cross-posted from: https://sopuli.xyz/post/14184367

> Lemmy version 0.19.4 introduces 3 relatively intolerable bugs, and 0.19.5 only fixes one of them. > > * cannot post, risk of data loss > * cannot cross-post, but no data loss. > * can only visit the default timeline view >

In the US, consumers can freeze their credit worthiness records and receive a code. When the records are frozen, the only orgs that can access the records are those already doing business with the consumer. If a consumer wants to open up a new account, they share the code with the prospective creditor who uses it to see the credit report.

So the question is, how are access controls on credit histories done in various EU nations? Do any use unlock codes like the US, or is it all trust based?

cross-posted from: https://sopuli.xyz/post/14006758

> Yikes. > > > “In the adequacy decision, the European Commission estimated that the U.S. ensures a level of protection for personal data transferred from the EU to U.S companies under the new framework that is essentially equivalent to the level of protection within the European Union.” (emphasis added) > > Does the EU disregard the Snowden revelations? > > And what a missed opportunity. California state specifically has some kind of GDPR analogue, so it might be reasonable if CA specifically were to satisfy an adequacy decision, (still a stretch) but certainly not the rest of the country. Such a move could have motivated more US states to do the necessary. > > I must say I’ve lost some confidence and respect for the #GDPR.

A national central bank that keeps track of bank accounts, credit records, delinquency, etc for everyone in the country has their website on Cloudflare. People are instructed to check their credit records on that site.

The question is: suppose you don’t use the site. Suppose you only request your records offline. What are the chances that Cloudflare handles your sensitive records?

I guess this might be hard to answer. I assume it comes down to whether to central bank itself uses their own website to print records to satisfy an offline request. And I assume it’s also a question of whether the commercial banks use the website of the central bank to feed it. Correct?

cross-posted from: https://sopuli.xyz/post/13133455

> It used to be that you could insert a coin into a washing machine and it would simply work. Now some Danish and German apartment owners have decided it’s a good idea to remove the cash payment option. So you have to visit a website and top-up your laundry account before using the laundry room. > > Is this wise? > > Points of failure with traditional coin-fed systems: > > 1. your coin gets stuck > 1. you don’t have the right denomination of coins > > Points of failure with this KYC cashless gung-ho digital transformation system: > > 1. your internet service goes down > 1. the internet service of the laundry room goes down > 1. the website is incompatible with your browser > 1. the website forces 3rd party JavaScript that’s either broken or you don’t trust it > 1. you cannot (or will not) solve CAPTCHA > 1. the website rejects your IP address because it is a shared IP > 1. the payment processor rejects your IP address because it is a shared IP > 1. the bank rejects your IP address because it is a shared IP > 1. the payment processor is Paypal and you do not want to share sensitive financial data with 600 corporations > 1. the accepted payment forms do not match your payment cards > 1. the accepted payment form matches, but your card is still rejected anyway for one of many undisclosed reasons: > * your card is on the same network but foreign cards are refused > * the payment processor does not like your IP address > * the copy of your ID doc on file with the bank expired, and the bank’s way of telling you is to freeze your card > * it’s one of these new online-only bank cards with no CVV code printed on the card so to get your CVV code you must install their app from Google’s Playstore (this expands into 20+ more points of failure) > 1. your bank account is literally below the top-up minimum because you only have cash and your cashless bank does not accept cash deposits; so you cannot do laundry until you get a paycheck or arrange for an electronic transfer from a foreign bank at the cost of an extortionate exchange rate > 1. you cannot open a bank account because Danish banks refuse to serve people who do not yet have their CPR number (a process that takes at least 1 month). > 1. you are unbanked because of one of 24 reasons that Bruce Schneier does not know about > 1. the internet works when you start the wash load, but fails sometime during the program so you cannot use the dryers; in which case you suddenly have to run out and buy hanging mechanisms as your wet clothes sit. > 1. (edit) the app of your bank and/or the laundry service demands a newer phone OS than you have, and your phone maker quit offering updates. > > In my case, I was hit with point of failure number 11. Payment processors never tell you why your payment is refused. They either give a uselessly vague error, or the web UI just refuses to move forward with no error, or the error is an intentional lie. Because e.g. if your payment is refused you are presumed to be a criminal unworthy of being informed. > > Danish apartment management’s response to complaints: We are not obligated to serve you. Read the terms of your lease. There is a coin-operated laundromat 1km away. > > Question: are we all being forced into this shitty cashless situation in order to ease the hunt for criminals?

