki/Cryptocurrency_wallet) Cryptocurrency wallets are devices used to securely store (the keys for) cryptocurrency such as the private cryptocurrency [Monero](https://www.getmonero.org/). The two best options are: - [Ledger](https://shop.ledger.com/pages/hardware-wallet) - [Trezor](https://trezor.io/compare) ## Dumb tech Dumb tech is the opposite of smart tech. It doesn't connect to every device in your house. It doesn't broadcast that data to a corporation. It doesn't get exposed in a data breach. It doesn't get hacked. It doesn't go down when the internet goes offline. Things like dumb TVs or dumb cars are becoming harder to find but more and more valuable for privacy. ## [Mail](https://en.wikipedia.org/wiki/Mail) Mail is almost always sensitive. For that reason, it's useful to protect the contents by using [security envelopes](https://www.walmart.com/browse/office-supplies/security-envelopes/1229749_6318396_8064009). For delivering packages privately, it's also useful to have a [label printer](https://en.wikipedia.org/wiki/Label_printer) capable of printing shipping labels. 
## [Money](https://en.wikipedia.org/wiki/Money)

[Banks](https://en.wikipedia.org/wiki/Bank) and [payment service providers](https://en.wikipedia.org/wiki/Payment_service_provider) are almost always incredibly privacy invasive and offer poor security. While some of these issues can be mitigated with services like [Privacy](https://www.privacy.com/), it doesn't fix the underlying issue. Anonymous payments not only protect your privacy, but protect your money too, and having the ability to make payments like these is what allows privacy to further grow. Anonymous payment methods include:

- [Cash](https://en.wikipedia.org/wiki/Cash)
- [Gift cards](https://en.wikipedia.org/wiki/Gift_card) (when purchased with cash and adequate anonymous dress)
- [Monero](https://www.getmonero.org/) (which is physical when paired with a cryptocurrency wallet)
- [Stored-value card](https://en.wikipedia.org/wiki/Stored-value_card) (when purchased with cash and adequate anonymous dress)

## [Optical discs](https://en.wikipedia.org/wiki/Optical_disc)

Optical discs are a physical way to store movies, shows, music, games, and more. The idea is that, instead of paying a subscription and streaming content, you can pay a one-time fee and get the full quality media offline. This is also excellent for [ripping](https://en.wikipedia.org/wiki/Ripping) to create a digital archive to stream from your own servers for free.

## [Paper](https://en.wikipedia.org/wiki/Paper)

Your most sensitive information is put at risk the moment it becomes digitized, so pen and paper isn't so bad for some uses:

- Earlier this year, Amazon [removed the option to download and transfer ebooks](https://www.reddit.com/r/kindle/comments/1inr9uy/fyi_amazon_is_removing_download_transfer_option/). It's becoming increasingly harder to "own" an ebook, especially without using privacy-invasive software. For that reason, [books](https://en.wikipedia.org/wiki/Book) are much better for privacy.
- Calendar apps are convenient for reminders, but they often sync to cloud services or include telemetry. Physical [calendars](https://en.wikipedia.org/wiki/Calendar) are a good way to have peace of mind knowing that your personal events are away from prying eyes and can be erased without a trace.
- [Notebooks](https://en.wikipedia.org/wiki/Notebook) are also useful for the same reasons as books. There are also numerous benefits to writing things down instead of typing them.

## [Paper shredders](https://en.wikipedia.org/wiki/Paper_shredder)

Paper shredders destroy sensitive documents to prevent obtaining sensitive information by digging through landfills. However, shredded documents can be recovered using [automated software](https://www.unshredder.com/). The paper shredder industry hasn't discovered fire yet, it seems.

## [Power cables](https://en.wikipedia.org/wiki/Power_cable)

Most cables carry both power and data. However, that can be exploited by cleverly designing fake power stations that discreetly steal data when plugged into devices. Some cables only deliver power, without delivering data. These are incredibly useful for protecting vulnerable devices in public settings.

