HN

Need help?
<- Back
Privacy doesn't mean anything anymore, anonymity does

Privacy doesn't mean anything anymore, anonymity does

ybceo

Comments (171)

  • dtj1123
    The onion link for the site appears to be broken.
  • snakepit
    In many ways, we're past the point of no return. So-called ubiquitous technical surveillance is largely the norm, often encroaching by design beyond the boundaries of expected decency.Informational terrorism, a dysphemism that describes the manner by which certain data is abused to "re-rank content" for a "personalized experience," is encoded into the DNA of certain large tech companies.
  • mk89
    At first I thought it was a blog. No, this is a company. So, their privacy page (https://servury.com/privacy/):> Server Logs > Like all web services, our servers may log: > IP addresses of visitors > Request timestamps > User agent strings > These logs are used for security and debugging purposes and are not linked to your account.That's already a huge breach in comparison to mullvad privacy page. (https://mullvad.net/en/help/no-logging-data-policy)
  • serial_dev
    I know it’s a different context, but with this catchy title, I can’t resist pointing out that anonymity also doesn’t mean anything.You can have cryptocurrencies in your wallet, (on most chains) you are anonymous but have no privacy, your transaction history can be accessed by anyone.It’s all fine and dandy, you can enjoy your anonymity, about as long as you make your first transaction.You might be anonymous, but basically you hand over your full transaction history and balance anytime you pay for a coffee or tshirt.
  • jrm4
    Thank you, op, for bringing sanity to this whole thing.Relatedly, this is why I think every "new" social media service that isn't Mastodon is barking up the most wrong tree with "take everything with you," you're essentially helping to build an even harder to erase social history.Mastodon's individual server model, like email's, is better PRECISELY because each node is a point of "failure." That makes erasure easier. Which is good.
  • o999
    @ybceo As long as you use Cloudflare to verify users [fingerprints] and traffic between users and your service is decrypted at Cloudflare side, I am afraid it difficult to take these anonymity claims seriously.Please do not to rely on fingerprinters or CDNs that does TLS-termination for you.
  • bfkwlfkjf
    Speaking of mullvad. I recently learned about mullvad browser, which is basically tor browser minus connecting via the your network. This is interesting because the tor project has put the most effort into fingerprinting resistance. If you care about privacy and you have a customized browser, you're likely uniquely finger printable [1]. If you don't want to connect via tor, there's no excuse not to use the mullvad browser. (Doesn't require you to use mullvad VPN; comes with the mullvad plugin, disabled by default, to optionally use mullvad encrypted DNS. Last point, I wrote to the tor project and asked "is it possible to use tor browser minus tor network", and they responded "that's the mullvad browser", so this isn't just my recommendation)[1] https://coveryourtracks.eff.org
  • made3
    "Please unblock challenges.cloudflare.com to proceed."talk about anonymity but uses cloudflare. you threw away your tls and allow cloudflare to sit in the middle of the user and your web page. you're a hypocrite.
  • al_borland
    Any business that isn’t willing to be as anonymous as Mullvad, I assume has a compromised business model that I don’t really like. Assuming there aren’t obvious reasons for needing the data, like tax filing, or various regulatory requirements.I don’t understand why any company would want the liability of holding on to any personal data if it wasn’t vital to the operations of the business, considering all the data breaches we’ve seen over the past decade or so. It also means they can avoid all the lawyers writing complicated and confusing privacy policies, or cookie approval pop-ups.
  • theturtletalks
    What scares me is that the more privacy oriented you are, the easier you are to fingerprint. At what point does privacy mean blending in with the crowd and not sticking out?
  • ____mr____
    > Stripe customer ID and payment method ID Wouldnt this information allow for the authorities to just go to Stripe and ask the relevant information there? Sure, you don't store exact personally identifying info, but you store a breadcrumb that can lead whoever has the power to request that information to trace back to the end user
  • AnthonyMouse
    This seems like the wrong end of the system to fix the problem. Someone saying "we don't log your IP address" isn't something you can easily verify, so the promise doesn't mean much because if they suck they're just going to lie about it.What you need instead is to make it easy and common for people to use browsers that resist fingerprinting, VPNs/Tor, custom email addresses per-account, etc. Because then instead of claiming to not log your information, they simply do not have it.The biggest thing we need is a better way to pay someone over the internet without them knowing who you are.
  • jacquesm
    There is no such thing as anonymity. With the number of bits required to ID a person and the fact that you are leaking such bits all the time you can simply forget about anonymity.Many people online seem to think that they are anonymous and so were emboldened to do stuff that they might not have done if they had realized this. They continued to feel extremely good at this right up until the knock on the door.
