On 2022-11-04 Adam Thompson wrote:

My personal opinion is that privacy is an illusion and the faster you get over that, the easier your life will be. *Should* that be the case? Hell, no! But what options do I have other than how I vote, and how I communicate with my various elected representatives?

I don't like to be completely defeatist in a "throw up your hands and give up" sense when it comes to your statement: "privacy is an illusion". When we do that we are, in effect, saying to everyone "don't even try".

Privacy isn't a binary thing. It's a matter of degrees. Yes, you are 100% correct that we can't be completely "private". But there a ton of little things we can do to regain control of various aspects of our privacy and/or make "the borg's" life more difficult.

For people who care about privacy (say Brian and myself) we should learn about and do things that help us improve along the privacy scale. And we should encourage that. There are some people (hehe you know who you are) who have completely given up or even welcomed every tracking / privacy-invading thing known to man. I don't think that's the correct thing to encourage in those who are showing concern.

We're a bit of a special case here in MUUG because we're basically the at the pinnacle of all this technology stuff and if anyone should "know better", it should be us. (Some of us even program stuff that uses all this anti-privacy ecosystem stuff and are well aware of how egregious the info leaks are.) If we can't offer hints and solutions, who can? I agree, it's all rather depressing.

If I had to make a top-3 list of privacy things you should do today, it would be:

1. Your browsers should have a NoScript (or similar) plugin and at the very least perma-block google-analytics and doubleclick (et al), and FB if you don't use it. That garbage is embedded in like 80% of pages out there.

2. Disable location services on your phone, basically always (ya they can triangulate, blah blah, but this makes it harder).

3. Use Linux, not Windbloze.

On 2022-11-04 John Lange wrote:

...

3. Use Linux, not Windbloze.

Despite the fact that your post and the entire thread is railing against Android (which runs on Linux) you manage to blame Windows for violating your privacy?

Not sure where you're going with this. I offered, as an aside, 3 of my top tips to, in general, protect your privacy. Someone already mentioned don't use Windows (especially 11), and I agree, and thus it's in my top-3 things people should do if they are privacy-conscious.

As for me personally, I don't use any Windows 7, 8, 10 or 11, so I'm not blaming it for violating *my* privacy. But if someone asks me "what can I do", I would definitely say don't use Win 11. Why? Because of the telemetry and all the tracking and app store that has basically turned it into the same thing as a cell phone OS (Android or iOS) vis a vis privacy.

I'm not sure what's controversial here? If you think MS and Win 11 is honoring your privacy more than an install of Fedora 35 is, then I have some news for you...

And I don't think anyone is "railing against Android", as iOS is equally as bad, if not worse. And it's not the linux-ness that makes Android a problem, it's all the google-proprietary stuff they've forced on the world that invades your privacy. That's like saying iOS is somehow also innocent because it runs on BSD. The underlying technology on these phones is irrelevant to privacy. I use Android every day, and I do my best to maintain a semblance of privacy as per my previous post. Doesn't mean I have to like the status quo and not yearn for something better.

Brian makes a great point: "ANDROID IS SUPPOSED TO BE OPEN". Yes, and it is, and you can load the base of Android onto some phones. The problem is, everything that makes your phone useful is a proprietary google add-on, and they've engineered it this way on purpose. That is (part of) what is holding back a truly FLOSS phone.

On 2022-11-05 12:09, John Lange wrote:

I'm simply pointing out the irony that in a thread dedicated to the gratuitous privacy violations perpetrated on Linux (via its most popular "desktop" Android), your recommendation is to "use Linux" for better privacy(?).

This would be like me using a Ford F-150 on a hit and run, then turning around and arguing that Ford makes the worst trucks, seeing that they are involved in hit and runs.

Linux is just a kernel. It has nuts and bolts to do pretty much anything, but the assembly of those nuts and bolts is up to the user/developer.

Yes, I know, this argument sounds like grasping at straws more often than not. Yet, here, we are *really* talking about specific distribution/OS here (e.g. Fedora, Android, Ubuntu) *NOT* Linux.

