• 0 Posts
  • 36 Comments
Joined 1Y ago
Cake day: May 31, 2023


.io is a ccTLD though and is subject to the whims of the British Indian Ocean Territory. They can, for any reason, remove domains. See what recently happened with Mali and .ml.


It’s interesting how you went from “it’s not relevant at all” to “it’s relevant in general but not in this case” after I gave you a reply.

If you have found a new security or privacy flaw, I would love to hear about it. But pushing your irrelevant opinions on others who are not interested, is unpleasant for us, and a waste of time for you.

My opinions are not irrelevant, as I laid out in my previous comment that you just agreed with. Others are obviously interested, and it’s not “unpleasant” for them, as people responded and upvoted (and no downvotes), indicating it’s relevant. It’s not a waste of time for me, because not only did it take me negligible time to type literally three sentences (actually, I copy-and-pasted the comment from one I made earlier, I didn’t even write it fresh here), but it has value to others and as such is not a waste of time for me.

So whether he agrees with you that guys can become girls or vice versa, or whether he believes the same narrative that you do regarding corona is simply irrelevant.

The strawman construction was a nice little touch. Completely ignoring the part where I laid out that my personal stance and agreement or disagreement with the CEO is irrelevant, you act as if I personally disagree with the CEO and then use that to dismiss me.

You obviously have an agenda. So be it. But this conversation is truly a waste of time: you were obviously wrong and as soon as that was pointed out you shift goalposts.


If you think the two are unrelated you’re oblivious to the considerations that must be taken into account when discussing potential privacy concerns in software. It’s not ad hominem to acknowledge that the personal convictions and values of the CEO (and indeed other employees) can potentially decrease the sense of privacy of a product.

If the CEO is so adamant in his anti-X stance that he decides it’s acceptable to censor access to materials about X, or perhaps worse that he decides to expose anyone using his software that discusses or supports X, would you not consider those valid concerns?

Companies are made of people, and software is made by people. Since people are not neutral, companies and software are also not neutral. The stances of a company or software on privacy, freedoms, etc. are all influenced by the stances on those exact issues by the constituent people of the company and developers of the software.

Consider Elon Musk and Twitter. Given Elon’s personal beliefs and how adamant he is to enact and enforce those beliefs, do you consider him a neutral influence on the privacy of Twitter as a product? There is no way to see him as a neutral influence; he has direct influence by his ideological stance on the software. As such, if you have enough distrust in him or his ideological stance, that can transfer to distrust in Twitter as software.

In fact, it’s not even about whether I support the CEO or whether I think his stance is “right” or “wrong” as you imply. It’s entirely about how the CEO sees his beliefs in relation to the company and product he’s overseeing. I could entirely agree with the CEO and still consider their influence to be a detriment to the product if he puts his ideology ahead of pragmatism, for example.


It depends on how Google wants to play this. If they require website operators to use WEI in order to serve ads from Google’s ad network (a real possibility), then suddenly 98.8% of websites that have advertising, and 49.5% of all websites would be unusable unless you’re using Chrome. It’s probably safe to assume they’d also apply this to their own products, which means YouTube, Gmail, Drive/Docs, all of which have large userbases. The spec allows denying attestation if they don’t like your browser, but also if they don’t like your OS. They could effectively disallow LineageOS and all Android derivatives, not just browser alternatives.


A fork like Vivaldi, Brave or Opera could opt not to implement these changes

It doesn’t quite work like that. They wouldn’t choose to not implement the change, because the change comes from upstream via Chromium. They would have to choose to remove the feature which, depending on how it’s integrated, could be just as much work as implementing it (or more, if Google wants to be difficult on purpose). Not implementing the change is zero effort; removing the upstream code is a lot of effort.


Within the context of Chrome and other Chromium based web browsers, this means that Google will be able to monitor your web browsing in a new way any time you’re using a browser based on Chrome/Chromium.

With only slight hyperbole, we can say that Google can do this monitoring already.

