The ones who brought you Let's Encrypt, bring you: Tools for gathering anonymized app usage metrics from netizens

Wednesday 18th November 2020 15:14 GMT overunder

Not a wedge, just a service :-(

"While some subscribers down the line may be paying for the service, many will have access to the service through philanthropic contributions,"

A year or so ago I was hoping this was going to be a wedge in the proprietary data collection of companies like Google. After I caught on that it was basically just another data mine/repo I gave up hope as that means it can, if successful, later be bought by a company like Google. Since we're stuck with user data collection, it would of be nice to have a "open" data collection platform, or maybe I'm wrong and it would/will be yet another entity collecting data on you.

5 0 Reply
1. Wednesday 18th November 2020 16:24 GMT Robigus
  
  Re: Not a wedge, just a service :-(
  
  Perhaps if it's incorporated as a not-for-profit outfit (in the same manner as Signal operates in the U.S.) then it will keep it out of the hands of the perverts, as they can't buy it.
  
  2 2 Reply
  1. Wednesday 18th November 2020 17:52 GMT sev.monster
    
    Re: Not a wedge, just a service :-(
    
    Or... They could just not sell it?
    
    As hinted at by the article though, hopefully it will be open source so you can roll your own servers. Keep in mind that the ACME protocol and server technology that powers Let's Encrypt is all open, too.
    
    Maybe if I took the time I could check and see if it will be or not on their website or something, but that requires effort.
    
    8 0 Reply
  2. Wednesday 18th November 2020 19:31 GMT Anonymous Coward
    
    Re: Not a wedge, just a service :-(
    
    Last I checked, the Signal non-profit foundation was a funding vehicle for Quiet Riddle Ventures LLC, who hold the intellectual property rights to the Signal service and application.
    
    2 0 Reply
    1. Thursday 19th November 2020 10:25 GMT John H Woods
      
      Re: Not a wedge, just a service :-(
      
      I'm not sure that's right - isn't Quiet Riddle Ventures LLC just their incorporated name?
      
      All of the software is open source IIRC so the IP is probably just names, logos and existing documentation.
      
      0 0 Reply
      1. Thursday 19th November 2020 14:52 GMT Anonymous Coward
        
        Re: Not a wedge, just a service :-(
        
        > isn't Quiet Riddle Ventures LLC just their incorporated name?
        
        No it isn't, Quiet Riddle and a couple of other companies in Delaware and California far pre-date the foundation. It is all a matter of public record, same as Mike Benham's name change in 2017.
        
        > All of the software is open source IIRC
        
        That's neither here nor there. You can choose your licence precisely because you own the IP (this is a big subject with plenty of room for nitpicking, let's not go there).
        
        Forget the logos, documentation or even the software. What counts are the users. Why do you think that they don't let the application federate (i.e., work like phone or email, with multiple independent service providers talking to each other)?
        
        Oh, and forget about privacy too. You are perfectly traceable, as you would expect from using a phone number as ID. In fact, the architecture is much the same as the better known competitor, Whatsapp, and in legal (or otherwise) process your messages are accessed in exactly the same way: from your phone.
        
        1 0 Reply
Wednesday 18th November 2020 16:36 GMT Flywheel

Does anyone know how much Internet traffic is taken up just slurping and forwarding personal data? This is getting ridiculous!

16 0 Reply
1. Thursday 19th November 2020 10:38 GMT Boothy
  
  I don't know about actual data volume, but my Pi-hole shows that currently, 28.1% of all my local (i.e. at home) DNS queries are being blocked, and other than 1 manual addition, that's using the default blocklists that came pre-configured with the Pi-hole.
  
  The vast majority of the blocks are to device-metrics-us.amazon.com (I have a couple of Alexa devices).
  
  In 2nd and 3rd place are a couple of blocked MS domains, combined these are still less than half of the above Amazon traffic! (One of these for some reason is an msn.com domain, why!?)
  