## [Printers](https://en.wikipedia.org/wiki/Printer_(computing))

Printers suck. So much so that [not even Framework wanted to make one](https://inv.nadeko.net/watch?v=os_fHy1mB_M&t=565). Nevertheless, a new printer called [Open Printer](https://www.crowdsupply.com/open-tools/open-printer) is in the works. Until it's finished, the best option is to gift a printer that allows printing over a wired connection.

## [Promotional merchandise](https://en.wikipedia.org/wiki/Promotional_merchandise)

There is no shortage of promotional merchandise for privacy.
Some of my favorites include:

- [Electronic Frontier Foundation](https://shop.eff.org/)
- [Naomi Brockwell TV](https://shop.nbtv.media/)
- [Privacy Guides](https://shop.privacyguides.org/)

I also recently found products like [this](https://www.redbubble.com/i/hoodie/I-Do-Not-Consent-To-Being-Recorded-White-Text-by-lostfigment/172562280.BN4XF) that serve a functional benefit of telling people you don't want to be recorded without explicitly talking to them.

## [Rayhunter](https://efforg.github.io/rayhunter/)

Rayhunter is a device created by the [Electronic Frontier Foundation](https://www.eff.org/) to detect [Stingray](https://en.wikipedia.org/wiki/Stingray_phone_tracker) attacks. It can be installed on [supported devices](https://efforg.github.io/rayhunter/supported-devices.html), which are great gifts for high threat model people.

## [Safes](https://en.wikipedia.org/wiki/Safe)

Safes are a secure box to store sensitive items. I shouldn't need to explain why this is a good idea.

## [Security seals](https://en.wikipedia.org/wiki/Security_seal)

Security seals are a special type of sticker that makes it very clear if the seal has ever been broken. This is useful to place on the case of computers or other containers that shouldn't be opened often.

## [Security tokens](https://en.wikipedia.org/wiki/Security_token)

Security tokens are hardware devices used to authenticate accounts at a hardware level. When set up correctly, they are one of the most secure ways to log in. The most popular open source options are:

- [Nitrokey](https://www.nitrokey.com/products/nitrokeys)
- [OnlyKey](https://onlykey.io/)
- [SoloKeys](https://solokeys.com/)

## [Smartphones](https://en.wikipedia.org/wiki/Smartphone)

[GrapheneOS](https://grapheneos.org/) is the most private and secure operating system available. They [recently announced](https://xcancel.com/GrapheneOS/status/1977413966231175393) that they are partnering with an OEM to manufacture devices designed for GrapheneOS.
However, until that device is made available, [Google Pixels](https://store.google.com/category/phones) are still the only device GrapheneOS can be installed on.

## [USB flash drives](https://en.wikipedia.org/wiki/USB_flash_drive)

USB flash drives are the unsung heroes for so many areas of privacy. Whether it be installing operating systems such as [Qubes OS](https://www.qubes-os.org/) and [Tails](https://tails.net/), or creating offline [Seedvault](https://github.com/seedvault-app/seedvault) backups for GrapheneOS, USB flash drives have a multitude of uses. Just remember: it's better to have many, smaller USB flash drives than one, large USB flash drive.

## [Wi-Fi hotspots](https://en.wikipedia.org/wiki/Wi-Fi_hotspot)

Wi-Fi hotspots are (for privacy use-cases) hardware devices that allow connecting devices to the cellular network in a much more private way. The best one that supports an excellent privacy organization is the [Calyx Internet Membership](https://calyxinstitute.org/membership/internet).

## [Wired headphones](https://en.wikipedia.org/wiki/Headphones#Wired)

Wired headphones not only provide higher quality audio output, but they also avoid the [history of security issues with Bluetooth](https://en.wikipedia.org/wiki/Bluetooth#Security) and the surveillance capitalism that comes with [Bluetooth Low Energy beacons](https://en.wikipedia.org/wiki/Bluetooth_Low_Energy_beacon). Which type of wired headphones you gift depends on a lot of factors, but one that pairs nicely with Google Pixels is the [Pixel USB-C earbuds](https://store.google.com/us/product/usb_c_earbuds) sold by Google themselves.