Actually yes I do think Windows 11 is doing more to honour your privacy. Windows11 discloses what it is doing and has privacy controls that give you the ability to shut off all the data collection that it does if you like.

Those toggles don't really do what you expect, I am afraid. They do "tune it down", so to say, but they're far from turning it *off*.

And yes, all of that is outlined in the Policy. Not a secret, and most people don't care, which is fine.

Still, that doesn't mean you turn telemetry *off*. You can't. Enterprise versions give you more control but as far as I remember, it also does not have the ability to turn it off completely. That may have changed.

With that said, I do not think "privacy violations" are the main issue with Windows. I do agree that Android is far worse, for example. But Android - the complete, functional OS that runs on phones - is *not* Linux. It *uses* the Linux kernel, just like many other things that are far from being a bastion of virtue on the privacy department.

Fedora, Ubuntu and most linux distros don't say anything about the data that gets sent home by default and offer NO Privacy Controls. There is no built-in way to shut off telemetry, you have to figure out which applications are calling home and manually uninstall them.

Fedora presents it on the first boot experience, at least for the default Gnome installation. Last I checked, the Settings application has all the toggles there too, with related Privacy Policies linked.

Most of the Fedora Spins don't have much for telemetry other than Firefox - which does present its terms on first use.

Ubuntu had an incident with this eons ago, but last I checked, it does present the terms as well.

Debian is opt-out by default on the very few things it collects data on - the main one (only one?) being popularity-contest, which, as the name suggests, transmits data every so often about what packages are installed on the system.

It's not a conspiracy, no. But that does not mean all choices are equal. It also doesn't mean Windows is the absolute worst.

I get it that Windows is everyone's favourite OS to hate

I must say I am far from a blind Windows hater. It does some things really well.

, but I think it's reasonable to point out the fact that Linux itself does absolutely nothing to protect your privacy. Anyone can make a distribution of Linux that steals your user data (e.g. Android).

It does not, indeed... just like my screwdriver doesn't do much on its own.

I would be amused if Microsoft stuck all their telemetry on their ntoskrnl.exe, or whatever it's called these days. I am also reasonably sure that Android has the telemetry bits far from the main kernel.

The same is likely on whatever telemetry is embedded on things that leverage the Linux kernel.

Let's be real here; the majority of privacy loss happens through the applications you have installed (e.g. browsers) regardless of the OS. For those that care about privacy that is where the focus should be.

That is true. 80-20 rule and all that.

Kind regards, Alberto Abrao

On Fri, 2022-11-04 at 08:11 -0500, Brian Lowe wrote:

On Thursday, November 3, 2022 10:08:15 P.M. CDT J. King wrote:

...

If you're not worried about violating Google's terms of service you can use Aurora Store (available from F-Droid) to download and install software from Google Play without a Google account associated to you.

Unfortunately the last time I tried the Aurora Store and it didn't work on my phone. Maybe it''s time for another go.

There was some trouble with logging in historically, yes. It's been working well in the last year or so, though, and I have had no trouble with it as recently as yesterday.

I really appreciate Hartmut's contribution here because I've been thinking of asking Shaw for new equipment after many years, so I'm glad to know the Hitron's are still a thing.

On the credit union front, I'm just glad that my credit union still has a web interface. Possibly I'm missing out on mobile cheque deposit via photographing and some other mobile specific features but the web interface gets the job done and I can do that from my all floss Power9 Raptor Computing systems Blackbird. (housed in an ATX case that Frantic Films threw away.)

If I had to go mobile only I'll be looking for another bank that still has a web interface. Hopefully we can count on that existing for decades to come given how slow banks can be to change.

I'm living day to day with a feature phone in my pocket instead of a smartphone, will be interesting to see how far and how long I can push that.

Got my first aftermarket, user-serviceable battery a few months ago. (battery life on this replacement has been disappointing, but I'm at least living the dream)

To the conversation I'll contribute two other cases of the push towards mobile devices that have irritated me in recent years.

