[HN Gopher] No user accounts, by design
___________________________________________________________________
No user accounts, by design
Author : bnr
Score : 176 points
Date : 2022-02-28 18:51 UTC (4 hours ago)
web link (f-droid.org)

| Kwpolska wrote:
| > Mozilla has taken this idea a step further with Firefox Klar (also known as Firefox Focus similar to Firefox Klar but with less private default settings).
|
| Nope, Klar == Focus in German-speaking markets, the rename was caused by an existing trademark: https://support.mozilla.org/en-US/kb/difference-between-fire...
|
| Speaking of which, Focus fits my flow of incidental, one-off browsing quite well -- it's my default browser. If I need a more serious or stateful interaction, I might have the service's/whatever's app installed, or use Chrome or full Firefox.

| kuschku wrote:
| It's actually not that simple - Firefox Focus and Firefox Klar are two different apps, with different packages.
|
| The official Firefox Klar builds originally contained slightly less tracking than the official Firefox Focus builds. Nowadays it might be only the trademark that keeps them separate, but originally there were clear differences in code.

| awinter-py wrote:
| 'anonymity is a great way to ensure privacy' is a strong argument IMO
|
| if (if) you assume that it's impossible for consumers to account for how sites use and share user data, requiring businesses to allow anonymous transactions is the only policy solution to privacy
|
| tricky to balance a 'right to anonymous transaction' against other policy goals like financial KYC, fraud protection, but IMO our current KYC approach has been taken too far at the cost of consumer welfare, and there's an unexplored middle ground

| politelemon wrote:
| App developer's perspective. I have a few apps on all major places, including F-Droid. The 'no user accounts' thing makes developing and distributing on F-Droid a freeing experience, as compared to the G/A 'jails'. There is no pressure to meet arbitrary undocumented restrictions, you are not subject to the whims of dehumanizing AI routines, there are no ratings and reviews (the feedback is direct). The build and deployment process is not really my problem; as part of their Reproducible Builds, even that aspect is taken care of. https://f-droid.org/en/docs/Reproducible_Builds/

| sneak wrote:
| I find the distributor-does-the-building-and-signing to be problematic from a security point of view. I would much prefer that each developer does a build, signs it, and a notarization of some kind is added by the distributor.
|
| It seems to me that if you can compromise the f-droid infrastructure you can compromise millions of handsets.

| progval wrote:
| F-Droid already supports this. From GP's link:
|
| > This means that F-Droid can verify that an app is 100% free software while still using the original developer's APK signatures

| tgsovlerkhgsel wrote:
| F-droid gets many things right (e.g. verifiable builds), but it's just not usable in practice.
|
| Installing applications is a rare event, updating them is frequent, and needs to disrupt the user as little as possible. Android used to not allow alternative app stores to update apps without user interaction, but now supports this through UPDATE_PACKAGES_WITHOUT_USER_ACTION, which doesn't seem to be supported by F-droid. So it's manual clicking for each update.
|
| F-droid also somehow gets the regular update flow wrong and often (always?) shows an error when you try to install the update from the notification. That has remained unfixed for years. So you have to manually open it, initiate the update, then click through the dialogs.
|
| Additionally, the official repos update so slowly that they're useless for fast-moving stuff like NewPipe.
|
| Together with Android bugs like https://issuetracker.google.com/issues/204233247 (resetting all "open with" URIs on update), this makes using packages installed through F-Droid a nightmare.

| simcop2387 wrote:
| I believe this is a result of fdroid wanting to support older android versions for longer than google does. They could probably make two versions to allow this though, but that would require more maintenance.

| 6yyyyyy wrote:
| > So it's manual clicking for each update.
|
| You need to install the F-Droid Privileged Extension, or use a ROM that has it pre-installed. That way it can update apps without user interaction.

| blacksmith_tb wrote:
| Ah, but it looks like that means you need to be rooted?

| bentcorner wrote:
| Link: https://f-droid.org/en/packages/org.fdroid.fdroid.privileged...

| hadrien01 wrote:
| I just use SkyDroid. It's way faster, less buggy, and compatible with Shizuku, which allows rootless auto-updates by making use of newer developer options (Android 11+).

| btdmaster wrote:
| Issue tracking here: https://gitlab.com/fdroid/fdroidclient/-/issues/2316

| staindk wrote:
| Not really a counterpoint because you mention a lot of other issues with f-droid that sound valid (I haven't used it myself) - but as a tangent regarding auto updates, I disable them basically everywhere because I seem to have buggy experiences too often if I allow stuff to update all the time.
|
| I then go through the list of updates in the Play Store once a week or so and install those that I think might improve app functioning/stability. I look over and install Windows updates once a way-too-long (need to work on this).
|
| Feel like everyone is skimping on QA these days or something else fishy is going on. In the last handful of years there have been 2 or 3 Windows updates that either permanently erased data or caused some other insane issues. I didn't get them (tbf I understand that most people didn't), partially thanks to having auto updates disabled.

