Privacy


A community for Lemmy users interested in privacy

Rules:

  1. Be civil
  2. No spam posting
  3. Keep posts on-topic
  4. No trolling

founded 2 years ago
MODERATORS
1
 
 

“The space researcher was allegedly randomly checked on arrival, during which his professional computer and personal telephone were allegedly searched. Similarly, messages about the Trump administration’s treatment of scientists have been found.”

2
5
submitted 1 day ago* (last edited 1 day ago) by [email protected] to c/[email protected]
 
 

I have been looking for a good calorie tracker on iOS for some time, but have never found one with the features I want while being either open source or privacy respecting (or both). Android has a few options but the UI is very dated to say the least.

In order to fill this gap, I am considering building one, but if someone can point me to an existing app to save me the time, I would be very thankful.

3
 
 

For those not familiar, there are numerous messages containing images being repeatedly spammed to many Threadiverse users talking about a Polish girl named "Nicole". This has been ongoing for some time now.

Lemmy permits external inline image references to be embedded in messages. This means that if a unique image URL or set of image URLs are sent to each user, it's possible to log the IP addresses that fetch these images; by analyzing the log, one can determine the IP address that a user has.

In some earlier discussion, someone had claimed that local lemmy instances cache these on their local pict-rs instance and rewrite messages to reference the local image.

It does appear that there is a closed issue on the lemmy issue tracker referencing such a deanonymization attack:

https://github.com/LemmyNet/lemmy/issues/1036

I had not looked into these earlier, but it looks like such rewriting and caching intending to avoid this attack is not occurring, at least on my home instance. I hadn't looked until the most-recent message, but the image embedded here is indeed remote:

https://lemmy.doesnotexist.club/pictrs/image/323899d9-79dd-4670-8cf9-f6d008c37e79.png

I haven't stored and looked through a list of these, but as I recall, the user sending them is bouncing around different instances. They certainly are not using the same hostname for their lemmy instance as the pict-rs instance; this message was sent from nicole92 on lemmy.latinlok.com, though the image is hosted on lemmy.doesnotexist.club. I don't know whether they are moving around where the pict-rs instance is located from message to message. If not, it might be possible to block the pict-rs instance in your browser. That will only be a temporary fix, since I see no reason that they couldn't also be moving the hostname on the pict-rs instance.

Another mitigation would be to route one's client software or browser through a VPN.

I don't know if there are admins working on addressing the issue; I'd assume so, but I wanted to at least mention that there might be privacy implications to other users.

In any event, regardless of whether the "Nicole" spammer is aiming to deanonymize users, as things stand, it does appear that someone could do so.

My own take is that the best fix here on the lemmy-and-other-Threadiverse-software side would be to disable inline images in messages. Someone who wants to reference an image can always link to an external image in a message, and permit a user to click through. But if remote inline image references can be used, there's no great way to prevent a user's IP address from being exposed.

If anyone has other suggestions to mitigate this (maybe a Greasemonkey snippet to require a click to load inline images as a patch for the lemmy Web UI?), I'm all ears.
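The click-to-load idea floated above, as an added example (not Lemmy's code and not from the poster): a Greasemonkey-style user script that replaces every `<img>` pointing at a host other than the one the page was loaded from with a placeholder, so the browser sends no request to the third-party host until the reader clicks. The hostnames in the comments are the ones mentioned in the post; the helper names (`isRemoteImage`, `gateImage`) are my own.

```javascript
// ==UserScript==
// @name         Gate remote inline images (added example, not part of Lemmy)
// @match        https://*/*
// @run-at       document-start
// @grant        none
// ==/UserScript==
//
// Assumption: the "local" instance is whatever host the page was loaded from
// (e.g. lemmy.latinlok.com), so an <img> whose URL points anywhere else
// (e.g. lemmy.doesnotexist.club) is treated as remote and is not fetched until
// clicked. It must run at document-start so the placeholder is installed
// before the browser issues the image request.

// True when loading `src` from a page on `localHost` would contact another
// host. Relative URLs resolve to localHost; data:/blob: URLs cause no network
// request and are left alone.
function isRemoteImage(src, localHost) {
  let url;
  try {
    url = new URL(src, 'https://' + localHost + '/');
  } catch (e) {
    return true; // unparseable: refuse to auto-load rather than guess
  }
  if (url.protocol !== 'http:' && url.protocol !== 'https:') return false;
  return url.hostname.toLowerCase() !== localHost.toLowerCase();
}

// Host shown in the placeholder text; never throws.
function hostOf(src, localHost) {
  try {
    return new URL(src, 'https://' + localHost + '/').hostname;
  } catch (e) {
    return 'unknown host';
  }
}

// Pure helper over a list of image URLs: the ones that would leak a request.
function remoteImages(srcs, localHost) {
  return srcs.filter((s) => isRemoteImage(s, localHost));
}

// Turn one <img> into a click-to-load placeholder. Returns true if gated.
function gateImage(img, localHost) {
  if (img.dataset.userLoaded === '1') return false; // reader chose to load it
  const src = img.getAttribute('src');
  if (src === null || !isRemoteImage(src, localHost)) return false;
  img.dataset.gatedSrc = src;
  img.removeAttribute('src');
  img.alt = '[remote image on ' + hostOf(src, localHost) + ' - click to load]';
  img.style.cursor = 'pointer';
  img.addEventListener('click', () => {
    img.dataset.userLoaded = '1';
    img.src = img.dataset.gatedSrc;
  }, { once: true });
  return true;
}

// Browser entry point: gate images present now and any added or re-sourced
// later (Lemmy renders posts dynamically). Skipped where no DOM exists.
if (typeof document !== 'undefined') {
  const localHost = location.hostname;
  const observer = new MutationObserver((mutations) => {
    for (const m of mutations) {
      if (m.type === 'attributes' && m.target.tagName === 'IMG') {
        gateImage(m.target, localHost);
        continue;
      }
      for (const node of m.addedNodes) {
        if (node.nodeType !== 1) continue;
        if (node.tagName === 'IMG') gateImage(node, localHost);
        if (node.querySelectorAll) {
          node.querySelectorAll('img[src]').forEach((img) => gateImage(img, localHost));
        }
      }
    }
  });
  observer.observe(document.documentElement, {
    childList: true, subtree: true, attributes: true, attributeFilter: ['src'],
  });
}
```

Blocking a single pict-rs host would stop working as soon as the sender moves the image elsewhere; gating by "not my instance" does not depend on knowing the hostile host in advance. The trade-off is that legitimately remote images (other instances' pict-rs) also need a click.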

4
5
 
 

cross-posted from: https://lemmy.ca/post/40848536

6
23
submitted 3 days ago* (last edited 3 days ago) by [email protected] to c/[email protected]
 
 

On Lemmy when we view someone's profile we have a "Send Message" option. We are warned the message is not truly private. We may see a recommendation to "create an account on Element.io for secure messaging" or we might see a "Send Secure Message" button to send a message to a user through matrix.to for users who have configured this feature.

Looking closely, we might notice element.io and matrix.to connections are going through Cloudflare. For anyone expecting to have a private conversation, this link may explain why there could be cause for concern (search for "TLS flows" at that link). https://lemmy.world/post/26919564

Is https://tuta.com/ a perfect email service? No, it's not. Tuta employees do not have access to your messages on the server at rest, which is a very strong feature. Since the service is hosted in Germany, with sufficient legal justification, the German government could request an encrypted version of your mailbox and Tuta would have to comply. With enough time and resources, any encryption can be compromised. For most people for most use cases, such a situation is already sufficient.

I do not want to encourage people to use the service for illegal activities and so I will suggest if you want to do something illegal, do it elsewhere.

For the rest of us, I think Tuta has a lot to offer. Tuta trades in money, not data. You pay for a service with a generous amount of storage (20 GB), several email address aliases (which could be used for points cards or other data collection services), encrypted searching of your full mailbox, unlimited calendars, the ability to use your own domain name for email accounts, and more. Paying by Monero, Bitcoin, or cash are also privacy focused options through their partner, Proxystore.

Tuta also understands there are people who can accept a basic plan for private communication, and offers a fairly generous free tier, providing 1 GB of storage while still offering the same encryption benefits for stored messages and messages sent between Tuta users. Encrypted search may be limited to more recent messages with the free tier, and only 1 calendar is available. The free tier is generous enough for everyone to use Tuta for relatively private communication.

You could start with a free account and optionally switch to a paid account later, when needed.

First, visit the Download Tuta section. https://tuta.com/#download

Downloads exist for Android (strikingly it can be downloaded from F-Droid), iOS, Windows, Linux, and macOS.

To use an Android APK file downloaded from F-Droid, you may need to change your phone's settings to enable the "Install unknown apps" option.

Different models of Android phones have different paths to this option.

  1. Open the Settings app on your phone.
  2. Go to Apps, Apps & notifications, Security & fingerprint, or Security.
  3. Go to the 3 periods at the top right and choose Special access, Special app access, or Advanced and then Special app access; on older phones you might already be in the right place and can scroll down.
  4. Select Install unknown apps and enable a file manager app (My Files), or Unknown sources and enable it, or Install from Unknown Sources and enable it.
  5. Confirm your choice to allow apps to be installed from unknown sources.

Once you install the app, you can sign up for an account.

It is possible to sign up using a web browser, but your email address and password are likely to be synchronized by your web browser, and the confidentiality aspect may disappear. Don't let your web browser save your email and password if you choose to sign up using your web browser.

A lazy person can rely on the downloaded mobile app or desktop application to save the password, provided you normally take good steps to protect your device from physical access.

After you create your account, you will be given a 64-character recovery code to write on paper. It is highly recommended you record these 64 characters on paper and store the paper in a safe place. Maybe the same place where you would put a cryptocurrency passphrase or a secret map to pirate treasure. It would also be nice to write the password on paper and safely store it there.

It is not recommended to use a "notes app" or any other electronic method of storing your 64-character recovery code. The convenience of cloud sync means you may lose the confidentiality of your communication. For a similar reason, it is not recommended to print your 64-character recovery code. You may instead choose not to store a copy of the 64-character recovery code anywhere since you can look it up later within your account as long as you do not forget your password.

If you usually enjoy using the convenience of synchronizing passwords from one device to another, a different approach is offered for Tuta. Install a mobile app or desktop application on each device and save your password within the Tuta mobile app or Tuta desktop application. If you protect physical access to your device, you can enjoy this convenience without your password being synchronized through another cloud service.

If you are willing not to be lazy, choose a password you can remember and do not mind typing each time.

After you create your account and log in, useful icons will appear on the left side of the screen. On mobile devices, you may need to open a menu of 3 horizontal bars to access the icons. Select the lightbulb icon (News) and choose to deactivate (or activate) usage data. Close the popup.

In that same section of icons, choose the gear icon (Settings). On mobile devices, you may need to open a menu of 3 horizontal bars to switch between Settings subpages. Switch to the Email subpage.

On the Settings Email subpage, there are useful settings. You can change how emails are displayed. You can change the email signature to a custom one. You can set a default delivery value for emails to non-Tuta users (confidential means sharing a password with them, not confidential means unencrypted email, and your choice can be changed when writing an email). Under the Email addresses heading you can expand the list and press the 3 horizontal dots to set your name.

If you ever plan to email someone outside of Tuta, you'll want to set your name so your email isn't marked as spam. If you only want to use Tuta privately with friends and family, you do not need to set your name and emails will still be delivered safely to other Tuta users.

Most other Settings have reasonable defaults and can be viewed later.

To return to your inbox on a mobile device, press the Emails icon in the lower left. On desktop, click the Emails button in the upper right.

On your mobile device, you can create a New email by pressing the piece of paper and pencil icon in the upper right. On desktop, click the New email button at the upper left.

Tuta protects your IP address and does not send it in the email header of your email messages.

Tuta emails you, including tips, news, self-promotion of their paid plans, and partner ads offering a discount. Other than targeting free users with self-promotion of their paid plans, there are no targeted advertisements. Your mailbox is not used to profile you and your mailbox is not given to AI.

If you previously created a Tuta account and saved your password in your web browser, I suggest changing your password and not saving the updated password in your web browser. To change your password, choose the gear icon (Settings) on the left side of the screen. On mobile devices, you may need to open a menu of 3 horizontal bars to access the icons. The Login subpage is already selected and you can change your password. You can also choose to update your recovery code if you feel it may have been leaked.

I suggest using Lemmy's "Send Message" feature to share your Tuta account with other Lemmy users and then continue your private discussions more privately with Tuta.

7
 
 

Fastbackgroundcheck.com says there's info on me on truthfinder, spokeo, peoplefinders and instantcheckmate. When I try going through all four of those sites, it takes a super long time, including a few times in the past when I tried getting reports on myself.

The progress bars reach 100% and reset continuously. If these sites are legitimate like some reddit users claim, then why not be upfront about wanting me to pay? Right now I'm convinced that these sites are snake oil, maybe they work if you pay but the behavior of the free options turns me off. They act 100% like typical scam websites, the kind that asks you to complete three surveys on external sites with fake progress bars.

Basic info like my full name, address, age, and siblings can be found with search engines easily but I feel like there's no point in trying to wipe it if there aren't methods that could definitely work.

8
 
 

META allows you to have messenger, without having a facebook account. At least here in Europe. This is great, as some families, communities and even workplaces depend on it for instant messaging. This is the case with my new job. They have a messenger group for important messages and shift trades ("can someone take my shift tomorrow")

That said, it seems like it is making life hard for people who only have messenger and no facebook. People have not been able to find me, even though I have a pretty unique name. The results show "no results" even though I do have an account with this name, and can be found by some. Even when they do find me, by me searching for them and adding them as a friend, I can't be added to the group chat. This works some times and not others. I can never know if people can actually find me, when they try.

I have tried letting people search me by name, email, and phone number. The username feature does not work. It says it is broken and I should try later. Also all settings are set to be very loose, and there are no requests in the message requests, or spam folders.

Any of you have experienced this, and feel like a second grade user, because you don't have a facebook account besides the messenger account?

PS: I am also in the process of raising a privacy case with the Irish data authorities, because META has not deleted my data as requested in August 2024, but that is with an entirely different email to the one I am using now.

9
10
 
 

cross-posted from: https://europe.pub/post/9311

In case you ever wanted to blur your house from google street view, you can. A little privacy I suppose; it's pretty easy. You don't need a reason to do it. This is probably the only thing google lets you opt out of, which is cool.

Originally posted on Reddit

11
12
 
 

The only Pixel I have is a Pixel 3XL which is not supported anymore for updates. A few questions. Does that mean at some point you have to buy a new phone all the time? How long are they supported, do I need to buy the newest one every time to have a decently long support? If I can install Calyx, but have already degoogled my phone, is Calyx still useful? But I suppose at this point it's still better to get a Pixel anyway and install Graphene which is supposedly better? How risky is it to run an unsupported phone like my Pixel 3XL? What can happen?

13
12
submitted 1 week ago* (last edited 1 week ago) by [email protected] to c/[email protected]
 
 

After the whole Firefox debacle I'm trying to find a new privacy oriented browser for my Mac and iOS devices with bookmark syncing. Ideally an open source browser but I don't think one exists right now that has both macOS and iOS versions. For example LibreWolf has a Mac app but no iOS app.

It's not open source but Orion browser which exists on both Mac and iOS is the only browser I can find on Apple's App Store that has "Data Not Collected. The developer does not collect any data from this app." on its app store page.

And it has some interesting features like being able to run Chrome/Firefox extensions on iOS (including uBlock).

But I did some digging into Kagi, the makers of Orion and was turned off by them being an AI search company. Also, despite Kagi claiming Orion completely blocks fingerprinting I couldn't get Orion to pass EFF's fingerprinting benchmark tool; it always said I was unique no matter what settings I tried. And I've read some other questionable things about how Kagi operates its business which I won't go into here.

I know there's Brave but I'm turned off by the company's connection to crypto and their inclusion of AI in their browser.

Maybe Vivaldi? Vivaldi however says they do some anonymized telemetry to collect usage statistics. And again these two browsers also aren't open source either.

I'm afraid there are no good macOS + iOS browser setups? I'm hoping someone will correct me. 😬

edit: typos

14
 
 

Recently there has been controversy around Mozilla Firefox.

I've been looking for an alternative but really struggling, seems like every alternative has a downside:

  • Vivaldi: Uses some proprietary code and likely not doing much better on the user data side of things, also based on Chromium.

  • Tor: Uses Tor protocol and so is quite slow, my ISP would probably also think I'm a drug lord.

  • Fennec: Basically looks the same as Firefox but guessing less up to date, F-Droid has a warning about its using Mozilla services for tracking.

What are you guys using? Have you found anything good?

15
 
 

TL;DR: With Firefox 56, Mozilla combined Firefox Health Report and Telemetry data into a single setting called “technical and interaction data”, which was then enabled by default. This data was then shared with advertising partners on a de-identified or aggregated basis.

16
17
 
 

Porn companies must take strong action to protect privacy and prevent future harms

On March 3, 2025 Canada’s Privacy Commissioner announced that Pornhub’s practices fail to ensure meaningful consent has been obtained from everyone appearing in videos uploaded to the platform. (Shutterstock)

Elaine Craig, Dalhousie University

At a time of increased emphasis on buying Canadian, the country’s porn consumers can presumably rest easy. A Canadian business, Ethical Capital Partners (ECP), owns the world’s largest porn website, Pornhub. But do Canadian porn users have nothing to worry about?

On March 3, Canada’s privacy commissioner announced that Pornhub’s practices fail to ensure meaningful consent has been obtained from everyone appearing in videos uploaded to the platform, and that he will seek a federal court order directing Pornhub to comply with Canada’s privacy laws.

When ECP acquired Aylo (then called MindGeek), which owns Pornhub and other porn businesses, the company made numerous public statements. ECP’s executives stated in a release that Aylo was “built upon a foundation of trust, safety and compliance.” ECP executives also stated they were confident the company operates “legally and responsibly.”

However, class actions and individual lawsuits brought by women who allege Pornhub distributed videos of them without their consent, reports in 2020 of child rape videos on the platform and allegations of widespread content piracy do not align with ECP’s claims about Pornhub’s origins.

Privacy commissioner’s report

ECP’s assertion that Pornhub was built on trust and safety is also refuted by the privacy commissioner’s findings. In 2024, Commissioner Philippe Dufresne released a critical report regarding Aylo, following a complaint by a woman who alleged her ex-boyfriend uploaded a sexually explicit video of her to Pornhub without her consent. The video was copied and shared online hundreds of times.

The commissioner found that in 2015, when the video was posted, Pornhub’s process for ensuring consent was “wholly ineffective,” and that this had “devastating consequences for thousands of individuals whose intimate images were shared” without their knowledge and consent.

Dufresne stated the company was still failing “to ensure that it has obtained valid and meaningful consent from all individuals depicted in content uploaded to its websites.” He maintained this position in his announcement on March 2. ECP, which disputes the commissioner’s findings, launched unsuccessful legal proceedings to prevent Dufresne’s report from being published, delaying its release by nearly a year.

Numerous women have alleged horrific stories about their efforts to have videos removed from Pornhub that they did not consent to have uploaded (or in some cases, even created), only to be met with delay, a lack of response and administrative obstacles.

Today, Pornhub’s systems for verifying consent and responding to take-down requests are significantly more robust; they are likely superior to the mechanisms used by other platforms. But the lawsuits, testimony from victimized women and the commissioner’s report suggest this is hardly a company “built upon a foundation of trust, safety and compliance.” And according to Dufresne, Pornhub is still not compliant with the law.

Harmful content

When they acquired the company, ECP executives told the media they bought Aylo to promote “consensual and sex-positive adult entertainment.” Academic research, including my own, has examined content on porn platforms that depicts the sexual assault of sleeping or unconscious women, the sexual abuse of children by their fathers or step-fathers and the use of misogynistic meta-data — video titles, tags, and content categories — to promote content to users.

Depictions, including fictional ones, of sexual assault by step-fathers against step-daughters, or of sexual acts imposed upon sleeping women, are not sex-positive. Using misogynistic video titles and tags to organize and amplify hateful assertions about women and adolescent girls is not sex-positive.

Pornhub’s content moderation policies prohibit this type of harmful content. If Pornhub consistently enforced its own rules regarding depictions of non-consensual sex, hate speech and community standards, the depictions of sexual assault and the hateful and discriminatory titles, tags and categories of porn that I found in my research would not be present.

The company could presumably do this, given its claim that every piece of content on its site is approved by human moderators, and the success it has had relative to other platforms in eliminating and preventing child sexual abuse material.

The harms posed by fictional depictions of sexual assault, and the use of misogynistic titles and tags to promote porn, are significantly heightened because of the nature of the porn business today. Porn has changed enormously in the last decade. It has become social media.

A man wearing a t-shirt sits in bed in a dark room looking at a laptop computer screen

Contemporary porn’s ubiquity and social media character greatly enhance its capacity to shape our sexual culture, including in harmful ways. (Shutterstock)

Porn as social media

Like big tech generally, and social media in particular, the porn industry is shaped by search engine optimization, algorithms, data and the advertising revenue that drives the internet’s attention economy. As a result, porn is now freely available to anyone with a cellphone, exploding rates of consumption. And like other forms of social media, porn today is interactive.

These technological changes in the porn industry reveal that, if made easily accessible, many people will watch porn. Indeed, close to 10 per cent of Canadians visit Pornhub every day.

Contemporary porn’s ubiquity and social media character greatly enhance its capacity to shape our sexual culture, including in harmful ways. Broad social engagement with any practice, including the consumption of sexually explicit material, informs our relationships, norms and values. Eroticizing the sexual assault of unconscious women or step-daughters, or deploying misogynistic hate speech to shock, entice and arouse large segments of our communities, shapes how we understand and relate to consent, allegations of sexual assault and concepts of sexual desire.

There is nothing inherently harmful about watching porn, and not all porn contributes negatively to our social environment. However, ECP’s claims about the history of the world’s largest porn company suggest a lack of accountability regarding the tremendous harm that porn websites cause women and girls.

Transparency and accountability

Given porn’s heightened role in shaping our sexual culture in a platform society, content that depicts sexual assault or is framed in the language of misogyny is harmful to all of us. Presumably, this is why Pornhub’s policies prohibit this type of content. But content moderation rules are only as good as their enforcement.

ECP says it rebranded Aylo to reflect a “renewed commitment to…trust and safety” and to allow “the company to refocus its efforts to lead by example through transparency and public engagement.” The type of leadership that ECP contemplates requires a commitment to the truth and a willingness to rigorously uphold one’s own rules: the kind of commitment and willingness exhibited by Canada’s privacy commissioner, in this case.

To “lead by example,” ECP should start with transparency and forthright public accountability regarding the foundations upon which Pornhub was actually built and how it operated for many years. This must be followed by compliance with the privacy commissioner’s recommendations, and insistence that Pornhub’s content moderation policies are consistently and rigorously enforced.

Elaine Craig, Professor of Law, Dalhousie University

This article is republished from The Conversation under a Creative Commons license. Read the original article.

18
19
 
 

I haven't played Minecraft since 2015, but I get the feeling I might again in the next few years as I wanna find new hobbies. I know that game has changed a whole lot but I don't have any official online data on it.

I've had this Microsoft account for over a decade and it's probably full of personal information that I wanna let go of; I've already exported all my data. I would need to pay $30 for another copy of Minecraft, same price I paid in 2013. I just did a bunch of searching and it's not possible to transfer my Minecraft license to another account.

20
 
 

Synopsis

Starting April 1, 2026, the income tax department will have the authority to access social media, emails, and other digital spaces to curb tax evasion. This has been granted to them under the new income tax bill. This will also include search and seizure powers over your assets and documents, which have raised major privacy concerns. Experts warn of challenges to fundamental privacy rights without judicial oversight and procedural safeguards.

21
22
 
 

I need a Google account to sign up for a service I'm interested in, so I want to create a bogus account for that. Problem is I need a phone number to verify it. I obviously don't want to use my actual number, so I tried some of those online temporary number services, but none of them worked. I get different error messages when trying to use them: "Number has been used too many times", "Number can't be used for verification", stuff like that. Do you guys know of a way to get a working number?

23
 
 

I'm curious what everyone thinks about DuckDuckGo's current settings. I have my browser settings set to delete history, cache and cookies on closing. This creates an issue when using duckduckgo as my primary search engine. Their 'default' settings (available right below the searchbar) seem far from privacy focused. AI Chat is on by default and used 'sometimes', as well as 'advertising' and 'location' settings that are on by default. This requires me to have to change the settings every time I load my browser due to any settings I save being deleted by my browser setup. I don't want to install a duckduckgo extension. How do others deal with this? I know you can 'save anonymously' your settings in the cloud, but I'm not eager to do that.

24
 
 

To fill these gaps in our knowledge, we have created an open source project called Rayhunter.1 It is developed to run on an Orbic mobile hotspot (Amazon, Ebay) which is available for $20 or less at the time of this writing. We have tried to make Rayhunter as easy as possible to install and use, regardless of your level of technical knowledge. We hope that activists, journalists, and others will run these devices all over the world and help us collect data about the usage and capabilities of cell-site simulators (please see our legal disclaimer.)

Rayhunter works by intercepting, storing, and analyzing the control traffic (but not user traffic, such as web requests) between the mobile hotspot Rayhunter runs on and the cell tower to which it’s connected. Rayhunter analyzes the traffic in real-time and looks for suspicious events, which could include unusual requests like the base station (cell tower) trying to downgrade your connection to 2G which is vulnerable to further attacks, or the base station requesting your IMSI under suspicious circumstances.
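The two suspicious events the post names (a push down to 2G, and an IMSI request under suspicious circumstances), as an added detection example that is not Rayhunter's own code: a small heuristic analyzer over control-plane events. The event records are constructed and simplified (their names stand in for the NAS/RRC procedures they resemble), and the "suspicious circumstances" rule is an assumption chosen for the example: a request for the permanent IMSI after the network has already assigned the device a temporary identity. A real tool parses the hotspot's diagnostic log instead of these records.

```python
"""Heuristic detection of cell-site-simulator behaviour in control-plane events.

Added example, not Rayhunter's own code. Event records and rule thresholds are
constructed for illustration.
"""
from dataclasses import dataclass, field


@dataclass
class Event:
    t: float                 # seconds since capture start
    kind: str                # e.g. "IdentityRequest", "ConnectionRelease"
    params: dict = field(default_factory=dict)


@dataclass
class Alert:
    t: float
    rule: str
    detail: str


def analyze(events):
    """Return alerts for two patterns, scanning events in capture order.

    imsi-request: the network asks for the permanent IMSI although it has
      already handed the device a temporary identity (GUTI/TMSI); a genuine
      network normally keeps using that temporary identity (assumed rule).
    2g-downgrade: an LTE/UMTS connection is released with a redirect to GSM,
      pushing the device onto 2G.
    """
    alerts = []
    has_temp_id = False   # set once an AttachAccept/TauAccept/GutiReallocation is seen
    current_rat = None    # radio access technology currently in use
    for ev in events:
        if ev.kind in ("PowerOn", "Detach"):
            has_temp_id = False       # fresh start: an IMSI request is expected here
            current_rat = None
        elif ev.kind == "Registered":
            current_rat = ev.params.get("rat")
        elif ev.kind in ("AttachAccept", "TauAccept", "GutiReallocation"):
            has_temp_id = True
        elif ev.kind == "IdentityRequest":
            if ev.params.get("id_type") == "IMSI" and has_temp_id:
                alerts.append(Alert(ev.t, "imsi-request",
                    "IMSI requested although a temporary identity was already assigned"))
        elif ev.kind == "ConnectionRelease":
            if ev.params.get("redirect_rat") == "GSM" and current_rat in ("LTE", "UMTS"):
                alerts.append(Alert(ev.t, "2g-downgrade",
                    f"release redirected from {current_rat} to 2G (GSM)"))
    return alerts


def rules_fired(events):
    """Just the rule names, in the order they fired."""
    return [a.rule for a in analyze(events)]


# Constructed sample captures (not real traces).
SAMPLE_BENIGN = [
    Event(0.0, "PowerOn"),
    Event(1.2, "IdentityRequest", {"id_type": "IMSI"}),   # first attach, no GUTI yet: normal
    Event(1.9, "AttachAccept"),
    Event(2.0, "Registered", {"rat": "LTE"}),
    Event(60.0, "ConnectionRelease", {}),                 # plain release, no redirect
]

SAMPLE_SUSPICIOUS = [
    Event(0.0, "PowerOn"),
    Event(1.0, "AttachAccept"),
    Event(1.1, "Registered", {"rat": "LTE"}),
    Event(30.0, "IdentityRequest", {"id_type": "IMSI"}),  # asked again after a GUTI exists
    Event(31.0, "ConnectionRelease", {"redirect_rat": "GSM"}),
]

if __name__ == "__main__":
    for name, sample in (("benign", SAMPLE_BENIGN), ("suspicious", SAMPLE_SUSPICIOUS)):
        for alert in analyze(sample):
            print(f"{name}: t={alert.t:>6.1f}s {alert.rule}: {alert.detail}")
        if not analyze(sample):
            print(f"{name}: no alerts")
```

The benign capture contains an IMSI request too, but only at first attach when no temporary identity exists yet, which is why state (`has_temp_id`) rather than the message type alone decides whether to alert.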

25
 
 