Privacy

I am resharing it to benefit the highest amount of people.

I wanted to list and ask for platforms that can substitute YouTube.

Here it's:

• NASA+, Space and Astronomy Videos.
• Vimeo, Professional Videos and Documentaries.
• TED, Talks and presentations.
• PeerTube, there is not a lot of videos, but some creators upload there.
• ARTE, Euro documantries and analysis.
• RedBull TV, Sports related videos.
• RTE Player, Journalism.
• BBC videos, diverse topics.
• NFB Films, Canadian Films.

I am looking for a reliable and preferably privacy oriented alternative to Skype credit - a service that allows me to call landlines and mobile phones via an app or website. I've heard of Yadaphone and Yolla, but I don't know much about them. Do you guys have any experience with these? Do you have other recommendations?

1. Persistent Device Identifiers

My id is (1 digit changed to preserve my privacy):

38400000-8cf0-11bd-b23e-30b96e40000d

Android assigns Advertising IDs, unique identifiers that apps and advertisers use to track users across installations and account changes. Google explicitly states:

“The advertising ID is a unique, user-resettable ID for advertising, provided by Google Play services. It gives users better controls and provides developers with a simple, standard system to continue to monetize their apps.” Source: Google Android Developer Documentation

This ID allows apps to rebuild user profiles even after resets, enabling persistent tracking.

2. Tracking via Cookies

Android’s web and app environments rely on cookies with unique identifiers. The W3C (web standards body) confirms:

“HTTP cookies are used to identify specific users and improve their web experience by storing session data, authentication, and tracking information.” Source: W3C HTTP State Management Mechanism https://www.w3.org/Protocols/rfc2109/rfc2109

Google’s Privacy Sandbox initiative further admits cookies are used for cross-site tracking:

“Third-party cookies have been a cornerstone of the web for decades… but they can also be used to track users across sites.” Source: Google Privacy Sandbox https://privacysandbox.com/intl/en_us/

3. Ad-Driven Data Collection

Google’s ad platforms, like AdMob, collect behavioral data to refine targeting. The FTC found in a 2019 settlement:

“YouTube illegally harvested children’s data without parental consent, using it to target ads to minors.” Source: FTC Press Release https://www.ftc.gov/news-events/press-releases/2019/09/google-youtube-will-pay-record-170-million-settlement-over-claims

A 2022 study by Aarhus University confirmed:

“87% of Android apps share data with third parties.” Source: Proceedings of the ACM on Interactive, Mobile, Wearable and Ubiquitous Technologies https://dl.acm.org/doi/10.1145/3534593

4. Device Fingerprinting

Android permits fingerprinting by allowing apps to access device metadata. The Electronic Frontier Foundation (EFF) warns:

“Even when users reset their Advertising ID, fingerprinting techniques combine static device attributes (e.g., OS version, hardware specs) to re-identify them.” Source: EFF Technical Analysis https://www.eff.org/deeplinks/2021/03/googles-floc-terrible-idea

5. Hardware-Level Tracking

Google’s Titan M security chip, embedded in Pixel devices, operates independently of software controls. Researchers at Technische Universität Berlin noted:

“Hardware-level components like Titan M can execute processes that users cannot audit or disable, raising concerns about opaque data collection.” Source: TU Berlin Research Paper https://arxiv.org/abs/2105.14442

Regarding Titan M: Lots of its rsearch is being taken down. Very few are remaining online. This is one of them available today.

"In this paper, we provided the first study of the Titan M chip, recently introduced by Google in its Pixel smartphones. Despite being a key element in the security of these devices, no research is available on the subject and very little information is publicly available. We approached the target from different perspectives: we statically reverse-engineered the firmware, we audited the available libraries on the Android repositories, and we dynamically examined its memory layout by exploiting a known vulnerability. Then, we used the knowledge obtained through our study to design and implement a structure-aware black-box fuzzer, mutating valid Protobuf messages to automatically test the firmware. Leveraging our fuzzer, we identified several known vulnerabilities in a recent version of the firmware. Moreover, we discovered a 0-day vulnerability, which we responsibly disclosed to the vendor."