---------

First, Ticketmaster and the Blue Bombers have made it very irritating to attend a football or soccer game without a smartphone running the proprietary Ticketmaster, "Blue Bomber" (a ticketmaster whitelabel) or Google Pay apps. I imagine True North (Jets/Moose) with Ticketmaster has done the same thing at their venue.

I believe it's possible to stand in a long customer service line on game day for a printed ticket, but I've just bent over and just used a casual (not day to day) smartphone to avoid that.

They use a time based token that updates on screen, making it non-printable by folks at home. I appreciate the business reason for this, there have been too many people victimized by ticket sale scams, and so there's going to be less victims when it's known that transfer of the time based code is required. I haven't heard of anybody transferring these time based codes outside the blessed system.

And at least I was savvy enough to figure out that I didn't need a data plan on said smartphone, that the time based ticket-token can be transferred to the Google Pay app which works entirely offline. Others may not have been prepared for that and landed in the long customer service line. There are people who own smartphones as their day to day phone and don't have data plans, believe it or not. (I know several).

I would just appreciate it if the protocols/standards for these time based tokens were open so they could be transferred to a fully floss stack token-wallet. Maybe this is already documented or reverse engineered out there, I haven't looked into it.

Though, can you imagine me popping open my Pinebook at the stadium gate and saying "scan this"?

Probably it would be more principled to just not attend. Can use my ears and take in the game free to air on 680 AM or walk into a sports bar. I could certainly find things to complain about if using a cable box and cable subscription or DRM streaming at tsn.ca .

--------

Second situation that irritated me was the required mobile app for verifying Manitoba vaccine cards.

(I think I posted this before).

It wasn't truly my itch to scratch because I didn't personally operate a venue required to perform verifications, but I felt sorry for this imposition of proprietary software and mobile devices on Manitoba restaurants and so forth.

With help from my fellow folks at Skullspace, we reverse engineered the Manitoba app. Which basically boiled down to discovering that the magic API URL was GET https://immunizationcard.manitoba.ca/api/verification/UUID with a simple JSON response payload.

(plus a redundant login auth layer that ends with a "authorization: Bearer " http header being included in the above)

Our work was featured on hackaday.com, including my proof of concept demo video https://hackaday.com/2021/08/19/manitoban-makes-open-software-demo-of-propri... https://github.com/markjenkins/immunizedshellscriptmb/blob/mainline/verifica...

But I never went further to document the login auth protocols or to make a full replacement app. As is the case for many hobby projects, I was satisfied to just get the proof of concept and key information out there for anyone else that wanted to take it further.

Adjacent to this was my experience as a card holder.

I didn't opt to receive a government printed card in the mail. I considered that a waste and had heard how they were scarce at first, so I said to myself, save it for others. Figured it wouldn't matter as well because the program would not be part of mainstream domestic life in Manitoba for very long. (was under a year in the end)

Though I didn't want to use a smartphone as a way to display my QR either.

There was no print button in the government website UI. I self-printed my QR anyway. Much later in the program they recognized that choice of card by mail or smartphone was a barrier for some people and added an official print button with a nice Manitoba logo in the design.

But, long before self-printing was officially recognized, I took myself as an experiment to see what life would be like as a weirdo with a self-printed QR instead of a government printed card or smartphone displayed QR.

There were three classes of experience.

1. To my pleasant surprise, the vast majority of venues that were actively verifying QR codes didn't treat me as a weirdo for self-printing a QR. Venue staff understood that optically scanning a QR printed on paper was no different than optically scanning a QR displayed on a phone or card. They scanned, they cross verified the name on my ID card and life was somewhat normal.

2. The other really common experience was venues not operating scanning equipment at all. They eyeballed the font and layout of my self printed QR just like they eyeballed the font and layout of anybody presenting a smartphone, just like they eyeballed the font and layout of anybody presenting a piece of plastic.