## [Wireless routers](https://en.wikipedia.org/wiki/Wireless_router)

Wireless routers often leak everything sent through them. For that reason, custom software such as [OpenWrt](https://openwrt.org/) was designed to replace the privacy invasive software preinstalled on routers.
OpenWrt also created their own router called the [OpenWrt One](https://openwrt.org/toh/openwrt/one). Earlier this year, they announced that they would be creating a new router called the [OpenWrt Two](https://openwrt.org/voting/2025-02-12-openwrt-two). It hasn't come out yet, but maybe it will be on the list next year.

# Conclusion

There is no shortage of privacy tech. The same technology that empowers privacy is the thin veil slowing down the world from its dystopian target. Giving the gift of privacy means giving the gift of a better future for those of us fighting on the front lines.

### Lack-of-AI notice

I’ve been burned before, so I always try to mention that none of my content is AI generated. It isn’t even AI assisted. Just because something is comprehensive and well-structured does not make it AI generated. Every word I write is my own. Thank you for your understanding.


Does any Firefox spinoff for Android support separate profiles or multi-account containers?
I've read about creating separate users at the OS level, but I'm hoping for something a tad lighter. Are separate Firefox profiles and/or multi-account containers a thing in any of the various Firefox spinoffs for Android? Testing in Fennec browser, in the little kebab menu, I see an option to sign in, but that's not what I want. I don't see anything related to profiles. When I browse to the page for the multi-account containers extension, it says not compatible w/ Android. Does one of the other Firefox spinoffs for Android have either of these features (profiles or multi-account containers)?

Apparently Europe finally got WhatsApp to enable 3rd party chats, making it easier to switch to more privacy friendly alternatives: [article](https://about.fb.com/news/2025/11/messaging-interoperability-whatsapp-enables-third-party-chats-for-users-in-europe/). However, the only other app that currently works with it is "BirdyChat"?? Has anybody found any news about when serious alternatives will be integrated?

If I am already using a rooted but proprietary smartphone (Samsung Galaxy S23), downloading my apps from other sources than Google Play, how would Google be able to control what I do with it? If necessary, I could just stay on my current OS build as well. All in all, while politically and philosophically, Google's new policy is bad, I don't feel threatened by it with my current understanding of the situation and technology...

We have no idea what content is most viral on YouTube, Meta, TikTok, LinkedIn, or X – because they refuse to share basic data. On the DSA’s Birthday (Oct 4th) we've led a “mass data access request” along with @mozilla and DSA40 Data Access Collaboratory, where a series of ~20 orgs requested daily data on their top 1,000 most-viewed posts in EU Member States. Every single one refused. Join us in demanding platform transparency. Posted on mastodon: https://chaos.social/@algorithmwatch/115620980818833875

Could VPNs Be ‘Banned’?
With the UK apparently floating ideas of a VPN ban, it's got me worried about the future of anonymity online. Now people have already pointed out that a VPN ban doesn't make sense because of all the legitimate uses of one and wouldn't even be enforceable anyway, but that got me thinking. What if governments ordered websites (such as social media sites) to block traffic originating from a VPN node? Lots of sites already do this (or restrict your activity if they detect a VPN) to mitigate spam etc., and technically that wouldn't interfere with "legitimate" (in the eyes of the gov) VPN usage like logging onto corporate networks remotely. It's already a pain with so many sites either blocking you from access or making you jump through a million captchas using VPNs now. I'm worried it's about to get a whole lot worse.

