• 3 Posts
Joined 3Y ago
Cake day: Nov 13, 2019


The updated article is here:


There is too much censorship & shenannigans like concealing censorship from modlogs to trust lemmy.ml anymore. I just saw a post about how the admins removed a community creator and quietly put someone else in control.

There’s a lot of tor-hostile links in this post and references to untrustworthy sites and services.

It’s bad advice. Sony and Motorola are terrible recommendations. See https://neoreddit.horobets.me/post/51

Wickr has two gren checks and is green lit across the board except jurisdiction. And yet was closed-source s/w last time i checked.

Signal has a green cell for “puddle test”, but that’s changing. OWS has announced making data recoverable.

The raw data is mostly usefuly, but some of the overall recommendations are lousy. Ignore the checkmarks.

NB: Can’t believe I had to register here with an e-mail address to comment about privacy…

Supplying an email address on Lemmy used to be optional. Has that changed?

Problem I have with searx is it does no regional searches at all

I think that’s determined by the searx instance. Some instances let you choose your UI language, as well as the results language. You can also do “site:de” if you want to search *.de sites for example.

I notice that DDG does allow users to set their search method to POST requests and support redirects to prevent search leakage.

Why would POST prevent leakage? As long as the site is HTTPS, the query is encrypted regardless of whether it’s HTTPPOST or HTTPGET.

