this post was submitted on 07 Jan 2025
1 points (100.0% liked)

Privacy

6 readers
8 users here now

Everything about privacy (the confidentiality pillar of security) -- but not restricted to infosec. Offline privacy is also relevant here.

founded 1 year ago
MODERATORS
ciferecaNinjo@fedia.io
1
I'm checking out various "personal knowledge management" tools in a sandbox to see if it be an upgrade my ragtag collection of text file-based notes. (fedia.io)
submitted 2 months ago by loadhigh@bitbang.social to c/privacy@fedia.io
32 comments fedilink hide all child comments
 

I'm checking out various "personal knowledge management" tools in a sandbox to see if it be an upgrade my ragtag collection of text file-based notes.

First candidate is #Logseq, supposedly "privacy-first".

How #privacy friendly is something based on Electron (aka Chrome)? Debatable, but then they also do this:

  1. Have "Send usage data" on by default
  2. Start with an example page that embeds a YouTube video, and accepts all cookies

tcpdump and mitmproxy go wild when starting the program.

Shows that the "Send usage data and diagnostics to Logseq" setting is enabled by default.
Shows the services being contacted by Logseq over HTTPS right after starting it for the first time. Hosts that are being contact: www.youtube.com, googleads.g.doubleclick.net, jnn-pa-googleapis.com, play.google.com, app.posthog.com, o416451.ingest.sentry.io

you are viewing a single comment's thread
view the rest of the comments
[–] loadhigh@bitbang.social 1 points 2 months ago (23 children)

Next up is #Obsidian, a tool I'm hesitant to consider because of the developers' view on open source. Hence, the source is not available except the obfuscated JavaScript that's ran by Electron.

Despite that, Obsidian itself only does a version check (which can be disabled) and starts in "restricted mode" by default, which disallows third-party plugins (but does still embed external content when asked to.)

There's some phoning home by Chrome but far less than with Logseq.

Color me surprised.

The program defaults to "restricted mode." "Would you like to exit Restricted Mode to enable community plugins? We strongly recommend making backups of your data before doing so."

[–] loadhigh@bitbang.social 1 points 2 months ago (13 children)

Candidate number 3, #Anytype, is a whole different beast conceptually. More than a Markdown editor, it's a database consisting of all kinds of document "objects" and templates (Notion-like, I'm told)

I don't have enough characters (500 is the limit on this instance...) to describe my surprise and disappointment about the difference between how they present themselves versus reality, so this will be multiple posts.

The attached pictures are a collage of my expectations for Anytype.

1/n

On the left: "Enjoy true privacy" On the right: "Nobody can see what's in your vault, except for you Local, on-device encryption. Only you have encryption keys"
image/png

[–] loadhigh@bitbang.social 1 points 2 months ago* (last edited 2 months ago) (12 children)

Reality: everything you do in the program is being tracked and there is *no opt-out*.

The program records all your actions and sends them every few minutes to Amplitude, a commercial analytics company.

Deep down in the documentation this is mentioned, but there is no consent or even a mention in the program itself or in the privacy policy.

It also communicates constantly with a few AWS EC2 instances, presumably the IPFS nodes it uses to backup your (encrypted) vault of documents.

2/n

[–] loadhigh@bitbang.social 1 points 1 month ago

Correction: it is mentioned in a privacy policy, but not the first one you get to. You have to click through to the second privacy policy.

https://anytype.io/app_privacy

load more comments (11 replies)
load more comments (11 replies)
load more comments (20 replies)