What dystopian surveillance things from your country you can’t escape?
Or have to go through great lengths to escape. In my country you can't buy any medicine without showing your ID... I mean, you technically can, but if you are registered they "give" like an 80% discount, so everyone thinks it's a great deal, not realizing that's the normal price, they are just pretending you can still go and buy a simple cold medicine without sharing your ID, phone, email, and street address with the drug store and whoever they decide to sell that information to, you just have to pay absurdly more. Yeah, you can lie about all the other information, but not really about your ID number. Probably soon, to get the "discount", you are going to have to verify your email or phone number as well.

> Contrary to headlines suggesting the EU has “backed away” from Chat Control, the negotiating mandate endorsed today by EU ambassadors in a close split vote paves the way for a permanent infrastructure of mass surveillance.
>
> While the Council removed the _obligation_ for scanning, the agreed text creates a toxic legal framework that incentivizes US tech giants to scan private communications indiscriminately, introduces mandatory age checks for all internet users, and threatens to exclude teenagers from digital life.

The article is non-paywalled, freely readable on the link --^

How’s my network privacy? Should I switch from a commercial router to pfSense or something?
I use Linux on all my personal computers and privacy respecting ROMs on phones, and Pi-Hole, but a part I haven't really taken a look at is my network at home. I currently have my ISP's smart router in bridge mode connected to a brand name Wi-Fi 6 router with a wireless "mesh" range extender. I really like the range extender because it has an Ethernet port so it's basically a "free" Ethernet plug for that room connected to a high power Wi-Fi transceiver that's faster than a lot of on board Wi-Fi antennas. But I feel like it's probably not the best thing privacy and security wise? I already don't use the app and luckily it still has a web interface for management, but I don't know how secure the firmware is or if it has any corporate "analytics" or not. I'm thinking a pfSense or similar router software on a Linux box to connect to the bridge port of my ISP's router since I was told the "Ethernet" cable connecting from it to the fiber modem won't work with a store bought router, I assume it has some kind of DRM? I already have an old PC in mind to convert to a router. I assume I could just use the onboard Ethernet port to talk to the router and add my own USB NIC to connect to the main switch? I don't know what to do for Wi-Fi though, could I buy two dedicated access points and put them on different floors, and have them both connected to the wired network? How hard would it be to have those be the same Wi-Fi network and have devices actually switch between them depending on location? Also, most of my NICs and switches are from the thrift store or eBay for higher end used server parts. Is that bad? As in how worried should I be about the firmware running in those being tampered with by whoever owned it last?

Maintaining privacy on a new desktop
Hello. I installed Linux Mint on a new desktop that I built about a week ago, and I'm starting to get used to it, so it's probably time to start using it for some actual life things. A couple of these do involve talking with family members all in Facebook Messenger, as well as the necessity of using Google Workspace for some work-related functions. I'm aware that using both of these is a compromise of privacy in and of itself, but I'm still interested in mitigating the damages best as I can. What steps can I take to make the usage of these as private and non-invasive as possible? If it helps at all, the browser I'm using is Firefox and the operating system is Linux Mint.

Using a custom domain with two separate email accounts.
I purchased a custom domain to use with mailbox.org. The MX records are set up and basic tests are working. I'm getting myname@customdomain.com showing up in my mailbox.org account. But I got confused with setting up a family member with theirname@customdomain.com. Do they need to pay for a plan too? They're not worried about the privacy, they just want the custom email address. Is there any way to do this for free or cheaper, without self hosting email?

Side question. I've been paying for anonaddy to hide my normal @outlook account. Are there any benefits in keeping anonaddy to send emails to my custom domain, instead of just using a catchall, or pre-configuring some aliases? The only benefits I see are:

- Anonaddy can make accounts on the fly
- On The Fly accounts might be easier to disable than things sent to a catchall
- Anonaddy doesn't reveal your domain (maybe this is the big draw card?)

Thanks.

If I keep js disabled and then use extension will it still be a fingerprinting issue?
I mean for fingerprinting protections I go minimal with extensions. I only have Ublock origin. I want to keep dark reader but for fingerprinting issue I'm not doing it. So if I keep js disabled with Ublock origin (I'm doing it for a while now) and then install dark reader will websites still be able to tell that I have dark reader installed?