| thaumasiotes wrote:
| > In the last handful of years there have been 2 or 3 Windows updates that either permanently erased data or caused some other insane issues.
|
| I'm still mad about the Windows update that permanently stopped Windows from working with my Bose headphones. The headphones continued to work perfectly with anything that wasn't running Windows.

| andai wrote:
| > I look over and install Windows updates once a way-too-long
|
| I thought you needed some kind of registry hacks or something to disable automatic updates since W10, can you elaborate on how you got it to stop pestering you?

| ancientsofmumu wrote:
| > _...but it's just not usable in practice._
|
| > _...this makes using packages installed through F-Droid a nightmare._
|
| I run 2x Androids with near 80%-90% of the packages installed from F-Droid repos (to include Bromite and Bitwarden custom repos); it has quirks and is not perfect - but far from "not usable" and "nightmare" as your hyperbole would suggest.

| newaccount74 wrote:
| Same here. Curation could still be better on F-Droid, but I'm very happy with it overall.
|
| Thank you whoever is behind it, you're doing a great job.

| kbelder wrote:
| In order to reduce disruption from updates, I've found it necessary to turn them off. I'll go into the play store and update the ones I want to update, when I want to.
|
| So for at least some users, this isn't a problem at all. It's a better default.

| bduerst wrote:
| How do you solve problems arising from bad actors without an object representing the user?

| wpietri wrote:
| It depends on context, but often having an object representing the user is at best a speed bump to a bad actor. Social media's an obvious example here. I know Twitter does quite a lot to limit bad actors, but the outcome is still not great.
|
| The vast bulk of sites want to make signup easy, meaning user objects are cheap. Cheap user ids are easily disposed of and replaced. So if you need to keep bad actors out, user accounts may not help a ton.

| psanford wrote:
| We're just talking about software delivery here. It's the same as Debian not requiring you to register before using `apt` to install packages (or every other linux distro).

| bduerst wrote:
| The article gives specific examples like virtual meeting software that doesn't have users, just URLs. It's more than that.

| hedora wrote:
| The solution for that is easy: Don't share the new URL with someone that was a jerk in the past. (And don't make it easy to guess meeting URLs)

| bduerst wrote:
| How do you share a URL without a user representation to share with? How do you prevent others from sharing URLs with bad actors? Or meeting passwords?
|
| https://en.wikipedia.org/wiki/Zoombombing

| tedunangst wrote:
| You send the url to your friends however you like. Email, chat, QR code. You don't send it to people who aren't your friends.

| bduerst wrote:
| > How do you prevent others from sharing URLs with bad actors?
|
| Sure, but then the student who shares their interactive class URL (w/ or w/o password) on 4chan still isn't accounted for.

| nonrandomstring wrote:
| What we used to call "Need to know" is making a comeback. You don't need to know. I don't need to know. And in most cases the less we do know the better. Glad that GDPR is spreading this fundamental security principle again. Most websites could and should dispense with sign-in. Even those that have something to sell can compartmentalise that function these days. That's why I like Gemini, because of its regression to a more or less stateless web that is about words, roles, knowledge, links, things and places, but not so much about people and "identity". That's where we've gone wrong with WWW.

| hinkley wrote:
| I have been experimenting with trying to draw a line between wants and consequences where I work. It's tough, and I'm only barely making headway, but on a large project what you often end up with is people adding costs to the system without a clear payoff, and without cost accounting.
|
| I am trying to get telemetry in place to demonstrate how much of our capacity is going to particular features, so that we can say, okay, that wizbang thing is costing us $100k a year. Our profit is 1:X (we make $X for every dollar we spend). Is this lowering or raising our profit margin?
|
| I think we are completely disconnected from opportunity costs and the entire center of most orgs I've been in is all about covering your own butt and telling stories. Until the layoffs happen and then we discover that the investors, advisors and some of the C suite actually care about whether spending $1 for the _prospect_ of making $1.50 is a complete waste of time and energy. And I often wonder if some of the narratives I hear about who got laid off and why are not seeing this calculus in the results.

| newaccount74 wrote:
| I try to follow this as much as possible, but at some point when providing a paid service you run into the problem that you need to track whether the user has paid for the software or not.
|
| So even though my software does not require user accounts, it requires a serial number to activate all features. That serial number can be linked to the purchaser, so in theory my app could do really invasive tracking. (It doesn't, but my users have to rely on my word)
|
| How can one fix this? I would love for my software to somehow anonymously check whether the user paid for it, and isn't running it on more than X devices, but I'm not sure how this could be done without revealing the user's identity.

