The blog post encourages readers to experiment with a provided Python script that demonstrates how easily location can be estimated using publicly available Wi-Fi network data and the Wigle.net API. By inputting the BSSIDs (unique identifiers) of nearby Wi-Fi networks, even without connecting to them, the script queries Wigle.net and returns a surprisingly accurate location estimate. The post highlights the privacy implications of this accessible technology, emphasizing how readily available information about wireless networks can be used to pinpoint someone's location with a simple script, regardless of whether location services are enabled on a device. This reinforces the previous post's message about the pervasiveness of location tracking.
Sourcehut, a software development platform, has taken a strong stance against unwarranted data requests from government agencies. They recount a recent incident where a German authority demanded user data related to a Git repository hosted on their platform. Sourcehut refused, citing their commitment to user privacy and pointing out the vague and overbroad nature of the request, which lacked proper legal justification. They emphasize their policy of only complying with legally sound and specific demands, and further challenged the authority to define clear guidelines for data requests related to publicly available information like Git repositories. This incident underscores Sourcehut's dedication to protecting their users' privacy and resisting government overreach.
Hacker News users generally supported Sourcehut's stance against providing user data to governments. Several commenters praised Sourcehut's commitment to user privacy and the clear, principled explanation. Some discussed the legal and practical implications of such requests, highlighting the importance of fighting against overreach. Others pointed out that the size and location of Sourcehut likely play a role in their ability to resist these demands, acknowledging that larger companies might face greater pressure. A few commenters offered alternative strategies for handling such requests, such as providing obfuscated or limited data. The overall sentiment was one of strong approval for Sourcehut's position.
The post "Everyone knows all the apps on your phone" argues that the extensive data collection practices of mobile advertising networks effectively reveal which apps individuals use, even without explicit permission. Through deterministic and probabilistic methods linking device IDs, IP addresses, and other signals, these networks can create detailed profiles of app usage across devices. This information is then packaged and sold to advertisers, data brokers, and even governments, allowing them to infer sensitive information about users, from their political affiliations and health concerns to their financial status and personal relationships. The post emphasizes the illusion of privacy in the mobile ecosystem, suggests that the current opt-out model is inadequate, and calls for a more robust approach to data protection.
Hacker News users discussed the privacy implications of app usage data being readily available to mobile carriers and how this data can be used for targeted advertising and even more nefarious purposes. Some commenters highlighted the ease with which this data can be accessed, not just by corporations but also by individuals with basic technical skills. The discussion also touched upon the ineffectiveness of current privacy regulations and the lack of real control users have over their data. A few users pointed out the potential for this data to reveal sensitive information like health conditions or financial status based on app usage patterns. Several commenters expressed a sense of resignation and apathy, suggesting the fight for data privacy is already lost, while others advocated for stronger regulations and user control over data sharing.
Amazon has removed the "Do Not Send" toggle in Alexa's privacy settings that previously prevented voice recordings from being reviewed by human annotators. While users can still delete their voice history and choose not to participate in the "Help improve Alexa" program, automatic deletion is no longer an option, meaning some voice recordings will be retained for an unspecified period for ongoing model development. Amazon claims this change simplifies privacy settings and reflects the primary way customers manage their data (i.e., through activity deletion).
Hacker News users reacted with cynicism and resignation to the news that Amazon silently removed the Alexa voice recording privacy option. Many expressed the belief that Amazon never truly honored the setting in the first place, speculating the data was still collected regardless of user preference. Some commenters suggested that this move further erodes trust in Amazon and reinforces the perception that "big tech" companies prioritize data collection over user privacy. Others recommended alternative smart home solutions that respect privacy or simply avoiding such devices altogether. A few wondered about the technical or legal reasons behind the change, with some speculating it might be related to training large language models.
The Register reports that Google collects and transmits Android user data, including hardware identifiers and location, to its servers even before a user opens any apps or completes device setup. This pre-setup data collection involves several Google services and occurs during the initial boot process, transmitting information like IMEI, hardware serial number, SIM serial number, and nearby Wi-Fi access point details. While Google claims this data is crucial for essential services like fraud prevention and software updates, the article raises privacy concerns, particularly because users are not informed of this data collection nor given the opportunity to opt out. This behavior raises questions about the balance between user privacy and Google's data collection practices.
HN commenters discuss the implications of Google's data collection on Android even before app usage. Some highlight the irony of Google's privacy claims contrasted with their extensive tracking. Several express resignation, suggesting this behavior is expected from Google and other large tech companies. One commenter mentions a study showing Google collecting data even when location services are disabled, and another points to the difficulty of truly opting out of this tracking without significant technical knowledge. The discussion also touches upon the limitations of using alternative Android ROMs or de-Googled phones, acknowledging their usability compromises. There's a general sense of pessimism about the ability of users to control their data in the Android ecosystem.
Mozilla's Firefox Terms state that they collect information you input into the browser, including text entered in forms, search queries, and URLs visited. This data is used to provide and improve Firefox features like autofill, search suggestions, and syncing. Mozilla emphasizes that they handle this information responsibly, aiming to minimize data collection, de-identify data where possible, and provide users with controls to manage their privacy. They also clarify that while they collect this data, they do not collect the content of web pages you visit unless you explicitly choose features like Pocket or Firefox Screenshots, which are governed by separate privacy policies.
HN users express concern and skepticism over Mozilla's claim to own "information you input through Firefox," interpreting it as overly broad and potentially invasive. Some argue the wording is likely a clumsy attempt to cover necessary data collection for features like sync and breach alerts, not a declaration of ownership over user-created content. Others point out the impracticality of Mozilla storing and utilizing such vast amounts of data, suggesting it's a legal safeguard rather than a reflection of actual practice. A few commenters highlight the contrast with Firefox's privacy-focused image, questioning the need for such strong language. Several users recommend alternative browsers like LibreWolf and Ungoogled Chromium, perceiving them as more privacy-respecting alternatives.
