Privacy

A community all about privacy and protecting your data.

cross-posted from: https://lemmy.today/post/25826615

For those not familiar, there are numerous messages containing images being repeatedly spammed to many Threadiverse users talking about a Polish girl named "Nicole". This has been ongoing for some time now.

Lemmy permits external inline image references to be embedded in messages. This means that if a unique image URL or set of image URLs is sent to each user, it's possible to log the IP addresses that fetch these images; by analyzing the log, one can determine the IP address that a user has.

In some earlier discussion, someone had claimed that local lemmy instances cache these on their local pict-rs instance and rewrite messages to reference the local image.

It does appear that there is a closed issue on the lemmy issue tracker referencing such a deanonymization attack:

https://github.com/LemmyNet/lemmy/issues/1036

I had not looked into these earlier, but it looks like such rewriting and caching intending to avoid this attack is not occurring, at least on my home instance. I hadn't looked until the most-recent message, but the image embedded here is indeed remote:

https://lemmy.doesnotexist.club/pictrs/image/323899d9-79dd-4670-8cf9-f6d008c37e79.png

I haven't stored and looked through a list of these, but as I recall, the user sending them is bouncing around different instances. They certainly are not using the same hostname for their lemmy instance as the pict-rs instance; this message was sent from nicole92 on lemmy.latinlok.com, though the image is hosted on lemmy.doesnotexist.club. I don't know whether they are moving around where the pict-rs instance is located from message to message. If not, it might be possible to block the pict-rs instance in your browser. That will only be a temporary fix, since I see no reason that they couldn't also be moving the hostname on the pict-rs instance.

Another mitigation would be to route one's client software or browser through a VPN.

I don't know if there are admins working on addressing the issue; I'd assume so, but I wanted to at least mention that there might be privacy implications to other users.

In any event, regardless of whether the "Nicole" spammer is aiming to deanonymize users, as things stand, it does appear that someone could do so.

My own take is that the best fix here on the lemmy-and-other-Threadiverse-software-side would be to disable inline images in messages. Someone who wants to reference an image can always link to an external image in a message, and permit a user to click through. But if remote inline image references can be used, there's no great way to prevent a user's IP address from being exposed.

If anyone has other suggestions to mitigate this (maybe a Greasemonkey snippet to require a click to load inline images as a patch for the lemmy Web UI?), I'm all ears.
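One shape the click-to-load userscript asked for above could take, added here as an example and not code from the post or from the Lemmy project: it swaps every inline image whose host differs from the instance you are reading for a button, so no request goes to a third-party host until you click. The `@match` host is a placeholder you set to your own instance; the only real hostnames used are the two the post names.

```javascript
// ==UserScript==
// @name         Lemmy: click to load remote inline images
// @match        https://YOUR-LEMMY-INSTANCE/*
// @run-at       document-start
// @grant        none
// ==/UserScript==
// (@match host above is a placeholder; set it to the instance you read.)

// True when an <img> src resolves to a host other than the page's own (the host
// that would learn the reader's IP); relative and data:/blob: URLs are kept.
function isRemoteImage(src, pageHost) {
  let url;
  try {
    url = new URL(src, 'https://' + pageHost + '/');
  } catch (e) {
    return false; // unparsable src: the browser will not fetch it either
  }
  if (url.protocol === 'data:' || url.protocol === 'blob:') return false;
  return url.host !== pageHost;
}

// Swap a remote <img> for a button; the URL is only requested after a click.
function deferImage(img) {
  const src = img.getAttribute('src') || '';
  if (img.dataset.deferred || !isRemoteImage(src, location.host)) return;
  img.dataset.deferred = src;
  img.removeAttribute('src');
  const button = document.createElement('button');
  button.textContent = 'Load remote image from ' + new URL(src, location.href).host;
  button.addEventListener('click', () => {
    img.setAttribute('src', img.dataset.deferred);
    button.replaceWith(img);
  });
  img.replaceWith(button);
}

// Lemmy's UI renders posts client-side, so watch for <img> nodes as they appear.
if (typeof document !== 'undefined') {
  const sweep = (root) => root.querySelectorAll('img[src]').forEach(deferImage);
  new MutationObserver((records) => {
    for (const record of records) {
      for (const node of record.addedNodes) {
        if (node.nodeType !== Node.ELEMENT_NODE) continue;
        if (node.matches('img[src]')) deferImage(node); else sweep(node);
      }
    }
  }).observe(document, { childList: true, subtree: true });
  sweep(document);
}
```

Removing `src` after the element is already in the document cannot guarantee the browser never queued the request, so treat this as the stopgap the post describes; the reliable fix is the instance caching images through its own pict-rs, or a content-blocker rule for the image host.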

Blur Your House On Google (support.google.com)
submitted 2 months ago by 0x7466 to c/privacy

In case you ever wanted to blur your house from Google Street View, you can. A little privacy, I suppose; it's pretty easy. You don't need a reason to do it. This is probably the only thing Google lets you opt out of, which is cool.

Originally posted on Reddit

cross-posted from: https://programming.dev/post/26984046

  • All analyzed AI chatbot apps collect some form of user data. The average number of collected types of data is 11 out of a possible 35 for the analyzed apps. 40% of the apps collect users' locations. Additionally, 30% of these apps track user data. Tracking refers to linking user or device data collected from the app with third-party data for targeted advertising or advertising measurement purposes or sharing it with a data broker.
  • Google Gemini collects the most information, gathering 22 out of 35 possible data types. This includes precise location data, which only Gemini, Copilot, and Perplexity collect. Gemini also collects a significant amount of data across various other categories, such as contact info (name, email address, phone number, etc.), user content, contacts (such as a list of contacts in the user’s phone), search history, browsing history, and several other types of data. This extensive data collection may be seen as excessive and intrusive by those concerned about data privacy and security.
  • ChatGPT collects 10 types of data, such as contact information, user content, identifiers, usage data, and diagnostics, while avoiding tracking data or using third-party advertising within the app. While ChatGPT collects chat history, it is possible to use temporary chats, which auto-delete all data after 30 days, or to request the removal of personal data from training sets. Overall, ChatGPT collects slightly fewer types of data than some other analyzed apps, but users should still review the privacy policy to understand how this data is used and protected.
  • Copilot, Poe, and Jasper are the three apps that collect data used to track you. This data could be sold to data brokers or used to display targeted advertisements in your app¹. While Copilot and Poe only collect device IDs, Jasper collects device IDs, product interaction data, advertising data, and other usage data, which refers to “any other data about user activity in the app”.
  • DeepSeek's data collection practices stand comfortably in the middle ground among other AI chatbot apps. DeepSeek collects 11 unique types of data, such as user input, including chat history, and claims to retain information for as long as necessary, storing it on servers located in the People's Republic of China.
  • Don't let your guard down, as chats stored on servers are always at risk of being breached. According to The Hacker News, DeepSeek has already experienced a breach where more than 1 million records of chat history, API keys, and other information were leaked. It is generally a good idea to be mindful of the information provided.

cross-posted from: https://lemmy.ml/post/27209720

I bought a Garmin Forerunner 255 watch that I want to use only with Gadgetbridge. There is an old software version on the watch, and I want to update it without connecting it to the Garmin Connect or Garmin Express app.

I have looked for the possibility to do an “offline” update but have not found it. Maybe the community will help?