What’s worse, is now they can:

  • Refuse you access to information by refusing to attest your environment.
  • Restrict your browser, extensions, and operating system setup by refusing attestation.
  • Potentially bring litigation against you for attempting to circumvent DRM (in the USA it’s illegal to bypass DRM).
  • Leverage their ad network to require web site operators to use attestation if they wish to serve ads via Google. AKA force you to use Chrome to use big websites.
  • Derank search results for sites that are not using attestation.

In my opinion, the least harmful part of this is the ability to monitor page access, because they can more or less do this for Chrome users anyway. What’s really harmful here is the potential to restrict access to and destroy practically the entirety of the internet.


I see what you’re saying but I still disagree. If you are making that much money and living paycheck to paycheck, it’s your own fault and is a lack of self control or money management knowledge. If you’re making $7.25 an hour and living paycheck to paycheck, no amount of self control and money management knowledge will mean you aren’t living paycheck to paycheck. Living paycheck to paycheck is a personal failing when you’re in the top 1% of earners in the country.


I don’t think Google engineers are living paycheck to paycheck,

The median total compensation for a Google employee in 2022 was $279,802. The highest-paid software engineers can make up to $718,000 a year in base salary, although most reported making between $100,000 to $375,000 in base salary. They can also receive bonuses of up to $605,000. This would put them in the top 1% of earners in the country.

Google Software Engineer Salaries, average compensation by level:

Level Total
L3 (Entry Level) $192K
L4 $268K
L5 $372K
L6 $543K

That’s a weirdly reductive and frankly useless way to frame the situation.

First, a paid firefighter and paid social worker are making the world better, just as much as a volunteer firefighter and charity worker. I’m not sure why you made the distinction.

Second, it’s not a dichotomy between making the world better and worse. There are things that obviously are bad, and there are things that obviously are good. But there are also things that are almost entirely neutral, or somewhere in between. It’s not an all-or-nothing situation: things can be degrees of good and bad.

If you insist on making it relative: these people are currently doing something more bad than what they were doing before. Whether you think what they were doing before was good or bad doesn’t really matter. What matters is that this new thing is bad. And that’s the problem.

I find the defense of someone doing active harm under the guise of “their job” to be shameful.


Bro it’s their job

Do you put any blame on the people who came up with this idea? With executives who steer and determine what is going to be implemented? It’s also just their job. My point was (and is) that doing bad things because it’s your job is not different than doing bad things that aren’t part of your job. And the point I made and I’ll reiterate is: ideas are just ideas; it’s the engineers who are implementing the ideas and making them reality. No one at the company is innocent, and that includes engineers.

If my job was asking me to do evil things, I’d not be comfortable working that job. It’s the same nonsense with Facebook: you know you’re working for an evil company, which is destroying the social fabric around the world, and yet you don’t judge yourself for contributing to evil because it’s your job. It’s inexcusable.


The engineers are writing up the spec, implementing the prototype, and will eventually be responsible for the rollout. The engineers are as much at fault as whoever thought up the idea. Without the engineers being complacent, the idea would be nothing more than an idea.

“Just following orders” has never been a good excuse for doing bad things.


Ok, two things are happening here.

they offer no reasonable basis for distrusting Signal, the tech that they attempt to vilify.

One, is that they did provide what they considered reasonable basis for distrusting Signal. Given that they thought Signal should not be trusted, the quote you posted is pretty obviously to be interpreted as: thankfully China hasn’t naively adopted a compromised communications platform with a USA intelligence backdoor. Now, if you want to say their basis for distrust is not reasonable, or is false, that’s completely fine. But in doing so it doesn’t change the author’s intent behind the quote which you posted.

Given said dev’s past comments, it is reasonable to infer that the reference to China presents them as an example to be followed here.

Two, is that it should be pretty clear they are saying China should be followed here in a very specific and explicit way: they aren’t saying follow China in every way under the sun. It’s very obvious from context and from what is explicitly said that they mean: China’s distrust and refusal to adopt (what they consider) a platform with USA backdoors should be followed. And I think that’s an entirely reasonable statement to make. No one should naively adopt compromised communications platforms.