I am looking to buy a Synology NAS to replace my Raspberry Pi 4B. What data does Synology collect of
Greetings! I've been daily driving a Raspberry Pi 4B as a home server for quite a while now and thought it was a great time to make the switch to a proper NAS. My current Home Server setup uses 2 Raspberry Pi's. One is where I selfhost all of the stuff I need, and one hosts my website. The Pi only has 4gb of RAM, which is ok for me. But I can't really say much about its performance. In Jellyfin, it's struggling with streaming music. Not even a movie, a single MP3 file, it struggles with it. I tried solutions like Nextcloud for a Selfhosted Cloud Storage Solution, but it would always wipe out its config every time the Pi reboots. I am looking forward to buying a Synology NAS. Their Web interface seems intuitive (there's even Docker support too) and easy to use. However, I really am concerned on what data can Synology collect off of it. So, what data can Synology collect off the NAS and is it safe in a Privacy nerd's view?

Cross posted from: https://feddit.uk/post/40232992

Digital Omnibus: How Big Tech Lobbying Is Gutting the GDPR

Last week we at [EFRI](https://efri.io/finleaks-a-retaliation-platform-full-of-defamation/) wrote about the *[Digital Omnibus leak](https://efri.io/the-digital-omnibus-leak-a-stealth-attack-on-the-gdpr/)* and warned that the European Commission was preparing a stealth attack on the [GDPR](https://efri.io/the-digital-omnibus-leak-a-stealth-attack-on-the-gdpr/).

Since then, two things have happened:

- The Commission has now officially [published](https://digital-strategy.ec.europa.eu/en/library/digital-omnibus-regulation-proposal) its Digital Omnibus proposal.
- noyb (Max Schrems’ organisation) has released a detailed legal analysis and new campaigning material that confirms our worst fears: this is not harmless “simplification”, it is a deregulation package that cuts into the core of the GDPR and ePrivacy.

**What noyb has now put on the table**

On 19 November 2025, noyb [published a new piece](https://noyb.eu/en/digital-omnibus-eu-commission-wants-wreck-core-gdpr-principles) with the blunt headline: “**Digital Omnibus: [EU](https://efri.io/recent-development-on-crypto-regulation-in-the-eu-and-in-the-us/) Commission wants to wreck core GDPR principles**”

Here’s a focused summary of the four core points from noyb’s announcement, in plain language:

**New GDPR loophole via “pseudonyms” and IDs**

The Commission wants to narrow the definition of “personal data” so that much data under pseudonyms or random IDs (ad-tech, data brokers, etc.) might no longer fall under the GDPR. This would mean a shift from an objective test (“can a person be identified, directly or indirectly?”) to a subjective test (“does this company currently want or claim to be able to identify someone?”). Therefore, whether the GDPR applies would depend on what a company says about its own capabilities and intentions. Different companies handling the same dataset could fall inside or outside the GDPR. For users and authorities, it becomes almost impossible to know ex ante whether the GDPR applies – endless arguments over a company’s “true intentions”. Schrems’ analogy: it’s like a gun law that only applies if the gun owner admits he can handle the gun and intends to shoot – obviously absurd as a regulatory concept.

**Weakening ePrivacy protection for data on your device**

Today, Article 5(3) ePrivacy protects against remote access to data on your devices (PCs, smartphones, etc.) – based on the Charter right to the confidentiality of communications. The Commission now wants to add broad “white-listed” exceptions for access to terminal equipment, including “aggregated statistics” and “security purposes”. Max Schrems finds the wording of the new rule to be extremely permissive and could effectively allow extensive remote scanning or “searches” of user devices, as long as they are framed as minimal “security” or “statistics” operations – undermining the current strong protection against device-level snooping.

