The post "Everyone knows all the apps on your phone" argues that the extensive data collection practices of mobile advertising networks effectively reveal which apps individuals use, even without explicit permission. Through deterministic and probabilistic methods linking device IDs, IP addresses, and other signals, these networks can create detailed profiles of app usage across devices. This information is then packaged and sold to advertisers, data brokers, and even governments, allowing them to infer sensitive information about users, from their political affiliations and health concerns to their financial status and personal relationships. The post emphasizes the illusion of privacy in the mobile ecosystem, suggesting that the current opt-out model is inadequate and calls for a more robust approach to data protection.
23andMe offers two data deletion options. "Account Closure" removes your profile and reports, disconnects you from DNA Relatives, and prevents further participation in research. However, de-identified genetic data may be retained for internal research unless you specifically opt out. "Spit Kit Destruction" goes further: you must contact customer support to have your physical sample destroyed. 23andMe says anonymized data may still be used, but asserts it can no longer be linked back to you. For the most comprehensive data removal, pursue both Account Closure and Spit Kit Destruction.
HN commenters largely discuss the complexities of truly deleting genetic data. Several express skepticism that 23andMe or similar services can fully remove data, citing research collaborations, anonymized datasets, and the potential for data reconstruction. Some suggest more radical approaches like requesting physical sample destruction, while others debate the ethical implications of research using genetic data and the individual's right to control it. The difficulty of separating individual data from aggregated research sets is a recurring theme, with users acknowledging the potential benefits of research while still desiring greater control over their personal information. A few commenters also mention the potential for law enforcement access to such data and the implications for privacy.
Global Privacy Control (GPC) is a browser or extension setting that signals a user's intent to opt out of the sale of their personal information, as defined by various privacy laws like CCPA and GDPR. Websites and businesses that respect GPC should interpret it as a "Do Not Sell" request and suppress the sale of user data. While not legally mandated everywhere, adopting GPC provides a standardized way for users to express their privacy preferences across the web, offering greater control over their data. Widespread adoption by browsers and websites could simplify privacy management for both users and businesses and contribute to a more privacy-respecting internet ecosystem.
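For a concrete picture of what honoring the signal can look like, here is a minimal server-side sketch in Python (Flask). It relies only on what the GPC specification defines, the `Sec-GPC: 1` request header sent by participating browsers; the route and the `opt_out_of_sale` helper are hypothetical stand-ins for whatever a site actually does to suppress data sales.

```python
# Minimal sketch (Flask) of honoring the GPC signal server-side.
# Per the GPC spec, participating browsers send the request header "Sec-GPC: 1".
# opt_out_of_sale() is a hypothetical placeholder for a site's own opt-out logic.
from flask import Flask, request

app = Flask(__name__)

def opt_out_of_sale(session_id: str) -> None:
    # Placeholder: record a "do not sell or share" preference for this session/user.
    print(f"Recorded do-not-sell preference for session {session_id}")

@app.route("/")
def index():
    gpc = request.headers.get("Sec-GPC", "")
    if gpc.strip() == "1":
        # Treat the signal as a valid opt-out request (e.g., under CCPA/CPRA).
        opt_out_of_sale(request.cookies.get("session_id", "anonymous"))
        return "GPC detected: your data will not be sold or shared."
    return "No GPC signal received."
```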
HN commenters discuss the effectiveness and future of Global Privacy Control (GPC). Some express skepticism about its impact, noting that many websites simply ignore it, while others believe it's a valuable tool, particularly when combined with legal pressure and browser enforcement. The potential for legal action based on ignoring GPC signals is debated, with some arguing that it provides strong grounds for enforcement, while others highlight the difficulty of proving damages. The lack of clear legal precedents is mentioned as a significant hurdle. Commenters also discuss the technicalities of GPC implementation, including the different ways websites can interpret and respond to the signal, and the potential for false positives. The broader question of how to balance privacy with personalized advertising is also raised.
Pressure is mounting on the UK Parliament's Intelligence and Security Committee (ISC) to hold its hearing on Apple's data privacy practices in public. The ISC plans to examine claims made in a recent report that Apple's data extraction policies could compromise national security and aid authoritarian regimes. Privacy advocates and legal experts argue a public hearing is essential for transparency and accountability, especially given the significant implications for user privacy. The ISC typically operates in secrecy, but critics contend this case warrants an open session due to the broad public interest and potential impact of its findings.
HN commenters largely agree that Apple's argument for a closed-door hearing regarding data privacy doesn't hold water. Several highlight the irony of Apple's public stance on privacy conflicting with their desire for secrecy in this legal proceeding. Some express skepticism about the sincerity of Apple's privacy concerns, suggesting it's more about competitive advantage. A few commenters suggest the closed hearing might be justified due to legitimate technical details or competitive sensitivities, but this view is in the minority. Others point out the inherent conflict between national security and individual privacy, noting that this case touches upon that tension. A few express cynicism about government overreach in general.
A misconfigured Amazon S3 bucket exposed over 86,000 medical records and personally identifiable information (PII) belonging to users of the nurse staffing platform Eshyft. The exposed data included names, addresses, phone numbers, email addresses, Social Security numbers, medical licenses, certifications, and vaccination records. The breach highlights the continued risk of unsecured cloud storage and the potential consequences for sensitive personal information. Eshyft, dubbed the "Uber for nurses," provides on-demand healthcare staffing solutions. While the company has since secured the bucket, the extent of the damage and the potential for identity theft and fraud remain a serious concern.
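As background on the kind of misconfiguration involved, here is a hedged boto3 sketch that enables S3 Block Public Access on a bucket. The bucket name is a placeholder and the snippet is generic AWS usage, not a description of Eshyft's actual setup.

```python
# Illustrative sketch: enable S3 Block Public Access on a bucket with boto3.
# "example-staffing-records" is a placeholder name, unrelated to the bucket
# described in the article.
import boto3

s3 = boto3.client("s3")

s3.put_public_access_block(
    Bucket="example-staffing-records",
    PublicAccessBlockConfiguration={
        "BlockPublicAcls": True,        # reject new public ACLs
        "IgnorePublicAcls": True,       # ignore any existing public ACLs
        "BlockPublicPolicy": True,      # reject public bucket policies
        "RestrictPublicBuckets": True,  # limit public/cross-account access
    },
)
print("Public access blocked for bucket 'example-staffing-records'")
```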
HN commenters were largely critical of Eshyft's security practices, calling the exposed data "a treasure trove for identity thieves" and expressing concern over the sensitive nature of the information. Some pointed out the irony of a cybersecurity-focused company being vulnerable to such a basic misconfiguration. Others questioned the competence of Eshyft's leadership and engineering team, with one commenter stating, "This isn't rocket science." Several commenters highlighted the recurring nature of these types of breaches and the need for stronger regulations and consequences for companies that fail to adequately protect user data. A few users debated the efficacy of relying on cloud providers like AWS for security, emphasizing the shared responsibility model.
Ecosia and Qwant, two European search engines prioritizing privacy and sustainability, are collaborating to build a new, independent European search index called the European Open Web Search (EOWS). This joint effort aims to reduce reliance on non-European indexes, promote digital sovereignty, and offer a more ethical and transparent alternative. The project is open-source and seeks community involvement to enrich the index and ensure its inclusivity, providing European users with a robust and relevant search experience powered by European values.
Several Hacker News commenters express skepticism about Ecosia and Qwant's ability to compete with Google, citing Google's massive data advantage and network effects. Some doubt the feasibility of building a truly independent index and question whether the joint effort will be significantly different from using Bing. Others raise concerns about potential bias and censorship, given the European focus. A few commenters, however, offer cautious optimism, hoping the project can provide a viable privacy-respecting alternative and contribute to a more decentralized internet. Some also express interest in the technical challenges involved in building such an index.
RLama introduces an open-source Document AI platform built on Ollama, a tool for running large language models locally. It allows users to upload documents in various formats (PDF, Word, TXT) and then interact with their content through natural language queries. RLama handles the complex tasks of document parsing, semantic search, and answer synthesis, providing a user-friendly way to extract information and insights from uploaded files. The project aims to offer a powerful, privacy-respecting, and locally hosted alternative to cloud-based document AI solutions.
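As a rough illustration of the local pipeline this enables, here is a minimal Python sketch that sends a document excerpt and a question to a locally running Ollama instance over its REST API. It is not RLama's own code and covers only the answer-synthesis step (RLama also handles parsing and semantic search); the model name and text are placeholders.

```python
# Minimal sketch: ask a locally hosted Ollama model a question about a document
# excerpt via Ollama's REST API. Not RLama's code; model name and excerpt are
# placeholders.
import requests

OLLAMA_URL = "http://localhost:11434/api/generate"

excerpt = "Q3 revenue grew 12% year over year, driven by the EMEA region."
question = "By how much did revenue grow, and what drove it?"

payload = {
    "model": "llama3",  # any model previously pulled with `ollama pull`
    "prompt": f"Answer using only this excerpt:\n{excerpt}\n\nQuestion: {question}",
    "stream": False,
}

resp = requests.post(OLLAMA_URL, json=payload, timeout=120)
resp.raise_for_status()
print(resp.json()["response"])
```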
Hacker News users discussed the potential of running powerful LLMs locally with tools like Ollama, expressing excitement about the possibilities for privacy and cost savings compared to cloud-based solutions. Some praised the project's clean UI and ease of use, while others questioned the long-term viability of local processing given the resource demands of large models. There was also discussion around specific features, like fine-tuning and the ability to run multiple models concurrently. Some users shared their experiences using the project, highlighting its performance and comparing it to other similar tools. One commenter raised a concern about the potential for misuse of powerful AI models made easily accessible through such projects. The overall sentiment was positive, with many seeing this as a significant step towards democratizing access to advanced AI capabilities.
Mozilla's Firefox Terms state that they collect information you input into the browser, including text entered in forms, search queries, and URLs visited. This data is used to provide and improve Firefox features like autofill, search suggestions, and syncing. Mozilla emphasizes that they handle this information responsibly, aiming to minimize data collection, de-identify data where possible, and provide users with controls to manage their privacy. They also clarify that while they collect this data, they do not collect the content of web pages you visit unless you explicitly choose features like Pocket or Firefox Screenshots, which are governed by separate privacy policies.
HN users express concern and skepticism over Mozilla's claim to own "information you input through Firefox," interpreting it as overly broad and potentially invasive. Some argue the wording is likely a clumsy attempt to cover necessary data collection for features like sync and breach alerts, not a declaration of ownership over user-created content. Others point out the impracticality of Mozilla storing and utilizing such vast amounts of data, suggesting it's a legal safeguard rather than a reflection of actual practice. A few commenters highlight the contrast with Firefox's privacy-focused image, questioning the need for such strong language. Several users recommend alternative browsers like LibreWolf and Ungoogled Chromium, perceiving them as more privacy-respecting alternatives.
South Korea's Personal Information Protection Commission has accused DeepSeek, the Chinese AI company behind the chatbot of the same name, of illegally sharing user data with China-based ByteDance. The regulator alleges the DeepSeek app sent South Korean users' personal information to ByteDance servers without proper user consent, violating South Korean privacy laws. DeepSeek now faces a potential fine and a corrective order.
Several Hacker News commenters express skepticism about the accusations against DeepSeek, pointing out the lack of concrete evidence presented and questioning the South Korean regulator's motives. Some speculate this could be politically motivated, related to broader US-China tensions and a desire to protect domestic companies like Kakao. Others discuss the difficulty of proving data sharing, particularly with the complexity of modern AI models and training data. A few commenters raise concerns about the potential implications for open-source AI models, wondering if they could be inadvertently trained on improperly obtained data. There's also discussion about the broader issue of data privacy and the challenges of regulating international data flows, particularly involving large tech companies.
An Oregon woman discovered her private nude photos had been widely shared in her small town, tracing the source back to the local district attorney, Marco Bocci, and a sheriff's deputy. The photos were taken from her phone while it was in police custody as evidence. Despite the woman's distress and the clear breach of privacy, both Bocci and the deputy are shielded from liability by qualified immunity (QI), preventing her from pursuing legal action against them. The woman, who had reported a stalking incident, now feels further victimized by law enforcement. An independent investigation confirmed the photo sharing but resulted in no disciplinary action.
HN commenters largely discuss qualified immunity (QI), expressing frustration with the legal doctrine that shields government officials from liability. Some argue that QI protects bad actors and prevents accountability for misconduct, particularly in cases like this where the alleged actions seem clearly inappropriate. A few commenters question the factual accuracy of the article or suggest alternative explanations for how the photos were disseminated, but the dominant sentiment is critical of QI and its potential to obstruct justice in this specific instance and more broadly. Several also highlight the power imbalance between citizens and law enforcement, noting the difficulty individuals face when challenging authority.
Umami is a self-hosted, open-source web analytics alternative to Google Analytics that prioritizes simplicity, speed, and privacy. It provides a clean, minimal interface for tracking website metrics like page views, unique visitors, bounce rate, and session duration, without collecting any personally identifiable information. Umami is designed to be lightweight and fast, minimizing its impact on website performance, and offers a straightforward setup process.
HN commenters largely praise Umami's simplicity, self-hostability, and privacy focus as a welcome alternative to Google Analytics. Several users share their positive experiences using it, highlighting its ease of setup and lightweight resource usage. Some discuss the trade-offs compared to more feature-rich analytics platforms, acknowledging Umami's limitations in advanced analysis and segmentation. A few commenters express interest in specific features like custom event tracking and improved dashboarding. There's also discussion around alternative self-hosted analytics solutions like Plausible and Ackee, with comparisons to their respective features and performance. Overall, the sentiment is positive, with many users appreciating Umami's minimalist approach and alignment with privacy-conscious web analytics.
The author claims to have found a vulnerability in YouTube's systems that allows retrieval of the email address associated with any YouTube channel; the discovery earned a $10,000 bounty. They describe a process involving crafting specific playlist URLs and exploiting how YouTube handles playlist sharing and unlisted videos to ultimately reveal the target channel's email address within a Google Account picker. While they provided Google with a proof of concept, they did not fully disclose the details publicly for ethical and security reasons. They emphasize the seriousness of the vulnerability, given the potential for targeted harassment and phishing attacks against prominent YouTubers.
HN commenters largely discussed the plausibility and specifics of the vulnerability described in the article. Some doubted the $10,000 price tag, suggesting it was inflated. Others questioned whether the vulnerability stemmed from a single bug or multiple chained exploits. A few commenters analyzed the technical details, focusing on the potential involvement of improperly configured OAuth flows or mismanaged access tokens within YouTube's systems. There was also skepticism about the ethical implications of disclosing the vulnerability details before Google had a chance to patch it, with some arguing responsible disclosure practices weren't followed. Finally, several comments highlighted the broader security risks associated with OAuth and similar authorization mechanisms.
A recent study argues that CAPTCHAs are essentially a profitable tracking system disguised as a security measure. While ostensibly designed to differentiate bots from humans, CAPTCHAs allow companies like Google to collect vast amounts of user data for targeted advertising and other purposes. The system has cost users a staggering amount of time, an estimated 819 million hours globally, and the data harvested through it is valued at nearly $1 trillion, with Google the primary beneficiary. The study argues that the actual security benefits of CAPTCHAs are minimal compared to the immense profits generated from the user data they collect. This raises concerns about the balance between online security and user privacy, suggesting CAPTCHAs function more as a data harvesting tool than an effective bot deterrent.
Hacker News users generally agree with the premise that CAPTCHAs are exploitative. Several point out the irony of Google using them for training AI while simultaneously claiming they prevent bots. Some highlight the accessibility issues CAPTCHAs create, particularly for disabled users. Others discuss alternatives, such as Cloudflare's Turnstile, and the privacy implications of different solutions. The increasing difficulty and frequency of CAPTCHAs are also criticized, with some speculating it's a deliberate tactic to push users towards paid "captcha-free" services. Several commenters express frustration with the current state of CAPTCHAs and the lack of viable alternatives.
Tim investigated the precision of location data used for targeted advertising by requesting his own data from ad networks. He found that location information shared with these networks, often through apps on his phone, was remarkably precise, pinpointing his location to within a few meters. He successfully identified his own apartment and even specific rooms within it based on the location polygons provided by the ad networks. This highlighted the potential privacy implications of sharing location data with apps, demonstrating how easily and accurately individuals can be tracked even without explicit consent for precise location sharing. The experiment revealed a lack of transparency and control over how this granular location data is collected, used, and shared by advertising ecosystems.
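A short back-of-envelope sketch shows why raw coordinates in ad requests are so revealing: one degree of latitude spans roughly 111 km, so every extra decimal place in a reported coordinate tightens the fix by a factor of ten (longitude spacing shrinks further away from the equator). The numbers below are generic, not taken from the article's data.

```python
# Back-of-envelope: how precisely a latitude coordinate locates you, by the
# number of decimal places transmitted. One degree of latitude is ~111,320 m.
METERS_PER_DEGREE_LAT = 111_320

for decimals in range(1, 7):
    resolution_m = METERS_PER_DEGREE_LAT * 10 ** (-decimals)
    print(f"{decimals} decimal place(s): ~{resolution_m:,.1f} m of latitude")

# 4 decimals already narrows latitude to ~11 m; 5 decimals to ~1.1 m,
# enough to distinguish one apartment (or room) from the next.
```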
HN commenters generally agreed with the article's premise that location tracking through in-app advertising is pervasive and concerning. Some highlighted the irony of privacy policies that claim not to share precise location while effectively doing so through ad requests containing latitude/longitude. Several discussed technical details, including the surprising precision achievable even without GPS and the potential misuse of background location data. Others pointed to the broader ecosystem issue, emphasizing the difficulty in assigning blame to any single actor and the collective responsibility of ad networks, app developers, and device manufacturers. A few commenters suggested potential mitigations like VPNs or disabling location services entirely, while others expressed resignation to the current state of surveillance. The effectiveness of "Limit Ad Tracking" settings was also questioned.
The Supreme Court upheld the federal law requiring TikTok's Chinese parent, ByteDance, to divest the app or see it banned in the United States, citing national security concerns. However, Donald Trump, who pushed for a ban during his first term, has suggested he might offer TikTok a reprieve if certain conditions are met. This potential lifeline could involve an American company taking over TikTok's U.S. operations. The situation remains uncertain, with TikTok's future in the U.S. hanging in the balance.
Hacker News commenters discuss the potential political motivations and ramifications of the Supreme Court upholding a TikTok ban, with some skeptical of Trump's supposed "lifeline" offer. Several express concern over the precedent set by banning a popular app based on national security concerns without clear evidence of wrongdoing, fearing it could pave the way for future restrictions on other platforms. Others highlight the complexities of separating TikTok from its Chinese parent company, ByteDance, and the technical challenges of enforcing a ban. Some commenters question the effectiveness of the ban in achieving its stated goals and debate whether alternative social media platforms pose similar data privacy risks. A few point out the irony of Trump's potential involvement in a deal to keep TikTok operational, given his previous stance on the app. The overall sentiment reflects a mixture of apprehension about the implications for free speech and national security, and cynicism about the political maneuvering surrounding the ban.
TikTok was reportedly preparing for a potential shutdown in the U.S. on Sunday, January 19, 2025, according to information reviewed by Reuters. This involved discussions with cloud providers about data backup and transfer in case a forced sale or ban materialized. However, a spokesperson for TikTok denied the report, stating the company had no plans to shut down its U.S. operations. The report suggested these preparations were contingency plans and not an indication that a shutdown was imminent or certain.
HN commenters are largely skeptical of a TikTok shutdown actually happening on Sunday. Many believe the Reuters article misrepresented the Sunday deadline as a shutdown deadline when it actually referred to a deadline for ByteDance to divest from TikTok. Several users point out that previous deadlines have come and gone without action, suggesting this one might also be uneventful. Some express cynicism about the US government's motives, suspecting political maneuvering or protectionism for US social media companies. A few also discuss the technical and logistical challenges of a shutdown, and the potential legal battles that would ensue. Finally, some commenters highlight the irony of potential US government restrictions on speech, given its historical stance on free speech.
iOS 18 introduces homomorphic encryption for some Siri features, allowing Apple's servers to process encrypted requests without ever decrypting them. This enhances privacy by preventing Apple from accessing the raw request data. Specifically, the device transforms a request into a numerical representation, encrypts it under a fully homomorphic encryption scheme, and sends it to Apple; the servers compute directly on the ciphertext and return an encrypted Siri response that only the user's device can decrypt. While promising improved privacy, the post raises concerns about potential performance impacts and the specific details of the implementation, which Apple hasn't fully disclosed.
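Apple has not published the details, so as general background here is a toy Paillier example in Python, an additively homomorphic scheme rather than the fully homomorphic construction the post describes. It shows the core idea: ciphertexts can be combined into a result that decrypts correctly without anyone decrypting the inputs. The primes are insecurely small and purely illustrative.

```python
# Toy additively homomorphic encryption (Paillier) illustrating computation on
# encrypted data. This is NOT Apple's scheme; the primes are insecurely small
# and chosen only for demonstration. Requires Python 3.9+.
import math
import random

def keygen(p: int, q: int):
    n = p * q
    lam = math.lcm(p - 1, q - 1)
    g = n + 1
    n_sq = n * n
    # L(x) = (x - 1) // n; mu is the modular inverse of L(g^lam mod n^2).
    mu = pow((pow(g, lam, n_sq) - 1) // n, -1, n)
    return (n, g), (lam, mu)

def encrypt(pub, m: int) -> int:
    n, g = pub
    n_sq = n * n
    while True:
        r = random.randrange(1, n)
        if math.gcd(r, n) == 1:
            break
    return (pow(g, m, n_sq) * pow(r, n, n_sq)) % n_sq

def decrypt(pub, priv, c: int) -> int:
    n, _ = pub
    lam, mu = priv
    n_sq = n * n
    return ((pow(c, lam, n_sq) - 1) // n * mu) % n

pub, priv = keygen(101, 103)          # toy primes; real deployments use ~2048-bit moduli
c1, c2 = encrypt(pub, 42), encrypt(pub, 17)

# Multiplying ciphertexts adds the underlying plaintexts: Dec(c1 * c2) = 42 + 17.
c_sum = (c1 * c2) % (pub[0] ** 2)
print(decrypt(pub, priv, c_sum))      # -> 59
```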
Hacker News users discussed the practical implications and limitations of homomorphic encryption in iOS 18. Several commenters expressed skepticism about Apple's actual implementation and its effectiveness, questioning whether it's fully homomorphic encryption or a more limited form. Performance overhead and restricted use cases were also highlighted as potential drawbacks. Some pointed out that the touted benefits, like encrypted search and image classification, might be achievable with existing techniques, raising doubts about the necessity of homomorphic encryption for these tasks. A few users noted the potential security benefits, particularly regarding protecting user data from cloud providers, but the overall sentiment leaned towards cautious optimism pending further details and independent analysis. Some commenters linked to additional resources explaining the complexities and current state of homomorphic encryption research.
Grayjay is a desktop application designed to simplify self-hosting for personal use. It offers a user-friendly interface for installing and managing various self-hosted applications, including services like Nextcloud, Jellyfin, and Bitwarden, through pre-configured containers. The app automates complex setup processes, like configuring reverse proxies and SSL certificates with Let's Encrypt, making it easier for non-technical users to run their own private cloud services on their local machines. It focuses on privacy, ensuring all data remains within the user's control.
Hacker News users discussed Grayjay's new desktop app, primarily focusing on its reliance on Electron. Several commenters expressed concern about Electron's resource usage, particularly RAM consumption, questioning if it was the best choice for an application like this. Some suggested alternative frameworks like Tauri or Flutter as potentially lighter-weight options. Others pointed out the benefits of Electron, such as cross-platform compatibility and ease of development, arguing that the resource usage is acceptable for many users. The discussion also touched on the app's features, with some users praising the focus on Markdown and others expressing interest in specific functionality like encryption and local storage. A few commenters mentioned existing note-taking apps and compared Grayjay's features and approach.
Summary of Comments (392)
https://news.ycombinator.com/item?id=43518866
Hacker News users discussed the privacy implications of app usage data being readily available to mobile carriers and how this data can be used for targeted advertising and even more nefarious purposes. Some commenters highlighted the ease with which this data can be accessed, not just by corporations but also by individuals with basic technical skills. The discussion also touched upon the ineffectiveness of current privacy regulations and the lack of real control users have over their data. A few users pointed out the potential for this data to reveal sensitive information like health conditions or financial status based on app usage patterns. Several commenters expressed a sense of resignation and apathy, suggesting the fight for data privacy is already lost, while others advocated for stronger regulations and user control over data sharing.
The Hacker News post "Everyone knows all the apps on your phone" (linking to a Substack article about app usage data collection) generated a lively discussion with several compelling comments.
Many commenters discussed the technical mechanisms behind this data collection, pointing out that it goes beyond simply tracking app store downloads. Several highlighted the role of "device graphs," which link together various devices and online identities belonging to the same individual through sophisticated cross-referencing of information like IP addresses, advertising identifiers, and shared accounts. This allows companies to build a comprehensive picture of a user's app usage even across different devices. Some elaborated on how this data is packaged and sold, emphasizing the scale and pervasiveness of this practice.
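To make the deterministic half of device-graph construction concrete, here is a hedged Python sketch (hypothetical records and field names) that merges devices into one identity cluster whenever they share a hard identifier such as an advertising ID or a login, using a simple union-find; real device graphs layer probabilistic signals like IP address, timing, and location on top of this.

```python
# Sketch of deterministic device-graph linking: any two records that share a
# hard identifier (advertising ID, account login, etc.) are merged into one
# identity cluster. Records and field names are hypothetical.
from collections import defaultdict

records = [
    {"device": "phone-1",  "ids": {"adid:AAA", "login:alice@example.com"}},
    {"device": "tablet-4", "ids": {"login:alice@example.com"}},
    {"device": "laptop-2", "ids": {"adid:AAA", "ip:203.0.113.7"}},
    {"device": "phone-9",  "ids": {"adid:ZZZ"}},
]

parent = {}

def find(x):
    parent.setdefault(x, x)
    while parent[x] != x:
        parent[x] = parent[parent[x]]   # path compression
        x = parent[x]
    return x

def union(a, b):
    parent[find(a)] = find(b)

# Link every record's device to each identifier it carries.
for rec in records:
    for ident in rec["ids"]:
        union(rec["device"], ident)

# Collect devices by the root of their identity cluster.
clusters = defaultdict(set)
for rec in records:
    clusters[find(rec["device"])].add(rec["device"])

for devices in clusters.values():
    print(sorted(devices))
# Expected grouping: {laptop-2, phone-1, tablet-4} together, phone-9 alone.
```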
A recurring theme was the lack of genuine informed consent. Commenters argued that the current opt-out mechanisms are often buried in complex privacy policies or presented in a way that discourages users from exercising their choices. Some expressed skepticism about the effectiveness of privacy-focused operating systems or VPNs in fully mitigating this tracking, given the sophisticated techniques employed by data brokers.
Several commenters discussed the implications of this data collection, ranging from targeted advertising to potential misuse by governments or malicious actors. Some raised concerns about the chilling effect this surveillance could have on freedom of expression and association. The potential for discrimination based on inferred characteristics from app usage was also mentioned.
A few commenters offered practical advice on mitigating this tracking, such as regularly clearing advertising identifiers and being selective about the permissions granted to apps. However, there was a general consensus that individual efforts are insufficient and that stronger regulatory measures are needed to address the systemic nature of this data collection.
Some of the more compelling comments included specific examples of how this data is used, anecdotes about unexpected data linkages, and technical deep dives into the methods employed by data brokers. The discussion also touched upon the ethical implications of this practice and the broader societal consequences of widespread digital surveillance. While some comments offered a resigned acceptance of this reality, others expressed a desire for greater transparency and control over personal data.