There is no honest reading of the quote (especially given the rest of the context of the essay leading up to the quote) that could lead someone to conclude that this particular essay is (1) advocating for and supporting China spying on its citizens and (2) advocating for other countries following China in spying on citizens. It’s pretty obvious the only honest reading of this is: “I believe Signal has USA backdoors. Given that, I’m glad China hasn’t adopted its use heavily. I also think other countries should follow China in not naively accepting such technologies”.

Again, you can disagree with the foundational reasons for distrust, and that could be very useful. But painting the essay and quote the way you (and others here) are is just intellectually dishonest. Disagree with what is actually said, not with what you imagine (or wish) was said.


But they serve ads. Do they say these ads are fully anonymized? The primary reason other vendors suck up all your data is precisely to serve ads. Why is Brave’s serving ads different?

I personally don’t find inserting affiliate referral codes acceptable either, but yes at the end of the day this is the user’s preference whether or not this is all acceptable to them.


Ok then you’re wilfully misreading the quote. That quote is not cryptic in the least. I have no clue why the parent comment is framing it as “holding up China as an example for the world to follow for privacy”. It doesn’t follow from the quote in any way.


Can you provide sources for this?

The source is that Russia murders its own oligarchs the second they fall out of Putin’s favor, and anyone who holds up a blank sign in protest of the regime gets shipped off to the front lines. No way that man would survive a second if he ever went against the party line. Which means he hasn’t done so.

A simple no would have been sufficient. I’m not interested in baseless speculation. I had hoped you had actual evidence, which would intrigue me greatly. As it is, I have someone’s imagination put to paper.

If I were him, I’d get on the next plane to the US and happily spend the rest of my life in Leavenworth rather than allow myself to become a propaganda tool for a bunch of genocidal fascists.

He’s not saying anything. He’s not being a propaganda tool. You can make a rather weaselly attempt to say his not denouncing something is in essence supporting it and thus being a propaganda tool, but that’s a stretch and rather disingenuous.


I think you may be right actually. When I read this

In this process, our EDDM vendor made a significant mistake by not excluding names, but instead including names before addresses, resulting in the distribution of personalized mailers.

from their statement, I made an assumption because I didn’t look at how EDDM works. The way I read “not excluding names, but instead including names” was: We sent a list of names to the vendor; the vendor was supposed to exclude those names, and mail to everyone else in the ZIP, but instead, they mailed to only those names. It seems that’s not an accurate understanding of the situation. I think the correct reading is: we said “no names” on our EDDM mailers but they acted as if we said “yes names” on our EDDM mailers.

From my original interpretation, that is essentially a customer list leak, or at least a ‘localized’ customer list leak, especially for anyone in a shared living environment where someone else may see the name printed on a Brave mailer and learn that that person is a Brave user.

Thanks for clearing it up though. Let me try to go back and edit a few previous comments where I’ve said this to clarify.


Edit: My comment below was based on a faulty understanding of how EDDM mailers worked and a faulty assumption I based on that ignorance. What they did in reality is little more than sending out spam mail, it was not a privacy violation.

Purely from a privacy standpoint, however, there has never been an indication they have violated users’ trust in that regard.

That’s simply not true though.

They have sent out direct mailers that basically equated to a customer list leak.

In regards to the mailers, they messed up and passed blame,

In this process, our EDDM vendor made a significant mistake by not excluding names, but instead including names before addresses, resulting in the distribution of personalized mailers.

I hope you consider a customer list leak to be a breach of privacy. And seeing how they didn’t take responsibility but tried to pass blame, they didn’t take such a mistake very seriously or respond in a manner that instills further trust.


Edit: My comment below was originally based on a faulty understanding of how EDDM mailers worked and a faulty assumption I based on that ignorance. What they did in reality is little more than sending out spam mail, it was not a privacy violation. I’ve removed the mention of the EDDM mailers since they aren’t relevant given this.

I’d take a peek at the wikipedia entry about their business model, which mentions some stuff that isn’t the most savory:

… Brave earns revenue from ads by taking a 15% cut of publisher ads and a 30% cut of user ads. User ads are notification-style pop-ups, while publisher ads are viewed on or in association with publisher content.

