[HN Gopher] No user accounts, by design
       ___________________________________________________________________
        
       No user accounts, by design
        
       Author : bnr
       Score  : 176 points
       Date   : 2022-02-28 18:51 UTC (4 hours ago)
        
 (HTM) web link (f-droid.org)
 (TXT) w3m dump (f-droid.org)
        
       | Kwpolska wrote:
       | > Mozilla has taken this idea a step further with Firefox Klar
       | (also known as Firefox Focus similar to Firefox Klar but with
       | less private default settings).
       | 
       | Nope, Klar == Focus in German-speaking markets, the rename was
        | caused by an existing trademark: https://support.mozilla.org/en-US/kb/difference-between-fire...
       | 
       | Speaking of which, Focus fits my flow of incidental, one-off
       | browsing quite well -- it's my default browser. If I need a more
       | serious or stateful interaction, I might have the
       | service's/whatever's app installed, or use Chrome or full
       | Firefox.
        
         | kuschku wrote:
         | It's actually not that simple - Firefox Focus and Firefox Klar
         | are two different apps, with different packages.
         | 
         | The official Firefox Klar builds originally contained slightly
         | less tracking than the official Firefox Focus builds. Nowadays
         | it might be only the trademark that keeps them separate, but
         | originally there were clear differences in code.
        
       | awinter-py wrote:
       | 'anonymity is a great way to ensure privacy' is a strong argument
       | IMO
       | 
       | if (if) you assume that it's impossible for consumers to account
       | for how sites use and share userdata, requiring businesses to
       | allow anonymous transactions is the only policy solution to
       | privacy
       | 
       | tricky to balance a 'right to anonymous transaction' against
       | other policy goals like financial KYC, fraud protection, but IMO
       | our current KYC approach has been taken too far at the cost of
       | consumer welfare, and there's an unexplored middle ground
        
       | politelemon wrote:
       | App developer's perspective. I have a few apps on all major
       | places, including F-Droid. The 'no user accounts' thing makes
       | developing and distributing on F-Droid a freeing experience, as
       | compared to the G/A 'jails'. There is no pressure to meet
       | arbitrary undocumented restrictions, you are not subject to the
       | whims of dehumanizing AI routines, there are no ratings and
       | reviews (the feedback is direct). The build and deployment
       | process is not really my problem, as part of their Reproducible
       | Builds, even that aspect is taken care of.
       | https://f-droid.org/en/docs/Reproducible_Builds/
        
         | sneak wrote:
         | I find the distributor-does-the-building-and-signing to be
         | problematic from a security point of view. I would much prefer
         | that each developer does a build, signs it, and a notarization
         | of some kind is added by the distributor.
         | 
         | It seems to me that if you can compromise the f-droid
         | infrastructure you can compromise millions of handsets.
        
           | progval wrote:
           | F-Droid already supports this. From GP's link:
           | 
           | > This means that F-Droid can verify that an app is 100% free
           | software while still using the original developer's APK
           | signatures
        
       | tgsovlerkhgsel wrote:
       | F-droid gets many things right (e.g. verifiable builds), but it's
       | just not usable in practice.
       | 
       | Installing applications is a rare event, updating them is
       | frequent, and needs to disrupt the user as little as possible.
       | Android used to not allow alternative app stores to update apps
       | without user interaction, but now supports this through
       | UPDATE_PACKAGES_WITHOUT_USER_ACTION, which doesn't seem to be
       | supported by F-droid. So it's manual clicking for each update.
       | 
       | F-droid also somehow gets the regular update flow wrong and often
       | (always?) shows an error when you try to install the update from
       | the notification. That has remained unfixed for years. So you
       | have to manually open it, initiate the update, then click through
       | the dialogs.
       | 
       | Additionally, the official repos update so slowly that they're
       | useless for fast-moving stuff like NewPipe.
       | 
       | Together with Android bugs like
       | https://issuetracker.google.com/issues/204233247 (resetting all
       | "open with" URIs on update), this makes using packages installed
       | through F-Droid a nightmare.
        
         | simcop2387 wrote:
         | I believe this is a result of fdroid wanting to support older
         | android versions for longer than google does. They could
         | probably make two versions to allow this though but that would
         | require more maintenance
        
         | 6yyyyyy wrote:
         | >So it's manual clicking for each update.
         | 
         | You need to install the F-Droid Privileged Extension, or use a
         | ROM that has it pre-installed. That way it can update apps
         | without user interaction.
        