I had a private joke about this. I joked that maybe it was true that there was a microchip in the vaccines because serving staff showed remarkable computational power to eyeball a QR code, decode it and converse with the Manitoba government server.

Clearly many Manitoba businesses were not eager to roll out a fleet of smart phones to their staff. No enforcement effort was ever directed at small venues that asked customers for proof but didn't verify said proofs.

3. I can only remember two exceptions where self-printing my QR broke down. At one venue the lighting wasn't great and they just couldn't get a scan. Perhaps my self-print out was starting to wear at that point, (though with all the error correction in QRs that shouldn't have been a problem). It may have also been a network outage of some kind. I don't know. They were nice and admitted me. I later offered to dig up and boot up the casual smartphone in my bag to have that scanned instead.

Occasionally I would say to venues of type 2. "you're not going to scan that?".

This backfired on me only once.

I came back to a certain place on a different day and they grinded my gears back at me, saying they now would only accept the government printed card. I explained how the government printed card was opt-in and how it was an official part of the system that people could display QR codes and that it is up to venues to scan them. They gave me the business about how anybody could just print that and I was like "yes, that's right, anybody can replicate the look of these printed cards and QRs and you need to scan it if you're serious about verification".

That wasn't enough so I pivoted to "would it make you happy if I showed it to you on a smartphone through the official government app" and after much fumbling with a smartphone that I don't use day to day I was having trouble getting things open and finally they acknowledged that they now had a device of their own on site that they could use to scan. My paper copy got scanned, and I was able to stop feeling like a criminal.

Anyway, I could have avoided these two oddball experiences by just taking delivery of a government printed card, but it was interesting to see life without that or smartphone. I perhaps successfully educated one venue along the way as to how things worked, though with their veneration of the government printed cards I doubt they ever ended up scanning those.

Mark

On 2022-11-05 Mark Jenkins wrote:

First, Ticketmaster and the Blue Bombers have made it very irritating to attend a football or soccer game without a smartphone running the proprietary Ticketmaster, "Blue Bomber" (a ticketmaster whitelabel) or Google Pay apps. I imagine True North (Jets/Moose) with Ticketmaster has done the same thing at their venue.

I believe it's possible to stand in a long customer service line on game day for a printed ticket, but I've just bent over and just used a casual (not day to day) smartphone to avoid that.

Great, detailed reply, I really appreciated it. I just wanted to chime in on the Bombers thing:

1. You don't need the Bomber app to get in to games @IGF (nor Mosaic either). They have a normal web page, also just a rebranded TM site. The best way to reach it is through the blue bombers season ticket "portal". Then the usual "my events", etc. Shows the exact same mobile ticket with the moving line. I'm pretty sure that portal works for any TM account holder: you don't have to be a Bomber STH.

So that's really great for not being forced into an app, which is just a glorified html wrapper anyhow.

I'm going to the GC in a few days and I was able to access my GC tickets through the Riders' portal. Weird, but it won't show up in my Bomber nor vanilla TM methods of access. But this proves that (probably) all CFL venues are accessible without an app.

2. I remember reading you can get printed tickets and I think that includes getting them all ahead of time (if you're STH) for a set fee. I don't know if it's a per-ticket fee (probably is) or a per-batch/season fee. But it wasn't much, compared to what you'll spend on a ST.

3. I've personally gone to games this year with older friends or game-day buddies who couldn't get their ticket to show on their phones. I couldn't help them as I went through the gate first. So we had to yell back and forth through the gates like something out of a WWII movie as they are told to leave, and walk off to the ticket office to waste 30 mins of their life and miss kickoff. The staff are under instructions not to help people with their phones.

None of these new things take into account the elderly and technophobes. Just having the web site or app ask for the user/pass again right when they are at the gate vs when they loaded it at home is enough to make it impossible for many people.

For STHs there is no reason they can't still mail out 1 ticket + lanyard for the whole year like they used to, if a fan requests it. Only a small percentage would require it.