**Opening the door for AI training on EU personal data (Meta, Google, etc.)**

Despite clear public resistance (only a tiny minority wants Meta to use their data for AI), the Commission wants to allow Big Tech to train AI on highly personal data, e.g. 15+ years of social-media history. Schrems’ core argument: People were told their data is for “connecting” or advertising – now it is fed into opaque AI models, enabling those systems to infer intimate details and manipulate users. The main beneficiaries are US Big Tech firms building base models from Europeans’ personal data. The Commission relies on an opt-out approach, but in practice: Companies often don’t know which specific users’ data are in a training dataset.
Users don’t know which companies are training on their data. Realistically, people would need to send thousands of opt-outs per year – impossible. Schrems calls this opt-out a “fig leaf” to cover fundamentally unlawful processing. On top of training, the proposal would also privilege the “operation” of AI systems as a legal basis – effectively a wildcard: processing that would be illegal under normal GDPR rules becomes legal if it’s done “for AI”. Resulting in an inversion of normal logic: riskier technology (AI) gets lower, not higher, legal standards.

**Cutting user rights back to almost zero – driven by German demands**

The starting point for this attack on user rights is a debate in Germany about people using GDPR access rights in employment disputes, for example to prove unpaid overtime. The German government chose to label such use as “abuse” and pushed in Brussels for sharp limits on these rights. The Commission has now taken over this line of argument and proposes to restrict the GDPR access right to situations where it is exercised for “data protection purposes” only. In practice, this would mean that employees could be refused access to their own working-time records in labour disputes. Journalists and researchers could be blocked from using access rights to obtain internal documents and data that are crucial for investigative work. Consumers who want to challenge and correct wrong credit scores in order to obtain better loan conditions could be told that their request is “not a data-protection purpose” and therefore can be rejected. This approach directly contradicts both CJEU case law and Article 8(2) of the Charter of Fundamental Rights. The Court has repeatedly confirmed that data-subject rights may be exercised for any purpose, including litigation and gathering evidence against a company.
As Max Schrems points out, there is no evidence of widespread abuse of GDPR rights by citizens; what we actually see in practice is widespread non-compliance by companies. Cutting back user rights in this situation shifts the balance even further in favour of controllers and demonstrates how detached the Commission has become from the day-to-day reality of users trying to defend themselves.

**EFRI’s take: when Big Tech lobbying becomes lawmaking**

For EFRI, the message is clear: the Commission has decided that instead of forcing Big Tech and financial intermediaries to finally comply with the GDPR, it is easier to move the goalposts and rewrite the rules in their favour. The result is a quiet but very real redistribution of power – away from citizens, victims, workers and journalists, and towards those who already control the data and the infrastructure. If this package goes through in anything like its current form, it will confirm that well-organised corporate lobbying can systematically erode even the EU’s flagship fundamental-rights legislation. That makes it all the more important for consumer organisations, victim groups and digital-rights advocates to push back – loudly, publicly and with concrete case stories – before the interests of Big Tech are permanently written into EU law.

Hello everyone!

First of all, thanks a lot for the [amazing response](https://lemmy.world/post/38696249) and interest in Journiv. We have [hundreds of stars](https://github.com/journiv/journiv-app/stargazers), thousands of [docker pulls](https://hub.docker.com/r/swalabtech/journiv-app) and many many [feature requests](https://github.com/journiv/journiv-app/issues) (and bug reports) on GitHub in just two weeks (sleepless two weeks for me :)).

[Journiv](https://journiv.com/) v0.1.0-beta.8 is out and in it I have added the most requested features.

**Highlights:**

* OIDC support (now pretty stable)
* In app [one click export-import](https://www.youtube.com/watch?v=rQRpQbyExMU) with history. So you always have your memories safe and backed up even if you don't want to deal with docker backups
* Role Based Access Control for user management.
* Many quality of life features and bug fixes.
* Read the release notes [here](https://github.com/journiv/journiv-app/releases/tag/v0.1.0-beta.8)

Journiv began as a deeply personal project, a way for me to capture memories, reflections, and the stories behind thousands of photos and videos of my fast-growing kids. What started as a tool for my own parenting journey has grown into something that fills a real gap in the self-hosting community. If you’re curious, you can read the full story behind Journiv [here](https://journiv.com/blog/the-story-behind-journiv). I’m grateful that Journiv is now helping others preserve their memories as well.