           | blacksmith_tb wrote:
           | Ah, but it looks like that means you need to be rooted?
        
           | bentcorner wrote:
            | Link: https://f-droid.org/en/packages/org.fdroid.fdroid.privileged...
        
         | hadrien01 wrote:
          | I just use SkyDroid. It's way faster, less buggy, and
          | compatible with Shizuku, which allows rootless auto-updates by
          | making use of newer developer options (Android 11+)
        
         | btdmaster wrote:
         | Issue tracking here:
         | https://gitlab.com/fdroid/fdroidclient/-/issues/2316
        
         | staindk wrote:
         | Not really a counter point because you mention a lot of other
         | issues with f-droid that sound valid (I haven't used it myself)
         | - but as a tangent regarding auto updates, I disable them
         | basically everywhere because I seem to have buggy experiences
         | too often if I allow stuff to update all the time.
         | 
         | I then go through the list of updates in the Play Store once a
         | week or so and install those that I think might improve app
         | functioning/stability. I look over and install Windows updates
         | once a way-too-long (need to work on this).
         | 
         | Feel like everyone is skimping on QA these days or something
         | else fishy is going on. In the last handful of years there have
         | been 2 or 3 Windows updates that either permanently erased data
         | or caused some other insane issues. I didn't get them (tbf I
         | understand that most people didn't), partially thanks to having
         | auto updates disabled.
        
           | thaumasiotes wrote:
           | > In the last handful of years there have been 2 or 3 Windows
           | updates that either permanently erased data or caused some
           | other insane issues.
           | 
           | I'm still mad about the Windows update that permanently
           | stopped Windows from working with my Bose headphones. The
           | headphones continued to work perfectly with anything that
           | wasn't running Windows.
        
           | andai wrote:
           | >I look over and install Windows updates once a way-too-long
           | 
           | I thought you needed some kind of registry hacks or something
           | to disable automatic updates since W10, can you elaborate on
           | how you got it to stop pestering you?
        
         | ancientsofmumu wrote:
          | > _...but it's just not usable in practice._
         | 
         | > _...this makes using packages installed through F-Droid a
         | nightmare._
         | 
         | I run 2x Androids with near 80%-90% of the packages installed
         | from F-Droid repos (to include Bromite and Bitwarden custom
         | repos); it has quirks and is not perfect - but far from "not
         | usable" and "nightmare" as your hyperbole would suggest.
        
           | newaccount74 wrote:
           | Same here. Curation could still be better on F-Droid, but I'm
           | very happy with it overall.
           | 
           | Thank you whoever is behind it, you're doing a great job.
        
         | kbelder wrote:
         | In order to reduce disruption from updates, I've found it
         | necessary to turn them off. I'll go into the play store and
         | update the ones I want to update, when I want to.
         | 
         | So for at least some users, this isn't a problem at all. It's a
         | better default.
        
       | bduerst wrote:
       | How do you solve problems arising from bad actors without an
       | object representing the user?
        
         | wpietri wrote:
         | It depends on context, but often having an object representing
         | the user is at best a speed bump to a bad actor. Social media's
         | an obvious example here. I know Twitter does quite a lot to
         | limit bad actors, but the outcome is still not great.
         | 
         | The vast bulk of sites want to make signup easy, meaning user
         | objects are cheap. Cheap user ids are easily disposed of and
         | replaced. So if you need to keep bad actors out, user accounts
         | may not help a ton.
        
         | psanford wrote:
          | We're just talking about software delivery here. It's the same
         | as Debian not requiring you register before using `apt` to
         | install packages (or every other linux distro).
        
           | bduerst wrote:
           | The article gives specific examples like virtual meeting
           | software that doesn't have users, just URLs. It's more than
           | that.
        
             | hedora wrote:
             | The solution for that is easy: Don't share the new URL with
             | someone that was a jerk in the past. (And don't make it
             | easy to guess meeting URLs)
        
               | bduerst wrote:
               | How do you share a URL without a user representation to
               | share with? How do you prevent others from sharing URLs
               | with bad actors? Or meeting passwords?
               | 
               | https://en.wikipedia.org/wiki/Zoombombing
        
               | tedunangst wrote:
               | You send the url to your friends however you like. Email,
               | chat, QR code. You don't send it to people who aren't
               | your friends.
        
               | bduerst wrote:
               | > How do you prevent others from sharing URLs with bad
               | actors?
               | 
               | Sure, but then the student who shares their interactive
               | class URL (w/ or w/o password) on 4chan still isn't
               | accounted for.
        