| 13415 wrote:
| Mullvad allows Bitcoin purchases of tokens, which can then be used as a serial for the VPN that works for the time period you've purchased. Users can change tokens any time. That's probably close to what you're already doing.

| Liquix wrote:
| Love the sentiment & love F-Droid. Vote for non-dark patterns with your patronage wherever possible!
|
| It's a bit sad how a website _not_ employing a dark pattern inspires explicit praise these days...

| neonate wrote:
| https://archive.is/DcvFS

| jkaptur wrote:
| I've been thinking a lot about this for https://www.diffdiff.net. After convenience, privacy is the core of the value proposition - the text to diff doesn't get sent to the server.
|
| On the other hand, though, if you want to publish/share a diff, then, you know, _privacy is the core of the value proposition_, so you probably don't want to share it with the whole world, much less let the whole world edit or delete it!
|
| It's possible to design a scheme with hard-to-guess URLs, URL parameters with "secret edit tokens" and so on, but that feels hard to use and different from how other sites work.
|
| I'm quite torn.

| syrrim wrote:
| The way mega.nz works is the sharable url contains a decryption key in the hash. The server only sees encrypted data; the client requests that data then decrypts it. This design ensures they have no ability to see user content, while still enabling users to share links on the web.

| m1sta_ wrote:
| They still have the ability to see user content, but it would require them to make a change to their codebase. If they did such a change silently...

| 2OEH8eoCRo0 wrote:
| I've always wished that mobile app "stores" worked more like Linux package managers.

| encryptluks2 wrote:
| Still hopeful to get a proper Linux phone someday.

| imiric wrote:
| The PinePhone (Pro) and its ecosystem looks promising, no? I'd say we're closer than ever to it being a capable daily driver, certainly by the next iteration.

| wpietri wrote:
| I tried something like this once and it worked surprisingly well, even for a UGC site.
|
| Years back we were doing something that included users documenting TV shows. We had a big meeting where people put every feature they wanted on index cards. We laid the cards out on a founder's dining room table. The host got their change jar and each person got a certain number of pennies to mark features they thought were vital for first launch.
|
| After the first round of token-voting, the "user accounts" card had no votes. At first it seemed impossible. But after some discussion, we realized that viewing users didn't need accounts for launch. For people who wanted to edit, we let them type in a name to take credit for their contributions if they wanted, but with no verification. At worst, we figured we could add something more robust if the need were stronger.
|
| It turned out fine. The launch got out earlier and we got to test a number of key product hypotheses without having to build any sort of user account system. Months later it did eventually become the highest priority. But not having accounts worked way longer than I expected.

| hinkley wrote:
| What's been professionally frustrating me for years as a developer is how much of the engineering and operational budget for a project is tied up in identifying and tracking users. The first time this happened to me we had some idiot who insisted that we needed to display exactly how many logged on users there were on every page load. There was no point in doing so, and we had proven that it was _at least_ ten percent of the cost of each page load. In fact it was higher than that but 10% is what we could prove. My current project is about our customers, not the users, and probably 80% of the operating budget is about making the customer feel like they're running the show. Often with demonstrable and even cliched consequences for the users.
|
| Without customization or user tracking, many, many workflows shift to read-mostly. Many are idempotent. Some can be fully cached. Some can be edge-cached.
|
| The dark secret of 'social' media that has been slowly coming out is that they aren't social. They aren't about 'Us', they're about _me_. Me, me, me. So of course the whole workflow is built around who I am and what I want. That's not just unhealthy, it's also really fucking expensive. And if it's really expensive we can't just eat the cost as a 'value add', we now have to monetize it. So things were already pretty dark and then compensation came into the picture and now it's positively dire.

| sneak wrote:
| What about abuse/vandalism? If the whole web has edit privileges, what's to stop someone from scripting changing all of the titles to random strings every hour? Do you do a captcha on every edit or something?
|
| I think the main idea around user accounts is that they centralize a point of applying captchas as well as a tiny bit of data collection (some form of contact information) that can be used for antispam (e.g. banning certain email address domains from creating accounts, or banning certain email addresses, etc).

| wpietri wrote:
| I'm familiar with the theory. But accounts just aren't a big barrier to determined bad actors.
|
| Note that the world's biggest content site, Wikipedia, allows anonymous edits and always has. And note also that some of the big tech companies, despite having all the money in the world, still have problems with fake accounts. So at best, requiring user accounts is one possible anti-abuse step, but it's neither necessary nor sufficient to prevent abuse.

| sneak wrote:
| > _Note that the world's biggest content site, Wikipedia, allows anonymous edits and always has._
|
| Not really. You can't edit Wikipedia from a VPN (even with a user account!), and I think they ban most datacenters. The edits aren't really anonymous if they publicly associate with a piece of PII that, for most people, directly maps to their name and home address.