On 6 June 2020, a Twitter user pointed out that Brave inserts affiliate referral codes when users navigate to Binance

With regards to the CEO, he made a donation to an anti-LGBT cause when he was CEO of Mozilla in 2008. He lost his job at Mozilla due to his anti-LGBT stance. He also spreads COVID misinformation.

As others have pointed out, it’s also Chromium based, and so it is just helping Google destroy the web more than they already have.


Snowden doesn’t make any public statements any more without express permission from the Russian government.

Can you provide sources for this?

It might make sense for him to self-censor to avoid angering one of the few places that are allowing him to stay but even that’s not a given: if he felt something needed to be said badly enough, he’s shown to be the type of person who would rather something be said and take the repercussions on the nose than to leave something unsaid.


“Signal’s use luckily never caught on by the general public of China (or the Hong Kong Administrative region), whose government prefers autonomy, rather than letting US tech control its communication platforms, as most of the rest of the world naively allows.”

When you’re holding up China as an example for the world to follow for privacy

I interpret that quote to say that China doesn’t trust US tech like the rest of the world does. It’s not saying that China has more privacy and the rest of the world should follow, it’s saying that the rest of the world also shouldn’t be so naively trustworthy of US tech either.


However I can’t seem to turn off the telemetry at all…

Which telemetry, specifically? Anything you can’t find in the standard settings menu can be found in about:config. There are plenty of articles with huge lists of settings to adjust in about:config with explanations on what different values do.


Brave Search and Brave Browser are both products of the same company, Brave Software, Inc.


Hmm good point. I guess it is optional though so on the client end you can probably avoid sending anything (or just spoof as “web” at worst).


If you host a federated instance you can see all votes. Some platforms display votes in the UI (kbin I thought? by hovering over the vote button or score). I figure it’s only a matter of time before someone puts up a website to just see people’s votes.


How is session type made available in the federation? I wasn’t aware that was shared on the protocol.


Only your instance knows your IP and what links you visited. But everyone can see your votes.


No of course you can’t opt out of the social credit score.

what you watch on it is absolutely used to adjust your credit score.

And yet another bold claim that you are even being so bold as to say is absolutely true. Do you have evidence for this one, either?

I’m asking you to defend your claim that not using TikTok specifically affects your social credit score.

So no, I don’t have a direct source that says “you must use this app or your credit score goes down”, I have a reasonably informed idea that it probably does, based on China’s current treatment of its citizens.

This absolutely doesn’t follow. Can you elaborate on your logic here? There is no obvious line of reasoning from “china’s current treatment of its citizens” to “TikTok is mandatory”. Your imagination is not evidence of something.

Why, do you happen to have a single or any even tangentially related source pretending it doesn’t?

I’m not the one asserting that failure to use TikTok negatively affects your social credit score; no, I can’t find a source that explicitly states “not using TikTok doesn’t affect your social credit score”, because that’s not how this works. You make a positive assertion, you provide evidence to back that up.


In China choosing not to use it affects your social credit score, and whether you can buy a house or ride the bus.

Do you have any source that says that using TikTok is mandatory in China, or that not using it does what you’re asserting?


while currently the core-engine is kept highly encrypted and we do not publish it

Why not? If you’re 100% confident it’s secure, you should have no issue making it public. If you aren’t 100% confident it’s secure, not making it public is just dishonest and ends up hurting trust when something inevitably does happen. Also, what do you mean that the code is “highly encrypted”? First off, using phrases like “highly encrypted” and “military grade” are already massively suspicious because they’re marketing terms that really don’t mean anything. Second, keeping the code encrypted (at rest perhaps?) doesn’t mean anything; and in order to run the code, it has to be un-encrypted anyway.

There’s a bit of a debate about pros & cons of opening it, regarding confidential comms.

How so? Here are the possibilities:

  • Your code is 100% secure:
    • You don’t release it: nobody trusts your claim of security (and fairly so).
    • You do release it: people can verify for themselves that your claim is valid.
  • Your code is not 100% secure:
    • You don’t release it: nobody trusts your claim of security (and fairly so).
    • You do release it: you can potentially have bugs discovered for you; or, people will fairly decide not to use an insecure product.