**The Journey Ahead**

Journiv is in active development, with a fully functional backend, a web frontend, and mobile apps launching soon. It is self-hosted, and designed to be your companion for decades. Journiv is being built because our memories deserve to be ours, forever.

**So this Thanksgiving, give your family the gift of memories that last forever!**
fedilink

How to skirt websites that block known domains of email forwarding services? [SOLVED]
**Solved:** Thanks to all who commented, especially those who took the time to respond to my follow-up questions. Your responses were enough to convince me of the value of buying a custom domain in order to keep one's true email address private w/ the added benefit of working on websites that block known domains of temp/forwarding service providers.

Key takeaways:

- Forwarding services' shared domains are useful for blending in w/ the crowd. (credit to @Cricket@lemmy.zip)
- Custom domains are handy when you don't care about blending in and you want to use a website that blacklists known domains of disposable/forwarding service providers, including the paid-tier domains.
- Deciding whether to enable catch-all:
  - Enabled: You can make up new addresses without having to configure the alias manually each time, but it's also easier for spammers to guess valid addresses.
  - Disabled: It's more difficult for spammers to guess valid addresses, but you'll have to configure your aliases manually *unless* you have regex matching for automatic creation of new aliases. With regex matching for automatic creation of new aliases, disabling catch-all has few if any downsides.
- Regex matching: Seems to provide the best of all worlds by making it harder for spammers to guess valid addresses without having to configure aliases manually each time.
- For aliases, including a string of random characters after the company name makes it harder for spammers to guess your other aliases and/or learn where else you have accounts by spamming emails to every `$companyname@example.com` and seeing which ones bounce back. (credit to @erebion@news.erebion.eu)

**Original post:**

I've recently signed up for an email forwarding service w/ aliases so that I can keep my true email address private when I sign up for new websites and services.
I should clarify that I'm less concerned about *concealing my identity* than I am about protecting my real email address, identifying who leaked my info when my email address is compromised, and being able to stop the spam by turning off that alias.

While updating my existing profiles to point to aliases instead of my real address, I've hit a snag - some sites (Steam, Slack, etc) won't allow me to update my email address to any known domains from my email forwarding service. On these sites that block email forwarding addresses, for now I'm either updating my existing email address w/ a plus sign if the website allows it, otherwise I'm just leaving my existing email address unchanged. It's not the end of the world, they already have my real email address, and I can probably go a Very Long Time without needing to check those inboxes anyway, but I'm still miffed that I can't completely migrate my existing accounts to my new scheme.

I've read numerous posts about the benefits of custom domains to enable portability of email service providers, and I'm wondering if custom domains are the answer to these sites that disallow forwarding addresses, but I have questions:

- How do other people deal with this situation?
- Do these websites that block known email forwarding domains typically work on a whitelist or blacklist model? If the former (whitelist), then I'm thinking a custom domain will have the same problem, but if the latter (blacklist), then I reckon a custom domain with catchall might work.
- Particularly owners of custom domains, do you find your custom domain is allowed more often than not or do you run into the same problem?

EDIT: Clarified my objectives.

The GrapheneOS developers are giving me concerns about the future of GrapheneOS
The drama and accusations the GrapheneOS developers are spewing and engaging in are giving me a bad taste in the mouth and make me doubt the OS’s reliability. Am I the only one?

[Donate](https://grapheneos.org/donate) [Discord Server](https://discord.gg/grapheneos) [Message Link](https://discord.com/channels/1176414688112820234/1176434676311797760/1442528725370540208)

Our latest blog post is aimed at people who 'get it' about online privacy, but who struggle to convince friends and family to take it seriously. We hope it helps!