Ref: https://conand.me/publications/melotti-titanm-2021.pdf

6. Notification Overload

A 2021 UC Berkeley study found:

“Android apps send 45% more notifications than iOS apps, often prioritizing engagement over utility. Notifications act as a ‘hook’ to drive app usage and data collection.” Source: Proceedings of the ACM on Human-Computer Interaction https://dl.acm.org/doi/10.1145/3411764.3445589

How can this be used nefariously?

Let's say you are a person who believes in Truth and who searches all over the net for truth. You find some things which are true. You post it somewhere. And you are taken down. You accept it since this is ONLY one time.

But, this is where YOU ARE WRONG.

THEY can easily know your IDs - specifically your advertising ID, or else one of the above. They send this to Google to know which all EMAIL accounts are associated with these IDs. With 99.9% accuracy, AI can know the correct Email because your EMAIL and ID would have SIMULTANEOUSLY logged into Google thousands of times in the past.

Then they can CENSOR you ACROSS the internet - YouTube, Reddit, etc. - because they know your ID. Even if you change your mobile, they still have other IDs like your email, etc. You can't remove all of them. This is how they can use this for CENSORING. (They will shadow ban you, you wont know this.)

• The access is limited to immigrants with final removal orders
• This breaks decades of IRS promise of tax data confidentiality
• The deal follows leadership changes at IRS that favored cooperation

I have been looking for a good calorie tracker on iOS for some time, but have never found one with the features I want while being either open source or privacy respecting (or both). Android has a few options but the UI is very dated to day the least.

In order to fill this gap, I am considering building one, but if someone can point me to an existing app to save me the time, I would be very thankful.

“The space researcher was allegedly randomly checked on arrival, during which his professional computer and personal telephone were allegedly searched. Similarly, messages about the Trump administration’s treatment of scientists have been found.”

https://9to5google.com/2025/03/18/pebble-smartwatch-core-reboot-price-battery-pre-order/

Fastbackgroundcheck. com says there's info on me on truthfinder, spokeo, peoplefinders and instantcheckmate. When I try going through all four of those sites takes a super long time, including a few times in the past when I tried getting reports on myself.

The progress bars reach 100% and reset continously. If these sites are legimate like some reddit users claim, then why or be upfront about wanting me to pay? Right now I'm convinced that these sites are snake oil, maybe they work if you pay but the behavior of the free options turn me off. They act 100% like typical scam websites, the kind that asks you to complete three surveys on external sites with fake progress bars.

Basic info like my full name, address, age, and siblings can be found with search engines easily but I feel like there's no point in trying to wipe it if there aren't methods that could definitely work.

For those not familiar, there are numerous messages containing images being repeatedly spammed to many Threadiverse users talking about a Polish girl named "Nicole". This has been ongoing for some time now.

Lemmy permits external inline image references to be embedded in messages. This means that if a unique image URL or set of image URLs are sent to each user, it's possible to log the IP addresses that fetch these images; by analyzing the log, one can determine the IP address that a user has.

In some earlier discussion, someone had claimed that local lemmy instances cache these on their local pict-rs instance and rewrite messages to reference the local image.

It does appear that there is a closed issue on the lemmy issue tracker referencing such a deanonymization attack:

https://github.com/LemmyNet/lemmy/issues/1036

I had not looked into these earlier, but it looks like such rewriting and caching intending to avoid this attack is not occurring, at least on my home instance. I hadn't looked until the most-recent message, but the image embedded here is indeed remote:

https://lemmy.doesnotexist.club/pictrs/image/323899d9-79dd-4670-8cf9-f6d008c37e79.png

I haven't stored and looked through a list of these, but as I recall, the user sending them is bouncing around different instances. They certainly are not using the same hostname for their lemmy instance as the pict-rs instance; this message was sent from nicole92 on lemmy.latinlok.com, though the image is hosted on lemmy.doesnotexist.club. I don't know whether they are moving around where the pict-rs instance is located from message to message. If not, it might be possible to block the pict-rs instance in your browser. That will only be a temporary fix, since I see no reason that they couldn't also be moving the hostname on the pict-rs instance.

Another mitigation would be to route one's client software or browser through a VPN.

