Autonomía digital y tecnológica

Código e ideas para una internet distribuida

Linkoteca. privacidad


Email is an essential service in every business, and the effect of a company losing control over their email service is devastating, even if the company has merged or shut down. Sensitive information and documents are often exchanged over emails between clients, colleagues, vendors and service providers due to the convenience. Consequently, if a bad actor takes control of an entire business’s email service, sensitive information can end up in wrong hands.

Data Processing Agreement (DPA) is a legal contract between the data controller and data processor guaranteeing that the data processor will appropriately handle the data provided by the data controller under the rules of GDPR. This states the liabilities and obligations of both the data controller and data processor, the purpose and the extent of data processing, and the relationship between the aforementioned parties.

…a relación desigual de clase entre las Big Tech y sociedades de países del sur global o empobrecidas en el norte global. El fenómeno tiene nombre: colonialismo digital. En muchas ocasiones, el desarrollo de estas tecnologías en países donde las fronteras legales a nivel digital son difusas o inexistentes, la implementación de estas tecnologías y estructuras ni siquiera ha sido consentida por las personas que comienzan a utilizarla. De hecho, Sam Altman, el directivo de la empresa OpenaAI que desarrolla ChatGPT y Worldchain, explicaba a comienzos de este verano que ya había registrado el iris de más de dos millones de personas con una esfera metálica situada en espacios públicos por todo el mundo, también en el Estado español.

La autenticación biométrica, si no se implementa adecuadamente, puede exponer a los usuarios a riesgos de seguridad y privacidad, ya que esos servidores siempre serán susceptibles de ser atacados y los datos biométricos, que son inherentemente personales, una vez comprometidos, no se podrán cambiar como cualquier contraseña. Si los sistemas que almacenan estos datos son vulnerables a hackeos, los usuarios podrían enfrentar un riesgo significativo de robo de identidad.

Una extensa investigación de la MIT Technological Review reveló que la empresa estadounidense subcontrató cientos de personas que cobran por ojo escaneado en países empobrecidos, entre otros. Por ejemplo, en aldeas de Indonesia ofrecieron Airpods y vales por 25 Worldcoins a cambio de su información biométrica. También organizaron talleres de criptomoneda en centros educativos para escanear a cientos de estudiantes incluso algunos de ellos menores de edad. La revista entrevistó a más de 35 personas en seis países (Indonesia, Kenia, Sudán, Ghana, Chile y Noruega) que trabajaron para o en nombre de Worldcoin, que habían sido escaneados o que fueron reclutados sin éxito para participar.

Google’s newest proposed web standard is… DRM? Over the weekend the Internet got wind of this proposal for a «Web Environment Integrity API. » The explainer is authored by four Googlers, including at least one person on Chrome’s «Privacy Sandbox» team, which is responding to the death of tracking cookies by building a user-tracking ad platform right into the browser.

Perhaps the most telling line of the explainer is that it «takes inspiration from existing native attestation signals such as [Apple’s] App Attest and the [Android] Play Integrity API.» Play Integrity (formerly called «SafetyNet») is an Android API that lets apps find out if your device has been rooted. Root access allows you full control over the device that you purchased, and a lot of app developers don’t like that. So if you root an Android phone and get flagged by the Android Integrity API, several types of apps will just refuse to run. You’ll generally be locked out of banking apps, Google Wallet, online games, Snapchat, and some media apps like Netflix. You could be using root access to cheat at games or phish banking data, but you could also just want root to customize your device, remove crapware, or have a viable backup system. Play Integrity doesn’t care and will lock you out of those apps either way. Google wants the same thing for the web.