It used to be that you could insert a coin into a washing machine and it would simply work. Now some Danish and German apartment owners have decided it’s a good idea to remove the cash payment option. So you have to visit a website and top-up your laundry account before using the laundry room.

Is this wise?

Points of failure with traditional coin-fed systems:

1. your coin gets stuck
2. you don’t have the right denomination of coins

Points of failure with this KYC cashless gung-ho digital transformation system:

1. your internet service goes down
2. the internet service of the laundry room goes down
3. the website is incompatible with your browser
4. the website forces 3rd party JavaScript that’s either broken or you don’t trust it
5. you cannot (or will not) solve CAPTCHA
6. the website rejects your IP address because it is a shared IP
7. the payment processor rejects your IP address because it is a shared IP
8. the bank rejects your IP address because it is a shared IP
9. the payment processor is Paypal and you do not want to share sensitive financial data with 600 corporations
10. the accepted payment forms do not match your payment cards
11. the accepted payment form matches, but your card is still rejected anyway for one of many undisclosed reasons:
    • your card is on the same network but foreign cards are refused
    • the payment processor does not like your IP address
    • the copy of your ID doc on file with the bank expired, and the bank’s way of telling you is to freeze your card
    • it’s one of these new online-only bank cards with no CVV code printed on the card so to get your CVV code you must install their app from Google’s Playstore (this expands into 20+ more points of failure)
12. your bank account is literally below the top-up minimum because you only have cash and your cashless bank does not accept cash deposits; so you cannot do laundry until you get a paycheck or arrange for an electronic transfer from a foreign bank at the cost of an extortionate exchange rate
13. you cannot open a bank account because Danish banks refuse to serve people who do not yet have their CPR number (a process that takes at least 1 month).
14. you are unbanked because of one of 24 reasons that Bruce Schneier does not know about
15. the internet works when you start the wash load, but fails sometime during the program so you cannot use the dryers; in which case you suddenly have to run out and buy hanging mechanisms as your wet clothes sit.
16. (edit) the app of your bank and/or the laundry service demands a newer phone OS than you have, and your phone maker quit offering updates.

In my case, I was hit with point of failure number 11. Payment processors never tell you why your payment is refused. They either give a uselessly vague error, or the web UI just refuses to move forward with no error, or the error is an intentional lie. Because e.g. if your payment is refused you are presumed to be a criminal unworthy of being informed.

Danish apartment management’s response to complaints: We are not obligated to serve you. Read the terms of your lease. There is a coin-operated laundromat 1km away.

Question: are we all being forced into this shitty cashless situation in order to ease the hunt for criminals?

I’ve noticed that if you try to contact corp or gov offices the old fashioned way, they simply ignore you. They want to force you to use email or solve a CAPTCHA. The fix I have in mind is a tweak on this idea:

https://sopuli.xyz/post/12919557

but the first contact you make with an office need not even be GDPR¹ related. If you contact a gov or corp for any purpose and they ignore it, your next request can and should include an access request for records on how they handled your initial correspondence.

¹ GDPR isn’t the only game in town. Brazil and California supposedly have some privacy law similar to the GDPR which I assume includes a right of access. Hence why they were also mentioned in the title.

#fuckEmail

I just had to send a msg to a gov office.

Email has been generally broken¹ the past couple decades. I prefer fax. It’s more reliable and I choose what I want to disclose to the recipient. Even in cases where part of the fax transmission routes over email, it’s still more reliable than pure email because those fax→email gateways are managed by recipients to ensure all-or-nothing (all faxes are delivered or none of them). Fax is immune to shenanigans like “mail server X accepts mail from Y but not Z”.

When I tried to send the fax, the fax machine did not answer. So I voice called the office. They said “we unplugged our fax machine”. WTF! So I said please plug it back in because I’m trying to send a fax. So a bit later I tried again and it worked.