Cross posted from: https://feddit.uk/post/39979350

[TRANSLATED ARTICLE]

**EU chat control comes – through the back door of voluntariness**

The EU states have agreed on a common position on chat control. Data protection advocates warn against massive surveillance. What is in store for us?

After lengthy negotiations, the EU states have agreed on a common position on so-called chat control. As can be seen from the minutes of negotiations of the Council working group, Internet services will in future be allowed to voluntarily search their users' communications for information about crimes, but will not be obliged to do so. The Danish Council Presidency wants to get the draft law through the Council "as quickly as possible", "so that the trilogue negotiations can begin promptly", the minutes say. Feedback from states should be limited to "absolute red lines".

**Consensus achieved**

The majority of States supported the compromise proposal. At least 15 spoke in favor, including Germany and France. Germany "welcomed both the deletion of the mandatory measures and the permanent anchoring of voluntary measures", said the protocol. However, other countries were disappointed. Spain in particular "continued to see mandatory measures as necessary, unfortunately a comprehensive agreement on this was not possible". Hungary also "saw voluntariness as the sole concept as too little". Spain, Hungary and Bulgaria proposed "an obligation for providers to detect, at least in open areas". The Danish Presidency "described the proposal as ambitious, but did not take it up to avoid further discussion".

The organization Netzpolitik.org, which has been reporting critically on chat control for years, sees the plans as a fundamental threat to democracy. "From the beginning, a lobby network intertwined with the security apparatus pushed chat control", writes the organization. “It was never really about the children, otherwise it would get to the root of abuse and violence instead of monitoring people without any initial suspicion.” Netzpolitik.org argues that "encrypted communication is a thorn in the side of the security apparatus". Authorities have been trying to combat private and encrypted communication in various ways for years.

A number of scholars criticize the compromise proposal, calling voluntary chat control inappropriate. "Their benefits have not been proven, while the potential for harm and abuse is enormous", said one open letter. According to critics, the planned technology, so-called client-side scanning, would create a backdoor on all users' devices. Netzpolitik.org warns that this represents a "frontal attack on end-to-end encryption, which is vital in the digital world". The problem with such backdoors is that "not only the supposedly 'good guys' can use them, but also resourceful criminals or unwell-disposed other states", argues the organization.

**Signal considers withdrawing from the EU**

Journalists' associations are also alarmed by the plans. The DJV rejects chat control as a form of mass surveillance without cause and sees source protection threatened, for which encrypted communication is essential. The infrastructure created in this way can be used for political control "in just a few simple steps", said the DJV in a statement. The messenger service Signal has already announced that it would withdraw from the EU if necessary. Signal President Meredith Whittaker told the dpa: “Unfortunately, if we were given the choice of either undermining the integrity of our encryption or leaving Europe, we would make the decision to leave the market.”

**Next steps in the legislative process**

The Permanent Representatives of the EU states are due to meet next week on the subject, followed in December by the Ministers of Justice and Home Affairs. These two bodies are due to approve the bill as the Council's official position. The trilogue then begins, in which the Commission, Parliament and Council must reach a compromise from their three draft laws. Parliament had described the original plans as mass surveillance and called for only unencrypted suspect content to be scanned. The EU Commission had originally proposed requiring Internet services to search their users' content for information about crimes without cause and to send it to authorities if suspected.

    A place to discuss privacy and freedom in the digital world.

    Privacy has become a very important issue in modern society, with companies and governments constantly abusing their power, more and more people are waking up to the importance of digital privacy.

    In this community everyone is welcome to post links and discuss topics related to privacy.

    Some Rules

    • Posting a link to a website containing tracking isn’t great, if contents of the website are behind a paywall maybe copy them into the post
    • Don’t promote proprietary software
    • Try to keep things on topic
    • If you have a question, please try searching for previous discussions, maybe it has already been answered
    • Reposts are fine, but should have at least a couple of weeks in between so that the post can reach a new audience
    • Be nice :)