| wpietri wrote:
| Oh? My current IP is 2601:646:4300:758:f676:3f1b:8b5:42a. Please show me how to turn that into my name and home address. Thanks!

| sneak wrote:
| Comcast has a portal for law enforcement to request subscriber information at https://lea.comcast.com . That IPv6 address, plus the current date and time, uniquely identifies you by name and service address. Any edits you make to Wikipedia from that address are not anonymous.

| danShumway wrote:
| GP's "directly" is a pretty large overstatement, but at the same time I've noticed something of an uptick over the past couple of years of people saying that IP addresses aren't PII or that people shouldn't be concerned with them getting leaked, and I just don't think that stands up to much scrutiny.
|
| If IP addresses didn't matter for privacy, Tor routing wouldn't exist. If IP addresses weren't useful for blocking specific users, IP bans wouldn't exist. If IP addresses weren't useful for tracking, operators wouldn't have gotten up in arms about Apple's private relay service. Obviously this stuff matters.
|
| Remember that not everyone lives in or around San Francisco. For someone in a suburban/rural area, an IP address combined with things like timestamps, user ids, and the text of the edits can go a really long way towards unmasking them. Even for people who live in more urban areas, it is still obviously easier to find someone who lives in San Francisco than it is to find someone who could be living anywhere on the West Coast. If they could also have been using a VPN, or time-shifting their posts... that makes it even harder.
|
| In contrast, how hard do you really think it would actually be to get some address data from a voter roll or via a warrant or even just through one of the scummy person lookup services online and to iterate through everyone who shares that IP address and check to see how many of them are named Pietri? Or who have shared the username wpietri across another account, or posted somewhere else at roughly the same time? Your IP address is drastically reducing the search-space for other attacks, many of which (timing, text-analysis, etc) are impossible to get rid of when making a Wikipedia edit.

| skybrian wrote:
| Accounts alone won't do it. Accounts and invites might? But then someone who doesn't know anyone on the site needs to figure out how to contact someone who's a member.
|
| It's not good for growth, but some websites are fine with that.

| hinkley wrote:
| Over time the quality of the invites goes down as well.
|
| If I'm in the picky group, and we send out 5 invites total, but the unpicky group sends out 10, then 2/3 of the invites are unpicky - if the groups are the same size, which they probably won't be for a while (I'm probably inviting people who are almost as picky as I am)
|
| There's also someone on the team who thinks we'd grow faster if we simplified the onboarding process, which is true but also means when we piss off some user they can create a bunch of accounts while they're still spun up and cause a bunch of overhead for the support team and the developers. That gets expensive too.

| [deleted]

| seppoonbi wrote:
| There is also a midground which takes good/bad parts of both worlds. Users have IDs but no username or password. Some imageboards use this.

| a_c wrote:
| I have been thinking how we can incentivize people building netizen-friendly websites/apps. Creating users, cookies, JavaScript-heavy pages, paywalls, analytics, etc all share a common incentive of ease of monetization. Privacy, usability, performance, all important stuff, but apparently not important enough, and as a result they have plummeted.
|
| Would love to learn the options!

| [deleted]

| lifeisstillgood wrote:
| The thing that F-droid are getting right here is "if we don't track you, you have privacy from us".
|
| But privacy is not secrecy. If f-droid tracked my every waking move, and then just never bothered to look at that data, I would still have privacy from them.
|
| What they are doing here is a form of guaranteeing their future good behaviour. Which is nice, but there are other methods. For example I am happy to announce my plans to _not_ rob a bank. But there are means in place to ensure I do not - at least not twice.
|
| So while it is nice to find ways to avoid having user accounts at all, most hospitals will have to have other means to keep their users' privacy.
|
| Most of the time we are going to need to rely on regulation, where PII data (which, let's face it, is 98% of all data) will both legally and culturally have to be protected at levels hardly dreamed of today.

| hinkley wrote:
| > I would still have privacy from them.
|
| No, they have an unexploited asset and you think you're safe because nobody has exploited it yet. This is false security. If money gets tight they'll exploit it. If they get bought out the new owners will exploit it. If they get hacked, the entire Internet will exploit it.
|
| I would highly recommend that you spend a little bit of time thinking about or working with groups of dissidents, other oppressed groups, even people who have been sexually harassed. I have seen so much wrong-thinking about what Security actually is and it's always people living in a privilege bubble, not thinking of the actual, real life existential threat that exposure can represent until they have some user in hiding because they got death threats after being doxxed. Or just plain disappearing because their government black-bagged them over something they posted online.

___________________________________________________________________
(page generated 2022-02-28 23:00 UTC)