       | nonrandomstring wrote:
       | What we used to call "Need to know" is making a comeback. You
       | don't need to know. I don't need to know. And in most cases the
       | less we do know the better. Glad that GDPR is spreading this
       | fundamental security principle again. Most websites could and
       | should dispense with sign-in. Even those that have something to
       | sell can compartmentalise that function these days. That's why I
        | like Gemini, because of its regression to a more or less
        | stateless web that is about words, roles, knowledge, links,
       | things and places, but not so much about people and "identity".
       | That's where we've gone wrong with WWW.
        
         | hinkley wrote:
         | I have been experimenting with trying to draw a line between
         | wants and consequences where I work. It's tough, and I'm only
         | barely making headway, but on a large project what you often
         | end up with is people adding costs to the system without a
         | clear payoff, and without cost accounting.
         | 
         | I am trying to get telemetry in place to demonstrate how much
         | of our capacity is going to particular features, so that we can
         | say, okay, that wizbang thing is costing us $100k a year. Our
         | profit is 1:X (we make $X for every dollar we spend). Is this
         | lowering or raising our profit margin?
         | 
         | I think we are completely disconnected from opportunity costs
         | and the entire center of most orgs I've been in are all about
         | covering your own butt and telling stories. Until the layoffs
         | happen and then we discover that the investors, advisors and
         | some of the C suite actually care about whether spending $1 for
         | the _prospect_ of making $1.50 is a complete waste of time and
         | energy. And I often wonder if some of the narratives I hear
         | about who got laid off and why are not seeing this calculus in
         | the results.
        
       | newaccount74 wrote:
       | I try to follow this as much as possible, but at some point when
       | providing a paid service you run into the problem that you need
       | to track whether the user has paid for the software or not.
       | 
       | So even though my software does not require user accounts, it
       | requires a serial number to activate all features. That serial
       | number can be linked to the purchaser, so in theory my app could
       | do really invasive tracking. (It doesn't, but my users have to
       | rely on my word)
       | 
       | How can one fix this? I would love for my software to somehow
       | anonymously check whether the user paid for it, and isn't running
       | it on more than X devices, but I'm not sure how this could be
       | done without revealing the users identity.
        
         | 13415 wrote:
         | Mullvad allows Bitcoin purchases of tokens, which can then be
         | used as a serial for the VPN that works for the time period
         | you've purchased. Users can change tokens any time. That's
         | probably close to what you're already doing.
        
       | Liquix wrote:
       | Love the sentiment & love F-Droid. Vote for non-dark patterns
       | with your patronage wherever possible!
       | 
       | It's a bit sad how a website _not_ employing a dark pattern
       | inspires explicit praise these days...
        
       | neonate wrote:
       | https://archive.is/DcvFS
        
       | jkaptur wrote:
       | I've been thinking a lot about this for https://www.diffdiff.net.
       | After convenience, privacy is the core of the value proposition -
       | the text to diff doesn't get sent to the server.
       | 
       | On the other hand, though, if you want to publish/share a diff,
        | then, you know, _privacy is the core of the value proposition_,
       | so you probably don't want to share it with the whole world, much
       | less let the whole world edit or delete it!
       | 
       | It's possible to design a scheme with hard-to-guess URLs, URL
       | parameters with "secret edit tokens" and so on, but that feels
       | hard to use and different from how other sites work.
       | 
       | I'm quite torn.
        
         | syrrim wrote:
         | The way mega.nz works is the sharable url contains a decryption
         | key in the hash. The server only sees encrypted data, the
         | client requests that data then decrypts it. This design ensures
         | they have no ability to see user content, while still enabling
         | users to share links on the web.
        
           | m1sta_ wrote:
           | They still have the ability to see user content, but it would
           | require them to make a change to their codebase. If they did
           | such a change silently...
        
       | 2OEH8eoCRo0 wrote:
       | I've always wished that mobile app "stores" worked more like
       | Linux package managers.
        
         | encryptluks2 wrote:
         | Still hopeful to get a proper Linux phone someday.
        
           | imiric wrote:
           | The PinePhone (Pro) and its ecosystem looks promising, no?
           | I'd say we're closer than ever to it being a capable daily
           | driver, certainly by the next iteration.
        