Folks, we are losing fax because most of the population does not grasp the privacy compromise with email, and the compromise of netneutrality and reliability. If I am the only person in the world who keeps fax in use, fax will die fast because it’s easy to marginalise 1 person.

cross-posted from: https://sopuli.xyz/post/12944261

> The psychology of this problem is that users are too lazy to maintain multiple accounts when all they have is Lemmy’s stock web client. So they choose one of the big nodes: lemmy.world, sh.itjust.works, lemm.ee, lemmy.ca, etc. > > These Cloudflare-centralized nodes are able to greedily exploit the #networkEffect because due to lack of multi-account software. If there were some well-made 3rd party client apps for Lemmy that would be designed for multiple accounts, then more users would be willing to create accounts in more decentralized parts of the fedi. > > Mastodon somewhat proves this because the client-side tooling is in place to make it convenient to have 6 or Mastodon accounts. And Mastodon nodes are better balanced.

cross-posted from: https://sopuli.xyz/post/12558862

> So here’s a disturbing development. Suppose you pay cash to settle a debt or to pay for something in advance, where you are not walking out of the store with a product. You obviously want a receipt on the spot proving that you handed cash over. This option is ending. > > It’s fair enough that France wants to put a stop to people receiving paper receipts they don’t want, which then litter the street. But it’s not just an environmental move; there is a #forcedDigitalTransformation / #warOnCash element to this. From the article: > > > In Belgium: since 2014, merchants can choose to provide a paper or digital receipt to their customers, if they¹ request it. > > What if I don’t agree to share an email address with a creditor? What if the creditor uses Google or Microsoft for email service, and I boycott those companies? Boycotting means not sharing any data with them (because the data is profitable). IIUC, the Belgian creditor can say “accept our Microsoft-emailed receipt or fuck off.” If you don’t carry a smartphone that is subscribed to a data plan, and trust a smartphone with email transactions, then you cannot see that you’ve received the email before you leave after paying cash. Even if you do have a data plan and are trusting enough to use a smartphone for email, and you trust all parties handling the email, there is always a chance the sender’s mail server is graylisted, which means the email could take a day to reach you. Not to mention countless opportunities for the email to fail or get lost. > > It’s such a fucked up idea to let merchants choose. If it’s a point of sale, then no problem… I can simply walk if they refuse a paper receipt (though even that’s dicey because I’ve seen merchants refuse instant returns after they’ve put your money in the cash register). > > But what about creditors? If you owe a debt and the transaction fails because they won’t give you a paper receipt and you won’t agree to info sharing with a surveillance advertiser, then you can be treated as a delinquent debtor. > > Google, Facebook, Amazon, and Microsoft must be celebrating these e-receipts because they have been working quite hard to track people’s offline commerce. > > It’s obviously an encroachment of the data minimisation principle under the #GDPR. More data is being collected than necessary. > > ¹ This is really shitty wording. Who is /they/? If it’s the customer, that’s fine. But in that case, why did the sentence start with “merchants can choose…”? Surely it can only mean merchants have the choice if they make a request to regulators.

So here’s a disturbing development. Suppose you pay cash to settle a debt or to pay for something in advance, where you are not walking out of the store with a product. You obviously want a receipt on the spot proving that you handed cash over. This option is ending.

It’s fair enough that France wants to put a stop to people receiving paper receipts they don’t want, which then litter the street. But it’s not just an environmental move; there is a #forcedDigitalTransformation / #warOnCash element to this. From the article:

> In Belgium: since 2014, merchants can choose to provide a paper or digital receipt to their customers, if they¹ request it.

What if I don’t agree to share an email address with a creditor? What if the creditor uses Google or Microsoft for email service, and I boycott those companies? Boycotting means not sharing any data with them (because the data is profitable). IIUC, the Belgian creditor can say “accept our Microsoft-emailed receipt or fuck off.” If you don’t carry a smartphone that is subscribed to a data plan, and trust a smartphone with email transactions, then you cannot see that you’ve received the email before you leave after paying cash. Even if you do have a data plan and are trusting enough to use a smartphone for email, and you trust all parties handling the email, there is always a chance the sender’s mail server is graylisted, which means the email could take a day to reach you. Not to mention countless opportunities for the email to fail or get lost.

