Formerly /u/Zagorath on the alien site.

  • 0 Posts
  • 36 Comments
Joined 2Y ago
Cake day: Jun 15, 2023


Why is the open source Chromium ranked worse than Google Chrome?


Reread the comment you replied to. Not one word of it was in there accidentally.


Oh yes, that’s a very good point, actually. That actually seems such a fundamental use case that you could almost justify it being available without a permission.


Maybe, but I’d like to see a concrete example of how they are “designed to talk to each other” that couldn’t be achieved by the extension just reading the DOM.


I agree with you about dropdown menus being something that could/should be natively available to HTML, but I’m less convinced about form submission. Sure, if we assume everything is happy path it’s a great idea, but a system needs to be robust enough to handle a variety of cases. Maybe you want to redirect a user to a log-on page if they get back a 401, or present an explanation if they get a 403. A 5XX should usually display some sort of error message to the user. A 201 probably needs to add an element into the page, while a 200 might do nothing, or might alter something on the page.

With the huge range of possible paths and desired effects, it pretty quickly becomes apparent that designing an HTML & CSS–only spec that can meet the needs is infeasible. There’s definitely a case to be made that JavaScript has become too powerful and can do too many potentially dangerous or privacy-invading things. And maybe a new range of permissions could be considered to limit a lot of that at a more fundamental level. But what we’re talking about here with the form submission stuff is the real bare-bones basic stuff JavaScript was designed to make easier—alter the contents of web pages on the fly in response to user actions. And it’s really, really good at that.


  • Your operating system
  • Your CPU architecture

Agree. No reason they should have this.

  • Your JS interpreter’s version and build ID

I can see a reasonable argument for this being allowed. Feature detection should make this unnecessary, but it doesn’t seem to be fully supported yet.

  • Plugins & Extensions

This is clearly a break of the browser sandbox and should require explicit permission at the very least (if not be blocked outright…I’m curious what the legitimate uses for these would be).

  • Accelerometer and gyroscope & magnetic field sensor

Should probably be tied to location permission, for the sake of a simple UX.

  • Proximity sensor

Definitely potential legitimate reasons for this, but it shouldn’t be by default.

  • Keyboard layout

As someone who uses a non-QWERTY (and non-QWERTY-based) layout, this is one I have quite a stake in. The bottom line is that even without directly being able to obtain this, a site can very easily indirectly obtain it anyway, thanks to the difference between event.code and event.key. And that difference is important, because there are some cases where it’s better to use one or the other. A browser-based game, for example, probably wants to use event.code so the user can move around based on where WASD would be on a QWERTY keyboard, even though as a Dvorak user, for me that would be <AOE. But keyboard shortcuts like J and K for “next”/“previous” item should usually use event.key.

There could/should be a browser setting somewhere, or an extension, that can hide this from sites. But it is far too useful, relative to its fingerprinting value, to restrict for ordinary users.

how sensors are used to fingerprint you, I think it has to do with manufacturing imperfections that skew their readings in unique ways

It’s also simple presence detection. “You have a proximity sensor” is a result not every browser will have, so it helps narrow down a specific browser.
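
The event.code / event.key split described in the comment above, as an added example that is not part of the original comment. The sample events are constructed, and `maskLayout` is a hypothetical hiding step, not a real browser or extension API; it shows what such a setting would cost.

```javascript
// Constructed sample: keydown data a Dvorak user's browser would report.
// `code` is the physical key position, `key` is the character produced.
const dvorakEvents = [
  { code: "KeyW", key: "," }, { code: "KeyA", key: "a" },
  { code: "KeyS", key: "o" }, { code: "KeyD", key: "e" },
  { code: "KeyC", key: "j" }, { code: "KeyV", key: "k" },
];

// Game movement: bind to physical position so WASD sits under the same fingers.
const MOVES = { KeyW: "up", KeyA: "left", KeyS: "down", KeyD: "right" };
function moveFor(ev) { return MOVES[ev.code] ?? null; }

// Mnemonic shortcuts: bind to the character the user actually typed.
const SHORTCUTS = { j: "next", k: "previous" };
function shortcutFor(ev) { return SHORTCUTS[ev.key.toLowerCase()] ?? null; }

// Character a US QWERTY layout produces for a letter key code ("KeyW" -> "w").
function qwertyKeyFor(code) {
  const m = /^Key([A-Z])$/.exec(code);
  return m ? m[1].toLowerCase() : null;
}

// True when any letter key's character differs from its QWERTY position,
// i.e. the two fields together already disclose a non-QWERTY layout.
function layoutVisible(events) {
  return events.some((ev) => {
    const expected = qwertyKeyFor(ev.code);
    return expected !== null && ev.key.toLowerCase() !== expected;
  });
}

// Hypothetical masking step (an assumption, not a real API):
// report the QWERTY character for every letter key.
function maskLayout(ev) {
  return { code: ev.code, key: qwertyKeyFor(ev.code) ?? ev.key };
}
```

With masking applied the layout is no longer visible, but the key that types "j" on Dvorak now reports "c", so the J/K shortcuts stop following the user's layout.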


if you’re an excel power user, you’ll need to learn Libreoffice Calc

Let’s be honest…most people who are Excel power users probably need to interact with other users. Sending and receiving documents and templates, etc. Simply learning Calc yourself isn’t going to suffice, you’d have to convince your entire business to switch.


Yeah I agree. I’d love to get rid of maps, but location history is just way too valuable to give up, and I couldn’t find anybody else who does it.

I also really like navigation that’s responsive to current traffic levels. Obviously even if someone else provided that, them having fewer users would mean it’s not going to be very effective, but I’d be willing to switch to someone else who at least was attempting to do that, even if their userbase wasn’t there yet.

Right now though…nobody that I could find even tries to do either of those crucial features.


I’m not 100% sure about DeArrow, but ReVanced definitely still works, and it does support Ajay’s Sponsorblock, so I suspect DeArrow would also be supported.


He also used the word “triggered” in the Reddit comments in the way right wingers are wont to do, and then tried to play the “I’m not American, I don’t understand how that word looks to you” card. Never mind that plenty of non-Americans know perfectly well how that looks.

No, it’s far more likely he picked up that word and knew exactly how it was used because he’s been hanging out in far right spaces.


It’s an in joke referencing some stuff he did in a previous season. I don’t think there’s any specific connection to Facebook.



Here’s an article from last year. It’s Australian, but I think it likely that car brands have the same or similar privacy policies wherever you go.

In short: Tesla and Korean brands are the worst. Japanese brands apart from Mazda are the best for privacy.


They don’t have a warrant canary and their excuse why not only applies to Swiss citizens

What is their excuse? I haven’t heard it.


Interesting in theory, so thanks for sharing. But in practice, not going to matter. It would require a third party to win in at least one state before the EC can fail to reach a majority.

Edit: actually on second thought, I suppose a tie is also possible without a third party winning. But still, a tiny edge case, really.


Reposting some links from a thread two days ago about his response on Reddit.

I thought this comment (and the thread below it…and the lack of any reply to it despite the CEO being all over the thread elsewhere) was pretty telling.

It’s much less of a strong tell, but is slightly concerning that he’s picked up language like “triggered”. As comments there say, his excuse of not being in-tune with American politics could be real, but is also possibly just plausible deniability, because he may have picked up on that language by hanging out online with fascists.


Gerrymandering isn’t possible with presidential races. And he won by 86 electoral college votes, including all of the states people were looking at as possible swing states. That’s why everyone is saying he won a landslide.

The fact that he won despite being a literal convicted criminal and despite having previously shown himself to be one of, if not the worst president in history, says a huge amount about Americans’ willingness to accept fascism. People are right to be troubled by this.


Yeah, there’s a reason I added that clarifying second sentence. To be a little more nuanced (but still overly simplistic because I don’t feel like writing an enormous essay right now), I would say you don’t have any expectation of privacy by default in public, but that anything that might reasonably amount to stalking because it’s targeted tracking of an individual, even if it involves footage of someone in public, is certainly not ok.


I don’t even care about the privacy aspect per se. Phone number as user ID is a crappy UX that fundamentally does not work when international travel, multiple devices, or needing to get a number changed. It also doesn’t work for shared accounts or people who might want multiple identities.

Some of these relate to privacy, secondarily, but my primary concern is the UX.


There is no expectation of privacy in public.

By which I mean that things like blurring a house from Street View are unreasonable.


Strip any tracking parameters you spot before following any URLs.

If it’s one of these QR codes at a restaurant for ordering, the parameters could possibly be necessary to properly connect your order to your table, depending on how they’re set up.


I have no idea what the law is in India, but if he got a “hacking” charge for this it would be a gross miscarriage of justice, considering he never once did anything resembling social engineering, brute forcing passwords, any sort of injection attack, or anything else that might actually be involved in hacking.

However, assuming he never tried to reach out to the company themselves first (and I saw no indication in the article that he had), this is really quite a horrible irresponsible disclosure. It’s pretty obviously a significant leak of sensitive data—both customer and business data—and giving them 90 days to fix it before alerting the public to what you found is pretty basic security ethics.


They’re not designed with privacy in mind, but I think one of the best things for video is supporting smaller more independent platforms. Things like Nebula, which is made up of a curated selection of high quality YouTubers who upload their YouTube videos sans advertising, as well as some small amount of unique bonus content. Nebula is owned by its creators, as an added bonus.

Or Dropout, made from the former CollegeHumor YouTube channel, it’s mostly sketch and improv comedy, as well as some D&D play videos.

Neither are privacy focused explicitly, but because of their direct relationship to their customers and lack of interest in advertising, they’re not incentivised to be bad for privacy like the bigger free platforms are.


Lemmy is absolute garbage on privacy

I mean, yeah, it is. But that’s because privacy is not what it’s trying to do. If anything, privacy is fundamentally antithetical to what it does. Saying “Lemmy is garbage on privacy” is a bit like saying “Microsoft Word is a terrible IDE”.


I had one of these with a new account recently. I forget what platform it was, but it wasn’t anything from Meta. Didn’t need to move your face in any specific way, but it was obviously doing some checks for signs of life so a simple photo wouldn’t work. I found a video of some random dude on YouTube just staring at the camera, and I pointed my camera at my computer screen while that played. Difficult, considering they only allowed the front-facing camera to work.


Gonna be honest, there’s no price I’d be willing to pay for YouTube Premium.

I used to pay for YouTube Red. I didn’t cancel it because it was too expensive, I cancelled it in retaliation for all the other shitty things YouTube has been doing. If YouTube wants me to return as a paying member, they need to reinstate the ability for small accounts to monetise their YouTube accounts; they need to stop demonetising/restricting educational content that might be related to war, weapons, sex, or sexuality; and they need to change their copyright policy to make it much, much harder to abuse false claims.


then quickly just dropping the pictures

Could even poke a camera-sized hole in the picture. And disguise it by putting that hole over something similarly-coloured.

But anyway, but of it is really that you can be held in contempt for refusing to unlock with biometrics, if they’ve got an appropriate warrant.


I believe the reason the 5th is usually referenced is that this usually comes up in situations where the 4th is already not relevant. Either because there already is a warrant, or because you’re crossing a border (which IMO seems like an incredibly sketchy excuse and would likely not have been accepted by those who originally penned the 4th amendment, but is at least well-established law at this point).

With the court order, you must give the passcode and/or unlock the phone

The thing is, case law has determined that this is not the case. Passcodes are fairly well protected, from what I’ve heard. You cannot be made to divulge them anywhere in the US, because of the 5th amendment, even with a warrant. Case law is more split on whether biometrics should be offered the same protection.

Though again, this is all my understanding of it having heard it third hand from Americans. Mostly from Americans who themselves are not legal experts, though I think I’ve at least a couple of times heard it directly from lawyers.


Most traffic these days goes over secure channels. Any time the website you’re accessing is HTTPS, they can see that you’re accessing that website, but they can’t see which pages you’re on or read what they say, or what you submit.

The exception is if they get you to install their own certificate to allow them to man-in-the-middle you. Laws in some authoritarian countries already require devices have root certificates that allow the government to spy on everything. And the EU is currently considering the same. Which should be a major concern for any European residents.


Also not a lawyer or a US person, but from listening to American tech media, this has been an issue of some debate for a decade or more now.

The trick lies in their 5th amendment right against self-incrimination. Police cannot require you to give your PIN because that would violate 5th amendment rights. It has been ruled in some parts of America (but the ruling in other parts has been the opposite, IIRC) that you can be forced to give biometric unlocks. In my opinion this is kinda silly and inconsistent. It might be in line with the letter of the law, but it’s certainly not in keeping with its spirit.



So you know what it is? I just tried both volume keys and all I got was TalkBack (Google’s screen reader).


It’s definitely not as bad for sign up, but it’s still a problem because usually after hitting “submit”, the password manager will detect what you just did and pop up something like “want me to save that?”


Honestly, Mozilla doesn’t even have the resources to maintain a proper WebKit-based version of Firefox on iPadOS, when a large amount of the work is handled for them by Apple. (See, for example, the fact that it still does not support multiple windows, a feature that has been available since 2019.) It would seem a mistake for them to try taking on a much larger load of work when they can’t handle what they’ve already taken on.


I think you’d have a hard time legally saying that they have to provide a service to users when that service is paid for by selling access to users via advertising, even if the user refuses to allow that access. It would probably qualify as “necessary for such performance”.

Having the extra option to pay to remove ads (while I think this price is ridiculously excessive) is a pretty reasonable compromise. Although it also feels kinda icky in the sense that it means you’re essentially turning privacy into a privilege for the wealthy. So I dunno, it’s a tricky issue.


I would feel a lot better about it if the price was anything close to how much they actually make from people’s data. Something like $30 per year according to Facebook themselves, in 2019.

But yeah, the notion that people should be entitled to all these online services completely free of charge while also not allowing it to be paid for through advertising is ludicrous.