Privacy-centric tool advice sites -- Credibility examined -- part 1: web search engines (DDG & Qwant)
This is an examination of the integrity and credibility of the following projects that attempt to advise privacy-focused consumers. | site | mission statement of purpose | |---|---| | [de-Google-ify](https://markosaric.com/surveillance-capitalism/) | "*These ethical alternatives will help you de-Google-ify your life, have a calmer and far less intrusive online experience.*" | | [Frama](https://framasoft.org/en/) | "*promotion, dissemination and development of free software, enhancement of open source culture, and an online platform of open services.*" ([full charter](https://framasoft.org/en/charte/)) | | [PRISM-Break](https://prism-break.org/en/) | "*Help make mass surveillance of entire populations uneconomical! We all have a right to privacy, which you can exercise today by encrypting your communications and ending your reliance on proprietary services.*" | | [PTIO](https://privacytools.io/) | "*You are being watched. Private and state-sponsored organizations are monitoring and recording your online activities. PrivacyTools provides services, tools and knowledge to protect your privacy against global mass surveillance.*" | | [Security Checklist](https://securitycheckli.st/) | "*An open source checklist of resources designed to improve your online privacy and security. Check things off to keep track as you go.*" | | [Surveillance Self-Defense](https://ssd.eff.org/en) | "*our [EFF's] expert guide to protecting you and your friends from online spying.*" | | [Stallman](https://stallman.org) | (advice is tech freedom centric but RMS also has a respectible stance on privacy issues) | | [Switching Software](https://switching.software) | "*Ethical, easy-to-use and privacy-conscious alternatives to well-known software*" | | [ThinkPrivacy](thinkprivacy.ch) | "*It's your data. It's time you take control of it.*" # Harmful endorsement: DuckDuckGo ("DDG") Why it's harmful: [article](https://dev.lemmy.ml/post/31321) | site | DuckDuckGo endorsement | site's position & mission are inconsistent | endorsement or condemnation contains misinfo or withholds pitfalls | |---|---|---|---| | [de-Google-ify](https://markosaric.com/surveillance-capitalism/) | [yes](https://markosaric.com/surveillance-capitalism/#replace-google-search-with-duckduckgo) | yes, if you consider DDG an unethical alternative | site withholds DDG wrongdoing, and makes a positive claim that DDG has no filter bubble (which is disputed) | | [Frama](https://framasoft.org/en/) | no (and in fact DDG [blacklisted](https://contact.framasoft.org/wp-content/uploads/newsletters/newsletter10.html) Framabee) | no | n/a | | [PRISM-Break](https://prism-break.org/en/) | [yes](https://prism-break.org/en/projects/duckduckgo/) | yes, by economically supporting privacy abusing surveillance capitalists (direct adversaries of the PRISM-Break mission) | site withholds DDG wrongdoing | | [PTIO](https://privacytools.io/) | [yes](https://www.privacytools.io/providers/search-engines/) | yes, financing privacy abusers works against PTIO's mission. | site cautions about UKUSA, but withholds most DDG wrongdoing | | [Security Checklist](https://securitycheckli.st/) | yes | depends on user's previous tool whether DDG is an improvement | site withholds DDG wrongdoing and also makes unverifiable\* claims | | [Surveillance Self-Defense](https://ssd.eff.org/en) | [almost](https://ssd.eff.org/en/module/how-use-tor-macos) | meh, you decide | Endorsement is kind of implied by TB advocacy & presentation of default search engine without caution | | [Stallman](https://stallman.org) | [no](https://stallman.org/articles/duckduckgo-censorship.html) | no | page overlooks most DDG issues, but it was only meant to expose one issue | | [Switching Software](https://switching.software) | [yes](https://switching.software/replace/google-search/) | yes, if you consider DDG an unethical alternative | site withholds DDG wrongdoing and also makes unverifiable\* claims | | [ThinkPrivacy](thinkprivacy.ch) | [yes](https://web.archive.org/web/20200326231847/www.thinkprivacy.ch/search) | yes, financing privacy abusers works against TP's mission. | site withholds DDG wrongdoing and also makes unverifiable\* claims | (\*) DDG *claims* they do not track users, but they cannot prove it. So when a third party like [Switching Software](https://switching.software) or [ThinkPrivacy](thinkprivacy.ch) states DDG does not track you, they are asserting something they can't. They should not be endorsing DDG in the first place, but if they insist, then they should instead say something like "DDG claims not to track you" so as to avoid deceiving people about the verifiability of the claim. It's particularly interesting to note that ThinkPrivacy gives the highest endorsement to [Startpage](https://www.thinkprivacy.ch/checklist.html), which was bought by US advertising company "System1". Yet ThinkPrivacy [loudly condemns](https://www.thinkprivacy.ch/cutting-the-wire) for