privacy Privacy *Permanently Deleted*
  • Avatar: "Initials" by Florian Körner, licensed under CC0 1.0 (remix of the original), created with dicebear.com (https://github.com/dicebear/dicebear)
    cipherpunk
    4 years ago 100%

    This allows to have a profile of commonly visited websites, making your shadow profile look less creepy to the governments, and you a lesser target of any kinds of snooping.

    You're afraid that by securing your communication and following sound security practices you'll stand out and appear suspicious. This is exactly what the gov and other pushers of mass surveillance want you to think. The idea has no merit.

    The privacy arising from the Tor network improves as traffic increases -- privacy in numbers. Being afraid to use it, and then minimizing your use as you do is detrimental to privacy for a few reasons:

    • When you need Tor's protection the most (e.g. when you're buying drugs or whistle blowing), you've made that traffic stand out from your other traffic. IOW, you're signaling your adversary precisely when it's most interesting to pay extra attention to you. Your drug purchase traffic should look no different than your bicycle purchase.
    • You also harm the privacy of others by reducing the cover traffic that helps everyone.
    • If the bicycle shop never gets legitimate Tor traffic, this prompts the shop to mistreat Tor users by policy, which in turn weakens the usefulness of the Tor network and actually constrains it to malicious use cases -- when in fact there are non-malicious use cases that are often denied (e.g. a Qwant search).
    2
  • privacy Privacy *Permanently Deleted*
    cipherpunk
    4 years ago 100%

    Using Tor for searches ironically puts you at risk if you are spending all your time on Tor network.

    What does time have to do with anything here? If all you do is search the web, most of your time is likely spent reading the screen, not moving data. And when you are retrieving data, you're less exposed if you do so over an e2e tunnel that runs over Tor -- not the clearnet as you suggest.

    There is a good chance you will end up using the clearnet via mobile phone or computer at some place or time, thus breaking your OPSEC like a twig.

    There's so many things wrong in this statement. I rarely use a "phone" (and rarely as a phone) but when I do I am not limited to clearnet. If you do a web search from your phone of course you should still use Tor, tools permitting.

    You speak of OPSEC as if to know what my threat model is. You don't. And generally speaking in the context of the thread, it's safe to say mass surveillance is in all our threat models. Of course you should avoid the clearnet to mitigate mass surveillance. It's poor advice to tell ppl to do their searches over clearnet. It's also poor advice to tell people that if the hypothetical situation arises that they're forced to use the clearnet, that this somehow ruins all the OPSEC they've done on past searches before that point. It's asinine.

    Formally speaking, the rule of least privilege is sensible. That is, you give the least amount of privilege necessary to get the job done. If you don't need to expose your home IP in one search and you don't need to expose to your ISP where you visit, of course you should not. If in another circumstance you need to give up that protection for some bizarre reason, then the rule of least privilege still applies; that is, you only give what you must. To suggest that ppl throw their hands up and say "because I can't securely do this search on my phone, I might as well give up on all my searches and do it all on the clearnet" is absolutely foolish.

    You secure what you can to the best extent that you can, or you're not doing security properly. If after exhausting non-clearnet searches you still don't get the search result that you're after, only then would it be sensible to resort to Qwant over clearnet. I've never had to do that, btw. I've always been able to find what I need w/out clearnet searching. Some searx instances successfully scrape MS Bing, which brings you close to Qwant results w/out the clearnet and without financially sponsoring Microsoft.

    1
  • announcements Announcements This is an Antifa instance
    cipherpunk
    4 years ago 34%

    I can't see which post you're replying to. These thread lines are an optical illusion.

    Antifa's method of activism is controversial

    While there is nothing controversial about being anti-racist, Antifa is not simply anti-racist. It's the style of activism that's controversial. From Wikipedia:

    Antifa is an anti-fascist political movement in the United States[2][3][4][5] comprising a diverse[6][7] array of autonomous groups that aim to achieve their objectives through the use of both non-violent and violent direct action rather than through policy reform.[8][9][10][11] Antifa political activists engage in protest tactics such as digital activism and militancy,[11][12] sometimes involving property damage, physical violence and harassment, against fascists, racists and the far-right

    Petitioning for policy reform is relatively non-controversial. But that's not Antifa. Obviously some of the more extreme actions (e.g. violence and property destruction) are controversial - and Antifa is open to them.

    Antifa's ideology is controversial

    Components of Antifa ideology:

    • anti-racism (non-controversial of course)
    • anti-capitalism (obviously controversial and IMO unpopular)
    • anarchy (obviously controversial and IMO unpopular)

    I can't even get my head around how it's possible to be both anti-capitalist and anarchist at the same time. Anarchy is also favored by the extreme right, and obviously anarchy is a recipe for pure uncontrolled capitalism -- most oppressive form of capitalism. What am I missing?

    Lemmy censorship

    In the case of lemmy.ml leadership, what we see is extreme censorship. We're not just talking censorship of trashy messages. I recently posted a thread on the status of the cock.li email servers, and it was censored because the word "cock" appeared in the domain name. (proof). Obviously it's essential to mention the domain name of the service we're talking about.

    No one will care if racist msgs get censored, but any post that's incompatible with an anti-capitalist or anti-government viewpoint is also likely to be censored when you see how fast and loose they are with the censor trigger.

    -8
  • privacy Privacy *Permanently Deleted*
    cipherpunk
    4 years ago 100%

    This is quite false to begin with. One does not need to use Tor all the time, firstly.

    We're talking about searches. Of course you should use Tor for searches. To avoid Tor (and the like) in the context of web searching is to compromise more of your identity attributes for nothing. That's a bad trade.

    Secondly, I am not a DDG patron,

    I was speaking generally. Ppl bashing Startpage w/such emotion ("backstabbing") tend to be DDG patrons. This particular crowd is relatively irrational. Startpage has some issues but nowhere near as extreme as the laypeople's reaction.

    Moreover, DDG being a US company is an instant red flag for me.

    Sure, but it shouldn't be the biggest red flag in your box of red flags, and it shouldn't outweigh sound security practices (like using Tor or i2p or the like for web searching).

    It is a fact that any search engine, no matter SearX (instance) or Qwant or Ecosia or DDG, have to rely on either Google’s or Microsoft’s web crawlers and index databases.

    That is not a fact. Gigablast, Exalead, Mojeek, & Metager are all search engines with unique indexes that rely wholly on their own crawling. Some searx instances source from a local YaCy crawler.

    It's also an oversight to describe searx instances, Qwant, Ecosia, and DDG as equals in this regard. Most searx instances scrape their results, which means they do not financially support the privacy abusing corporation they source from. DDG pays MS & Yahoo for API access, thus financially sponsoring adversaries of privacy proponents. Qwant and Ecosia likely also pay for API access (and if they don't, you can bet the price is paid by direct data sharing - which Ecosia and Qwant admit to in their privacy policy).

    What matters to us is tracking, and Qwant helps prevent it effectively.

    Qwant treats Tor users with hostility. This means that Qwant disables an important tool to help prevent tracking. You're left with trusting Qwant's adherence to their privacy policy, which is obviously a bad idea when it's a company who is hostile toward users who act to protect themselves. We have to trust privacy policies to some extent, but Qwant ensures that the extent of trust needed is greater than it is with Tor friendly services.

    It's suspect that Qwant allows Tor users to submit a query, and only thereafter pushes a Google reCAPTCHA -- which is exactly what Ecosia does. This suggests that Bing triggers the CAPTCHA, which means that more information is being fed to Bing than just the query string.

    And the privacy policies confirm this. Ecosia's privacy policy admits to sharing everything with Bing, while Qwant only admits to sharing user agent, the first 3 octets of your "salted" IP address, and approximate geolocation with Bing. What's the "salt"? It's not necessarily random (in fact, not likely random). It could even be an encoded composition of anything from your browser print. Whatever is sent, it's evidently specific enough for Bing to know the query comes over Tor. And in any case, you're trusting some weasel wording with Qwant. You have no guarantee that the hash that Qwant generates is not unique to you and non-unique across your multiple visits. The hash could even be more unique than your IP address, and it's supplemented with your approximate geographic location (which as well could simply be expressed as "Tor" since exit node geolocation is meaningless).

    Although Ecosia admits to sharing more data than Qwant, Ecosia honors the do-not-track flag and Qwant does not. It's quite possible that setting the DNT flag reduces Ecosia's info sharing more than Qwant's.

    2
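Added example, not part of the original comment and not Qwant's actual scheme (which the comment notes is undisclosed): it shows why the choice of "salt" decides whether a hash of the first three IP octets is a stable identifier. The HMAC construction, the salt values, the user agents and the documentation-range IPs are all constructed assumptions.

```python
import hashlib
import hmac
import ipaddress
import os

# Constructed sample values: documentation-range IPs and made-up user agents.
STATIC_SALT = b"constructed-static-salt"   # assumption: one salt reused for every request
UA_A = "Mozilla/5.0 (X11; Linux x86_64) ExampleBrowser/1.0"
UA_B = "Mozilla/5.0 (Windows NT 10.0) ExampleBrowser/2.0"

VISITS = [
    ("203.0.113.57", UA_A),    # user A, visit 1
    ("203.0.113.57", UA_A),    # user A, visit 2
    ("203.0.113.200", UA_B),   # user B, same /24 as user A
    ("198.51.100.9", UA_A),    # user C, other network, same browser as A
]


def prefix24(ip: str) -> bytes:
    """Return the first three octets of an IPv4 address."""
    return ipaddress.IPv4Address(ip).packed[:3]


def token(ip: str, salt: bytes, extra: str = "") -> str:
    """Keyed hash of the truncated IP plus optional extra client attributes."""
    msg = prefix24(ip) + b"|" + extra.encode()
    return hmac.new(salt, msg, hashlib.sha256).hexdigest()[:16]


def static_salt_tokens(visits):
    """Salt never changes: the token is a deterministic function of the /24."""
    return [token(ip, STATIC_SALT) for ip, _ua in visits]


def static_salt_with_ua_tokens(visits):
    """Salt never changes and browser attributes are mixed into the input."""
    return [token(ip, STATIC_SALT, ua) for ip, ua in visits]


def per_request_salt_tokens(visits):
    """Fresh random salt per request, discarded afterwards."""
    return [token(ip, os.urandom(16)) for ip, _ua in visits]


def linkage_report(visits=VISITS):
    """Summarise what a recipient of the tokens could link together."""
    s = static_salt_tokens(visits)
    u = static_salt_with_ua_tokens(visits)
    r = per_request_salt_tokens(visits)
    return {
        # Same visitor, two visits: identical token, so visits are linkable.
        "static_links_repeat_visits": s[0] == s[1],
        # Truncation does merge hosts that share a /24 ...
        "static_merges_same_prefix": s[0] == s[2],
        # ... but mixing in browser attributes splits them apart again,
        # making the token more specific than the IP prefix itself.
        "ua_links_repeat_visits": u[0] == u[1],
        "ua_separates_same_prefix": u[0] != u[2],
        # Only a salt that changes per request yields unlinkable tokens.
        "random_salt_distinct": len(set(r)) == len(r),
    }


if __name__ == "__main__":
    for check, result in linkage_report().items():
        print(f"{check}: {result}")
```
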
  • privacy Privacy *Permanently Deleted*
    cipherpunk
    4 years ago 100%

    I see a pattern of emotional StartPage bashing -- and it's bizarre that it often comes from loyal DDG patrons. Both DDG and StartPage profit from untargeted ads. Both are US companies. StartPage self-hosts while DDG hosts on Amazon. DDG's supply chain is far more evil than Startpage's.

    Qwant is worse than both DDG & SP b/c it treats tor users with hostility. Qwant and DDG both source from MS Bing, and I find MS a more evil force in the world than Google. I'm not just talking about privacy but also involvement in fossil fuels and private prisons.

    3
  • privacy Privacy *Permanently Deleted*
    cipherpunk
    4 years ago 100%

    Even by your standard of trusting the privacy policy, DDG is a fail. DDG has already been caught violating their own privacy policy.

    W.r.t threat models, an appropriate threat model for most people is to at a bare minimum control for mass surveillance, since we're all impacted by it. DDG directly pushes CloudFlare sites to users and its supply chain is infested with PRISM corps and other mass surveillance entities.

    see https://lemmy.ml/post/31321

    2
  • privacy Privacy *Permanently Deleted*
    cipherpunk
    4 years ago 100%

    Runnaroo's IP is owned by Google according to my records, although the "Cloud Firewall" add-on says it's owned by Amazon. Either way, that's not good.

    BTW, ycombinator has ties to Peter Thiel and runs on Amazon AWS, so not a good link to share publicly.

    4
  • security Security *Permanently Deleted*
    cipherpunk
    4 years ago 100%

    I think rejecting spam is better compared

    Hold on.. we're talking about ham here not spam. Should the large corporations be dictating terms, so small providers and self-sufficient people cannot self-serve and be in control of their own data?

    When outlook.com refuses an email on the basis of IP reputation alone, corporate interests prevail and the little guy is forced to dance for them. I will not dance for them. And I will not share every outbound message with a corporate 3rd party. This is why I run my own mail server. EFF wrote a good article on collateral damage done by this brain-dead anti-spam practice.

    The smart and RFC-compliant approach is to accept every RFC-compliant msg (interoperability is the purpose of RFCs and they've broken that). Smart recipients score the message and IP reputation is only 1 of many factors for assessing whether something is spam. When a service uses IP reputation alone, it's crude and reckless because it blocks ham and other factors get ignored, resulting in a poor judgement.

    1
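Added example, not part of the original comment: a toy comparison of the two approaches the comment contrasts, rejecting on IP reputation alone versus scoring several signals with IP reputation as one factor. The signal names, weights, thresholds and sample messages are constructed assumptions, not any provider's real rules.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Msg:
    name: str
    is_ham: bool          # ground truth, used only for evaluation
    ip_listed: bool       # sending IP is on a dynamic-range/reputation list
    spf: str              # "pass", "none", "softfail" or "fail"
    dkim_valid: bool
    rdns_matches: bool    # reverse DNS matches the HELO name
    content_score: float  # 0.0 (clean) .. 1.0 (spammy) from a content classifier


# Assumed weights: positive values push towards spam, negative towards ham.
SPF_WEIGHT = {"pass": -0.5, "none": 0.5, "softfail": 1.0, "fail": 3.0}
JUNK_AT, REJECT_AT = 4.0, 7.0

# Constructed sample messages.
SAMPLES = [
    Msg("self-hosted ham", True, True, "pass", True, False, 0.05),
    Msg("big-provider ham", True, False, "pass", True, True, 0.10),
    Msg("clean-IP spam", False, False, "softfail", False, True, 0.90),
    Msg("botnet spam", False, True, "fail", False, False, 0.95),
]


def ip_only_policy(m: Msg) -> str:
    """Refuse on IP reputation alone; every other signal is ignored."""
    return "reject" if m.ip_listed else "accept"


def score(m: Msg) -> float:
    """Combine all signals; IP reputation is one weighted factor of several."""
    total = 2.0 if m.ip_listed else 0.0
    total += SPF_WEIGHT[m.spf]
    total += -1.0 if m.dkim_valid else 0.5
    total += 0.0 if m.rdns_matches else 1.0
    total += 5.0 * m.content_score
    return total


def scored_policy(m: Msg) -> str:
    """Accept, file as junk, or reject depending on the combined score."""
    s = score(m)
    if s >= REJECT_AT:
        return "reject"
    if s >= JUNK_AT:
        return "junk"
    return "accept"


def evaluate(policy, msgs=SAMPLES):
    """Return (ham that did not reach the inbox, spam that did)."""
    ham_blocked = [m.name for m in msgs if m.is_ham and policy(m) != "accept"]
    spam_in_inbox = [m.name for m in msgs
                     if not m.is_ham and policy(m) == "accept"]
    return ham_blocked, spam_in_inbox


if __name__ == "__main__":
    for policy in (ip_only_policy, scored_policy):
        blocked, leaked = evaluate(policy)
        print(f"{policy.__name__}: ham blocked={blocked}, spam in inbox={leaked}")
    for m in SAMPLES:
        print(f"{m.name}: score={score(m):.2f} -> {scored_policy(m)}")
```
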
  • email cipherpunk 4 years ago 100%
    Table of Security Features of many email providers https://dismail.de/serverlist.html
    4
    0
    security Security *Permanently Deleted*
    cipherpunk
    4 years ago 100%

    That's probably the most comprehensive ESP data I've seen. Here's a few that are missing:

    • mail2tor (claims to have imap and smtp service but they're broken.. effectively it's web-only, and I think clearnet inbound mail does not work)
    • onionmail.info (imap,pop3,onion host forces use of self-signed SSL cert which is kind of silly)
    • elude.in (used to have free pop3 or imap but jerked the rug out from free-riders w/out warning)
    • underwood (Tor only [both directions])
    • wiremail
    • torbox (Tor only [both directions])

    I would like to see some columns to cover whether a service can send or receive to/from tor and clearnet networks. Some onion services can receive clearnet and some cannot (as they only give you a .onion email address). I don't think I've found any clearnet email providers that can handle sending to .onion email addresses - which means a non-tor user cannot email someone with an .onion address.

    This would be useful to keep track of.

    Gmail has "Softfail" for the SPF. I don't think that's accurate. I run my own mail server on a dynamic IP, and gmail usually instantly rejects my connection. I'd speculate this happens about 90% of the time. Perhaps the other 10% is a softfail (msg is accepted but then sent to recipient's spam box).

    It's a shame that "reject" is coded green. It's evil when SPF settings reject messages from dynamic IP addresses in an incompetent bid to block spam in a way that recklessly causes collateral damage to legit self-hosters. This ultimately forces senders to share their outbound email with yet another 3rd party, which is an attack on privacy. It also helps large corporations keep a stranglehold on the whole email industry.

    I will not email outlook or gmail users. I tell them if they want email from me they have to switch to a service that works.. that respects the RFC. It breaks email to reject RFC-compliant messages purely on the basis of IP reputation.

    1
  • security Security EasyJet admits nine million customers hacked - BBC News
    cipherpunk
    4 years ago 100%

    I've been boycotting EasyJet because they 403 Tor users. Interesting to see their collateral-damage prone security methods have failed them anyway.

    #PoeticJustice

    1
  • privacy Privacy *Permanently Deleted*
    cipherpunk
    4 years ago 66%

    Tor Browser is a tool for achieving anonymity while using services that are actively trying to identify you. If every service had a perfect record of no-logging, no-tracking and no-fingerprinting then the Tor project would be obsolete.

    You're conflating Tor and its network with Tor Browser, which is an optional browser client for the web. Tor serves purposes beyond anonymity. Tor also conceals metadata from your ISP, not just the service. Tor also conceals your whereabouts -- and gives you the option to appear in a different location of your choice. If I'm in India trying to buy airfare from California to London, some airlines try to be smart and guess your location as a basis for where to make the sale and consequently force you to use Indian money and payment methods. Tor can make you appear to be in California to make the transaction possible. Some merchants try to restrict sales to the country they operate in. E.g. sears.com will show you the door if you access it from outside the US, when in fact you may be travelling out of the country looking to do a transaction within the US.

    DDG is not capable of any serious direct attacks on Tor identification and if you have evidence showing the contrary please share it here.

    DDG and DDG's privacy-abusing partners all profit from advertising. The metadata has value to marketers so all contributions to that data ultimately feeds the bottom line -- and thus feeds privacy abusers (Amazon, Verizon/Yahoo, Microsoft). Data is worth more than oil. The mere use of Tor is itself immediately evident to DDG simply from the IP address, and that data is also worth money. And that's before we even begin to discuss the browser prints.

    Tor cannot change the fact that DDG was caught using tracker cookies,

    This is intentionally obtuse and you know it. I’m obviously not arguing that the Tor project can change anything about DDG internally, but its cookie policy and identity resetting feature prevent DDG from linking multiple sessions together (and you should not be doing multiple unrelated activities in the same browser without a reset, as they advise.)

    You've argued that Tor eliminates all direct privacy abuses from DDG that were enumerated in the referenced article. This shows a fundamental misunderstanding of how cookies work. The Tor network does nothing to cause or hinder cookies. The Tor Browser honors cookies (if it didn't, you wouldn't be able to login to websites). Users can take extra steps with any browser to mitigate abuses with cookies but this has nothing to do with Tor.

    DDG relies on users trusting them. Most DDG users trust DDG, and thus didn't generally do anything special to mitigate tracker cookies when DDG was pushing them. DDG has proven to be untrustworthy, and Tor Project is still directing users to it.

    Tor does not prevent fingerprinting.

    Tor browser is the most developed anti-fingerprinting project out there.

    You're conflating Tor with TB here by quoting a comment about Tor. You should have addressed what I said just after that (about Tor Browser), b/c I've already addressed this. While I agree that TB has the best FP resistance, this does not support your thesis.

    You've lost track of the thread and your line of reasoning. You're trying to advocate Tor Browser defaulting to DDG on the basis that Tor eliminates privacy abuse arising out of DDG use. When in fact Tor has the same effect on any search service. The same reasoning would just as well support Google as a default search engine.

    The problem is that default search serves as an endorsement by a trusted authority. And it's more than that, because users who aren't meticulous or don't care about endorsement will actually use the default b/c they either can't be bothered to change it, or they don't know how. If you can't see the privacy abuse then you're not following the money.

    1
  • privacy Privacy *Permanently Deleted*
    cipherpunk
    4 years ago 66%

    ACLU, EFF, & Tor all pre-date Paypal’s existence.

    How’s that relevant?

    It's proof that they are capable of surviving without Paypal.

    Now PayPal is ubiquitous and they depend on it.

    It's an unnecessary dependency -- and it's a stretch to call it a dependency at all. You'd do better to argue that banks are essential. But certainly not Paypal. Paypal is replaceable by already existing payment methods.

    PayPal contributes a huge portion of their donations. Judging by the use of the word most I would assume that over half. But that’s not relevant. What’s important is that PayPal is hugely important for their monetary survival.

    This is non-sequitur logic. It does not follow that because most donations are via Paypal, that absence of Paypal implies those donations go to zero. Those donations simply take a different path in the absence of Paypal. Now the case of Wikileaks is special because banks and credit cards cooperated in the blockade at the same time, so the normal alternate paths were shut down as well.

    I extend this logic from WikiLeaks to ACLU, EFF etc because I think it would be reasonable to assume that WikiLeaks donations sources are representative, and thus can be applied to other organizations.

    Even if you were able to establish that Wikileaks can't survive without Paypal, it would not extend to ACLU or EFF, which are American orgs not in the slightest at risk of a blockade. ACLU and EFF both have US bank accounts, and so do the Paypal donors. In the US Paypal is 100% redundant.

    My point was that Tor already has one shady donor, so why would they accept/deny donations from other unethical organizations/sources?

    It's a red herring. While every single Paypal donation acts as an enabler for Paypal and directly generates data for abusive sharing, payments from the government do not pose a direct, tangible, obvious compromise on civil liberties. Perhaps you can speculate that Tor does favors in return, but you'd have to elaborate on what those favors are and whether they compromise civil liberties. Either way, it's irrelevant to this discussion. Even in the most perverse case scenario, such payments still do not support a case for Paypal donations. This is just grasping at straws.

    But that doesn’t really contradict my point which is that however unethical PayPal is, a lot of projects/organizations depend on it, because PayPal is convenient to use, and thus a lot of people use it, and so it becomes a major source of income for many of the aforementioned organizations projects, and so they can’t stop accepting donations via it.

    In the face of many options, people choose the most convenient, for the most part. When you eliminate the most convenient payment option, they will still choose the most convenient option. The high numbers are nothing more than a testament to what a majority of people find most convenient and this has fooled you to think it's essential. It is not.

    1
  • privacy Privacy *Permanently Deleted*
    cipherpunk
    4 years ago 100%

    Because otherwise they would have virtually no money at all, and thus shut down

    ACLU, EFF, & Tor all pre-date Paypal's existence. No, they don't "need" Paypal for survival.

    (see what happened to WikiLeaks when major payment providers blocked them), because, unfortunately, almost everyone uses those payment methods at the moment.

    This proves my point. Wikileaks was not just blocked by Paypal, it was blocked by credit cards as well. Despite the massive blockade, Wikileaks survived.

    Paypal is the biggest offender of payment blockades (particularly political in nature and biased in favor of Peter Thiel's right-wing agenda), which only advances the point that we have an ethical duty to shrink Paypal.

    And if you think about the word ethical, what would you qualify as so?

    By my own standard it's unethical for any org or person to accept Paypal, but I'm not applying my own standards here in the context you're replying to. I'm applying the standards of the orgs themselves. Paypal works against ACLU's own mission. Paypal works against EFF's own mission. Notice that I did not name countless vendors of electronics, bicycle parts, etc that accept Paypal, because Paypal doesn't contradict their mission.

    It's one thing to hold everyone to your own standard, but if you can't hold an organization to their own ethical principles something is wrong.

    I mean, their main sponsor by far is CIA, what else is here to say?

    First of all, the Navy invented Tor, so if you have a problem with a nation having an intelligence agency or military then you're advocating against Tor's creator.

    There are countless free software projects that operate without a dime because people who need that software have an interest in contributing maintenance code. If Tor Project were to hypothetically get zero funding, you might see little or no outreach programs, Tor stickers, and marketing frills, but the software would live on.

    I don’t have a bank account, nor do I have PayPal, so I’m not really sure about that, but from what I know it’s a lot more convenient to pay with PayPal than it is to pay from a traditional bank account. But again, not sure about this…

    Convenience is the top rationalization for unethical conduct and transactions. It also has the least merit.

    lol what? How? I mean, you really only need to leave your Bitcoin address… that’s weird…

    Things have changed, so my comment is no longer relevant. In the past, Tor Project did not publish a BTC address. Donors were forced to go to a CloudFlare site and do the transaction through a 3rd party (bitpay.com). It was an absolute embarrassment for Tor Project and there was a long bug report about it. The bug report lingered for years but it seems to have been deleted -- likely due to the embarrassment. They claimed that they could not simply let BTC enter because they need to make a tax declaration on what they receive, and the tax declaration must be in a national currency. So they used a 3rd party who instantly converted all their bitcoin donations into national currency for accounting purposes. They foolishly chose a CloudFlare site to do that. Seems to be history now. They are using btcpayserver.org and superficially I see no issues there.

    It's worth noting that Tor Project has a record of not eating their own dog food. Apart from subjecting ppl to CloudFlare sites, their bug tracker has a history of mistreating Tor users, and if you try to subscribe to their newsletter using an onion email address they can't handle it.

    3
  • privacy Privacy *Permanently Deleted*
    cipherpunk
    4 years ago 66%

    All of the mentioned issues with DDG relating immediately to the user in the thread you linked are circumvented by the Tor browser.

    That's not true, nor would it suffice if it were true. I'll deal with the truthfulness first:

    • Tor cannot change the fact that DDG was caught using tracker cookies, nor does Tor prevent the storage and transmission of cookies of any kind (be it session cookies or tracker cookies).
    • Tor does not prevent fingerprinting. A specific browser (Tor Browser, should you choose to use it) can resist fingerprinting but it's not fool proof. Anti-fingerprinting is lost when a user installs browser plug-ins.
    • Tor cannot change the fact that DDG includes your language with the session data that it collects.
    • Tor does not prevent DDG from sharing your session data with advertisers.
    • Tor cannot prevent DDG from producing Tor-hostile CloudFlare sites in the results. Tor is useless against data CloudFlare collects on all traffic (including HTTPS traffic with user creds).

    It's also insufficient to disregard issues that do NOT "relate immediately" to the user. Of the tens of privacy abuses cited in that article, there is exactly one bullet point that does not directly affect Tor users. Let's do a walk-through: Tor cannot change history, so Weinberg's history of privacy abuse does not change. Tor cannot prevent DDG from blacklisting Framabee. All of the abuses w.r.t CloudFlare are actually more acutely exacerbated for Tor users, and in fact deanonymization of Tor users arises out of CloudFlare. Tor does not circumvent DDG's censorship of anything, including the threesome injunction. Tor does not stop DDG from partnering with other privacy abusers like Amazon & Verizon. Tor does not prevent DDG from abusing a spot at FOSDEM to market their service.

    The user is not forced to use DDG

    This is irrelevant. The issue is that DDG's money bought influence, and it worked. Torproject is abusing the public trust and exploiting its perceived credibility.

    and frankly shipping with DDG puts them ahead of every major browser project.

    Nonsense. A privacy-centric browser does not "get ahead" by endorsing a privacy abuser -- most especially one that masquerades as a privacy champion. Tor project is playing a significant part in proliferating DDG's falsely positioned marketing. And it only cost DDG $25k.

    The EFF have done so much important legal work for the wide-adoption of Tor in the US. They should be applauded for this and I’m not sure why you bring up being close to the EFF as though it’s a bad thing.

    I never said it was "a bad thing". It's important to understand the effect of that relationship. When one project sells out it enables the corruption to spread to other partners.

    1
  • privacy Privacy *Permanently Deleted*
    cipherpunk
    4 years ago 66%

    Sure it has. First of all, there is the same effect when the NRA donates money to a republican candidate. There doesn't need to be an explicit reciprocity agreement for a senator to realize they need to please the NRA. And when a senator takes an action that benefits the NRA, they can make countless excuses citing other (official) reasons for their action. This is the same for any org that receives donations.

    DDG, who is falsely positioned as privacy respecting, gave $25k to Tor Project, who then endorses DDG and maintains DDG as the default search engine on Tor Browser. The effect is directly evident. DDG also leads users straight to the prime adversary of the Tor community: CloudFlare.

    Tor Project is also very tight with EFF. If they were any tighter they'd be the same org. And so you will find that EFF also endorses DDG despite its history of wrongdoing.

    1
  • privacy Privacy *Permanently Deleted*
    cipherpunk
    4 years ago 100%

    correction: these projects need as much money as they can ethically get. When their mission is inherently ethical in nature, tossing out ethics (ethics of their own mission) defeats their own purpose and undermines their credibility. They're subjecting unwitting donors to civil liberties abuses. You don't do that to your supporters -- the people trying to help out.

    ACLU and EFF only need money from Americans, since they only benefit Americans. They must have US bank accounts to deposit the Paypal money into, and their US based donors also necessarily have US bank accounts. So check & ACH wire are inherently available. And in most cases credit card is also a common option for US-based donors & recipients. Adding Paypal is purely adding to the privacy abuse.

    Tor Project are simply sellouts. They never turn down money. They've accepted donations from DDG and Reddit. Tor Project has a strong presence in the US and Germany. Nixing Paypal does not hinder conventional US or European payment methods. I'm not sure how much of their funding comes from Russia or Asia but at a very minimum they could restrict the Paypal option to the regions that need it. Note as well that the Torproject accepts bitcoin and they do so in a manner that ironically subjects donors to a CloudFlare site (the top adversary of the Tor Project). They're simply reckless.

    FSF is essentially US-based and serving the US. FSFE covers Europe. Other regions benefit incidentally from FSF, FSFE, Protonmail, & Framasoft. In any case, they too could limit Paypal to non-US-EU payments.

    2
  • privacy Privacy *Permanently Deleted*
    cipherpunk
    4 years ago 66%

    I'm always disgusted when I see projects centered on civil liberties who accept Paypal. In particular, these organizations should be ashamed of using Paypal:

    • ACLU
    • EFF
    • Tor Project
    • FSF -- they try to discourage Paypal with: "(not recommended: requires nonfree JavaScript)", but really they shouldn't be accepting it
    • Pinephone store -- exclusively Paypal! You can't buy a phone without it!
    • Protonmail
    • Thinkprivacy -- would be foolish to donate here anyway
    • Framasoft
    1
  • linux Linux Munich commits to "Public Money? Public Code!"
    cipherpunk
    4 years ago 100%

    I can't upvote b/c the headline is wrong. But it's a good story.

    Nothing in that article says that Munich is switching back to anything linux based. It only says that Munich stands behind the "Public Money - public code" paradigm that started in Italy. This simply means that if Munich writes any code itself, then it will be open source (and it need not run on linux). This principle is meant to prevent a government from directly developing closed source software. Munich is still free to use public money to buy existing closed-source COTS software, and Munich will likely continue with its commitment to Microsoft.

    If Munich were to switch back to Ubuntu, this would be much bigger news.

    2
  • privacy Privacy Is Signal Messenger Secure?
    cipherpunk
    4 years ago 80%

    You're neglecting the elephant in the room. AWS is an Amazon service. Even if you can fully trust the sealed sender mechanism, you certainly cannot stop OWS from paying money to Amazon.

    Amazon is a notorious privacy abuser who has pushed surveillance into homes and neighborhoods by way of Alexa and Ring. Amazon has made an astronomical investment in facial recognition technology that's used to abuse the privacy of countless people globally.

    When you feed a vendor or service that feeds Amazon (e.g. Open Whisper Systems "Signal"), you are contributing to privacy abuse.

    3
  • privacy Privacy Is Signal Messenger Secure?
    cipherpunk
    4 years ago 80%

    You cannot use Signal without a mobile phone subscription. All mobile phone connections (CDMA or GSM alike) inherently impose tracking. Additionally, most of Europe imposes GSM registration which is linked to national ID. So the mere precondition to establish such service is in itself privacy abuse -- and that's before we even talk about forced disclosure of the phone number to OWS.

    3
  • privacy Privacy Is Signal Messenger Secure?
    cipherpunk
    4 years ago 75%

    Anonymity IS privacy. Specifically, anonymity is privacy of identity. So no, it's not two different concepts. It's a subset/superset relationship of the same thing.

    Calling "privacy" and "anonymity" two different concepts is an attempt to downplay the importance of anonymity. The problem is that you never have absolute privacy, and when privacy is attacked or lost for one reason or another you better have anonymity. You should think of anonymity as a 2nd layer of protection from disclosure.

    4
  • privacy Privacy Is Signal Messenger Secure?
    cipherpunk
    4 years ago 100%

    I choose a quite obscure LAN IP so it's less trivial for someone who gets past the firewall to target a host. There are thousands of LAN subnets, so once you divide a non-unique fingerprint into thousands, it's quite trivial to identify unique hosts, particularly if the traffic to a particular site is not in the thousands.

    Even running a browser add-on/extension is sufficient to alter a fingerprint to be more unique.

    3
  • privacy Privacy Guess I'll use TOR then ¯\_(ツ)_/¯
    cipherpunk
    4 years ago 80%

    Hold on.. the Tor network does not solve the browser fingerprinting problem. To mitigate fingerprinting you need the Tor Browser. You also must forgo plugins/extensions, because they are fingerprintable.. which includes extensions that are designed to protect your privacy. So no simple answer.

    Also note that Tor Browser devs are not all that competent. They have defaulted the search engine to one that promotes privacy abuse (DuckDuckGo), and they refused to edit the padlock icon for HTTPS connections to CloudFlare (see the bug reports). And note as well that their bug tracker is ironically hostile toward Tor users -- which means bugs (incl. security bugs) are going unreported. So not a good project to be trusting.

    3
  • privacy Privacy *Permanently Deleted*
    cipherpunk
    4 years ago 100%

    Reminds me of this:

    CloudFlare doesn't give a shit about all the problems inherently caused by pushing reCAPTCHA on people. So why would they do this? Obviously CloudFlare's own given rationale is untrustworthy because it includes statements like "We have strict privacy commitments" and "it was difficult to prioritize removing something that was largely working".

    "Earlier this year, Google informed us that they were going to begin charging for reCAPTCHA"

    ^Ah, there's the real reason -- now unburied so no one else needs to visit CloudFlare's blog.

    2
  • privacy
    Privacy cipherpunk 4 years ago 100%
    How CloudFlare interferes with getting cook time for pressure cooked steel cut oats

    I simply wanted to know how long to cook oats in the pressure cooker without scrolling through all the ridiculous long food stories that now tarpit the effort of getting to the actual recipe. Every recipe varies on cook times as well, so I wanted a 10,000 foot view of all the cook times that most people are using. This script should give the answer:

    ```
    #!/bin/bash
    # Process substitution (< <(...)) below requires bash, not plain sh.
    query_count=1
    while read -r url
    do
      # Strip the scheme and the path to leave only the host name.
      domain=${url#*://}
      domain=${domain%%/*}
      printf %s\\n "$query_count. from $domain:"
      # Show cook times, plus a marker line when the CloudFlare block page is served.
      grep --color -iE '[0-9]* *(\<min\>|minutes|security by Cloudflare)' < <(torsocks lynx -dump -nolist "$url")
      query_count=$((query_count + 1))
    done < <(for idx in 1 11 21 31
             do
               # Fetch one page of Mojeek results over Tor and extract the result URLs.
               torsocks curl -s 'https://www.mojeek.com/search?q=pressure+cook+steel+cut+oats&s='"$idx" |
                 sed -ne '/<!--rs-->/s@<!--rs--><li><h2><a href="\([^"]*\)".*@\1@p'
             done)
    ```

    Notice that I print a line when hitting the CloudFlare blockade to expose instances of censorship/DoS. This is the output showing CloudFlare stands in the way of 9 out of 30 sites: http://paste.debian.net/1136192/

    Similarly, I ran a similar script for Metager, and the output shows CloudFlare stands in the way of 14 out of 23 sites: http://paste.debian.net/1136194/

    anerdcooks.com gives the best answer: 8 minutes. Several sites suggest slightly overcooking @10 minutes. So if I didn't know better, I'd go with the majority opinion the first time. Perhaps the majority opinion would be closer to 8 minutes if CloudFlare did not interfere with over 43% of the search content.

    3
    0
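Added example, not part of the original post: the script above prints an `N. from domain:` header per search result followed by any matching lines, and the post counts the blocked sites by hand. This POSIX sh/awk helper tallies that output format and pools the block rate across several searches; the sample output and its `.example` domains are constructed, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: tally the output format of the script in the post above.
# Each result starts with "<n>. from <domain>:", followed by zero or more
# grep matches; a "security by Cloudflare" match marks that site as blocked.

# Constructed sample output (placeholder domains, not the post's real results).
sample_output() {
  printf '%s\n' \
    '1. from recipes.example:' \
    '   Cook on high pressure for 10 minutes' \
    '   Natural release: 12 min' \
    '2. from blocked-one.example:' \
    '   Performance & security by Cloudflare' \
    '3. from oats.example:' \
    '   Set the timer to 8 minutes.' \
    '4. from empty.example:' \
    '5. from blocked-two.example:' \
    '   Performance & security by Cloudflare' \
    '   Performance & security by Cloudflare'
}

# Reads script output on stdin; prints "<blocked> <total> <blocked domains...>".
# A site is counted once even if the block marker appears on several lines.
tally_blocked() {
  LC_ALL=C awk '
    /^[0-9]+\. from .*:$/ {
      total++; domain = $3; sub(/:$/, "", domain); counted = 0; next
    }
    total > 0 && !counted && tolower($0) ~ /security by cloudflare/ {
      blocked++; counted = 1; list = list " " domain
    }
    END { printf "%d %d%s\n", blocked, total, list }
  '
}

# Pools several searches: arguments are "blocked total" pairs; prints a percentage.
pooled_rate() {
  pr_blocked=0; pr_total=0
  while [ "$#" -ge 2 ]; do
    pr_blocked=$((pr_blocked + $1)); pr_total=$((pr_total + $2)); shift 2
  done
  [ "$pr_total" -gt 0 ] || { echo "0.0"; return 0; }
  LC_ALL=C awk -v b="$pr_blocked" -v t="$pr_total" 'BEGIN { printf "%.1f\n", 100 * b / t }'
}

sample_output | tally_blocked      # blocked count, total, blocked domains
pooled_rate 9 30 14 23             # the post's two counts (Mojeek, Metager) pooled
```

To use it on real output, pipe the search script's output into `tally_blocked` instead of `sample_output`.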
    privacy Privacy Is Signal Messenger Secure?
    cipherpunk
    5 years ago 87%

    Bingo. Not to mention that people without mobile phones (either by choice or by poverty) are excluded from contacting friends through Signal. The absurdly reckless mandate to get a mobile phone and share the ph# with OWS is what inspired this issue:

    https://github.com/privacytoolsIO/privacytools.io/issues/779

    which grew into something quite large. Something like requiring a mobile phone is so fundamentally indicative of an organization with little regard for privacy that you can easily expect to find other issues. Once you take a close look at it, the red flags are like mushrooms (after spotting the first one you start to see there are many clustered in the same area). And there are many mass surveillance vectors with OWS Signal. PrivacyTools and PRISM Break continue to lead ppl astray by sending them to Signal.

    6
  • privacy Privacy Is Signal Messenger Secure?
    cipherpunk
    5 years ago 100%

    It's javascript, so unless Signalapp takes special defensive actions, anything in javascript is possible. E.g. Google could get your internal LAN IP address even if you proxy your traffic through Tor -- which can then be used as part of the fingerprint. Visit wtfismyip.com to see how that works.

    3
  • tor Tor - The Onion Router *Permanently Deleted*
    cipherpunk
    5 years ago 100%

    So, the IP address is not only leaked to the person they are talking to, but also to the people running the network.

    That's right. So the ISPs will know who is talking to who, and the participants will know details about each other's IP address and thus approximate location. Avoiding that implies either having a trusted hub that everyone connects to, or using Tor or I2P.

    A spoke-and-hub rig is probably good enough to avoid mass surveillance, but insufficient to avoid targeted surveillance (as someone could observe the hub traffic from the outside and track the payload movement). So whether you can avoid Tor/I2P depends on your threat model. The easy answer is to use Tor or I2P.

    2
  • email email CTemplar: Armored Email | World’s Most Secure Email
    cipherpunk
    5 years ago 100%

    I asked for an invite code so I could evaluate them further. That was 5 days ago and they still have not sent the code.

    1
  • tor Tor - The Onion Router *Permanently Deleted*
    cipherpunk
    5 years ago 100%

    Is Tor necessary?

    If these people already trust each other, then Tor is simply not the best tool for the job. If they need to see each other, then they don't need anonymity. The 10 people can connect directly to each other via self-hosted VPN.

    Or is there concern that it would be visible to ISPs/outsiders that these people are connecting to each other, or that the attendees would know each other's whereabouts? If that's the case, then you need Tor or I2P.

    Avoiding exit nodes

    The biggest strain on Tor is use of exit nodes. So if you could use onion servers to avoid the need for exit nodes, it would be better for the Tor network and better quality A/V for you. If you have to use exit nodes, so be it.. I don't see an ethical issue there. Tor's main purpose has become to serve activists.

    4
  • tor Tor - The Onion Router *Permanently Deleted*
    cipherpunk
    5 years ago 100%

    By the way, trying video calls over Tor would probably be really painful,

    Wire and Jami do video chat over Tor without significant issues. It's functional enough.

    Jami had a chronic freezing issue ~1 year ago when I tried it, but that's not inherently due to Tor.

    1
  • email email CTemplar: Armored Email | World’s Most Secure Email
    cipherpunk
    5 years ago 100%

    Swiss ownership

    It's actually in Iceland. And note as well that the NSA has formed Swiss companies precisely because ppl tend to trust Swiss entities unconditionally, so expect there to be wolves in sheep's clothes in that area.

    4
  • worldnews World News Denmark shuts schools and universities to curb spread of coronavirus
    cipherpunk
    5 years ago 100%

    Danish schools have no regard for privacy and expect students to use Facebook, Google, and Microsoft tools for collaboration. Facebook was to some extent avoidable when students could get announcements face to face. Now with students being forced home, they will most certainly have no choice but to concede and use the MAGAF that will be forced on them.

    2
  • email email CTemplar: Armored Email | World’s Most Secure Email
    cipherpunk
    5 years ago 80%

    The CTemplar website has links to:

    • Microsoft LinkedIn
    • Twitter
    • Facebook
    • Reddit

    No Mastodon, no Diaspora... superficially they don't look committed to privacy.

    3
    email cipherpunk 5 years ago 100%
    How Yandex has started treating Email users who use Tor https://lemmy.ml/pictrs/image/0yiody.png

    After years of accessing Yandex email service over Tor without issues, Yandex suddenly decides they want their Tor users to have a mobile phone, and they want the user's ph#.

    4
    0
    libre_culture Libre Culture AT&T is blocking Tutanota. This shows why we must fight for net neutrality.
    cipherpunk
    5 years ago 100%

    It's rather deceiving. Customers sign up for "Internet" service, but they're getting something less. They should not be allowed to call it Internet service if they block traffic. It's clear that AT&T is not forthcoming about the block. They were "willing" to fix the problem, but conveniently incompetent. This implies that AT&T probably didn't write in their ToS that they block Tutanota as an official policy.

    Some states have a law against deceptive sales practices. So perhaps AT&T can be sued on that basis, or on the basis of breach of contract or negligence.

    4
  • privacy Privacy Is Signal Messenger Secure?
    privacy Privacy PrivacyTools A great resource for tools and info on privacy
    cipherpunk
    5 years ago 100%

    privacytools is not a good site to send ppl to. They endorse a lot of bad players. The site is rife with entities that privacy seekers should be avoiding. They use a Microsoft Github repo to manage bug reports. Have a look at the bug reports. Experts expose lots of privacy abuses in bug reports and the amateur sell-outs in control of the commits ignore them. They not only show poor judgement by endorsing privacy abusers who work directly against their mission, but they also neglect to enumerate the traps and pitfalls on the endorsement pages.

    It's plainly evident when you navigate privacytools.io that there's a serious credibility problem. Amid the bad endorsements (e.g. DDG, Signal), you see links to Facebook, Twitter, Microsoft Github, Microsoft LinkedIn, Amazon-hosted Reddit.

    2
  • piracy Piracy If anyone's coming from /r/piracy, just know this will always be a piracy / torrenting friendly community.
    cipherpunk
    5 years ago 100%

    I have been searching extensively for a place to upload torrents. I refuse to use CloudFlare sites and I refuse to solve Google CAPTCHAs. These constraints have killed every torrent site I've encountered (including .onion sites, strangely enough).

    I was quite enthusiastic to see a commandline tool. In principle, using a pull request to upload torrents would be fine. But it looks like npm is used, which I think recently crashed for a lot of people and the ultimate problem was that npm relies on CloudFlare. I also see that the project is on gitlab.com. I can never login to gitlab.com because of a google captcha. And AFAIK, doing a PR is only possible by logging in via the gui, correct?

    So I'm still looking for a way to upload a torrent file without solving a Google CAPTCHA and with CloudFlare out of the loop.

    3
  • privacy
    Privacy cipherpunk 5 years ago 100%
    Services that opt-out of bulk data collection by data brokers on your behalf

    | ***service*** | ***cost*** | ***number of opt-outs*** | ***hosted by tech giant?*** | ***their ESP*** | ***credibility-harming website links*** | ***notes*** |
    |---|---|---|---|---|---|---|
    | [DeleteMe](https://joindeleteme.com) aka Abine | 1yr=$129, 2yrs=$209 | 38 | Amazon AWS | Gmail | FB, Twtr, YT | [FaQ](https://joindeleteme.com/help/deleteme-help-topics/frequently-asked/) blocks Tor users; claim to [remove from most sites](https://joindeleteme.com/sites-we-remove-from/) seems bogus |
    | [opt-out EU](https://opt-out.eu/data-brokers) | $0 | undisclosed | Google (both sites) | Zoho | FB, Twtr, LI | they seem to cater to GDPR & CCPA jurisdictions; looks like US companies are confused with the EU |
    | [Privacyduck](https://www.privacyduck.com/) (starter) | $99 per 2 ppl/yr | 12 | no | Gmail | FB, Twtr, LI, YT | "starter" svc only mentioned in FaQ |
    | [Privacyduck](https://www.privacyduck.com/) (basic) | $499 per 2 ppl/yr | 86 or 92 | no | Gmail | FB, Twtr, LI, YT | FaQ differs from brochure on number of opt-outs |
    | [Privacyduck](https://www.privacyduck.com/) (VIP) | $999 per 2 ppl/yr | 167 or 191 | no | Gmail | FB, Twtr, LI, YT | FaQ differs from brochure on number of opt-outs |
    | [Safe Shepherd](https://www.safeshepherd.com) | consumer cost undisclosed; $3/month for API | (undisclosed) | Amazon AWS | Gmail | none | BBB [F rating](https://www.bbb.org/us/fl/bay-harbor-islands/profile/computer-hardware/safe-shepherd-0633-90353816); their phone is a Google Voice phone that no one answers; in the ToS: "*You agree that Safe Shepherd isn't liable for any failure to comply with these Terms.*" - yikes! |

    Similar services:

    | ***service*** | ***cost*** | ***number of opt-outs*** | ***hosted by tech giant?*** | ***their ESP*** | ***FB and TWTR linked from website*** | ***notes*** |
    |---|---|---|---|---|---|---|
    | [Deseat.me](https://www.deseat.me/) | $0? | ? | Amazon AWS | Amazon-hosted | no | not really an opt-out service but more of an account management svc; service restricted to consumers foolish enough to create a Gmail or Outlook email account as it crawls their inbox for registration welcome messages. |
    | [Minc Law](http://minclaw.com) |||||| looks like it's only reputation service |

    All services in the two tables above have credibility issues. Deseat.me and Safe Shepherd are apparently the only services with enough sense to not advertize ties to Facebook and Twitter on their landing page. OTOH, they also neglect to make use of federated networks like Mastodon, which would be useful considering support@deseat.me goes through Amazon and Safe Shepherd gives a Gmail address. Unless you're willing to transmit to a Gmail address, Safe Shepherd is nearly out of reach, and they most need to be reachable considering they want users to register before knowing what the price will be.

    ## Privacyduck

    Privacyduck is the only service with enough sense to not use a dodgy tech giant for web hosting, although sadly they choose Gmail for their email provider (for support@privacyduck.com). The name Privacyduck is an issue. Are they affiliated with DuckDuckGo, or are they only trying to appear to be? Either they are disingenuous or they are linked to a very [untrustworthy](https://dev.lemmy.ml/post/29179) search engine.

    ### shortcomings (identified from the Privacyduck [guide](https://www.privacyduck.com/wp-content/uploads/2019/12/PrivacyDuck-2020-Guide.pdf))

    * No password protection: "*we will never display your information or require you to enter a password to access your data*" -- if not password protected, then how is the data protected?
    * Helps privacy adversaries: in "Port 3" they remove outdated info and dead links from search engines. No thanks. Maybe I don't want them improving Google results. When you clean up the useless results, the accurate results with sensitive info become more exposed with higher rankings. Google is our adversary who profits from surveillance capitalism. In fact I might rather pay them to pollute Google's data to lower its value. Google offers the free service to cleanup misinfo precisely because it adds value to their dataset. Data is worth more than oil. Now consider what Europeans get: in the GDPR jurisdiction, Google gives the exclusive option to remove information about Europeans, even if accurate and current. Privacyduck doesn't mention this, so they are apparently not considering European customers.
    * Pays ransom?: The VIP service removes data from ~100 or so non-FCRA compliant sites but they do not explain how they do this. We have to assume Privacyduck has a backroom deal with these more hardcore privacy abusers. They likely pay those sites a fee to remove a record. If that's the case, it would mean Privacyduck customers are financially supporting their abusers. Feeding abusers worsens the situation for everyone. This is not crazy talk considering how smear sites work. Smear sites publish negative info on people and profit from it to the full extent they can. It's well known that cleanup sites often have a symbiotic/reciprocal relationship with smear sites, and negotiate a bulk removal deal that still yields a profit for the smear site. It's like paying ransom.
    * Inflexible service: Privacyduck is not flexible about their service. You cannot ask for a la carte service or alterations. Notice their pricing requires buying service for two people. They're not interested in doing business with single people. (page 7 of the guide)

    5
    0
    security
    Security cipherpunk 5 years ago 100%
    20+ reasons why fax is more reliable than email

    # The things that make fax *unreliable*:

    * some idiot in the office dumped the faxes and took out the garbage before reading them. ([source](https://www.reddit.com/r/technology/comments/a4kzcu/nhs_told_to_ditch_absurd_fax_machines_the_nhs/ebgqn93/))
    * the fax runs out of paper, reports a "success" ack to the sender, and then neglects to continue the job when paper is refilled (source: https://mirror.us.oneandone.net/projects/media.ccc.de/congress/2018/webm-sd/35c3-9462-eng-deu-fra-What_The_Fax_webm-sd.webm)

    # The things that make e-mail *unreliable*:

    * the recipient's client tools decide incorrectly that the message is spam and store the message where it will never be seen
    * the receiving mail server uses a DNSBL to...
      * ..[block connections](https://www.eff.org/wp/noncommercial-email-lists-collateral-damage-fight-against-spam) from the sender
      * ..accept and blackhole messages from the sender (ref [outlook](https://serverfault.com/questions/627479/mails-sent-to-mail-protection-outlook-com-are-not-being-received))
      * ..accept and deliver messages to a place that is never visited
    * the recipient's mail service decides for any flawed reason that the message is spam and delivers it to a folder that will never be seen
    * the recipient uses a `spamgourmet.com` address and forgot to update the counter thus causing the message to be blackholed or the service provider of the protected address blocks the spamgourmet.com server specifically
    * recipient's mail server may reject the message if the domain name appearing in the `From:` field does not correspond with the IP address of the transmitting server (e.g. MUA allows freetyping the `From:` field and sender uses a `spamgourmet.com` address)
    * the recipient uses a forwarding service like Namesilo, who refuses to forward messages from unrecognized senders because the forwarding service considers their own IP reputation more important than the actual delivery of a single message
    * the recipient's mail server uses graylisting with unreasonable delay. Time-sensitive messages can miss the deadline or sending servers can give up before the time lapse.
    * recipient's e-mail server blocks the attachment (and possibly the whole email) incorrectly flagging it as malware.
    * recipient's e-mail address is unknown because a webmaster's anti-spam effort...
      * ..is to not publish any email addresses. Senders are forced to use a contact form that's blocked by a sometimes broken CAPTCHA. And when the webform does work, PDF attachments are not possible.
      * ..is to block e-mail address disclosure until a CAPTCHA is solved, and the CAPTCHA is broken or the sender rejects the effort required
      * ..entails hiding e-mail addresses until some javascript renders them, but javascript is either unsupported or disabled by the visitor's secure browser. There is also no indication to the visitor that an e-mail address is even available if j/s were to execute.
    * recipient's e-mail address is unknown because the webpage publishing it blocks Tor and the visitor will be damned if they must give up their security to view the page
    * the sender simply cannot send the message because the corporation who handles the recipient's email (e.g. is a PRISM corp like Google or Microsoft) is not sufficiently trustworthy for the content of the message
    * large corporations use DNSBLs to force email senders to relay their mail through a static IP, and the sender with dynamic IP may not consider any third party sufficiently trustworthy to see *all* their emails
    * sender boycotts the recipient's e-mail provider
    * recipient does not have an S/MIME cert. or PGP public key, thus failing to achieve the level of confidentiality required by the sender (some sys admins even refuse to accommodate encrypted e-mail in fear that a malicious payload will get past the organization's malware scanner)
    * recipient uses an EU-based e-mail service provider, where law obligates collection of metadata (a collection that may jeopardize the level of confidentiality required by the sender), and the recipient or sender are not using a [Memory Hole](https://github.com/autocrypt/memoryhole)-capable MUA to protect their metadata
    * recipient abandons their mailbox because they have other accounts and can't be bothered to manage all of them, and unread mail piles up
    * sender is a technologically-challenged bank or brokerage who sends multipart MIME messages and puts in the plaintext part:
      * a message saying "Upgrade your mail client" instead of the actual message
      * a large dump of unreadable machine-generated HTML indistinguishable from garbage
    * sender attaches a file in a non-standard proprietary format like MS Word and the recipient cannot view it (or does not trust it to open it for viewing).

    2
    0
    privacy
    Privacy cipherpunk 5 years ago 93%
    DDG vs. Startpage vs. Searxes

    In terms of privacy, this is how the Searxes (meta of meta searches) compares to DDG, Startpage, and Mojeek:

    | *privacy factor* | ***DDG*** | ***Startpage*** | ***[Mojeek](https://mojeek.com)*** | ***[Searxes](https://searxes.eu.org)*** |
    |---|---|---|---|---|
    | caught violating privacy policy | [yes](https://archive.is/qntuk) | no | no | no |
    | bad track record (history of privacy abuse) | [yes](https://www.reddit.com/r/privacy/comments/aqz3q8/the_history_of_duckduckgos_founder_is_disturbing/) (CEO founded [Names DB](https://en.wikipedia.org/wiki/Names_Database)) | [owned](https://restoreprivacy.com/startpage-system1-privacy-one-group/) by targeted ad agency | no |
    | feeds other privacy abusers | yes ([Verizon-Yahoo](https://www.ghacks.net/2016/07/01/duckduckgo-yahoo-partnership/), Microsoft, [Amazon](https://www.reddit.com/r/mildlyinteresting/comments/d4zgei/my_dad_has_been_emptying_the_ink_remaining_in/f16gujo/), CloudFlare) | yes (Google, CloudFlare) | no | no |
    | privacy-hostile sites in search results | yes | yes | yes (but appears less frequent than ddg) | no (CloudFlare sites filtered out) |
    | server code is open source | no | no | no | [yes](https://github.com/asciimoo/searx) |
    | has an onion site | yes (but Tor-hostile results still given) | no | no | [yes](http://searxes.nmqnkngye4ct7bgss4bmv5ca3wpa55yugvxen5kz2bbq67lwy6ps54yd.onion/) |
    | gives users a proxy or cache | no | yes (using [Anonymous View](https://www.startpage.com/en/search/proxy-help.html) feature) | no | yes (via the favicons) |

    Superficially Metager is privacy respecting and there's even an .onion host for it. So I'll have to add it to the table in the future. For the moment, I'll say that Metager [shares](http://b7cxf4dkdsko6ah2.onion/en/datenschutz) the following with advertisers:

    * first 2 blocks of your IP address
    * user-agent string
    * your search query

    They say it's for non-personalised advertizing.

    14
    6