It’s such a fucked up idea to let merchants choose. If it’s a point of sale, then no problem… I can simply walk if they refuse a paper receipt (though even that’s dicey because I’ve seen merchants refuse instant returns after they’ve put your money in the cash register).

But what about creditors? If you owe a debt and the transaction fails because they won’t give you a paper receipt and you won’t agree to info sharing with a surveillance advertiser, then you can be treated as a delinquent debtor.

Google, Facebook, Amazon, and Microsoft must be celebrating these e-receipts because they have been working quite hard to track people’s offline commerce.

It’s obviously an encroachment of the data minimisation principle under the GDPR. More data is being collected than necessary.

¹ This is really shitty wording. Who is /they/? If it’s the customer, that’s fine. But in that case, why did the sentence start with “merchants can choose…”? Surely it can only mean merchants have the choice if they make a request to regulators.

cross-posted from: https://sopuli.xyz/post/12515826

> I’m looking for an email service that issues email addresses with an onion variant. E.g. so users can send a message with headers like this: > > From: replyIfYouCan@hi3ftg6fgasaquw6c3itzif4lc2upj5fanccoctd5p7xrgrsq7wjnoqd.onion > To: someoneElse@clearnet_addy.com > > I wonder if any servers in the onionmail.info pool of providers can do this. Many of them have VMAT, which converts onion email addresses to clearnet addresses (not what I want). The docs are vague. They say how to enable VMAT (which is enabled by default anyway), and neglect to mention how to disable VMAT. Is it even possible to disable VMAT? Or is there a server which does not implement VMAT, which would send msgs to clearnet users that have onion FROM addresses?

I’m looking for an email service that issues email addresses with an onion variant. E.g. so users can send a message with headers like this: From: replyIfYouCan@hi3ftg6fgasaquw6c3itzif4lc2upj5fanccoctd5p7xrgrsq7wjnoqd.onion To: someoneElse@clearnet_addy.com I wonder if any servers in the onionmail.info pool of providers can do this. Many of them have VMAT, which converts onion email addresses to clearnet addresses (not what I want). The docs are vague. They say how to enable VMAT (which is enabled by default anyway), and neglect to mention how to disable VMAT. Is it even possible to disable VMAT? Or is there a server which does not implement VMAT, which would send msgs to clearnet users that have onion FROM addresses?

cross-posted from: https://sopuli.xyz/post/10440580

> The source of this article is in a walled garden that disrespects our privacy so I will not cite it. But here’s the text, posted here in the free world for all people to access: > > --- > > The menace of “the War on Cash” is making steady headway across the board. > > And that’s whether it concerns big-time international policy-makers pushing for total digitization of financial assets – or individual examples that showcase just how serious this threat is. > > Here’s one such case: Elizabeth Dasburg and two others were denied the right to use cash to pay entry fee to the Fort Pulaski National Monument in Georgia, managed by the National Park Service. > > It’s turned into, “parks, but no recreation” – because the victims of this violation of US law regulating the use of domestic currency have now opted for litigation. > > Plain and simple, Dasburg and the two others believe it is still illegal in the US to refuse to accept the country’s legal tender. Or is it? That’s the question the US District Court for the District of Columbia will have to spell out. > > Judging by the filing, the Fort Pulaski employees were equally indoctrinated against accepting cash, as they were trying to be helpful. The visitors were first told in no uncertain terms that only cards are accepted. > > We obtained a copy of the complaint for you here. > > And then, if – say they had no cards (that they might not want to use them doesn’t seem to have been a consideration) – they were instructed to go to a grocery chain like Walmart and buy a gift card. > > However bizarrely and unnecessarily complicated this might sound – all the more ironic, because it appears the “explanation” for this policy is that cards are more “convenient” – that’s what Fort Pulaski wanted. > > Cards. Of any sort. Things that can be tracked and tied to a person, in other words. > > “By forcing people to use credit cards or digital wallets, under the guise of convenience, the National Park Service becomes a player in the surveillance state, undermining park visitors’ privacy right,” Children’s Health Defense (CHD) General Counsel Mack Rosenberg commented on the case – and the state of affairs. > > CDH has decided to put its money where its mouth is and support the defendants’ case financially. > > The National Park Service is said to have been working on cashless-only payment options for some years, the scheme now in effect in to close to 30 national parks, historic sites and monuments. > > While those behind such things are always happy to present themselves as champions of “equality and diversity,” the reality looks quite different. > > “Only half of low-income households have access to a credit card, according to a March 2022 Federal Reserve Bank of New York report,” CHD President Laura Bono said in a letter to the Park and Service CEO.