South Korea's Personal Information Protection Commission has accused DeepSeek, a South Korean AI firm specializing in personalized content recommendations, of illegally sharing user data with its Chinese investor, ByteDance. The regulator alleges DeepSeek sent personal information, including browsing histories, to ByteDance servers without proper user consent, violating South Korean privacy laws. This data sharing reportedly occurred between July 2021 and December 2022 and affected users of several popular South Korean apps using DeepSeek's technology. DeepSeek now faces a potential fine and a corrective order.
Several Hacker News commenters express skepticism about the accusations against DeepSeek, pointing out the lack of concrete evidence presented and questioning the South Korean regulator's motives. Some speculate this could be politically motivated, related to broader US-China tensions and a desire to protect domestic companies like Kakao. Others discuss the difficulty of proving data sharing, particularly with the complexity of modern AI models and training data. A few commenters raise concerns about the potential implications for open-source AI models, wondering if they could be inadvertently trained on improperly obtained data. There's also discussion about the broader issue of data privacy and the challenges of regulating international data flows, particularly involving large tech companies.
The author claims to have found a vulnerability in YouTube's systems that allows retrieval of the email address associated with any YouTube channel for a $10,000 bounty. They describe a process involving crafting specific playlist URLs and exploiting how YouTube handles playlist sharing and unlisted videos to ultimately reveal the target channel's email address within a Google Account picker. While they provided Google with a proof-of-concept, they did not fully disclose the details publicly for ethical and security reasons. They emphasize the seriousness of this vulnerability, given the potential for targeted harassment and phishing attacks against prominent YouTubers.
HN commenters largely discussed the plausibility and specifics of the vulnerability described in the article. Some doubted the $10,000 price tag, suggesting it was inflated. Others questioned whether the vulnerability stemmed from a single bug or multiple chained exploits. A few commenters analyzed the technical details, focusing on the potential involvement of improperly configured OAuth flows or mismanaged access tokens within YouTube's systems. There was also skepticism about the ethical implications of disclosing the vulnerability details before Google had a chance to patch it, with some arguing responsible disclosure practices weren't followed. Finally, several comments highlighted the broader security risks associated with OAuth and similar authorization mechanisms.
The Asurion article outlines how to manage various Apple "intelligence" features, which personalize and improve user experience but also collect data. It explains how to disable Siri suggestions, location tracking for specific apps or entirely, personalized ads, sharing analytics with Apple, and features like Significant Locations and personalized recommendations in apps like Music and TV. The article emphasizes that disabling these features may impact the functionality of certain apps and services, and offers steps for both iPhone and Mac devices.
HN commenters largely express skepticism and distrust of Apple's "intelligence" features, viewing them as data collection tools rather than genuinely helpful features. Several comments highlight the difficulty in truly disabling these features, pointing out that Apple often re-enables them with software updates or buries the relevant settings deep within menus. Some users suggest that these "intelligent" features primarily serve to train Apple's machine learning models, with little tangible benefit to the end user. A few comments discuss specific examples of unwanted behavior, like personalized ads appearing based on captured data. Overall, the sentiment is one of caution and a preference for maintaining privacy over utilizing these features.
Summary of Comments (50)
https://news.ycombinator.com/item?id=43716704
Hacker News users generally agreed with the article's premise, expressing concern over the ease with which location can be approximated or even precisely determined using readily available data and relatively simple techniques. Several commenters shared their own experiences replicating the author's methods, often with similar success in pinpointing locations. Some highlighted the chilling implications for privacy, particularly in light of data breaches and the potential for malicious actors to exploit this vulnerability. A few offered suggestions for mitigating the risk, such as VPN usage or scrutinizing browser extensions, while others debated the feasibility and effectiveness of such measures. Some questioned the novelty of the findings, pointing to prior discussions on similar topics, while others emphasized the importance of continued awareness and education about these privacy risks.
The Hacker News post titled "Everyone knows your location, Part 2: try it yourself and share the results" generated a moderate amount of discussion with a mix of reactions and insights related to the original article's claims about location tracking.
Several commenters shared their own experiences attempting the location tracking techniques described in the article, with varying degrees of success. Some reported being able to pinpoint locations with surprising accuracy, while others found the methods less effective or inconsistent. This led to a discussion about the reliability and practicality of these techniques in real-world scenarios.
A key point of discussion revolved around the ethical implications of readily accessible location tracking methods. Commenters debated the potential for misuse and the need for greater awareness and control over personal location data. Some argued for stricter regulations and increased transparency from companies collecting and utilizing location information.
Technical details of the tracking methods were also examined. Commenters discussed the specifics of IP address geolocation, WiFi positioning, and other techniques, including their limitations and potential vulnerabilities. Some commenters with expertise in networking and security offered insights into the accuracy and feasibility of these methods, pointing out factors that could influence the results.
The conversation touched upon the trade-offs between convenience and privacy in the context of location-based services. Commenters acknowledged the benefits of location services for navigation, personalized recommendations, and other applications, but also expressed concerns about the potential for surveillance and data breaches.
Some commenters also discussed potential mitigations and defenses against unwanted location tracking. Suggestions included using VPNs, disabling location services on devices, and being mindful of the permissions granted to apps.
Finally, a few commenters questioned the overall novelty of the information presented in the article, suggesting that the methods described were already well-known within the security and privacy community. However, they acknowledged the value in raising public awareness about these issues and making them accessible to a wider audience.