  In 4th place is my manual add, d3p8zr0ffa9t17.cloudfront.net, seems this is a fall back for Alexa devices if they can't get through to the above Amazon metrics domain.
  
  After this DNS blocked calls drop of rapidly, and cover things like Dropbox, other MS services (xxx.live.com etc), a sneaky browser plugin (presumably trying to monetise metrics) and so on.
  
  1 0 Reply
Wednesday 18th November 2020 21:04 GMT bigtreeman

deanonymising

Meanwhile the other side of the coin is deanonymising.

Even anonymised data is invading privacy, depending on how it is used.

Just leave our data alone.

Oh, except there's a buck to be made, so it's ok.

No it isn't, so just feck off.

8 1 Reply
1. Wednesday 18th November 2020 21:49 GMT Dave 126
  
  Re: deanonymising
  
  >Even anonymised data is invading privacy, depending on how it is used.
  
  Anonymous data could be a sensor on a road for the valid purpose of determining traffic patterns and subsequent road planning. The sensor counts how many times it is squished by cars, and counts them. No identfying information is collected. Do you have a problem with this?
  
  Anonymous data covers a company knowing how many orders it has shipped out.
  
  I agree that data has been slurped too much in the last twenty years. However, we're likely to find better answers if we can have discussions about it.
  
  If we can agree that there is some level of aggregate, anonymous data that companies can use to better their offerings to us (otherwise a company might make a million red scarves when the market wants blue scarves ), and the means of keeping data anonymous can be mathematically proven, isn't that a path worth at least exploring? Perhaps it is possible to build into the system a way of providing under-resourced competitors with the same anonymised data, so they can compete on quality and price (and not just market intelligence).
  
  I might choose to do that. And why not? It's my data. If someone builds an infrastructure for me to conciously share data about myself that I believe will benefit myself and society, so much the better.
  
  Netflix doesn't share viewing figures. If I shared my Netflix viewing behaviour anomyinously, along with a thousand other people, to a new entrant in that market might it result in more content that I want to watch?
  
  8 2 Reply
  1. Thursday 19th November 2020 08:25 GMT LDS
    
    "could be a sensor on a road for the valid purpose of determining traffic patterns"
    
    And why it needs to check your plate, car model, number of passengers, destination, etc. etc.? That's what "telemetry" in any software does. Anonymized or not, people should always be able to opt-in. They got obsessed with the idea the need it so they could make the software "better" - I didn't see it still, I see worse and worse software. When you stop thinking about your product, and just think user data will tell you what the product should be, you get that.
    
    The same is true for TV. The show everybody wants to see it's probably a very bad and stupid one.
    
    2 0 Reply
    1. Thursday 19th November 2020 11:22 GMT Dave 126
      
      Re: "could be a sensor on a road for the valid purpose of determining traffic patterns"
      
      > And why it needs to check your plate, car model, number of passengers, destination, etc. etc.?
      
      I was specifically referring to to the type of sensor on a road that is 'squished' by car tyres - it only counts how many times it is squished, and this is used as a proxy for how many cars pass by (I'm guessing by dividing by two). I deliberately chose an anonymous system that does not collect licence plate, number of passengers etc.
      
      1 1 Reply
    2. Thursday 19th November 2020 11:30 GMT Dave 126
      
      Re: "could be a sensor on a road for the valid purpose of determining traffic patterns"
      
      > When you stop thinking about your product, and just think user data will tell you what the product should be, you get that.
      
      I have sympathy for that point of view, especially in the arts. However, were talking about products generally here. There are cases where having real data about how real people use products in the wild can lead to better products.
      
      An anonymous example? Company making Wotsits finds that 75% of units returned to retailers under warranty have a broken Thingy. Company redesigns the Wotsit MK II to have a thicker Thingy, or to use a more durable material to make the Thingy. It might turn out that the design of the Thingy was fine, but the suppliers of the Thingy had some production issues that led to weakened Thingys.
      