the very same reason. Why? Dan Arel works for Startpage. This arose out of a scandal where Mr. Arel was advising the privacytools.io project at the time PTIO was considering pulling their endorsement of Startpage. To be fair, DuckDuckGo has a much more extensive history of undermining privacy both directly and by proxy through partnerships with privacy abusers than Startpage. ## Harmful endorsement: Qwant While Qwant has some privacy strengths that make it substantially more trustworthy and privacy-respecting than DuckDuckGo, it still has noteworthy issues that undermine privacy: 1. Privacy 1. Tor hostility -- Tor users are sometimes forced to [solve a CAPTCHA](https://dev.lemmy.ml/post/31645), and it's implemented in a destructive manner. That is, the search query is collected ***before*** Qwant decides to push a CAPTCHA. Since the user has already invested effort in typing the query, the user is coerced to solve the puzzle in order to not throw away their effort to that point. Then after successfully solving the puzzle, the query is wiped out anyway and the user is forced to retype their query. 1. No proxy feature. Some search engines like Searxes and Metager give an alternative proxy or cached link that avoids directly connecting to the site in the results. This is useful for all users but it's important to Tor users because many sites block or mistreat Tor users, in which case Tor users must visit the site indirectly. Qwant neglects to accommodate. 1. Qwant's [swag store](http://store.qwant.com/) accepts Paypal, who then shares customers data with [600 companies](https://www.schneier.com/blog/archives/2018/03/the_600_compani.html) amid [other abuses](https://dev.lemmy.ml/post/30880). 1. Qwant's [swag store](http://store.qwant.com/) says "follow us on Facebook", leading users into mass surveillance and makes no mention of their [Mastodon account](https://social.privacytools.io/@Qwant). 1. Microsoft [partnership](https://betterweb.qwant.com/en/how-microsoft-tools-strengthen-qwant/) has been ongoing. 1. Qwant patronizes Microsoft for its [advertising network](https://en.wikipedia.org/wiki/Qwant) 1. Qwant claims they no longer use Bing search results, but this is disputed. (And then they [admit](https://mastodon.social/@Qwant/103692143045274520) to it) 1. Qwant [uses](https://betterweb.qwant.com/en/how-microsoft-tools-strengthen-qwant/) Microsoft Azure cloud services. 1. Qwant's [swag store](http://store.qwant.com/) sells apparel made of cotton, which is bad for the environment. 1. Qwant has [ties](https://social.privacytools.io/@Qwant/102945184291956539) to [Fight for the Future Inc](https://dev.lemmy.ml/post/31655), an organization that claims to fight for net neutrality yet uses CloudFlare themselves. We won't document all of Microsoft's wrongdoing here, but MS has a long history of privacy abuse and still today they are embroiled in privacy scandals such as financial facial recognition technology to AnyVision and violating the GDPR. | site | Qwant endorsement | site's position & mission are inconsistent | endorsement misinforms or withholds pitfalls | |---|---|---|---| | [de-Google-ify](https://markosaric.com/surveillance-capitalism/) | no | no | n/a | | [Frama](https://framasoft.org/en/) | no | no | n/a | | [PRISM-Break](https://prism-break.org/en/) | no | no | n/a | | [PTIO](https://privacytools.io/) | [yes](https://www.privacytools.io/providers/search-engines/) | yes | site withholds Qwant wrongdoing | | [Security Checklist](https://securitycheckli.st/) | no | no | n/a | | [Surveillance Self-Defense](https://ssd.eff.org/en) | no | no | n/a | | [Stallman](https://stallman.org) | no | no | n/a | | [Switching Software](https://switching.software) | [yes](https://switching.software/replace/google-search/) | yes, if you consider Qwant unethical | site withholds Qwant wrongdoing and also makes unverifiable\* claims | | [ThinkPrivacy](thinkprivacy.ch) | no | no | n/a | (\*) Qwant *claims* they do not track users, but they cannot prove it. So when a third party like [Switching Software](https://switching.software) states Qwant does not track you, they are asserting something they can't. They should not be endorsing Qwant in the first place, but if they insist, then they should instead say something like "Qwant claims not to track you" so as to avoid deceiving ppl about the verifiability of the claim. OTOH, Qwant would be violating the GDPR if they did track you contrary to their privacy policy, so perhaps it's fair enough for Switching Software to make this assertion (unlike DDG, who is bound only contractually & they've shown to violate it already). It's worth considering that sites that endorse DuckDuckGo and nothing else are actually more harmful than sites that list other alternatives like Qwant, b/c there is more likeliness that users opt to use DDG when it's the only endorsed choice. ([part 2: messaging services](https://dev.lemmy.ml/post/32542)) ([part 3: s/w repos](https://dev.lemmy.ml/post/35452))