  • gruez
    >Here's how the average "privacy-focused" service actually works:> ...>5. Confirm identity for "fraud prevention" (now we have your ID)I can't tell whether OP is being hyperbolic but it's certainly not representative of the average "privacy-focused" service I've came across. The typical service only asks for an email and maybe billing information (can be prepaid card or crypto). The only exception is protonmail, which might require SMS verification[1], but given the problem of email spam I'm sympathetic, and it's bypassble by paying. It's certainly not the "average" service, and no service asked to "Confirm identity".[1] https://proton.me/support/human-verification
  • duskdozer
    Maybe ironically - just going on the title because I can't read the rest as a result - it's behind a cloudflare gate.
  • CalRobert
    Sadly, everybody using a browser from a massive ad company and an idp (not to mention a company with an interest in crawling the entire web for AI at the same time site owners are dealing with better scrapers) means the entire web will be login-only over time.
  • titzer
    > If you use our servers for illegal activity, law enforcement can still investigate. They just can't start with "who owns this account" because we can't answer that question.You're going to have a tussle with law enforcement, and you're going to lose. Your service will last < 2 years because you will not be able to afford the lawyers you need to defend against even one muscle move by the government.Good luck!
  • mnls
    According to article, the whole authorization system is flawed. But we haven’t invent a new one and the one we’ve got never meant to be private, it is just a way to separate users from each other. We need something unique, a "primary key" for our DB, and that’s email or phone or username that has to be stored somewhere. A server, someone else’s computer, call it what you want. It has good privacy between users, but the admin can see everything, because otherwise management of the service would be impossible.There is no anonymity, there is always someone you have to trust in the chain of WAN networking (DNS,ISP,VPN). If you want anonymity and privacy, you selfhost (examining the code is also a prerequisite). There is no other way to do it.
  • bilsbie
    I’m fine with no account recovery but they would definitely need a major warning about that at sign up time so users can take extra care to save their info.
  • basket_horse
    The problem with this in our current society is that staying anonymous becomes your whole identity. I have a friend who for the longest time didn’t use Venmo, Uber, etc. because of privacy reasons, but the lifestyle was just not sustainable. Ultimately convenience killed privacy.
  • eleveriven
    Even if you don't want to live entirely on the anonymous web, it's useful to see how many products claim privacy while being structurally incapable of delivering it
  • hiAndrewQuinn
    So my understanding is, what Mullvad is to VPNs, and what Tarsnap is to S3 (kinda), Servury is to entire VMs. It's a prepaid model, you get an account identifier, and that's basically it.This is very cool. I have wondered for a very long time why such a site does not exist. What pops to mind is that you could get better unit economics reselling really small VMs to the privacy obsessed. I know some netizens who would pay a dollar a month for, say, a tiny NetBSD VM and 64 MB of RAM to serve their tiny static demoscene website of yore. There are some real wizards of there.Not sure if that's in your roadmap but definitely something to consider in this space.
  • qwertyuiop12
    the only way is “anonymity by design”. history showed us that “don’t be evil” does not work if the entity can change its mind unilaterally.be confident that the service is not keeping logs? JÁ!
  • DerSaidin
    One difference with Mullvad is VPN traffic is ephemeral. Here, a VPS has a persistent disk attached, that could contain identifying information (if it is necessary to do useful work).
  • BloondAndDoom
    I don’t know what’s wrong with these comments. This is the kind of smart design we want to see and everyone is doing nitpicking.Can we have just better things or are we going to reject everything that’s not perfect and by doing so concede the whole point and just give up?Well done OP for the right approach and your business. This has always been my design (when possible) to approach data security. When you don’t have data you don’t have to worry about its security.Best of luck, ignore the naysayers.
  • nilslindemann
    And, also not very funny, those corps never tell in advance which data they "require". They grab my mail on "the first page" of the registration form. Then, on "the second page", they ask for my phone and my address. Should I decide to agree to this, they will finally tell me on "the third page", that they only support credit card, no PayPal, no direct payment via Bank ...
  • bitbasher
    It's a bit ironic the page is protected by Cloudflare. So, all of our traffic is going through some other company to log and track before it gets to you, eh?
  • pogue
    Glad I had to do a Cloudflare turnstile captcha to see this page
  • Prunkton
