> Server Logs > Like all web services, our servers may log: > IP addresses of visitors > Request timestamps > User agent strings > These logs are used for security and debugging purposes and are not linked to your account.

That's already a huge breach in comparison to mullvad privacy page. (https://mullvad.net/en/help/no-logging-data-policy)

Here on datacenters you say your are ISO27001 and SOC2 certified.

"We're ISO 27001 certified and maintain SOC 2 Type II compliance."

You do not have any certificate that I can find: https://www.iafcertsearch.org/search/certified-entities?sear...

https://www.iafcertsearch.org/search/certified-entities?sear...

Who is the company who certified you? What is the certification number?

[1] https://coveryourtracks.eff.org

Informational terrorism, a dysphemism that describes the manner by which certain data is abused to "re-rank content" for a "personalized experience," is encoded into the DNA of certain large tech companies.

I don’t understand why any company would want the liability of holding on to any personal data if it wasn’t vital to the operations of the business, considering all the data breaches we’ve seen over the past decade or so. It also means they can avoid all the lawyers writing complicated and confusing privacy policies, or cookie approval pop-ups.

You can have cryptocurrencies in your wallet, (on most chains) you are anonymous but have no privacy, your transaction history can be accessed by anyone.

It’s all fine and dandy, you can enjoy your anonymity, about as long as you make your first transaction.

You might be anonymous, but basically you hand over your full transaction history and balance anytime you pay for a coffee or tshirt.

Relatedly, this is why I think every "new" social media service that isn't Mastodon is barking up the most wrong tree with "take everything with you," you're essentially helping to build an even harder to erase social history.

Mastodon's individual server model, like email's, is better PRECISELY because each node is a point of "failure." That makes erasure easier. Which is good.

What you need instead is to make it easy and common for people to use browsers that resist fingerprinting, VPNs/Tor, custom email addresses per-account, etc. Because then instead of claiming to not log your information, they simply do not have it.

The biggest thing we need is a better way to pay someone over the internet without them knowing who you are.

talk about anonymity but uses cloudflare. you threw away your tls and allow cloudflare to sit in the middle of the user and your web page. you're a hypocrite.

Please do not to rely on fingerprinters or CDNs that does TLS-termination for you.

Many people online seem to think that they are anonymous and so were emboldened to do stuff that they might not have done if they had realized this. They continued to feel extremely good at this right up until the knock on the door.

There is no anonymity, there is always someone you have to trust in the chain of WAN networking (DNS,ISP,VPN). If you want anonymity and privacy, you selfhost (examining the code is also a prerequisite). There is no other way to do it.

A lot of our intuitions about both are based on obscurity: nobody is interested enough to devote their lives to you. That's not the case any more. You are exposed to every person on the planet, and they have the tools to automate attacks on every single person.

That's not to say "give up", but we need to find a new understanding of how our lives work. It's like we're all hunter-gatherers who find ourselves instantly in the largest and fastest city, with nobody to teach us the ropes.

> ...

>5. Confirm identity for "fraud prevention" (now we have your ID)

I can't tell whether OP is being hyperbolic but it's certainly not representative of the average "privacy-focused" service I've came across. The typical service only asks for an email and maybe billing information (can be prepaid card or crypto). The only exception is protonmail, which might require SMS verification[1], but given the problem of email spam I'm sympathetic, and it's bypassble by paying. It's certainly not the "average" service, and no service asked to "Confirm identity".

[1] https://proton.me/support/human-verification

be confident that the service is not keeping logs? JÁ!

This is very cool. I have wondered for a very long time why such a site does not exist. What pops to mind is that you could get better unit economics reselling really small VMs to the privacy obsessed. I know some netizens who would pay a dollar a month for, say, a tiny NetBSD VM and 64 MB of RAM to serve their tiny static demoscene website of yore. There are some real wizards of there.

Not sure if that's in your roadmap but definitely something to consider in this space.

running three flavors of the same off brand browser, each optimised for different segments of online content is what seems to be the minimum.

they are so desperate to sell me something, (a truck) that it's wild, as it is one of the few monitisable things I consistently look for (parts, service procedures), the , pause, when I do certain searches gives me time to predict that yes, the machinery is grinding hard, and will ,shortly, triumphantly, produce, a ,truck.

You're going to have a tussle with law enforcement, and you're going to lose. Your service will last < 2 years because you will not be able to afford the lawyers you need to defend against even one muscle move by the government.

Good luck!

Wasn't Crypto recently revealed to be used by FBI (or similar) to track major criminals? They don't broadcast it, since they want people to continue thinking it's anonymous.

Ideally, an argument about privacy would start with its notion of privacy.

https://en.wikipedia.org/wiki/Privacy#Conceptions_of_privacy

Honest question, but did you add the Cloudflare proxy to solve an actual problem, or did you deploy it a priori without an actual justification?

“Anonymity” = the data is public but not linked to its owner’s identity.

If you’re sharing your data with a website (e.g. storing it unencrypted), but they promise not to leak it, the data is only “private” between you and them…which doesn’t mean much, because they may not (and sometimes cannot) keep that promise. But if the website doesn’t attribute the data except to a randomly-generated identifier (or e.g. RSA public key), the data is anonymous. That’s the article.

Although a server does provide real privacy if it stores user data encrypted and doesn’t store the key, and you can verify this if you have the client’s unobfuscated source.

Also note that anonymity is less secure than privacy because the information provides clues to the owner. e.g. if it’s a detailed report on a niche topic with a specific bias and one person is known to be super interested in that topic with that bias, or if it contains parts of the owner’s PII. But it’s much better than nothing.

Can we have just better things or are we going to reject everything that’s not perfect and by doing so concede the whole point and just give up?

Well done OP for the right approach and your business. This has always been my design (when possible) to approach data security. When you don’t have data you don’t have to worry about its security.

Best of luck, ignore the naysayers.

some people believe supply chain attacks are rare and hard to pull off and expensive and only valuable in extreme cases but if you ever worked at a local delivery service or pharmacy or something other where people and the necessary machines are being aggregated in some basements or even backrooms for all use cases from all times for wholesale forgery and fiddling with people, you know that the situation is ugly, not bad. throw in the many coders, network engineers and hardware specialists with ties to above entities and bombaclat, Jahmunkey, we fucked!

#TheEconomicsOfPunchedDrugs #Automation #DataAnalysis #SituationalAssessment #HeyIsThatATurdNuggetAtTheTopOfThatPyramid

Smells like it was written by an LLM so I stopped reading.

But in order to read the article you need to enable JS. What a joke.

anonymity in your product could be a sensible design choice that your customers could value. fine. go nuts.

but in general? hard disagree. anonymity is fragile and can't be guaranteed, privacy is a legal obligation which can actually be enforced if push comes to shove.

also that page reads like slop : it's not X, it's Y. blah blah blah. this is a marketing piece trying to go viral.

Email is fine when it is an option. Mullvad have even option to pay with a credit card & PayPal. That's more sensitive data than Email.