Captura de pantalla de la interfaz de Invidious

User features

  • Lightweight
  • No ads
  • No tracking
  • No JavaScript required
  • Light/Dark themes
  • Customizable homepage
  • Subscriptions independent from Google
  • Notifications for all subscribed channels
  • Audio-only mode (with background play on mobile)
  • Support for Reddit comments
  • Available in many languages, thanks to our translators

Data import/export

  • Import subscriptions from YouTube, NewPipe and Freetube
  • Import watch history from NewPipe
  • Export subscriptions to NewPipe and Freetube
  • Import/Export Invidious user data

Le passe sanitaire est la traduction d’évolutions techniques qui pourraient supprimer ces anciennes limites et permettre à cette forme de répression de s’appliquer à l’ensemble de la population, pour une très large diversité de lieux et d’activités.

Elle permet notamment de confier à des dizaines de milliers de personnes non-formées et non-payées par l’État (mais simplement munies d’un smartphone) la mission de contrôler l’ensemble de la population à l’entrée d’innombrables lieux publics, et ce, à un coût extrêmement faible pour l’État puisque l’essentiel de l’infrastructure (les téléphones) a déjà été financée de manière privée par les personnes chargées du contrôle.

Désormais, et soudainement, l’État a les moyens matériels pour réguler l’espace public dans des proportions presque totales.

Ce parallèle nous permet d’apporter une précision importante : qu’il s’agisse du passe sanitaire ou de la détection automatique des comportements « anormaux », ces systèmes ne nécessitent pas forcément un contrôle d’identité. Le logiciel d’imagerie qui signale votre comportement « anormal » se moque bien de connaître votre nom. De même, en théorie, le passe sanitaire aussi pourrait fonctionner sans contenir votre nom – c’est d’ailleurs ce que prévoyait la loi initiale sur la sortie de crise ou, plus inquiétant, ce que proposent désormais certaines entreprises en se fondant non plus sur le nom mais le visage. Dans ces situations, tout ce qui compte pour l’État est de diriger nos corps dans l’espace afin de renvoyer aux marges celles et ceux qui – peu importe leurs noms – ne se conforment pas à ses exigences.

Même dans son format le plus sophistiqué, l’efficacité du passe sur le plan sanitaire resterait toujours à démontrer – il demeure de nombreuses incertitudes, que ce soit sur la valeur des tests au bout de 72 heures, sur le taux de transmission même une fois vacciné, sur le cas des nouveaux variants, sur l’efficacité de la contrainte pour inciter la population à se faire vacciner, ou sur la durée de validité à retenir pour les tests de dépistage.

The Cybersecurity Tech Accord promotes a safer online world by fostering collaboration among global technology companies committed to protecting their customers and users and helping them defend against malicious threats.

Signatories are committed to advancing the mission of the Cybersecurity Tech Accord by partnering on initiatives that improve the security, stability and resilience of cyberspace. By combining the resources and expertise of the global technology industry, the Cybersecurity Tech Accord creates a starting point for dialogue, discovery and decisive action.

¿Qué medidas tomas al navegar por internet?. ¿Te proteges contra scripts como javascript y otros, contra la publicidad, el rastreo y el fingerprinting o evitar en lo posible tu huella digital?. ¿Qué navegadores usas en tu ordenador?, ¿usas extensiones en los mismos?

Desde hace años uso Firefox compilado con unos cuantos arreglos. No suelo bloquear demasiado mediante extensiones y sí mediante firewall y el famoso /etc/hosts con miles de dominios y subdominios.

I’ve managed to cobble together a device that is not only dirt cheap for what it does, but is extremely capable in its own right. If you have any interest in building your own home router, I’ll demonstrate here that doing so is not only feasible, but relatively easy to do and offers a huge amount of utility – from traffic shaping, to netflow monitoring, to dynamic DNS.

I built it using the espressobin, Arch Linux Arm, and Shorewall.

The Linksys WRT3200ACM has Tri-Stream 160 technology that doubles bandwidth to help maintain speed better than most dual-band routers. Additional features such as MU-MIMO technology helps each device stay connected to the network at the fastest possible speed without interfering with the performance of other devices.