       | wpietri wrote:
       | I tried something like this once and it worked surprisingly well,
       | even for a UGC site.
       | 
       | Years back we were doing something that included users
       | documenting TV shows. We had a big meeting where people put every
        | feature they wanted on index cards. We laid the cards out on a
        | founder's dining room table. The host got their change jar and
       | each person got a certain number of pennies to mark features they
       | thought were vital for first launch.
       | 
       | After the first round of token-voting, the "user accounts" card
       | had no votes. At first it seemed impossible. But after some
       | discussion, we realized that viewing users didn't need accounts
       | for launch. For people who wanted to edit, we let them type in a
       | name to take credit for their contributions if they wanted, but
       | with no verification. At worst, we figured we could add something
       | more robust if the need were stronger.
       | 
       | It turned out fine. The launch got out earlier and we got to test
       | a number of key product hypotheses without having to build any
       | sort of user account system. Months later it did eventually
       | become the highest priority. But not having accounts worked way
       | longer than I expected.
        
         | hinkley wrote:
         | What's been professionally frustrating me for years as a
         | developer is how much of the engineering and operational budget
         | for a project is tied up into identifying and tracking users.
         | The first time this happened to me we had some idiot who
         | insisted that we needed to display exactly how many logged on
         | users there were on every page load. There was no point in
         | doing so, and we had proven that it was _at least_ ten percent
         | of the cost of each page load. In fact it was higher than that
          | but 10% is what we could prove. My current project is about
         | our customers, not the users, and probably 80% of the operating
          | budget is about making the customer feel like they're running
         | the show. Often with demonstrable and even cliched consequences
         | for the users.
         | 
         | Without customization or user tracking, many, many workflows
         | shift to read-mostly. Many are idempotent. Some can be fully
         | cached. Some can be edge-cached.
         | 
         | The dark secret of 'social' media that has been slowly coming
         | out is that they aren't social. They aren't about 'Us', they're
         | about _me_. Me, me, me. So of course the whole workflow is
          | built around who I am and what I want. That's not just
         | unhealthy, it's also really fucking expensive. And if it's
         | really expensive we can't just eat the cost as a 'value add',
         | we now have to monetize it. So things were already pretty dark
         | and then compensation came into the picture and now it's
         | positively dire.
        
         | sneak wrote:
         | What about abuse/vandalism? If the whole web has edit
         | privileges, what's to stop someone from scripting changing all
         | of the titles to random strings every hour? Do you do a captcha
         | on every edit or something?
         | 
         | I think the main idea around user accounts is that they
         | centralize a point of applying captchas as well as a tiny bit
         | of data collection (some form of contact information) that can
         | be used for antispam (e.g. banning certain email address
         | domains from creating accounts, or banning certain email
         | addresses, etc).
        
           | wpietri wrote:
           | I'm familiar with the theory. But accounts just aren't a big
           | barrier to determined bad actors.
           | 
           | Note that the world's biggest content site, Wikipedia, allows
           | anonymous edits and always has. And note also that some of
           | big tech companies, despite having all the money in the
           | world, still have problems with fake accounts. So at best,
           | requiring user accounts is one possible anti-abuse step, but
           | it's neither necessary nor sufficient to prevent abuse.
        
             | sneak wrote:
              | > _Note that the world's biggest content site, Wikipedia,
             | allows anonymous edits and always has._
             | 
             | Not really. You can't edit Wikipedia from a VPN (even with
             | a user account!), and I think they ban most datacenters.
             | The edits aren't really anonymous if they publicly
             | associate with a piece of PII that, for most people,
             | directly maps to their name and home address.
        
               | wpietri wrote:
               | Oh? My current IP is 2601:646:4300:758:f676:3f1b:8b5:42a.
               | Please show me how to turn that into my name and home
               | address. Thanks!
        
               | sneak wrote:
               | Comcast has a portal for law enforcement to request
               | subscriber information at https://lea.comcast.com . That
               | IPv6 address, plus the current date and time, uniquely
               | identifies you by name and service address. Any edits you
               | make to Wikipedia from that address are not anonymous.
        