cross-posted from: https://sopuli.xyz/post/10336994

> I often give fake info as an extra measure of data protection. If I don’t need the data controller to have my date of birth, I give a fake one. > > Well this just screwed me because I made an access request and the data controller said: to verify your identity, tell us your date of birth. Fuck me. I didn’t keep track of which fake date I gave them. I didn’t even keep track of whether I gave fake info. So they could treat my otherwise legit request as a breach attempt. > > I should have kept track of the birth date I supplied. I will; from now on.

cross-posted from: https://sopuli.xyz/post/9861733

> I would cast my drop-in-the-ocean vote if it didn’t require needlessly reckless disclosures. The question is- which states offer more privacy than others? These are some of the issues: > > publication of residential address > --- > It’s obviously fair enough that you must disclose your residential address to the election authority so you get the correct ballot. But then the address is public. WTF? I’m baffled that the voter turnout isn’t lower. > > Exceptionally, Alaska enables voters to also supply a mailing address along with their residential address. In those cases, the residential address is not made public. But still an injustice as PO Boxes are not gratis so privacy has a needless cost. > > Some states give the mailing address option exclusively to battered spouses. So if you are a victim of domestic abuse, you can go through a process by which you receive an address for the public voting records that differs from your residential address. Only victims of domestic abuse get privacy that should be given to everyone. > > publication of political party affiliation > --- > You are blocked from voting in primary elections unless you register a party affiliation, in which case you can only vote in the primary election of that party. A green party voter cannot vote in the democrat primary despite the parties being similar. The party you register in is public. So e.g. your neighbors, your boss, and your prospective future boss can snoop into your political leanings. > > AFAIK, this is the same for all states. > > publication of your voting activity (which is used for shaming) > --- > Whether you voted or not is public. If you register to vote but do not vote, it’s noticed. There is a shaming tactic whereby postcards are sent saying “your neighbors the Johnsons at 123 Main St. voted early -- will you do your civic duty too? Note that the McKinneys at 125 Main St. have not voted; perhaps you can remind them?” They of course do this in an automated way, so non-voters know their neighbors are receiving postcards that say they did not partake in their civic duty. > > forced disclosure to Cloudflare > --- > These states force all voter registrations through Cloudflare: > > * Arizona > * Florida > * Georgia > * Hawaii > * Idaho > * New York > * Ohio > * Rhode Island > * Washington > > That’s not just public info, but everything you submit with your registration including sensitive info like DL# and/or SSN goes to Cloudflare Inc. Cloudflare is not only a privacy offender but they also operate a walled garden that excludes some demographics of people from access. Voters can always register on paper, but whoever the state hires to do the data entry will likely use the Cloudflare website anyway. So the only way to escape Cloudflare getting your sensitive info in the above-mentioned states is to not vote. > > To add to the embarrassment, the “US Election Assistance Commission” (#USEAC) has jailed their website in Cloudflare’s walled garden. Access is exclusive and yet they proudly advertise: “Advancing Safe, Secure, Accessible Elections”. > > solutions > --- > What can a self-respecting privacy seeker do? When I read @BirdyBoogleBop@lemmy.dbzer0.com’s mention¹ of casting a “spoiled” vote which gets counted, I thought I’ll do that.. but then realized I probably can’t even get my hands on a ballot if I am not registered to vote. So I guess the penis drawing spoiled vote option only makes a statement about the ballot options. It’s useless for those who want to register their protest against the voter registration disclosures. > > Are there any states besides Alaska that at least give voters a way to keep their residential address out of publicly accessible records? > > 1) it was mentioned in this thread: https://lemmy.dbzer0.com/post/8502419

In the US banks are capturing the voices of their customers who contact their call centers for any reason. So if a USian vocally says something controversial they probably have no hope of anonymity if they called their bank in recent years.