Linksys’ Smart Wi-Fi smartphone app also lets you manage and monitor your network from anywhere at any given time, but it’s the open-source aspect that really shines for security-focused router buyers, since you can easily use “packages” from trustworthy open source distributions such as OpenWRT or DD-WRT and establish a secure VPN, monitor and analyze network traffic or detect network intrusions instantaneously. Since the firmware packages are all open source, that also means that they’ve been extensively “peer-reviewed” by security experts, making them much more likely to be free of vulnerabilities that hackers can exploit.

SPs (Internet Service Providers) generally offer DNS services to their customers, so when you don’t set up DNS servers on your computer or router, your DNS queries will run on your ISPs DNS servers. Using the default ISP DNS servers can result in certain problems while browsing the Internet:

Issues can happen with DNS requests themselves; most of the time they’re unencrypted and this leaves room for different types of DNS attacks.

Al instalar la aplicación, la misma solicita permisos para acceder al micrófono y al sistema de geolocalización. De esta manera, cuando el usuario está en un lugar público, como puede ser un bar o un café, el micrófono del teléfono móvil se activa y es utilizado para analizar el sonido ambiente del entorno, el cual es contrastado con la base de datos para determinar si el audio corresponde a un partido cuyos derechos de reproducción son propiedad de LaLiga. Además del micrófono, la aplicación utiliza el sistema de geolocalización del equipo para ubicar el local desde el que se retransmite el partido y comprobar si se trata de un cliente. En caso de que no lo sea y que la emisión del partido sea ilegal, la entidad propietaria de los derechos de reproducción de los partidos ha llegado a enviar inspectores a los bares para comprobar que sean abonados.

The PinePhone is a smartphone, developed by computer manufacturer Pine64, intended for allowing the user to have full control over the device. Measures to ensure this are running mainline Linux based mobile operating systems, assembling the phone with screws, so that it can be easily disassembled for repairs and upgrades[4], and including six kill switches / security switches for its hardware, which are accessible by removing the back cover of the phone.

Captura de pantalla de iuvia.io

Run your own cloud with email, calendar, storage and many other services in-house easily and get out of locked-in SaaS services to your own self hosted cloud.

IUVIA is a commercial hardware device and OS architecture that privacy-centric projects can use as a distribution ecosystem, and activists and other privacy-concerned individuals can use to access all the different features they need or that currently seek from cloud services.

There are a number of suggestions for the technical implementation of this concept. These proposals range from dystopian systems of full surveillance to targeted, completely anonymous methods of alerting potentially infected persons without knowledge of the specific person.

In principle, the concept of a «Corona App» involves an enormous risk due to the contact and health data that may be collected. At the same time, there is a chance for «privacy-by-design» concepts and technologies that have been developed by the crypto and privacy community over the last decades. With the help of these technologies, it is possible to unfold the epidemilogical potential of contact tracing without creating a privacy disaster. For this reason alone, all concepts that violate or even endanger privacy must be strictly rejected.

Solid, an open-source project to restore the power and agency of individuals on the web.

Solid changes the current model where users have to hand over personal data to digital giants in exchange for perceived value. As we’ve all discovered, this hasn’t been in our best interests. Solid is how we evolve the web in order to restore balance – by giving every one of us complete control over data, personal or not, in a revolutionary way.

Solid is a platform, built using the existing web. It gives every user a choice about where data is stored, which specific people and groups can access select elements, and which apps you use. It allows you, your family and colleagues, to link and share data with anyone. It allows people to look at the same data with different apps at the same time.

In 2009, I said, “The web as I envisaged it we have not seen yet.” That was because people were using the web just for documents, not for the data of a big web-wide computer. Since then, we have seen a wave of open data, but not of read-write data. For example, much open government data is produced through a one-way pipeline, so we can only view it. With Solid, it becomes a read-write web where users can interact and innovate, collaborate and share.

Surveillance on news websites is particularly problematic because the news you consume may reveal your political leanings or health interests — information that is not just exploited by corporations to sell you things, but could also be abused by governments. And because news organizations benefit from the surveillance economy by running advertisements targeted to reader interests, they may be less likely to report on their own tracking practices.