This thread does an interesting comparison:


YaCy is a crawler. It’s a great tool for supplying your own search engine to the public, but end users will find searx nodes more practical.

DuckDuckGo's privacy abuses-- current, historic, and by proxy
There are substantial privacy and civil liberty issues with DuckDuckGo. Here they are spot-lighted: * ***Nefarious History of DDG founder & CEO***: * DDG's founder (Gabriel Weinberg) has a [history](https://www.reddit.com/r/privacy/comments/aqz3q8/the_history_of_duckduckgos_founder_is_disturbing/) of privacy abuse, starting with his founding of [Names DB](https://en.wikipedia.org/wiki/Names_Database), a surveillance capitalist service designed to coerce naive users to submit sensitive information about their friends. (2006) * Weinberg's [motivation](http://web.archivecrfip2lpi.onion/web/20181116102800/https://www.eyerys.com/articles/people/search-engine-and-privacy-gabriel-weinberg) for creating DDG was not actually to "spread privacy"; it was to create something big, something that would compete with big players. As a privacy abuser during the conception of DDG (Names Database), Weinberg sought to become a big-name legacy. Privacy is Weinberg's means (not ends) in that endeavor. Clearly he doesn't value privacy -- he values perception of privacy. * ***Direct Privacy Abuse***: * DDG [was caught](http://web.archivecrfip2lpi.onion/web/20130627082930/http://www.alexanderhanff.com/duckduckgone) violating its own privacy policy by issuing tracker cookies. * DDG's app [sends every URL](https://github.com/duckduckgo/Android/issues/527) you visit to DDG servers. ([reaction](https://cmpwn.com/@sir/104444543789319623)). * DDG is currently collecting users' operating systems and everything they highlight in the search results. (to verify this, simply hit F12 in your browser and select the "network" tab. Do a search with javascript enabled. Highlight some text on the screen. Mouseover the traffic rows and see that your highlighted text, operating system, and other details relating to geolocation are sent to DDG. Then change the query and submit. Notice that the previous query is being transmitted with the new query to link the queries together) * DDG is accused of [fingerprinting](https://betanews.com/2019/01/07/duckduckgo-fingerprinting-accusation/) users' browsers. * When clicking an ad on the DDG results page, all data available in your session is sent to the advertiser, which is why the Epic browser project [refuses](https://www.epicbrowser.com/FAQ.html) to set DDG as the default browser. * DDG [blacklisted](https://contact.framasoft.org/wp-content/uploads/newsletters/newsletter10.html) Framabee, a search engine for the highly respected framasoft.org consortium. * ***Censorship***: Some people replace Google with DDG in order to avoid censorship. DDG is not the answer. * DDG is [complying](https://stallman.org/articles/duckduckgo-censorship.html) with the "celebrity threesome injunction". * ***CloudFlare***: DDG promotes one of the largest [privacy abusing](https://github.com/privacytoolsIO/privacytools.io/issues/374#issuecomment-460077544) tech giants and adversary to the Tor community: CloudFlare Inc. DDG results give high rankings to CloudFlare sites, which consequently compromises privacy, net neutrality, and anonymity: * Anonymity: CloudFlare DoS attacks Tor users, causing substantial damage to the Tor network. * Privacy: All CloudFlare sites are surreptitiously MitM'd by design. * Net neutrality: CloudFlare's attack on Tor users causes access inequality, the centerpiece to net neutrality. * DDG T-shirts are sold using a [CloudFlare site](https://duckduckgo.merchmadeeasy.com/), thus surreptitiously sharing all order information (name, address, credit card, etc) with CloudFlare despite their statement at the bottom of the page saying "DuckDuckGo is an Internet privacy company that empowers you to seamlessly take control of your personal information online, without any tradeoffs." (2019) * DDG hired CloudFlare to host spreadprivacy.com (2019) * ***Harmful Partnerships with Adversaries of Privacy Seekers***: * DDG patronizes privacy-abuser **Amazon**, using AWS for hosting. * Amazon is making an astronomical investment in facial recognition which will destroy physical travel privacy worldwide. * Amazon uses Ring and Alexa to surveil neighborhoods and the inside of homes. * Amazon [paid](https://arstechnica.com/tech-policy/2018/04/facebook-donated-200000-to-kill-a-privacy-law-but-now-its-backtracking/) $195k to fight privacy in CA. (also see http://cal-access.sos.ca.gov/Campaign/Committees/Detail.aspx?id=1401518&view=late1) * Amazon runs sweat shops, invests in climate denial, etc.. the list of non-privacy related harms is too long to list here. * DDG feeds privacy-abuser **Microsoft** by