      0 1 Reply
      1. Thursday 19th November 2020 16:11 GMT doublelayer
        
        Re: "could be a sensor on a road for the valid purpose of determining traffic patterns"
        
        The only problem with that is that that's the argument every time someone decides they want more data, including extremely personal data. First argument is that it makes products better for me and I should be grateful that they're not charging me extra for that. Second argument says that it's not that invasive after all; it's just what someone could see if they looked over at me from across the road with an electron microscope. Third argument says that I have agreed to their data collection by consenting to their eighty-page user agreement, and if I didn't agree to that, I still consented by visiting their page, and if I didn't visit their page, then I consented by proxy by using a page which included their content, and if I tried to block their domains to prevent loading their content, then I consented because their content is important and they need to keep others' sites from breaking which is why they took so many expensive steps to include their content anyway and evade the most concerted efforts to stay away from it.
        
        Truly anonymous data collection, from a public place, using methods that would guarantee anonymity, is fine. For that reason, the example of a road pressure sensor is acceptable. Data collection from items that have been voluntarily relinquished to a different person is fine, so the returned product example is acceptable. My computer is not a public place. My computer was not given to someone else. This makes the collection of truly anonymous data very difficult. Even if it is entirely anonymous, there's still the issue of consent, which in many cases is not obtained. No matter how many nice and simple comparisons are made, they're still misleading and imprecise.
        
        1 0 Reply
      2. Thursday 19th November 2020 20:01 GMT Inkey
        
        Re: "could be a sensor on a road for the valid purpose of determining traffic patterns"
        
        "An anonymous example? Company making Wotsits finds that 75% of units returned to retailers under warranty have a broken Thingy. Company redesigns the Wotsit MK II to have a thicker Thingy, or to use a more durable material to make Blahhhblahh..."
        
        I fail to see how collecting user data and having a metric for every bit of user involvement makes a better thing ... this could easily be cordinated between manufacturer and sales outlet...
        
        In fact if the product had been tested for its intended purpose it would be plainly obvious to even the janitor that said whotsit neended to be made more durable...
        
        A better example would be to make great products that sell themselves last long and dont cost the priverbial arm n leg .... do that and you wont need to sell users data to all sorts of bottom feeders and worse ... make the net a fekken joyless contrived shit cake with a ribbin it seems fast becoming...
        
        Your argument seems more like a marketing driod shtik about "great after sales" and "we care about your privacy" .... its like the emperiors new coat ...
        
        A new economy of data which adds no value to the user nor in most cases the the recipiant of all the slurp.... controll groups are more often than not cagey about what they really think of product x and just came for the bisciuts and doughnuts... and a third of them will be friends with marketing driod to help them flatter the client so they get repeat business...
        
        we have let people who make and create stuff all convince the people with stuff all between the ears that this is progress ...it's not
        
        Anonomisied it may be, open source potentialy... but it's more bandwidth more compute and more resource ... roll your own ... now you need another processor and someone to manage it and its another attack vector.... for what exactly "insight"..please
        
        National Geographic 42 cookies excluding whats termed legitimate interest and partners ...what insight could NG get from my single visit other than an interest in astronomy that would make the need for all of that slurp a benifit to me or their magazine
        
        At best it's amozon showing me products i have already bought at worst it's sold to fuckwit politicos intent on scaring history by inteligengce researchers
        
        who belive they can acurately gauge a populace's sentiment and droids who think the insights they get can be spun into a narative that paints a skewed version on reality that benifits niether the populace nor the creators of data...
        
        Someware in the middle big data has a fantastic benifit to the whole wide world.... but while it sits with wealthy shareholders whose only contribution is to use wealth in pursiut of ever more power its an unsastainable dead end!
        
        I feel bad for the folks who have do this sort of thing for a crust ...i do but it is what it is... just ask microshaft the OG of slurp ...are their products any better fuck no .... in fact i haven't used my M$ box in months cause it's to scary and stressfull... And i would tell them that.... all they had to do was ask!
        