The Times’s privacy policy does not disclose the vast majority of tracking companies (including BlueKai) on its site, requires users to accept cookies to fully use the site and explicitly states that The Times ignores the “do not track” browser setting.

Worse, only 10 percent of these outside parties are disclosed in privacy policies of the news sites we studied, meaning even diligent readers will never learn who collects their data. From a privacy perspective, news websites are among the worst on the web.

The result is that as online advertising networks become more highly centralized, the old model of a independently managed and free press is being replaced by one where giant technology companies control user data and the purse strings.

Users are tracked online by a multitude of companies in order to build detailed records of individual browsing behaviors, often without consent. Many website operators are unaware of the user data they collect, and more importantly, the third parties who collect data on visitors to their sites.

Identifying data leaks and locating inadequate privacy policies which govern this type of data collection is critical in the context of new international regulations governing data protection.

“Sueño con un mundo en el que cada uno tenga sus datos encriptados antes de subirlos a la red. Ahora mismo, la situación es que todo el mundo da sus datos sin recibir nada a cambio. Y los damos para todo. Le preguntamos a Siri por la recomendación de un restaurante para comer, para cualquier cosa. Creo que debería haber, y Microsoft lo ha planteado en ocasiones, un mercado de datos que la gente pudiera decidir si quiere dar sus datos y a cambio pudiera recibir un tipo de compensación”, explica. “Ahora en la inteligencia artificial se utilizan muchos algoritmos con múltiples propósitos, como el reconocimiento de caras, recomendaciones de libros, imágenes médicas y tratamientos… Pero hay un problema de privacidad porque si subes todos tus datos biológicos a la nube no sabes quién y cómo puede utilizarlos”

Fue fundadora de Women in Numbers, un exitoso colectivo para trabajar en red que se ha extendido a otros campos como el de las biomatemáticas, Lauter sostiene que la sociedad debería apoyar más a las mujeres.

Do you hate your Internet Service Provider? Do you hate your Email Provider?

We’ll help you send them a GDPR Data Access Request designed to waste as much of their time as possible. They are legally required to respond to your request within 30 days!

It’s been a few years since this kind of argument has come up, but it’s one that we’ve had to swat down a few times in the past: it’s the argument that somehow if a company offers a service for free, it means that they’ll absolutely snarf up all your data, and that requiring services be paid for directly by users somehow would fix that.

Of course, it seems rather easy to point out why that’s wrong with two examples. First we pay for other services such as our broadband and mobile data providers and they are so much worse on the privacy front, it’s not even remotely comparable. It’s not as if magically paying for the service has stopped AT&T or Verizon from being horrific on the privacy front. The snarfing up of data doesn’t go away if you pay for services.

Second, there are businesses that have been built on giving away free tools without having to snarf up your data. Indeed, that’s actually how Google succeeded for much of its early history. It didn’t need to know everything about you. It just needed to know what you were searching for. And that was massively successful. It’s true that, over time, Google has moved away from that, but others (like DuckDuckGo) have stepped into that space as well.

está la aproximación íntima y personal a la gestión de las claves, en contraposición a la aproximación colectiva o comunal. He visto a varios colectivos compartir la contraseña de una cuenta de correo electrónico, Facebook, o Twitter, que son del colectivo y se gestionan de forma grupal. Obviamente no es la mejor forma de gestionar y resguardar la información de nuestro colectivo, pero es valioso recordar que en grupos militantes de gran parte del sur global seguramente lo «privado» se entiende de forma diferente que en el norte, y las más de las veces cruza lo personal y llega a lo colectivo.

Si hablamos de cuentas de correo electrónico es fácil decir: pues hay que usar una lista de correos en vez. Pero se complica si hablamos de plataformas como Twitter que no están diseñadas para las colectividades, al contrario, fomentan el individualismo y el «leadership» informativo.