patronizing the Bing API for search results and uses Outlook email service. * Microsoft Office products violate the GDPR (the Dutch government discovered numerous violations) * Microsoft finances AnyVision to equip the Israeli military with facial recognition to be used against the Palestinians who they oppress. * Microsoft [paid](https://arstechnica.com/tech-policy/2018/04/facebook-donated-200000-to-kill-a-privacy-law-but-now-its-backtracking/) $195k to fight privacy in CA. (also see http://cal-access.sos.ca.gov/Campaign/Committees/Detail.aspx?id=1401518&view=late1) * DDG hires Microsoft for email service: `torsocks dig @ mx duckduckgo.com +tcp | grep -E '^\w'` ==> "...duckduckgo-com.mail.protection.outlook.com" * DDG is [partnered](https://www.ghacks.net/2016/07/01/duckduckgo-yahoo-partnership/) with **Yahoo** (aka Oath; plus **Verizon** and **AOL** by extension). DDG helps Yahoo profit by patronizing Yahoo's API for search results, and also through advertising. The Verizon corporate conglomerate is evil in many ways: * Yahoo, Verizon, and AOL all supported CISPA (unwarranted surveillance bills) * Yahoo, Verizon, and AOL all use DNSBLs to block individuals from running their own mail servers, thus forcing an over-share of e-mail metadata with a relay. * Verizon and AOL both drug test their employees, thus intruding on their privacy outside of the workplace. * Verizon supports the TTP treaty. * Yahoo voluntarily ratted out a human rights journalist (Shi Tao) to the Chinese gov w/out warrant, leading to his incarceration. * Yahoo recently recovered "deleted" e-mail to convict a criminal. The deleted e-mail was not expected to be recoverable per the Yahoo Privacy Policy. * Verizon received $16.8 billion in Trump tax breaks, then immediately laid off thousands of workers. * (2014) Verizon fined $7.4 million for [violating customers’ privacy](https://www.huffingtonpost.com/2014/09/03/verizon-privacy_n_5760132.html) * (2016) Verizon fined $1.35 million for [violating customers’ privacy](https://www.cnet.com/news/verizon-racks-up-1-35-m-bill-for-violating-consumer-privacy/) * (2018) Verizon paid $200k to [fight privacy in CA](https://arstechnica.com/tech-policy/2018/04/facebook-donated-200000-to-kill-a-privacy-law-but-now-its-backtracking/). See also [this page](http://cal-access.sos.ca.gov/Campaign/Committees/Detail.aspx?id=1401518&view=late1) * (2018) Verizon caught [taking voice prints](https://www.reddit.com/r/privacytoolsIO/comments/ac8p1x/verizon_voice_fingerprinting_on_customer_support/)? * [more dirt](https://old.reddit.com/r/privacy/comments/62ezji/which_american_mobile_carrier_is_the_most_privacy/) (scroll down to Verizon) * (2016) Yahoo [caught](https://www.theguardian.com/technology/2016/oct/04/yahoo-secret-email-program-nsa-fbi) surreptitiously monitoring Yahoo Mail messages for the NSA. * ***Advertising Abuses & Corruption***: * DDG consumed a room at FOSDEM 2018 to deliver a sales pitch despite its proprietary non-free server code, then dashed out without taking questions. Shame on FOSDEM organizers for allowing this corrupt abuse of precious resources. * Tor Project accepted a $25k "contribution" (read: bribe) from DDG, so you'll find that DDG problems are down-played. This is why Tor Browser defaults to using DDG and why Tor Project endorses DDG over [Ss](https://ss.wodferndripvpe6ib4uz4rtngrnzichnirgn7t5x64gxcyroopbhsuqd.onion) -- and against the interests of the privacy-seeking Tor community. The EFF also pimps DDG -- a likely consequence of EFF's close ties to Tor Project. For the record, this is how Tor Project responds to criticism about their loyalty toward DuckDuckGo (their benefactor) in IRC: > 18:20 < psychil> if torbrowser is going to be recommended, it should also be open to scrutiny. in the absence of that transparency, you create an untrustworthy forum. > 18:20 < psychil> we've seen a loyalty from TB toward duckduckgo, but DDG is in partnership with Verizon, Yahoo, AOL et. al. > 18:21 < psychil> all CISPA-sponsoring companies > 18:22 < psychil> if ppl choose to trust them fair enough, but this trust shouldn't be pushed on every user weighing their choice of browsers > 18:26 -!- mode/#tor [-b psychil@*!*@*] by ChanServ > 18:27 < YY_Bozhinsky> psychil: i am using Tor (thanks to Tor Devs)... PLUS brain - good bundle. I am happy. And please, don't rush to change Reality (do it slowly with love and respect). Because it's home for many ppl. They construct their lives in it. Think twice before ruining that. Please. > 18:27 -!- mode/#tor [+b psychil!*@*] by ChanServ > 18:27 -!- psychil was kicked from #tor by ChanServ [wont stop the FUD] Indeed, Tor Project is notoriously fast to censor any discourse (no matter how civil) when it supports a narrative that doesn't align with their view / propaganda.