I don't know if there are admins working on addressing the issue; I'd assume so, but I wanted to at least mention that there might be privacy implications to other users.

In any event, regardless of whether the "Nicole" spammer is aiming to deanonymize users, as things stand, it does appear that someone could do so.

My own take is that the best fix here on the lemmy-and-other-Threadiverse-software-side would be to disable inline images in messages. Someone who wants to reference an image can always link to an external image in a messages, and permit a user to click through. But if remote inline image references can be used, there's no great way to prevent a user's IP address from being exposed.

If anyone has other suggestions to mitigate this (maybe a Greasemonkey snippet to require a click to load inline images as a patch for the lemmy Web UI?), I'm all ears.

On Lemmy when we view someone's profile we have a "Send Message" option. We are warned the message is not truly private. We may see a recommendation to "create an account on Element.io for secure messaging" or we might see a "Send Secure Message" button to send a message to a user through matrix.to for users who have configured this feature.

Looking closely, we might notice element.io and matrix.to connections are going through Cloudflare. For anyone expecting to have a private conversation, this link may explain why there could be cause for concern (search for "TLS flows" at that link). https://lemmy.world/post/26919564

Is https://tuta.com/ a perfect email service? No, it's not. Tuta employees do not have access to your messages on the server at rest, which is a very strong feature. Since the service is hosted in Germany, with sufficient legal justification, the German government could request an encrypted version of your mailbox and Tuta would have to comply. With enough time and resources, any encryption can be compromised. For most people for most use cases, such a situation is already sufficient.

I do not want to encourage people to use the service for illegal activites and so I will suggest if you want to do something illegal, do it elsewhere.

For the rest of us, I think Tuta has a lot to offer. Tuta trades in money, not data. You pay for a service with a generous amount of storage (20 GB), several email address aliases (which could be used for points cards or other data collection services), encrypted searching of your full mailbox, unlimited calendars, the ability to use your own domain name for email accounts, and more. Paying by Monero, Bitcoin, or cash are also privacy focused options through their partner, Proxystore.

Tuta also understands there are people who can accept a basic plan for private communication, and offers a fairly generous free tier, providing 1 GB of storage while still offering the same encryption benefits for stored messages and messages sent between Tuta users. Encrypted search may be limited to more recent messages with the free tier, and only 1 calendar is available. The free tier is generous enough for everyone to use Tuta for relatively private communication.

You could start with a free account and optionally switch to a paid account later, when needed.

First, visit the Download Tuta section. https://tuta.com/#download

Downloads exist for Android (strikingly it can be downloaded from F-Droid), iOS, Windows, Linux, and macOS.

To use an Android APK file downloaded from F-Droid, you may need to change your phone's settings to enable the "Install unknown apps" option.

Different models of Andoid phones have different paths to this option. 1 Open the Settings app on your phone. 2 Go to Apps or Apps & notifications or Security & fingerprint or Security. 3 Go to 3 periods at the top right and choose Special access or Special app access or Advanced and then Special app access or for older phones you might already be in the right place and can scroll down. 4 Select Install unknown apps and enable a file manager app (My Files) or Unknown sources and enable it or Install from Unknown Sources and enable it. 5 Confirm your choice to allow apps to be installed from unknown sources.

Once you install the app, you can sign up for an account.

It is possible to sign up using a web browser, but your email address and password are likely to be synchronized by your web browser, and the confidentiality aspect may disappear. Don't let your web browser save your email and password if you choose to sign up using your web browser.

A lazy person can rely on the downloaded mobile app or desktop application to save the password, provided you normally take good steps to protect your device from physical access.

After you create your account, you will be given 64 character recovery code to write on paper. It is highly recommended you record these 64 characters on paper and store the paper in a safe place. Maybe the same place where you would put a cryptocurrency passphrase or a secret map to pirate treasure. It would also be nice to write the password on paper and safely store it there.

It is not recommended to use a "notes app" or any other electronic method of storing your 64 character recovery code. The convenience of cloud sync means you may lose the confidentiality of your communication. For a similar reason, it is not recommended to print your 64 character recovery code. You may instead choose not to store a copy of the 64 character recovery code anywhere since you can look it up later within your account as long as you do not forget your password.