Otro punto interesante es que tenemos que plantearnos radicalmente cómo es que hacemos las capacitaciones. No se trata de enseñar herramientas, asumiendo demasiado rápido dónde están los problemas. Varios procesos de aprendizaje tienden a fracasar porque son como la misa cristiana: todas hacemos reconocimiento de culpa y en la euforia del momento prometemos mejorar, y luego hacemos unas claves GPG larguísimas y super buenas pero que acaban inservibles porque a los tres meses de no usarlas nos las olvidamos

Es como lo de la mooncup: no porque nos digan que es lo mejor tiene necesariamente que resultarnos fácil, ni cómodo.

Por ahora, esa idea: afirmar nuestro derecho a la intimidad, también en la red. Y de poner una llave del tamaño que queramos, aunque luego, en casa, la pongamos bajo la alfombra porque así nos viene en gana.

A January investigation by the site Top10VPN found that more than half of the top 20 free VPN apps on the iOS and Android app stores either have Chinese ownership or are based in China. That’s all the more suspicious given that China officially banned VPNs last year. The concern: If China is allowing them to continue operating, it could be because they’re sharing data on their users with the Chinese government. When you use a VPN, you’re trusting that VPN with the same deep level of access to your online activity that you’d normally give your ISP. In other words, now they can see what you’re up to whenever you’re using the internet. VPNs may be more privacy-focused than big, corporate ISPs, but they’re also smaller, more opaque, and less publicly accountable.

…la CNIL vient de sanctionner Google à hauteur de 50 millions d’euros, considérant que le ciblage publicitaire qu’il réalise sur son système d’exploitation Android n’est pas conforme au règlement général pour la protection des données (RGPD), la nouvelle loi européenne entrée en application le 25 mai 2018. Cependant, cette sanction n’est qu’une toute première partie de la réponse à notre plainte contre Google, qui dénonçait surtout le ciblage publicitaire imposé sur Youtube, Gmail et Google Search en violation de notre consentement.

Amazon has launched a new service that uses machine learning to extract key data from patient records and can potentially help healthcare providers and researchers save money, make treatment decisions, and manage clinical trials. The company announced the service, called Amazon Comprehend Medical

Amazon’s other recent forays into healthcare include paying almost $1 billion to acquire online prescription service PillPack

It joins other large tech companies that are increasingly focused on healthcare. For example, earlier this year Apple launched a feature that lets customers view their hospital medical records on their iPhones, while Google recently hired former Geisinger CEO David Feinberg to unify and lead the healthcare initiatives across its businesses, including search, Google Brain, Google Fit, and Nest.

Of course, the uploading of medical records to the cloud for machine-learning analysis might questions from patients about how Comprehend Medical will ensure their privacy. Amazon says patient data is encrypted and can only be unlocked by customers who have a key, and that no data processed will be stored or used for training its algorithms. Comprehend Medical complies with the Health Insurance Portability and Accountability Act (HIPAA).

La modificación más relevante es la que hace que se deje de dar visibilidad a los contenidos que están a punto de violar las condiciones de uso de Facebook. Es decir, las publicaciones que se acercan a las líneas rojas marcadas por la red sobre desinformación, violencia, incitación al odio, clickbait y amenazas; incluso aunque no hayan violado estas condiciones de forma estricta.

Google is reportedly working on an A.I.-based health and wellness coach.

Thanks to its spectrum of hardware products, Google would have a notable advantage over existing wellness coaching apps. While its coach, as reported, would primarily exist on smartwatches to start, Android Police noted that the company could include a smartphone counterpart as well. The company could also eventually spread it to Google Home or Android TV. The latter is unchartered territory for these kinds of apps, which are typically limited to smartphones and wearables. With availability in the home, lifestyle coaching recommendations could become increasingly contextual and less obtrusive. If you ask for a chicken parmesan dinner recipe, it could offer a healthier alternative instead; or if you’re streaming music at 10 p.m. and have set a goal to get more sleep, perhaps it could interrupt your music playback to remind you start getting ready for bed. A smartwatch or phone could do this too, of course, but by linking up its product ecosystem, Google could deliver helpful notifications in the context that makes the most sense.