Keybase <-- stay away from it, seriously.
# Keybase, we have a problem. The Keybase software and service are both littered with severe bugs that create a security and legal nightmare. Here are some of the issues: * Deception: Their software is a server masquerading as a client app. They simply call it an "app" on this page: https://keybase.io/docs/the_app/install_linux but it's actually a surreptitious *server* that runs continuously in the background as a daemon. * Deception: Tor mode serves only to mislead users. The tool actually surreptitiously phones home to the central server of Keybase, Inc. without using Tor at all. This is not the usual DNS leak that Tor users are accustomed to, the connection itself takes place outside of the #Tor network. It's not incidental. This is in their _privacy policy_: "When you access or use the Service,we automatically collect and store information about your browsing habits and your use of the Service (“Usage Information”),including: a. Your computer’s IP address.. f. Session times and lengths" * Malice: Keybase is designed to reverse users' edits to the `run_keybase` script. So users who try to patch the leaks by introducing torsocks wrappers in that script will learn who really owns that tool on the next upgrade or downgrade, when the script is overwritten. The overwriting is also silent, so some users will be unaware when their traffic becomes exposed. This also means adding firejail sandboxing to that script will also be reversed. It's no accident, they enforce it in the ToS that you agree to: "We may automatically check your version of the Software. We may also automatically download to your computer or device new versions of the Software." * SoftwareFreedom: The javascript on www.keybase.io is non-free software (it fails the #LibreJS test). * Malice: There are so many security bugs that keybase developer Jack O'Connor ("oconnor663") is outright deleting some of the more embarrassing security-critical bug reports. This censorship is the most malicious variety because it blocks other users from becoming aware of pitfalls in software that they have trusted. (Hence this article, which is out of reach for Jack O'Connor to censor) * Malice: The login webform is coded as a pop-up to force users to disable their ad blockers. * Malice: Users who are wise enough to distrust the keybase server have no way to receive messages that are collected through the _Keybase Chat_ mechanism. * Deception: People who send messages using _Keybase Chat_ are not given feedback on non-delivery. So humans are actually composing messages that are silently black-holed! Nothing is more reckless and irresponsible than a messaging service that fails to deliver without telling the sender. What's even more perverse is that non-delivery is not a rare event-- it's simply a matter of the recipient not running their junk software. So it's designed to cause widespread harm, the scale of which that could provoke a class action. So they've actually written a clause in their ToS to attempt to block class actions: 'Any Claim must be brought in the respective party’s individual capacity, and not as a plaintiff or class member in any purported class, collective,representative, multiple plaintiff, or similar proceeding (“Class Action”).' They also have: INDEMNIFICATION, LIMITATION OF LIABILITY, ARBITRATION, and NO WARRANTY clauses to block all actionability of their malice. * Bug: Further exacerbating the previous two issues is the fact that the "Keybase Chat" button cannot be disabled. Users not running the dodgy software are still forced to have this blackhole-feeding mechanism on their profiles. * Hypocrisy: Keybase sends all notifications in-the-clear as plaintext despite having the recipients pubkey and having built their own software to use it. Keybase, Inc does not eat their own dog food. * Bug: If you disable the (insecure) notifications and you are not running their (insecure) software, then you have no way of knowing that someone has tried to send a message. So human-written messages are not only black-holed, but both sender and recipient are unaware of the non-delivery. * Bug: The Keybase installer creates the directory "/keybase" with all world privileges (and yes, they root it in "/"). The keybase developers have said they believe that mounting a filesystem to that directory blocks access to it (so they are unaware of bind mounts). * Malice: advertising is opt-out, not opt-in. From their ToS: "we may send you communications..promotional information and materials..We give you the opportunity to opt-out of receiving promotional electronic mail from us by following the opt-out instructions provided in the message." They are encouraging users to use an unsubscribe link in a spam message. Informed users know is a bad idea, as it signals that an e-mail address is actively in use. * Bug: Keybase does not sign their e-mail messages, thus exposing their users to phishing attacks. Keybase, Inc again demonstrates they don't eat their own dog food. * Deception: They say files are end-to-end encrypted, but this legal loophole gives them immunity for any shenanigans in that regard: "We collect and store files and information that you transmit to other parties using the Service or that you elect to store on the Service." * Deception: This appears on the Keybase website: "The Keybase website is ok, but the Keybase app is faster, safer, and more powerful than doing it in a browser." When they say the "website is ok", it's a gross oversight to imply that you can rely on the website alone when doing so entails forfeiting access to inbound messages (for which the collection cannot be disabled). And when they say the "app is safer", it's a lie.