               | danShumway wrote:
               | GP's "directly" is a pretty large overstatement, but at
               | the same time I've noticed something of an uptick over
               | the past couple of years of people saying that IP
               | addresses aren't PII or that people shouldn't be
               | concerned with them getting leaked, and I just don't
               | think that stands up to much scrutiny.
               | 
               | If IP addresses didn't matter for privacy, Tor routing
               | wouldn't exist. If IP addresses weren't useful for
               | blocking specific users, IP bans wouldn't exist. If IP
               | addresses weren't useful for tracking, operators wouldn't
               | have gotten up in arms about Apple's private relay
               | service. Obviously this stuff matters.
               | 
               | Remember that not everyone lives in or around San
               | Francisco. For someone in a suburban/rural area, an IP
               | address combined with things like timestamps, user ids,
               | and the text of the edits can go a really long way
               | towards unmasking them. Even for people who live in more
               | urban areas, it is still obviously easier to find someone
               | who lives in San Francisco than it is to find someone who
               | could be living anywhere on the West Coast. If they could
               | also have been using a VPN, or time-shifting their
               | posts... that makes it even harder.
               | 
               | In contrast, how hard do you really think it would
               | actually be to get some address data from a voter roll or
               | via a warrant or even just through one of the scummy
               | person lookup services online and to iterate through
               | everyone who shares that IP address and check to see how
               | many of them are named Pietri? Or who have shared the
               | username wpietri across another account, or posted
               | somewhere else at roughly the same time? Your IP address
               | is drastically reducing the search-space for other
               | attacks, many of which (timing, text-analysis, etc) are
               | impossible to get rid of when making a Wikipedia edit.
        
             | skybrian wrote:
             | Accounts alone won't do it. Accounts and invites might? But
             | then someone who doesn't know anyone on the site needs to
             | figure out how to contact someone who's a member.
             | 
             | It's not good for growth, but some websites are fine with
             | that.
        
               | hinkley wrote:
                | Over time the quality of the invites goes down as well.
               | 
               | If I'm in the picky group, and we send out 5 invites
               | total, but the unpicky group sends out 10, then 2/3 of
               | the invites are unpicky - if the groups are the same
               | size, which they probably won't be for a while (I'm
               | probably inviting people who are almost as picky as I am)
               | 
               | There's also someone on the team who thinks we'd grow
               | faster if we simplified the onboarding process, which is
               | true but also means when we piss off some user they can
               | create a bunch of accounts while they're still spun up
               | and cause a bunch of overhead for the support team and
               | the developers. That gets expensive too.
        
       | [deleted]
        
       | seppoonbi wrote:
       | There is also midground which takes good/bad parts of both
       | worlds. Users have id's but no username or password. Some
       | imageboards use this.
        
       | a_c wrote:
       | I have been thinking how we can incentivize people building
       | netizen friendly website/app. Creating users, cookies,
       | javascripts heavy, paywall, analytics, etc all share a common
       | incentive of ease of monetization. Privacy, usability,
       | performance, all important stuff, but apparently not important
       | enough, as a result plummeted.
       | 
       | Would love to learn the options!
        
         | [deleted]
        
       | lifeisstillgood wrote:
       | The thing that F-droid are getting right here is "if we don't
       | track you, you have privacy from us".
       | 
       | But privacy is not secrecy. If f-droid tracked my every waking
        | move, and then just never bothered to look at that data, I would
       | still have privacy from them.
       | 
       | What they are doing here is a form of guaranteeing their future
       | good behaviour. Which is nice, but there are other methods. For
       | example I am happy to announce my plans to _not_ rob a bank. But
       | there are means in place to ensure I do not - At least not twice.
       | 
       | So while it is nice to find ways to avoid having user accounts at
       | all, most hospitals will have to have other means to keep their
       | users privacy.
       | 
       | Most of the time we are going to need to rely on regulation,
        | where PII data (which, let's face it, is 98% of all data) will both
       | legally and culturally have to be protected at levels hardly
       | dreamed of today.
        
         | hinkley wrote:
         | > I would still have privacy from them.
         | 
         | No, they have an unexploited asset and you think you're safe
         | because nobody has exploited it yet. This is false security. If
         | money gets tight they'll exploit it. If they get bought out the
         | new owners will exploit it. If they get hacked, the entire
         | Internet will exploit it.
         | 
         | I would highly recommend that you spend a little bit of time
         | thinking about or working with groups of dissidents, other
         | oppressed groups, even people who have been sexually harassed.
         | I have seen so much wrong-thinking about what Security actually
         | is and it's always people living in a privilege bubble, not
         | thinking of actual, real life existential threat that exposure
         | can represent until they have some user in hiding because they
         | got death threats after being doxxed. Or just plain
         | disappearing because their government black-bagged them over
         | something they posted online.
        
       ___________________________________________________________________
       (page generated 2022-02-28 23:00 UTC)