this post was submitted on 07 Jan 2025

Privacy


Everything about privacy (the confidentiality pillar of security) -- but not restricted to infosec. Offline privacy is also relevant here.


I'm checking out various "personal knowledge management" tools in a sandbox to see if one would be an upgrade over my ragtag collection of text file-based notes.

First candidate is #Logseq, supposedly "privacy-first".

How #privacy friendly is something based on Electron (aka Chrome)? Debatable, but then they also do this:

  1. Have "Send usage data" on by default
  2. Start with an example page that embeds a YouTube video, and accepts all cookies

tcpdump and mitmproxy go wild when starting the program.

Screenshot: shows that the "Send usage data and diagnostics to Logseq" setting is enabled by default.
Screenshot: shows the services being contacted by Logseq over HTTPS right after starting it for the first time. Hosts that are being contacted: www.youtube.com, googleads.g.doubleclick.net, jnn-pa-googleapis.com, play.google.com, app.posthog.com, o416451.ingest.sentry.io
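The host list above comes from watching the first start with tcpdump and mitmproxy. The following is an added example, not code from the original post or from Logseq: it reproduces the passive half of that check by pulling the server_name (SNI) out of each TLS ClientHello in a capture, so you get the list of contacted hosts without a man-in-the-middle certificate, and then matches each host against a classification table. Assumptions: you already have the client-to-server TCP payloads (reading the pcap is left to your own tooling), TRACKER_SUFFIXES is an assumed table built from the hosts named in the post, and build_client_hello() only constructs test vectors. Caveat: connections using Encrypted ClientHello or QUIC will not show up this way, and an unclassified host is not automatically harmless.

```python
"""Passive host inventory from TLS ClientHello SNI, plus a tracker classifier.

Added example, not code from the original post. Assumes you captured the app's
first start with tcpdump and can hand parse_sni() the TCP payload of each
client-to-server segment. TRACKER_SUFFIXES is an assumed table built from the
hosts the post observed; build_client_hello() only constructs test vectors.
"""
import struct

# Assumed classification table: registrable suffix -> what that endpoint is for.
TRACKER_SUFFIXES = {
    "sentry.io": "crash/error reporting",
    "posthog.com": "product analytics",
    "amplitude.com": "product analytics",
    "google-analytics.com": "web analytics",
    "googletagmanager.com": "tag manager",
    "doubleclick.net": "advertising",
    "youtube.com": "embedded media",
}


def parse_sni(payload: bytes):
    """Return the server_name from a TLS ClientHello record, or None.

    Expects the first client-to-server segment of a TLS connection (record
    type 0x16, handshake type 0x01). Anything else, or a truncated record,
    yields None instead of raising.
    """
    try:
        if len(payload) < 5 or payload[0] != 0x16:
            return None
        rec_len = struct.unpack("!H", payload[3:5])[0]
        hs = payload[5:5 + rec_len]
        if hs[0] != 0x01:
            return None
        body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
        pos = 2 + 32                                            # client_version + random
        pos += 1 + body[pos]                                    # session_id
        pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]    # cipher_suites
        pos += 1 + body[pos]                                    # compression_methods
        ext_end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= ext_end:
            ext_type, ext_len = struct.unpack("!HH", body[pos:pos + 4])
            ext = body[pos + 4:pos + 4 + ext_len]
            pos += 4 + ext_len
            if ext_type != 0x0000:                              # 0 = server_name
                continue
            p = 2                                               # skip server_name_list length
            while p + 3 <= len(ext):
                name_type = ext[p]
                name_len = struct.unpack("!H", ext[p + 1:p + 3])[0]
                if name_type == 0:                              # host_name
                    return ext[p + 3:p + 3 + name_len].decode("ascii", "replace")
                p += 3 + name_len
    except (IndexError, struct.error):
        return None
    return None


def classify(host: str):
    """Match host against TRACKER_SUFFIXES by registrable suffix; None if unknown."""
    labels = host.lower().split(".")
    for i in range(len(labels) - 1):
        hit = TRACKER_SUFFIXES.get(".".join(labels[i:]))
        if hit:
            return hit
    return None


def inventory(segments):
    """Map every distinct SNI seen in the segments to its classification."""
    seen = {}
    for seg in segments:
        host = parse_sni(seg)
        if host and host not in seen:
            seen[host] = classify(host) or "unclassified"
    return seen


def build_client_hello(server_name: str) -> bytes:
    """Construct a minimal ClientHello carrying an SNI extension (test vector only)."""
    name = server_name.encode("ascii")
    entry = b"\x00" + struct.pack("!H", len(name)) + name       # host_name entry
    sni = struct.pack("!H", len(entry)) + entry                  # server_name_list
    exts = struct.pack("!HH", 0x0000, len(sni)) + sni
    body = (b"\x03\x03" + bytes(32)                              # version, random
            + b"\x00"                                            # empty session_id
            + struct.pack("!H", 2) + b"\x13\x01"                 # one cipher suite
            + b"\x01\x00"                                        # null compression only
            + struct.pack("!H", len(exts)) + exts)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs


# Constructed sample: the hosts the post saw Logseq contact, plus a non-TLS segment.
SAMPLE_SEGMENTS = [build_client_hello(h) for h in (
    "www.youtube.com", "googleads.g.doubleclick.net", "play.google.com",
    "app.posthog.com", "o416451.ingest.sentry.io",
)] + [b"GET / HTTP/1.1\r\nHost: example.invalid\r\n\r\n"]

if __name__ == "__main__":
    for host, kind in inventory(SAMPLE_SEGMENTS).items():
        print(f"{host:32} {kind}")
```

Feed real segments from your capture instead of SAMPLE_SEGMENTS; play.google.com comes out as "unclassified" because the table only names endpoints whose purpose is known, which is exactly the kind of host you still have to look at by hand.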

[–] loadhigh@bitbang.social 1 points 2 months ago (1 children)

Even when turning "Send usage data" off, Sentry is being contacted each time I switch to another note, until I restart the program.

Not the hugest deal but it suggests to me that privacy is not what has the highest priority at this VC-backed company.

[–] tal@mastodon.social 1 points 2 months ago (1 children)

@loadhigh just in case you're not aware, the current release of LogSeq is pretty much abandoned. They've been developing a database version for the last year+ that's now in beta, I think. (I have not looked into the privacy claims or facts about that version though)

[–] loadhigh@bitbang.social 1 points 2 months ago

@tal@mastodon.social Interesting, I didn't know that. Logseq has quite a following so odd of them to go for a full rewrite.

But I guess that's a luxury you can afford with $4.1 million :P

[–] lunarloony@dosgame.club 1 points 2 months ago

@loadhigh@bitbang.social I've been trying to solve this issue myself for a while, and the conclusion I came to last time was that for every positive feature in a given application, there were at least two important parts missing.

(Spoilers, I ended up with Joplin even though I'm not super thrilled about it, but I just wanted a solution dangit)

[–] Brett_E_Carlock@mastodon.online 1 points 2 months ago (1 children)

@loadhigh@bitbang.social
Not sure you have a NextCloud to work with, but my current solution to a similar dilemma was a personal NC+Iotas on Linux.

[–] loadhigh@bitbang.social 1 points 2 months ago (1 children)

@Brett_E_Carlock@mastodon.online Ah, no, I never got around to setting up a NextCloud.

Does Iotas or NextCloud Notes have some way of organizing notes with tags or some other attributes?

[–] Brett_E_Carlock@mastodon.online 1 points 2 months ago (1 children)

@loadhigh@bitbang.social Ah, no, not really. I take it this is a firm requirement for how you manage your data?

There is a Category feature, but that maps to folder hierarchy on storage, and is mostly similar to OneNote's structure with Pages/Subpages, I think. Not terribly complex.

Items can't belong to multiple groups/categories.

I am wondering if maybe QOwnNotes might be more appropriate, which also has an optional NextCloud backend?

[–] loadhigh@bitbang.social 1 points 2 months ago (1 children)

@Brett_E_Carlock@mastodon.online
I currently have my text notes in a directory structure but I think/hope I can find them more easily if I can browse through them by tag or other attributes, and remove the need to decide each time which directory they fit in best.

I wish there was a "personal knowledge manager" that's a real, native application like QOwnNotes but it's Electron all the way down (so far, at least.)

[–] Brett_E_Carlock@mastodon.online 1 points 2 months ago

@loadhigh@bitbang.social
My top-level is really broad and I stick hashtags into the body of notes I need to find easily as NC Notes search is full-text and pretty nice, so far.

But yeah, proper tags would be way better but less portable/strict MarkDown 🤔

[–] skylark13@mastodon.gamedev.place 1 points 2 months ago

@loadhigh@bitbang.social I'll be following this thread because I'd like something not locked in to a large company... but one of my requirements is it needs to be usable by a non technical person (I use Markdown files for myself).

In the past I used:

  • Evernote but this had problems syncing changes when my gf and I edited the same note (huge deal breaker)
  • OneNote but this was replaced by Loop, I don't like that it's MS and it force-opens links in Edge but for now it's the least worse option I've found.
[–] loadhigh@bitbang.social 1 points 2 months ago (5 children)

Next up is #Obsidian, a tool I'm hesitant to consider because of the developers' view on open source. Hence, the source is not available except for the obfuscated JavaScript that's run by Electron.

Despite that, Obsidian itself only does a version check (which can be disabled) and starts in "restricted mode" by default, which disallows third-party plugins (but does still embed external content when asked to.)

There's some phoning home by Chrome but far less than with Logseq.

Color me surprised.

Screenshot: the program defaults to "restricted mode." "Would you like to exit Restricted Mode to enable community plugins? We strongly recommend making backups of your data before doing so."

[–] loadhigh@bitbang.social 1 points 2 months ago (1 children)

Funnily enough, when it comes to code by other people the developers do see the value of open source.

[–] kepano@mastodon.social 1 points 2 months ago

@loadhigh@bitbang.social fwiw the developers of Obsidian also produce open source projects

  • JSON Canvas (MIT): an open format for canvas data
  • Web Clipper (MIT): highlight and save content from the web to Markdown
  • Importer (MIT): convert proprietary formats to Markdown

and dozens of other open source projects under their own personal accounts

[–] loadhigh@bitbang.social 1 points 2 months ago (1 children)

When installing plugins all bets are off.

Loading dependencies from CDNs, doing their own version checks, or showing a YouTube video on install, the most popular Obsidian plugin (Excalidraw) does it all without asking.

[–] BreoganHackett@mastodon.gamedev.place 1 points 2 months ago (1 children)

@loadhigh@bitbang.social ooh hey, this thread seems really useful. Any plans to check out Anytype? Been eyeing it up as a replacement for Notion on my personal projects.

[–] loadhigh@bitbang.social 1 points 2 months ago (1 children)

@BreoganHackett@mastodon.gamedev.place Thanks!

Yes, Anytype is next. I played around with it yesterday (without monitoring it) but its complexity was both alluring and also a reason to check other tools, despite my (initial) distrust of them.

[–] BreoganHackett@mastodon.gamedev.place

@loadhigh@bitbang.social haha yeah, that makes sense. Look forward to reading your thoughts on it.

[–] jack@social.jacklinke.com 1 points 2 months ago (1 children)

@loadhigh@bitbang.social Huge fan of open source, but I do use Obsidian as my main notes tool these days. It's so pretty, just works, and while the core tooling isn't open, I have peace of mind that I can leave any time and move to any other text/markdown based tool.

That's a big win over other polished note-taking tools like Evernote, for instance.

I'd love to see open tools like Joplin get to the level of visual appeal Obsidian has.

[–] loadhigh@bitbang.social 1 points 2 months ago

@jack@social.jacklinke.com That's definitely a big plus for Obsidian (and the current version of Logseq.)

Anytype hides everything away in a database blob that can be somewhat exported, but when doing it in Markdown format the "relation" metadata (think Dataview) is lost, where with Obsidian Dataview's metadata is just there in the Markdown.

Despite the misgivings I had about Obsidian it's looking like a very good option indeed.

[–] loadhigh@bitbang.social 1 points 2 months ago (1 children)

Candidate number 3, #Anytype, is a whole different beast conceptually. More than a Markdown editor, it's a database consisting of all kinds of document "objects" and templates (Notion-like, I'm told)

I don't have enough characters (500 is the limit on this instance...) to describe my surprise and disappointment about the difference between how they present themselves versus reality, so this will be multiple posts.

The attached pictures are a collage of my expectations for Anytype.

1/n

Image: on the left, "Enjoy true privacy". On the right, "Nobody can see what's in your vault, except for you. Local, on-device encryption. Only you have encryption keys."

[–] loadhigh@bitbang.social 1 points 2 months ago* (last edited 2 months ago) (2 children)

Reality: everything you do in the program is being tracked and there is *no opt-out*.

The program records all your actions and sends them every few minutes to Amplitude, a commercial analytics company.

Deep down in the documentation this is mentioned, but there is no consent or even a mention in the program itself or in the privacy policy.

It also communicates constantly with a few AWS EC2 instances, presumably the IPFS nodes it uses to backup your (encrypted) vault of documents.

2/n

[–] loadhigh@bitbang.social 1 points 2 months ago* (last edited 2 months ago) (1 children)

So all your actions are being logged, fortunately (because who knows at this point) without the actual contents of what you type.

But everything else is there: did you add a page, did you click around, did you add some paragraphs of text. All neatly ordered, timestamped, and identified with a user and session ID.

There's also data about the machine you're using the app on.

Of course, being an Electron app, it also has Chrome phoning home. And there's a version check (cannot be disabled)

3/n

[–] loadhigh@bitbang.social 1 points 2 months ago (1 children)

That there is no opt-out for this nor a consent dialog or even a warning is unacceptable in my view.

For a company that likes to talk about trust they sure have no idea about how to gain it.

4/4

[–] loadhigh@bitbang.social 1 points 2 months ago* (last edited 2 months ago) (1 children)

Tested the fourth PKM: #SiYuan (https://b3log.org/siyuan/), which is pretty similar to Anytype feature-wise.

It's also a product that starts off with saying that it's "privacy-first", supported by what might be the world's shortest privacy policy, which clearly states: "Does not collect user personal information and usage data."

Unfortunately, the Google Analytics and Google Tag Manager scripts that are loaded on start are nowhere mentioned. No warning, no consent question, on by default.

1/n

[–] loadhigh@bitbang.social 1 points 2 months ago (3 children)

What data is being collected? Mostly details about your machine: OS (name, kernel version), CPU architecture, screen resolution, a unique identifier, but also what's in the title bar of the program window, which can be problematic.

You see, the title of the note you had open when you quit the program last is also in the title bar, which might contain personal information like someone's name, or the name of an illness you have that you are taking notes about.

2/n

[–] loadhigh@bitbang.social 1 points 2 months ago* (last edited 1 month ago) (2 children)

You might feel I'm nitpicking about a possible edge case here, but you are promised privacy.

Without sniffing the network traffic, or going through the source code, you have no idea that your note titles are being sent to Google Analytics. Even the opt-out toggle tells you that no user data is collected.

It's another example of a company (they sell premium services) using "privacy-first" as a buzzword instead of living by it as a guiding principle.

At least there is an opt-out, I guess.

3/3

[–] loadhigh@bitbang.social 1 points 1 month ago (1 children)

Ok then, number 5: the desktop version of #TiddlyWiki, #TiddlyDesktop.

The Chromium wrapper isn't as old as the wiki web software itself but still goes back to 2014.

Standard Chrome traffic and... a lot of calls to googleapis.com. Why? Because it calls the Google spell check API with everything you enter.

All your text is being sent to Google.

I couldn't turn it off and on top of that a dummy API key is used so the API returns an error, meaning the functionality is completely useless.

Screenshot: the page editor of TiddlyWiki in TiddlyDesktop. The contents of the page read: "Secrets" "So I've disabled ""network activity"", surely it won't pass my biggest secrets on to Google, right? ... Right?" It also shows that the "network activity" option has been disabled. (I've also tested it with the option enabled, restarting the program, etc. Google's API was still being contacted.)
Screenshot: the contents of one of the calls to the Google spell check API. The payload of the call contains the following JSON:

    {
      "text": "So I've disabled \"network activity\", surely it won't pass my biggest secrets on to Google, right?\n\n...\n\nRight?",
      "language": "en",
      "originCountry": "USA"
    }
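The "Secrets" page above is a canary test: type something unmistakable, then look for it in the captured traffic. The same method would have caught SiYuan sending the window title to Google Analytics earlier in the thread. The following is an added example, not code from the original thread or from any of the products discussed, that automates the search over a HAR export of the proxied traffic (mitmproxy and most browsers and proxies can write HAR). It checks every request URL, header and body for the marker in raw, URL-encoded and JSON-escaped form, because a leaked note title often does not appear byte-for-byte in the wire format. SAMPLE_HAR is constructed for illustration and its URL paths are placeholders, not the real API endpoints.

```python
"""Canary-string leak search over a HAR export of an application's traffic.

Added example, not code from the original thread. Assumes the flows were
exported as HAR 1.2 (log.entries[].request.{url,headers,postData}).
SAMPLE_HAR is constructed for illustration; the URL paths are placeholders.
"""
import json
import urllib.parse

CANARY = "CANARY-7f3a-ä"   # non-ASCII on purpose: serializers often escape it


def _views(text: str):
    """Yield decoded views of a captured string so an encoded canary still matches."""
    yield text
    yield urllib.parse.unquote_plus(text)                        # %C3%A4 -> ä
    try:
        yield json.dumps(json.loads(text), ensure_ascii=False)    # \u00e4 -> ä
    except ValueError:
        pass


def find_leaks(har: dict, canary: str):
    """Return (hostname, location) for every request that carries the canary."""
    hits = []
    for entry in har["log"]["entries"]:
        req = entry["request"]
        fields = [("url", req.get("url", ""))]
        fields += [("header:" + h["name"], h["value"]) for h in req.get("headers", [])]
        post = req.get("postData") or {}
        if "text" in post:
            fields.append(("body", post["text"]))
        for where, value in fields:
            if any(canary in view for view in _views(value)):
                hits.append((urllib.parse.urlsplit(req["url"]).hostname, where))
                break                                             # one report per request
    return hits


def _entry(method, url, body=None, headers=()):
    """Build one HAR entry (constructed sample data, not a real capture)."""
    req = {"method": method, "url": url,
           "headers": [{"name": k, "value": v} for k, v in headers]}
    if body is not None:
        req["postData"] = {"mimeType": "application/json", "text": body}
    return {"request": req}


# Constructed capture modelled on the thread: a spell-check call carrying the
# note text (JSON-escaped), an analytics hit carrying the window title
# (URL-encoded), and an events batch that does not contain the canary.
# Paths are placeholders, not the services' real endpoints.
SAMPLE_HAR = {"log": {"entries": [
    _entry("POST", "https://www.googleapis.com/placeholder-spellcheck",
           body=json.dumps({"text": f"Secrets: {CANARY}", "language": "en"})),
    _entry("GET", "https://www.google-analytics.com/placeholder-collect?t=pageview&dt="
                  + urllib.parse.quote(f"Notes about {CANARY}")),
    _entry("POST", "https://api.amplitude.com/placeholder-events",
           body=json.dumps({"events": [{"event_type": "page_created"}]}),
           headers=[("User-Agent", "Electron/28.0")]),
]}}

if __name__ == "__main__":
    for host, where in find_leaks(SAMPLE_HAR, CANARY):
        print(f"canary found in {where} of request to {host}")
```

Bodies that are gzip-compressed, protobuf-encoded or encrypted at the application layer (as Anytype's vault sync presumably is) need decoding before this search can see into them; a clean result on such traffic means "not found in plaintext", not "not sent".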

[–] CrossEye@mstdn.plus 1 points 1 month ago (1 children)

@loadhigh@bitbang.social I use the Node.js version of Tiddlywiki and see no such traffic. I don't use TiddlyDesktop, though, so can't comment on that.

[–] loadhigh@bitbang.social 1 points 1 month ago

@CrossEye@mstdn.plus This is definitely TiddlyDesktop only. It was added because people were missing the spell checking that their browser normally does.

[–] loadhigh@bitbang.social 1 points 1 month ago

Correction: it is mentioned in a privacy policy, but not the first one you get to. You have to click through to the second privacy policy.

https://anytype.io/app_privacy

[–] nacly@floss.social 1 points 2 months ago (1 children)

@loadhigh@bitbang.social Thanks for the great thread and analyses! ❤️ I'd love to get your take on @TiddlyWiki@fosstodon.org and @FeatherWiki@floss.social both are technically interesting takes on personal knowledge management #pkm:

[–] loadhigh@bitbang.social 1 points 2 months ago

@nacly@floss.social @TiddlyWiki@fosstodon.org @FeatherWiki@floss.social You're welcome :)

I tried to build personal wikis a long time ago but the ones I tried didn't do anything with tags or metadata, so it was up to you to collect topics in categories or with explicit, hand typed links. That was a hassle.

I guess I missed TiddlyWiki because it does go all-in on the relation metadata. I'm going to try it out, thanks :)

I'm unsure about Feather Wiki because it's not working with files on disk directly, but it's very neat for 58kb.