If you usually enjoy using the convenience of synchronizing passwords from one device to another, a different approach is offered for Tuta. Install a mobile app or desktop application on each device and save your password within the Tuta mobile app or Tuta desktop application. If you protect physical access to your device, you can enjoy this convenience without your password being synchronized through another cloud service.

If you are willing not to be lazy, choose a password you can remember and do not mind typing each time.

After you create your account and log in, useful icons will appear on the left side of the screen. On mobile devices, you may need to open a menu of 3 horizontal bars to access the icons. Select the lightbulb icon (News) and choose to deactivate (or activate) usage data. Close the popup.

In that same section of icons, choose the gear icon (Settings). On mobile devices, you may need to open a menu of 3 horizontal bars menu to switch between Settings subpages. Switch to the Email subpage.

On the Settings Email subpage, there are useful settings. You can change how emails are displayed. You can change the email signature to a custom one. You can set a default delivery value for emails to non-Tuta users (confidential means sharing a password with them, not confidential means unencrypted email, and your choice can be changed when writing an email). Under the Email addresses heading you can expand the list and press the 3 horizontal dots to set your name.

If you ever plan to email someone outside of Tuta, you'll want to set your name so your email isn't marked as spam. If you only want to use Tuta privately with friends and family, you do not need to set your name and emails will still be delivered safely to other Tuta users.

Most other Settings have reasonable defaults and can be viewed later.

To return to your inbox on a mobile device, press the Emails icon in the lower left. On desktop, click the Emails button in the upper right.

On your mobile device, you can create a New email by pressing the piece of paper and pencil icon in the upper right. On desktop, click the New email button at the upper left.

Tuta protects your IP address and does not send it in the email header of your email messages.

Tuta emails you, including tips, news, self-promotion of their paid plans, and partner ads offering a discount. Other than targeting free users with self-promotion of their paid plans, there are no targeted advertisements. Your mailbox is not used to profile you and your mailbox is not given to AI.

If you previously created a Tuta account and saved your password in your web browser, I suggest changing your password and do not save the updated password in your web browser. To change your password, choose the gear icon (Settings) on the left side of the screen. On mobile devices, you may need to open a menu of 3 horizontal bars to access the icons. The Login subpage is already selected and you can change your password. You can also choose to update your recovery code if you feel it may have been leaked.

I suggest using Lemmy's "Send Message" feature to share your Tuta account with other Lemmy users and then continue your private discussions more privately with Tuta.

cross-posted from: https://lemmy.ca/post/40848536

cross-posted from: https://europe.pub/post/9311

In case you ever wanted to blur your house from google street view you can. A little privacy i suppose, its pretty easy. you dont need a reason to do it. This probaly the only thing google lets opt out of which is cool.

Originally posted on Reddit

The only Pixel I have is a Pixel 3XL which is not supported anymore for updates. A few questions. does that mean at some point you have to buy a new phone all the time? How long are they supported, do I need the buy the newest one everytime to have a decently long support? If I can install Calyx, but have already degoogled my phone, is Calyx still useful? But I suppose at this point it's still better to get a Pixel anyway and install Graphene which is supposedly better? how risky is it to run an unsupported phone like my Pixel 3XL? What can happen?

I'm curious what everyone thinks about DuckDuckGo's current settings. I have my browser settings set to delete history, cache and cookies on closing. This creates an issue when using duckduckgo as my primary search engine. Their 'default' settings (available right below the searchbar) seem far from privacy focused. AI Chat is on by default and used 'sometimes', as well as 'advertisting' and 'location' settings that are on by default. This requires me to have to change the settings every time I load my browser due to any settings I save being deleted by my browser setup. I don't want to install a duckduckgo extension. How do others deal with this? I know you can 'save anonymously' your settings in the cloud, but I'm not eager to do that.

collapsed inline media

collapsed inline media

The answer to "what is Firefox?" on Mozilla's FAQ page about its browser used to read:

The Firefox Browser is the only major browser backed by a not-for-profit that doesn’t sell your personal data to advertisers while helping you protect your personal information.

