
Comment by theturtletalks

5 days ago

What scares me is that the more privacy oriented you are, the easier you are to fingerprint. At what point does privacy mean blending in with the crowd and not sticking out?

You're thinking about browser fingerprinting (client-side), but my post is about service-level anonymity (server-side).

Browser fingerprinting: "Your unique combination of extensions/settings makes you identifiable among other users."

Service anonymity: "There are no other users to compare you against because we don't collect identifying data."

When you sign up with just a random 32-char string, there's nothing to fingerprint. No email to correlate. No IP logs to analyze. No usage patterns to build a profile from.

Fingerprinting matters when services collect behavioral data. We architected our way out of having that data to begin with.

  • > When you sign up with just a random 32-char string...

    There's STILL a browser fingerprint, IP logs to analyze, usage patterns to build a profile from. You may claim you don't collect it, but users need to take your word for it. This is just pseudonymity, which (as many BTC users found out) only gets you halfway there. Real anonymity is way harder, often impossible.

    Don't get me wrong, it's good to see organisations that care about privacy and in fact this blog post encouraged me to consider your services in the future. We have some use cases for that at work.

    Though by using cloudflare you're NOT putting your money where your mouth is.

    • I was going to say making the platform open source might solve this problem, but then users would have to trust that we are actually running the open source version and not some fork with logging and tracking. This would be an interesting problem / paradox to try to crack.

      But you are 100% right, I will look into alternatives for Cloudflare, which we are using because it seems like the cloud hosting industry LOVES to DDoS new players.


> At what point does privacy mean blending in with the crowd and not sticking out?

It's basically rule number one. Tor is all about making all users look like the same user. The so called anonymity set. They all look the same, so you can't tell them apart from each other.

It's also part of the rules of proper OPSEC.

https://en.wikipedia.org/wiki/The_Moscow_rules

> Do not look back; you are never completely alone.

> Go with the flow, blend in.

> Vary your pattern and stay within your cover.

  • I read here that most of the Tor exit nodes are operated by governments and governments are using parallel construction to keep that information out of legal documents.

    • Well, yes. They control ISPs and exit nodes, therefore they can correlate entries into and exits out of the Tor network, narrowing down candidate lists until only one user remains. Essentially a nation scale version of the Harvard bomb threat correlation:

      https://buttondown.com/grugq/archive/bad-opsec-considered-ha...

      As noted in the article, it wasn't the failure of Tor that led to arrest, it was poor OPSEC. Failure to cover, failure to conceal and failure to compartment.
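The entry/exit correlation described above, reduced to its campus-scale form, as an added example that is not part of the thread or of any named tool. The relay addresses, hosts, timestamps and flow records are all constructed; a real investigation would pull the current Tor consensus rather than a hard-coded set, and the "event time" would be the timestamp on the threatening message.

```python
"""Timing correlation of Tor use against an event window (added example).

Given campus flow logs, find which internal hosts contacted a known Tor
relay in the minutes before an event, then separate one-off users from
hosts that also used Tor at other times (regular use blends in; a single
burst right before the event does not).
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed: addresses we pretend are published Tor relays.
TOR_RELAYS = {"198.51.100.7", "198.51.100.23", "203.0.113.41"}

# Constructed NetFlow-style export: timestamp, src host, dst address, dst port.
FLOW_LOG = """\
2024-01-14T21:05:11 10.20.5.90 198.51.100.23 9001
2024-01-15T08:12:03 10.20.1.14 93.184.216.34 443
2024-01-15T08:25:41 10.20.3.7 198.51.100.7 9001
2024-01-15T08:27:10 10.20.3.7 203.0.113.41 443
2024-01-15T08:29:55 10.20.5.90 198.51.100.23 9001
2024-01-15T08:31:02 10.20.1.14 93.184.216.34 443
2024-01-15T08:33:48 10.20.7.3 198.51.100.7 443
2024-01-15T08:34:12 10.20.9.61 203.0.113.41 9001
2024-01-15T09:10:00 10.20.2.2 198.51.100.7 9001
"""


def parse_flows(text):
    """Parse whitespace-separated flow lines into (datetime, src, dst, dport)."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport = line.split()
        flows.append((datetime.fromisoformat(ts), src, dst, int(dport)))
    return flows


def tor_clients_in_window(flows, event_time, window):
    """Map each internal host that hit a Tor relay in [event-window, event] to its hit times."""
    start = event_time - window
    hits = defaultdict(list)
    for ts, src, dst, _ in flows:
        if dst in TOR_RELAYS and start <= ts <= event_time:
            hits[src].append(ts)
    return dict(hits)


def first_time_users(flows, candidates, event_time, window):
    """Candidates with no Tor traffic outside the window: the ones that stand out."""
    start = event_time - window
    regulars = {src for ts, src, dst, _ in flows
                if dst in TOR_RELAYS and not (start <= ts <= event_time)}
    return sorted(set(candidates) - regulars)


def investigate(log_text, event_iso, window_minutes):
    """Run the whole correlation; returns (candidates dict, first-time-user list)."""
    flows = parse_flows(log_text)
    event = datetime.fromisoformat(event_iso)
    window = timedelta(minutes=window_minutes)
    cands = tor_clients_in_window(flows, event, window)
    return cands, first_time_users(flows, cands, event, window)


if __name__ == "__main__":
    candidates, newcomers = investigate(FLOW_LOG, "2024-01-15T08:35:00", 15)
    for host, times in sorted(candidates.items()):
        print(host, [t.strftime("%H:%M:%S") for t in times])
    print("no Tor use outside the window:", newcomers)
```

The second filter is the point the Moscow rules make about varying your pattern: a host that only ever touched Tor in the fifteen minutes before the message is a far better lead than one that uses it every evening.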

Reminds me of this guy who used Tor to send a fake bomb threat to his school but he was the only person on the whole campus connecting to Tor.

  • There were 4 people, but he confessed when questioned.

    I guess the lesson there is that if you don't want to be convicted of a crime, don't confess to a crime? They won't give you a lighter sentence for confessing.

    • > I guess the lesson there is that if you don't want to be convicted of a crime, don't confess to a crime? They won't give you a lighter sentence for confessing.

      Ever hear of moral integrity?

      Unless the penalty is unjust (say, execution for a minor crime), a just man will confess and accept his punishment as right and just. He himself will want justice to be done and will want to pay for his crime.

      A remorseful murderer knows he deserves death. He might ask for mercy, but failing that, he will accept the penalty with dignity and grace.


  • "...the only person on the whole campus connecting to Tor."

    Talk about doubly stupid, first sending the threat, second using Tor on campus. I often wonder what goes (or doesn't go) through the mind of such people.

Blending in with the crowd doesn't work. If you use Chrome on Windows you're part of a very large group and "don't stick out". But it's also very easy to fingerprint so you're also part of the "theturtletalks" group with the size of one.
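The anonymity-set arithmetic behind the last two comments, as an added example (not from the thread, and not any fingerprinting library's code). The population, attribute names and the three extensions are constructed; the point is that a visitor can sit in a large "Chrome on Windows" group and still be alone once a rarer attribute such as a privacy extension set is added.

```python
"""Anonymity set size and surprisal for a browser fingerprint (added example).

Each visitor is a dict of observable attributes. The anonymity set for a
target under some attribute list is every visitor who matches on all of
them; surprisal in bits is log2(N / set size). Attribute values and the
population are constructed for illustration.
"""
import math

POPULATION = [
    # The privacy-oriented visitor: mainstream browser and OS, but a rare extension set.
    {"id": "u01", "browser": "Chrome",  "os": "Windows", "tz": "UTC-5",
     "ext": frozenset({"uBlock", "NoScript", "CanvasBlocker"})},
    {"id": "u02", "browser": "Chrome",  "os": "Windows", "tz": "UTC-5", "ext": frozenset()},
    {"id": "u03", "browser": "Chrome",  "os": "Windows", "tz": "UTC-5", "ext": frozenset()},
    {"id": "u04", "browser": "Chrome",  "os": "Windows", "tz": "UTC-5", "ext": frozenset({"uBlock"})},
    {"id": "u05", "browser": "Chrome",  "os": "Windows", "tz": "UTC+1", "ext": frozenset()},
    {"id": "u06", "browser": "Chrome",  "os": "Windows", "tz": "UTC+1", "ext": frozenset()},
    {"id": "u07", "browser": "Chrome",  "os": "Windows", "tz": "UTC+1", "ext": frozenset()},
    {"id": "u08", "browser": "Firefox", "os": "Linux",   "tz": "UTC-5", "ext": frozenset()},
    {"id": "u09", "browser": "Firefox", "os": "Linux",   "tz": "UTC+1", "ext": frozenset({"uBlock"})},
    {"id": "u10", "browser": "Safari",  "os": "macOS",   "tz": "UTC-8", "ext": frozenset()},
]


def anonymity_set(population, target, attrs):
    """Visitors indistinguishable from target on every attribute in attrs."""
    return [u for u in population if all(u[a] == target[a] for a in attrs)]


def surprisal_bits(population, target, attrs):
    """Bits of identifying information the attrs reveal about target."""
    return math.log2(len(population) / len(anonymity_set(population, target, attrs)))


def narrowing(population, target, attr_order):
    """Set size after each attribute is added, in order: shows where the crowd vanishes."""
    sizes = []
    for i in range(1, len(attr_order) + 1):
        attrs = attr_order[:i]
        sizes.append((attr_order[i - 1], len(anonymity_set(population, target, attrs))))
    return sizes


def by_id(population, uid):
    return next(u for u in population if u["id"] == uid)


if __name__ == "__main__":
    order = ["browser", "os", "tz", "ext"]
    for uid in ("u01", "u02", "u08"):
        target = by_id(POPULATION, uid)
        print(uid, narrowing(POPULATION, target, order),
              "%.2f bits" % surprisal_bits(POPULATION, target, order))
```

Running it shows u01 going 7, 7, 4, 1: the first three attributes leave a crowd, the extension set leaves nobody. The visitor with stock settings (u02) ends in a set of two, and u08 is alone as soon as timezone is added because Firefox on Linux was already a group of two. Hardening that makes you rarer is subtraction from the anonymity set, which is the tension the thread's first comment is pointing at.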