It’s important to state which Searx instance is used in the testing, because every instance is different. Every instance operator chooses who to source from, and some of them even source from their own YaCy crawler.

“Free software” that forces execution of non-free software isn’t really free. (see paragraph “2” below)

There is nothing particularly wrong with the gitlab software, but that software must be hosted and configured and there are copious ethical problems with the gitlab.com service that the OP suggested:

  • Sexist treatment toward saleswomen who are told to wear dresses, heels, etc.
  • Hosted by Google.
  • Proxied through privacy abuser CloudFlare.
  • tracking
  • Hostile treatment of Tor users trying to register.
  • Hostile treatment of new users who attempt to register with a @spamgourmet.com forwarding email address to track spam and to protect their more sensitive internal email address.
  • Hostile treatment of Tor users after they’ve established an account and have proven to be a non-spammer.

Regarding the last bullet, I was simply trying to edit an existing message that I already posted and was forced to solve a CAPTCHA (attached). There are several problems with this:

  • CAPTCHAs break robots and robots are not necessarily malicious. E.g. I could have had a robot correcting a widespread misspelling error in all my posts.
  • CAPTCHAs put humans to work for machines when it is machines that should work for humans.
  • CAPTCHAs are defeated. Spammers find it economical to use third-world sweat shop labor for CAPTCHAs while legitimate users have this burden of broken CAPTCHAs.
  • The reCAPTCHA puzzle requires a connection to Google
    1. Google’s reCAPTCHAs compromise security as a consequence of surveillance capitalism that entails collection of IP address, browser print.
      • anonymity is compromised.
      • (speculative) could Google push malicious j/s that intercepts user registration information?
    2. Users are forced to execute non-free javascript (recaptcha/api.js).
    3. The reCAPTCHA requires a GUI, thus denying service to users of text-based clients.
    4. CAPTCHAs put humans to work for machines when it is machines who should be working for humans. PRISM corp Google Inc. benefits financially from the puzzle solving work, giving Google an opportunity to collect data, abuse it, and profit from it. E.g. Google can track which of their logged-in users are visiting the page presenting the CAPTCHA.
    5. The reCAPTCHAs are often broken. This amounts to a denial of service. gitlab_google_recaptcha
      • E.g.1: the CAPTCHA server itself refuses to give the puzzle saying there is too much activity.
      • E.g.2: ccha
    6. The CAPTCHAs are often unsolvable.
      • E.g.1: the CAPTCHA puzzle is broken by ambiguity (is one pixel in a grid cell of a pole holding a street sign considered a street sign?)
      • E.g.2: the puzzle is expressed in a language the viewer doesn’t understand.
    7. (note: for a brief moment gitlab.com switched to hCAPTCHA by Intuition Machines, Inc. but now they’re back to Google’s reCAPTCHA)
    8. Network neutrality abuse: there is an access inequality whereby users logged into Google accounts are given more favorable treatment the CAPTCHA (but then they take on more privacy abuse). Tor users are given extra harsh treatment.