Now it just says:

The Firefox Browser, the only major browser backed by a not-for-profit, helps you protect your personal information.

In other words, Mozilla is no longer willing to commit to not selling your personal data to advertisers.

A related change was also highlighted by mozilla.org commenter jkaelin, who linked direct to the source code for that FAQ page. To answer the question, "is Firefox free?" Moz used to say:

Yep! The Firefox Browser is free. Super free, actually. No hidden costs or anything. You don’t pay anything to use it, and we don’t sell your personal data.

Now it simply reads:

Yep! The Firefox Browser is free. Super free, actually. No hidden costs or anything. You don’t pay anything to use it.

Again, a pledge to not sell people's data has disappeared. Varma insisted this is the result of the fluid definition of “sell” in the context of data sharing and privacy.

In TOS they can have our data entered in browser as royalty free data. Now, what? I know we can use Librewolf but if Mozzila goes full evil. Then what choice we have. Can we make Mozzila reverse this changes? Remind them to be not evil? Both Proton and Firefox are core part of my privacy focus life. I swear to God I hate capitalism they all are just doing this for money.

Stolen from @vmstan

More analysis from @wiredfire:

It’s nothing to do with [difficulties in using multiple platforms]. It’s to do with the massive backlash they got on Fedi for their CEO being all Trumpy and somewhat horrible right wing. So they’ve run away because they were made to feel unwelcome on account of us not letting their BS fly.

Original screenshot is of the bio of https://mastodon.social/@protonprivacy and wasn’t a post (that confused me for a sec).

Google Threat Intelligence Group (GTIG) has observed increasing efforts from several Russia state-aligned threat actors to compromise Signal Messenger accounts used by individuals of interest to Russia's intelligence services. While this emerging operational interest has likely been sparked by wartime demands to gain access to sensitive government and military communications in the context of Russia's re-invasion of Ukraine, we anticipate the tactics and methods used to target Signal will grow in prevalence in the near-term and proliferate to additional threat actors and regions outside the Ukrainian theater of war.

TL;DR: keep your apps updated & don't scan QR codes that you don't trust.

I've been working on my privacy setup and breaking away from Proton. There are a bunch of email providers I looked at, same with email aliases, password managers, etc.

But I don't understand the state of calendars. It feels like they're always shoved into email services, and they're all so crappy looking.

I was able to find one or two Android apps that are open source, and they look like they're 20 years old.

Proton Calendar, for all its faults, looks really good.

Why, in 2025, is there no simple calendar as a service with nothing else included? And why do the UIs all look like complete trash?

I don't get it. Can't one of us hire an intern to take a week to learn a CSS framework and create a decent calendar UI? Am I missing something?

Hi there!

Context: After the recent debacle with Proton I was finally pushed to look for other alternatives. I had already wanted to change services for a while so it was nice to get the final push. It's still a good service, open-source and all. I personally just wanted to look for something else. However, I had not realised how deeply I was integrated into the email+alias feature they had, and how much work it is to change out of this, I have a fair amount of accounts.

I have now found a new email provider and bought a new domain. However I've got a few questions for those to who rock custom domains:

1. Do you use random strings before the @ sign? Or do you use it like lemmy@example.com?
2. Because I'm considering using this as a catch-all address, doesn't this mean that anyone who wants (and knows the domain) and send spam on any random string before the @? Are you worried about this, and are there any counters to this?
3. As far as I've understood the main benefit of using my own domain for email, is that it will make it a lot easier to change providers in the future, as I can just change the nameservers so traffic is directed elsewhere - correct?

Thanks for any input, experiences or thoughts about this.

Ps. My threatmodel isn't that complex, I mainly want to stop spam from any potential services selling my email.

!privacy@lemmy.dbzer0.com

Hello everyone,

After a discussion on !fedigrow@lemm.ee ( https://feddit.org/post/6950586 ), a few people interested in privacy decided to reopen !privacy@lemmy.dbzer0.com as an alternative to !privacy@lemmy.ml .

It's also nice to have a privacy community on an instance that can be accessed via VPNs.

Feel free to join us there!

Unnecessary and deeply concerning bow to the new "king"