Confidential Mode will push users further into Google’s own walled garden while giving them what we believe are misleading assurances of privacy and security.

It’s important to note at the outset that because Confidential Mode emails are not end-to-end encrypted, Google can see the contents of your messages and has the technical capability to store them indefinitely, regardless of any “expiration date” you set. In other words, Confidential Mode provides zero confidentiality with regard to Google.

But that’s only the beginning of the problems with Gmail’s new built-in IRM. Indeed, the security properties of the system depend not on the tech, but instead on a Clinton-era copyright statute. Under Section 1201 of the 1998 Digital Millennium Copyright Act (“DMCA 1201”), making a commercial product that bypasses IRM is a potential felony, carrying a five-year prison sentence and a $500,000 fine for a first offense. DMCA 1201 is so broad and sloppily drafted that just revealing defects in Google IRM could land you in court.

We believe that using the term “Confidential Mode” for a feature that doesn’t provide confidentiality as that term is understood in infosec is misleading.

Un cliente de mensajería que no depende de servidores centralizados, usa la red Tor para ofrecer comunicaciones cifradas de extremo a extremo y es de código abierto.

A diferencia de las aplicaciones de mensajería tradicionales, Briar no depende de un servidor central – los mensajes se sincronizan directamente entre los dispositivos de los usuarios. Los mensajes se envían a través de la red Tor, protegiendo a los usuarios y en caso de que Internet no funcione, puede sincronizarse vía Bluetooth o Wi-Fi.

Su sistema para añadir contactos tampoco es convencional ya que, se genera un código que la persona a añadir debe escanear con su dispositivo móvil. De esta forma se busca que haya un encuentro físico entre el usuario y el futuro contacto. La lista de contacto se cifra y se almacena localmente en cada dispositivo.

Logo Fuck off Google

Search results without being spyed on.

Results are obtained -via proxy- from Google, Yahoo, Bing, etc. to ensure you will not disclose any personal or behavioural data to these companies. These results are «neutral» ie. not influenced by your profile (you are out of the «filter bubble» designed to serve you ads you are more likely to click…).

Sidewalk Labs says the sensor information would also support long-term planning. The data would fuel a virtual model of Quayside, which urban planners could use to test infrastructure changes quickly, at low cost, and without bothering residents. It could also be stored in a shared repository that entrepreneurs and companies could draw on to make their own products and services for Quayside.

Unsurprisingly for a company spawned, in part, by technologists, Sidewalk thinks of smart cities as being rather like smartphones. It sees itself as a platform provider responsible for offering basic tools (from software that identifies available parking spots to location-based services monitoring the exact position of delivery robots), much as Google does with its smartphone operating system, Android. Details are still under discussion, but Sidewalk plans to let third parties access the data and technologies, just as developers can use Google’s and Apple’s software tools to craft apps.

Though Sidewalk Labs says the data would be used for a community purpose, such as giving transit discounts to low-income residents, regulating building temperatures, and keeping trash cans from overflowing, not everyone is convinced. “There are definitely questions about whether Sidewalk Labs will try to make money by tracking people’s daily interactions,” says David Roberts, who studies cities at the University of Toronto. “What data will be collected, how personal will it be, how will it be used, and who will have access to it?”

…vos signets, vos courriels, vos contacts, vos fichiers sur Google Drive, toutes les informations citées ci-dessus, vos vidéos YouTube, les photos que vous avez prises sur votre téléphone, les produits que vous avez achetés en passant par Google et les sociétés qui vous les ont vendus…

La société détient également les informations de votre calendrier, vos hangouts Google, l’historique de vos déplacements, la musique que vous écoutez, les Google books que vous avez achetés, les groupes Google dont vous faites partie, les sites Internet que vous avez créés, les téléphones que vous avez eus, les pages que vous avez partagées, combien de pas vous faites par jour…