    What I was wondering after reading the article: How does Mulvad actually decouple banking data from the account ID? Or is it as simple as verify transaction once but never log?
  • austin-cheney
    I would much rather have privacy with e2e encryption than have anonymity. The way that works is a direct connection between two parties without use of a central server, like webRTC.
  • joemazerino
    I like the idea of this but I'm a certain this article is AI generated.
  • sloppppp
    This was authored using an LLM, wasn't it. The style is unmistakable. Stop wasting our time with this slop.
  • undeniablemess
    AI generated article. What a slop.
  • specialist
    > "privacy" has become the most abused word in techIdeally, an argument about privacy would start with its notion of privacy.https://en.wikipedia.org/wiki/Privacy#Conceptions_of_privacy
  • armchairhacker
    tl;dr “Privacy” = the data is private i.e. only on your devices. Or if the raw data is public but encrypted and the key is private, I think that qualifies.“Anonymity” = the data is public but not linked to its owner’s identity.If you’re sharing your data with a website (e.g. storing it unencrypted), but they promise not to leak it, the data is only “private” between you and them…which doesn’t mean much, because they may not (and sometimes cannot) keep that promise. But if the website doesn’t attribute the data except to a randomly-generated identifier (or e.g. RSA public key), the data is anonymous. That’s the article.Although a server does provide real privacy if it stores user data encrypted and doesn’t store the key, and you can verify this if you have the client’s unobfuscated source.Also note that anonymity is less secure than privacy because the information provides clues to the owner. e.g. if it’s a detailed report on a niche topic with a specific bias and one person is known to be super interested in that topic with that bias, or if it contains parts of the owner’s PII. But it’s much better than nothing.
  • guuger
    Europe is currently being tormented by this exact contradiction: on one hand, it has the GDPR—the world's strictest privacy law, supposedly protecting personal data; on the other, a flood of new regulations under the banners of "child safety," "counter-terrorism," and "anti-money laundering" are systematically strangling real anonymity.
  • photon_garden
    > That's not privacy. That's performance art.Smells like it was written by an LLM so I stopped reading.
  • vpribish
    hyperbolic.anonymity in your product could be a sensible design choice that your customers could value. fine. go nuts.but in general? hard disagree. anonymity is fragile and can't be guaranteed, privacy is a legal obligation which can actually be enforced if push comes to shove.also that page reads like slop : it's not X, it's Y. blah blah blah. this is a marketing piece trying to go viral.
  • bobbyschmidd
    it's 2025. chances are you had peeps in class/uni who are now in the Stasi networks of informants and/or in some more or less obscure agency or more or less related private company so your anonymity only works from birth and even then only if you are lucky or your family "gets it" and has resources and brains beyond.some people believe supply chain attacks are rare and hard to pull off and expensive and only valuable in extreme cases but if you ever worked at a local delivery service or pharmacy or something other where people and the necessary machines are being aggregated in some basements or even backrooms for all use cases from all times for wholesale forgery and fiddling with people, you know that the situation is ugly, not bad. throw in the many coders, network engineers and hardware specialists with ties to above entities and bombaclat, Jahmunkey, we fucked!#TheEconomicsOfPunchedDrugs #Automation #DataAnalysis #SituationalAssessment #HeyIsThatATurdNuggetAtTheTopOfThatPyramid
  • metalman
    "privacy" or not sharing your space with a creepy room mate, and reading the internet without adds ar3 parallelrunning three flavors of the same off brand browser, each optimised for different segments of online content is what seems to be the minimum.they are so desperate to sell me something, (a truck) that it's wild, as it is one of the few monitisable things I consistently look for (parts, service procedures), the , pause, when I do certain searches gives me time to predict that yes, the machinery is grinding hard, and will ,shortly, triumphantly, produce, a ,truck.
  • vladyslavfox
    > Privacy is Marketing. Anonymity is Architecture.But in order to read the article you need to enable JS. What a joke.
  • derelicta
    Good luck guys, you will surely attract the attention of Feds very quickly.
  • fithisux
    Is this a joke?
  • zwnow
    How tf are you supposed to provide working authentication without storing the email somewhere? Should i just disable password resets and tell the users to fuck off if they forget theirs? Cant even use passkeys as they make users identifiable too.
  • 123sereusername
    [dead]
  • udev4096
    [dead]
  • anal_reactor
    The battle on privacy/anonymity/whatever is lost. Get over it. What we need is a new social paradigm where everyone is happy despite the lack of privacy.
  • p4bl0
    The very premise is false, privacy does mean something, and anonymity doesn't really exists. This is an advertisement.
  • mnw21cam
    Apparently neither does spelling. "anymore" -> "any more"