No more Disqus

I’ve been forced to remove Disqus comments from tailpuff.net. They have taken the same approach to the GDPR that Facebook has taken, and while I think the GDPR sucks, I think this kind of corporate sleaze sucks worse. I won’t support people who treat the public as if we’re too stupid to see their crimes for what they are.

So from now on, or until I find a superior alternative, comments on tailpuff.net will require you to register for an account. I thought about offering guest commenting but unfortunately the maturity level of the human public has not reached a point where that can work.

Alternatives?

If you know of a similar service that respects its users’ privacy, please let me know. I do like the Single-Sign-On aspect of Disqus, but no feature is worth sacrificing my privacy or the privacy of my visitors.

broken telephone and the hammer which smashed it

Tracking Cookies, Analytics, and the GDPR. Or “How I learned to stop worrying and FUCK the European Union”

General Data Protection Regulation

Wikipedia: The General Data Protection Regulation (GDPR) (EU) 2016/679 is a regulation in EU law on data protection and privacy for all individuals within the European Union. It also addresses the export of personal data outside the EU. The GDPR aims primarily to give control to citizens and residents over their personal data and to simplify the regulatory environment for international business by unifying the regulation within the EU.

The General Data Protection Regulation, often referred to as the GDPR for short, is a European Union law taking effect in 2018. This law was crafted to address the problem of corporations exploiting the data they gather from consumers using their internet products, which has gotten completely out of hand.

Enter: The Problems

GDPR was rushed. This is most blatantly evident in the huge number of obvious use cases where it simply does not apply. There are a whole lot of exemptions made to allow for conflicts with other laws. They wanted to punish Facebook, and they did not take the time required to craft a thoughtful solution that will survive long term. I will try to address some of the more damaging issues introduced by this regulation.

WHOIS: A necessary public tool for the Internet to function

The first casualty in this story is the WHOIS service. When you register a domain name you are leasing a public resource from a limited pool of similar resources. For this reason it is absolutely necessary to ensure that every domain name is registered to a real person who is using it for real, legitimate purposes. In cases where they are not, the domain is released back into the public pool so that someone more deserving can utilize it.

WHOIS not only provides a means of contacting the owner or maintainer of a particular domain, it is also an important tool for diagnosing security problems such as attacks originating from specific networks. WHOIS is how you find the abuse or security contact for those networks, so that you can report the problem to the administrator who can actually do something about it.

Because of the terrible way in which GDPR has been executed, there has been a rushed effort to “fix” WHOIS to be compliant with GDPR. But WHOIS doesn’t need fixing, it works exactly the way it’s supposed to already. The problem is ignorance among the users, period.

Analytics, a god given right.

Another huge problem area is website analytics. GDPR places restrictions on the kinds of data that can be gathered using tracking and reporting software. But this is insanity, you can’t restrict what methods I use to monitor and police the activity of those accessing MY networks. I am 100% within my rights to scan and record 100% of your requests against my server, all of your page-viewing habits, and anything else I can think of. It’s my toy, and you’re touching it. You damn well better believe I’m recording your fingerprints and there is nothing anyone can do about that. When you are visiting my website you are not entitled to privacy. (I do respect your privacy, you just aren’t entitled to it). One nation cannot change this with some bullshit law, it’s a fundamental concept of property ownership, it’s older than the EU and more important.

The EU is Disintegrating. Why do their laws matter?

This is a contentious item to be sure, but no less important. With the near-exit of Greece and then the United Kingdom voting to leave, it is reasonable to assume that the European Union is already dead. It is too soon to assume that they will recover from losing or nearly losing two significant member nations. We don’t have a lot of historical precedent, but typically when a “union” starts losing members it is no longer a union. Why should the global marketplace conform to the laws of a failed nation? What gives the EU more authority on this subject than, say, a collection of Third World nations? Nothing. It’s favoritism from “Western” nations. That’d be fine if the EU weren’t crumbling, but all of the indications are that it is. Maybe we shouldn’t be betting on the losers.

So what’s the right answer?

FUCK man, how the hell should I know? The internet was not invented with privacy in mind. Encryption was an after-thought. Here’s a suggestion: why don’t we spend the next 5 to 10 years brainstorming and crafting an INTELLIGENT and BUG-FREE privacy protection treaty? The Internet is a global environment, and laws which regulate behavior on the Internet should only be those which all of us living on this planet can agree upon. That is plain common sense that any properly educated adult would arrive at on their own.

Why are you down on privacy rights?

I’m not. You probably realize, if you’ve spent time on my blog, that I’m a die-hard privacy advocate. I also hate poorly crafted regulations, which is what the GDPR is. I wish they had spent more time on it. I wish they had consulted more qualified experts. Maybe if they’d drafted the law on GitHub and allowed the public to submit issues, the result would have been better. Heck, all laws should be written this way.

Some Tips

There is a classic saying well known amongst grey-bearded hackers: “If you don’t want it known, don’t use the phone”. You should firstly assume that whatever you’re doing on the Internet, someone is watching it. If you want to protect your data you should encrypt it, and secure your computer against unauthorized spying. Visit ssd.eff.org for a lot of excellent tutorials on how to achieve this.

This Post is a Work In Progress

The consequences and fallout of the GDPR are still unfolding. I will be updating this post as I find more things to complain about which would surely have been caught if they’d spent a bit more time on the bill.

Encryption, PGP and Keybase.io

Privacy matters. Encryption matters.

Everyone has heard that the United States government is spying on you. They probably aren’t the only ones. If you aren’t concerned that strangers are reading your emails and instant messages and tracking your browsing history, you really, really should be.

A strong encryption solution for online privacy has existed since 1991, when PGP was invented. A lot of people think that public-key (key-pair) encryption, the building block of end-to-end encryption, is really complicated or technical, but it isn’t.

How it works

You have two keys: a PRIVATE KEY and a PUBLIC KEY. Your PRIVATE KEY is kept private, and you give your PUBLIC KEY to the world. The two are mathematically linked, but knowing the PUBLIC KEY does not let anyone work out the PRIVATE KEY.

Receiving encrypted files & emails

When someone wants to send you an encrypted message or file, they encrypt it using your PUBLIC KEY. You decrypt it with your PRIVATE KEY.

Sending encrypted files & emails

When you want to send someone else an encrypted message or file, you encrypt it using their PUBLIC KEY and the other person decrypts it using their PRIVATE KEY.

The Trust Issue

There is another consideration: how do you know that the PUBLIC KEY which claims to be from john.doe@example.com actually belongs to Mr. Doe? In the past the method was to create a “web of trust”. John would personally give you his PUBLIC KEY (or you would compare its fingerprint with him face to face), and you would digitally sign it using your key. Then when John gives his PUBLIC KEY to someone else, they can see that you have vouched for its authenticity. The problem with this is that everyone needs to do it. This has been one of the greatest hurdles in the adoption of key-pair encryption.
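The key-pair mechanics described above (encrypt with the recipient’s PUBLIC KEY, decrypt with the matching PRIVATE KEY) and the web-of-trust step of signing someone else’s key to vouch for it, as an added, stdlib-only Python example. This is not code from the original post, from PGP or from Keybase. It uses textbook RSA with no padding and a deliberately small 512-bit modulus so the arithmetic stays visible; treat it as an illustration of the model, not as something to encrypt real mail with (real PGP uses padding, hybrid encryption and 2048-bit or larger keys). The key size, the uid string, the 0x01 length-marker byte and the fingerprint format are assumptions made for the example.

```python
# Added example (not the post's, PGP's or Keybase's code): public-key
# encryption and key certification from scratch, using textbook RSA.
# ASSUMPTION: 512-bit keys and no padding, chosen for readability only.
import hashlib
import secrets

SMALL_PRIMES = [2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37]


def is_probable_prime(n: int, rounds: int = 24) -> bool:
    """Miller-Rabin probabilistic primality test."""
    if n < 2:
        return False
    for p in SMALL_PRIMES:
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def random_prime(bits: int) -> int:
    """Random odd prime with the top bit set so p*q has the intended size."""
    while True:
        candidate = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(candidate):
            return candidate


def modinv(a: int, m: int) -> int:
    """Modular inverse of a mod m via extended Euclid (a, m coprime)."""
    r0, r1, s0, s1 = a, m, 1, 0
    while r1:
        q = r0 // r1
        r0, r1 = r1, r0 - q * r1
        s0, s1 = s1, s0 - q * s1
    assert r0 == 1, "not coprime"
    return s0 % m


def generate_keypair(bits: int = 512):
    """Return (PUBLIC KEY, PRIVATE KEY). Publish the first, guard the second."""
    e = 65537
    while True:
        p, q = random_prime(bits // 2), random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e != 0:  # e is prime, so this means gcd(e, phi) == 1
            break
    n = p * q
    return {"n": n, "e": e}, {"n": n, "d": modinv(e, phi)}


def encrypt(public_key: dict, message: bytes) -> int:
    """Anyone can run this with the PUBLIC KEY; only the PRIVATE KEY reverses it.
    A leading 0x01 byte (an assumption of this example) keeps leading NULs intact."""
    m = int.from_bytes(b"\x01" + message, "big")
    if m >= public_key["n"]:
        raise ValueError("message too long for this modulus; real systems use hybrid encryption")
    return pow(m, public_key["e"], public_key["n"])


def decrypt(private_key: dict, ciphertext: int) -> bytes:
    m = pow(ciphertext, private_key["d"], private_key["n"])
    return m.to_bytes((m.bit_length() + 7) // 8, "big")[1:]


def fingerprint(public_key: dict) -> str:
    """Short hash of the public key; this is what you compare in person."""
    return hashlib.sha256(f"{public_key['n']}:{public_key['e']}".encode()).hexdigest()[:40]


def sign(private_key: dict, data: bytes) -> int:
    h = int.from_bytes(hashlib.sha256(data).digest(), "big")
    return pow(h, private_key["d"], private_key["n"])


def verify(public_key: dict, data: bytes, signature: int) -> bool:
    h = int.from_bytes(hashlib.sha256(data).digest(), "big")
    return pow(signature, public_key["e"], public_key["n"]) == h


def certify_key(signer_private: dict, subject_public: dict, uid: str) -> dict:
    """Web of trust: vouch that `uid` really owns `subject_public` by signing uid+fingerprint."""
    fp = fingerprint(subject_public)
    return {"uid": uid, "fingerprint": fp, "sig": sign(signer_private, f"{uid}|{fp}".encode())}


def check_certification(signer_public: dict, subject_public: dict, cert: dict) -> bool:
    """True only if the signer vouched for exactly this key under this uid."""
    if cert["fingerprint"] != fingerprint(subject_public):
        return False
    return verify(signer_public, f"{cert['uid']}|{cert['fingerprint']}".encode(), cert["sig"])


if __name__ == "__main__":
    my_pub, my_priv = generate_keypair()
    john_pub, john_priv = generate_keypair()
    ct = encrypt(john_pub, b"meet at noon")          # sending: John's PUBLIC KEY
    assert decrypt(john_priv, ct) == b"meet at noon"  # receiving: John's PRIVATE KEY
    cert = certify_key(my_priv, john_pub, "john.doe@example.com")  # after checking his fingerprint
    print("John's fingerprint:", fingerprint(john_pub))
    print("certification valid:", check_certification(my_pub, john_pub, cert))
```

The point of check_certification refusing a mismatched fingerprint is that it catches exactly the impersonation the web of trust exists for: a key that merely claims to be john.doe@example.com, but that nobody you already trust has signed, stays unverified. The signature only attests to the face-to-face fingerprint comparison; it cannot manufacture that trust on its own.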

Enter Keybase.io

The clever folks at Keybase.io have found a solution. Their service allows you to connect your PUBLIC KEY with various online identities, such as Twitter and Reddit, or websites which you control, by posting a signed proof from each of them. Those accounts are considered trustworthy because we use them every day to communicate with our family, friends, and colleagues; what the proofs establish is that whoever holds the key also controls those accounts. This service practically solves the trust issue, eliminating the necessity for the “web of trust”.

Keybase.io will also help you with the creation of a key pair, which simplifies and standardizes the process for a lot of people. Keybase.io also generates separate key pairs for each device that you use, be it a smart phone, a laptop or a desktop. If you stop using a particular device (for example if your smart phone is lost or stolen) you can revoke the keys for that device, preventing someone from using it to impersonate you, without having to destroy your original PRIVATE KEY.

The Future, Transparency and Ease-of-Use

Encryption is the future. It is the future because the alternatives are too horrifying to live with, which is why we have books and movies like 1984 and The Matrix warning us about them years in advance. Privacy is sacred, and as a race human beings are going to embrace it, whether the government likes it or not (they really don’t like it). There have been technical hurdles to overcome, but with open-source projects like Keybase.io, I am confident that the future of privacy looks bright.