        0 0 Reply
  2. Thursday 19th November 2020 08:45 GMT Anonymous Coward
    
    Re: deanonymising
    
    My problem isn't the data collection per se. It's the lack of transparency and inability to access my own complete dataset.
    
    Figuring out a way to do that without de-anonymising yourself would be very interesting.
    
    Having it stored client side and only readable remotely if I permit it seems like a pipe dream.
    
    2 0 Reply
2. Wednesday 25th November 2020 17:30 GMT EnviableOne
  
  Re: deanonymising
  
  if it can be de-annonymised, it hasn't been properly anonymised in the first place.
  
  with some data sets, they are so small, or the number of indicators collected is so large, that you can identify an individual. like say a Specific Cancer type case statistics traced to Postcode level
  
  There are legitamate uses for bulk telemetry data, and they will drive product improvement, however, currently this data can be easily traced back to you, with this technology, it can't.
  
  0 0 Reply
Wednesday 18th November 2020 21:41 GMT Claverhouse

Stop Helping

I still don't like being spied upon.

5 0 Reply
Wednesday 18th November 2020 22:56 GMT fidodogbreath

Your privacy is important to us

The Internet Security Research Group (ISRG) has a plan to allow companies to collect information about how people are using their products while protecting the privacy of those generating the data.

Hmm, where have we heard that before? Oh, that's right: every single privacy policy and TOS.

1 0 Reply
1. Thursday 19th November 2020 08:42 GMT Dan 55
  
  Re: Your privacy is important to us
  
  You're right, everyone should stick with Google Analytics.
  
  3 0 Reply
  1. Thursday 19th November 2020 13:23 GMT Anonymous Coward
    
    Re: everyone should stick with Google Analytics
    
    Indeed. It makes blocking it all the easier.
    
    Google is only after your data so that they can sell it and sling ads for totally useless shit at you.
    
    Google is not your friend. They are the enemy of privacy (or one of them)
    
    1 0 Reply
2. Thursday 19th November 2020 09:03 GMT John Robson
  
  Re: Your privacy is important to us
  
  Whilst we have heard it before... I am for more open to the idea from an organisation such as LE than am from most others.
  
  Public code review and detailed analysis to follow I'm sure, bit it is a step in the correct direction.
  
  3 0 Reply
3. Friday 27th November 2020 18:49 GMT Eric.R.
  
  Re: Your privacy is important to us
  
  hmm... I wonder if the ISRG needs to be audited, imagine another 2015 IETF debacle if any of those culprits were invo... hol'up...
  
  0 0 Reply
Thursday 19th November 2020 14:53 GMT StrangerHereMyself

Good idea, but...

This is actually a very good idea, since I've been looking for a privacy focused alternative to Google-Analytics for years.

There's only one but. If this finds traction the acquired information will become extremely valuable. And eventually pure greed will start to creep in.

If you're sitting on a potential gold-mine whilst having trouble making ends meet it will become very tempting put your hand in the cookie-jar.

So I'm very interested in their story on how they're going to prevent this.

1 0 Reply
1. Friday 20th November 2020 10:27 GMT bombastic bob
  
  Re: Good idea, but...
  
  how they're going to prevent this.
  
  don't log any personally identifying information - that'd be a good start. then assume that a single application's usage information might get duplicate entries, so some other means of transactioning (besides personally identifying info) would be needed. A reasonably long hash based on a user's info might do it. THAT kind of thing.
  
  Nione of this is hard, it just means setting it up so that the aggregate data can NOT be tied back to whoever or whatever generated it.
  
  Now I have to ask the OTHER data slurpers why THEY aren't doing it THIS way... since it IS _SO_ SIMPLE!!!
  
  1 0 Reply
Friday 27th November 2020 17:53 GMT Anonymous Coward

True colors, and of course it's Mozilla and co.

Harbourers of known stooges market nifty way to extend data collection. Backdooring cryptography too hard and too obvious huh?

I know, lets try the 'anonymised metrics' bamboozle, everyone forgets their data is being slurped when thats used, because yay PrIVacY.

0 0 Reply