Is the same thing not happening in Russia and Israel? An IDF soldier came on broadcast radio and criticized Israel, and a Russian citizen criticized Putin. Shouldn’t they be concerned about doxxing risks?

It would be reckless if the radio station did not disguise their voices, but I don’t get the impression their voices are being disguised. So I just wonder if voice disguising tech is so good at making the voice sound natural that it’s not detectable.

cross-posted from: https://sopuli.xyz/post/8702045

> (⚠ Enshitification warning: The linked article has a cookie wall; just click “reject” and the article appears) > > Google is ending the public access to the cache of sites it indexes. AFAICT, these are the consequences: > > * People getting different treatment due to their geographic location will lose the cache they used as a remedy for access inclusion. > * People getting different treatment due to having a defensive browser will lose access. > * The 12ft.io service which serves those who suffer access inequality will be rendered useless. > * Google will continue to include paywalls in search results, but now consumers of Google search results will be led to a dead-end. > * The #InternetArchive #WaybackMachine will take on the full burden of global archival. > * Consumers will lose a very useful tool for circumventing web enshitification. > > Websites treat the Google crawler like a 1st class citizen. Paywalls give Google unpaid junk-free access. Then Google search results direct people to a website that treats humans differently (worse). So Google users are led to sites they cannot access. The heart of the problem is access inequality. Google effectively serves to refer people to sites that are not publicly accessible. > > I do not want to see search results I cannot access. Google cache was the equalizer that neutralizes that problem. Now that problem is back in our face.

(cross-posting to privacy forums because cache access enables privacy seekers to reach content that otherwise requires them to step outside of Tor)

cross-posted from: https://sopuli.xyz/post/8557194

> This is a FOSS tool that enables people to check a website for #GDPR compliance.

cross-posted from: https://sopuli.xyz/post/7625705

> According to the linked article, 72 studies suggest that wi-fi radiation harms/kills #bees -- and by some claims is a threat to their continued existence. I suppose if extinction were really a likely risk there would be widespread outrage and bee conservationists taking actions. It seems there is a lack of chatter about this. This thread also somewhat implies disinterest in even having wi-fi alternatives. > > In any case, does anyone think this is a battle worth fighting? Some possible off-the-cuff actions that come to mind: > * ban the sale of wi-fi devices bigger than a phone in Europe¹ if they do not also comply with these conditions: > * include an ethernet port as well. So e.g. macbooks would either have to bring back the ethernet port or nix wi-fi (and obviously Apple wouldn’t nix Wi-Fi). > * have a physical wi-fi toggle switch on the chassis (like Thinkpads have) > * force public libraries with Wi-Fi to give an ethernet port option so library users at least have the option of turning off their own wi-fi emissions. > * ban the sale of Wi-Fi APs that do not have: > * a configurable variable power setting that is easily tunable by the user; maybe even require a knob or slider on the chassis. > * bluetooth that is internet-capable > * force phones that include wi-fi to also include bluetooth as well as the programming to use bluetooth for internet. Bluetooth routers have existed for over a decade but they are quite rare.. cannot be found in a common electronics shop. > > Regarding bluetooth, it is much slower than wi-fi, lower range, and probably harder to secure. But nonetheless people should have this option for situations where they don’t need wi-fi capability. E.g. when a phone is just sitting idle it could turn off wi-fi and listen over bluetooth for notifications. > > I suspect the 1st part of this quote from the article explains the lack of concern: > > “The subject is uncomfortable for many of us because it interferes with our daily habits and there are powerful economic interests behind mobile communication technology.” > > 1. I say /Europe/ because it’s perhaps the only place where enough people would be concerned and where you also have the greatest chance of passing pro-humanity legislation (no “Citizens United” that human needs have to compete with).