There’s no situation in which not releasing code helps security or trust. Security by obscurity is not security.

Anyway we are independently pen-tested by volunteers.

Which is fine as one facet of being verifiably secure, but it’s not sufficient. Code can have flaws that pen-testers will not (or are very unlikely to) stumble upon, even with fuzzing environments. The proper approach is to have the code audited and openly available and to have independent pen-testing of the running implementation.

Not that I was a potential user of your software to begin with, but the way you’re describing your product and operations really would turn me off trusting it.


That’s fair, rival does have a different connotation than “competitor”, which is a more accurate term here I think.

Is the source code fully available for your product?


not rival of Signal, WhatsApp (or similar), but instead a complement for higher privacy

Sure sounds like you’re a rival if your bio is accurate. What do you gain from positioning yourself as not-a-rival? Wouldn’t it be more honest and beneficial to position yourself as a rival, and be very explicit in how and why you are better than alternatives?

Sorry for the several hashtags, it’s just the habit when posting

Why is this a habit though? It doesn’t help discoverability, at least not for random shit like #people and #policy and #terms. What is the point of that? Don’t all these services have full-text search, where searching for #Signal and Signal are equally effective at finding comments mentioning Signal? And, even if it was exceptionally useful at helping discoverability, it really hurts readability: it becomes harder to scan and is visually cluttered. It takes me significantly longer to read something full of #tags than without, and I’m lately likely to forgo reading such a comment entirely rather than put up with line noise.


Says the person with a 4 day old account whose bio is literally marketing-speak for a rival app:

The #messaging application with #anonymous identity, #untraceable content and military-grade #security. AKA the Dark Messenger.

Also, what is this infuriating nonsense where #every #word #is #tagged? #Can #you #not #type #normally? #Or #is #it #automated? #It’s #inane. And it hurts readability, which is really the bigger problem.


Depends on what you call a scam. I am not sure it’s the right word, but duplicitous behavior and definite privacy violations (even if by negligence) are absolutely true.

They have sent out direct mailers that basically equated to a customer list leak; also I’d take a peek at the wikipedia entry about their business model, which mentions some stuff that isn’t the most savory:

… Brave earns revenue from ads by taking a 15% cut of publisher ads and a 30% cut of user ads. User ads are notification-style pop-ups, while publisher ads are viewed on or in association with publisher content.

On 6 June 2020, a Twitter user pointed out that Brave inserts affiliate referral codes when users navigate to Binance

In regards to the mailers, they messed up and passed blame,

In this process, our EDDM vendor made a significant mistake by not excluding names, but instead including names before addresses, resulting in the distribution of personalized mailers.

With regards to the CEO, he made a donation to an anti-LGBT cause when he was CEO of Mozilla in 2008. He lost his job at Mozilla due to his anti-LGBT stance.

He also spreads COVID misinformation.


the money exchanged is for the servers, not for the data

That doesn’t hold up.

That’s like when you buy a sticker and the ounce of weed just “comes with it”. The money is for the sticker, not the weed. If your concern is who has your data, whether it was sold alone or as part of some other purchase doesn’t matter.


He made the donation when he was CEO of Mozilla in 2008. He lost his job at Mozilla due to his anti-LGBT stance.

He also spreads COVID misinformation.


They have sent out direct mailers that basically equated to a customer list leak; also I’d take a peek at the wikipedia entry about their business model, which mentions some stuff that isn’t the most savory:

… Brave earns revenue from ads by taking a 15% cut of publisher ads and a 30% cut of user ads. User ads are notification-style pop-ups, while publisher ads are viewed on or in association with publisher content.

On 6 June 2020, a Twitter user pointed out that Brave inserts affiliate referral codes when users navigate to Binance

In regards to the mailers, they messed up and passed blame,

In this process, our EDDM vendor made a significant mistake by not excluding names, but instead including names before addresses, resulting in the distribution of personalized mailers.