Midnight Pub

Privacy on Gemini

~gmund

I was randomly chatting with an AI Bot as part of my on-work training. I inquired about the "typical user groups of gemini protocol" and in turn it delivered me this:

Privacy advocates: Gemini's design, which emphasizes minimalism and limits features like tracking and scripting, appeals to individuals who prioritize online privacy and security.

Though, is that true? Is using gemini really more private? I would dispute it.

Yes, Gemini Protocol makes it impossible to track users based on cookies or similar tracking technologies. There are no scripts in Gemtext to communicate the user behaviour to some data hog advertisement company, etc.

But also consider this:

So we can sum up in my communication I have three sets of personal data:

If I was to post to some "Evil-Social-Media-Platform"-Page called "Midnight Pub" instead of using a Gemini Capsule, my Internet provider would only know I am doing "something" on "Evil-Social-Media-Platform". They would not know what exactly. "Evil-Social-Media-Platform" would know what my IP address is, but would lack the information who I am. They could only find out by inquiring my ISP, which would need a Court decision. The moderator of the "Midnight Pub" page on "Evil-Social-Media-Platform" would interact with me and see my comments, but would not know who I am or what my IP address is.

Am I mislead ?

Yes, "Evil-Social-Media-Platform" would have two of my three sets of secrets. But those are now hidden from anyone else and it is quite difficult for "Evil-Social-Media-Platform" to get the third. So, if I use a pseudonym to post on social media, it has higher level of privacy than using a pseudonym on a gemini capsule.

The same applies if I use a proxy or VPN or similar hiding technology instead of social media platform as an intermediary. The difference is, my ISP's Provider, which probably is a state actor, does now know I want to hide something and will want to watch my other behaviour. Whereas using social media in general is not suspicious, since anyone does it.

PS: Yes, gemini is also about content without presentation. It is not about privacy only. I get that part. This question is only about the privacy claim by the AI bot.


beefox

i think that imo gemini and similar stuff, that mimizes information given to a point, is more a case of "less if not all", where yeah its not explicitly private, but less information is being given and less people are getting that information.

reply

pandion

For someone fearing for their safety in a low democracy state, any on line activity that could be broblematic, should be routed through tor. There are other equivalent networks, but I thing only tor is considered safe enough.

I think Gemini does give the option to provide .onion services.

I know Gopher does for sure.

On the clear net, I don't think there is a way for a server to not know your IP. Weather a log is kept, is a different story, and depends on the server's owner-policy.

What is diferent on Gemini I think, is that there is no way to fingerprint you.

If you mask your IP through tor, and use a pseudonym, your ISP should have no idea what you are seeing, and the server can only know what a pseudonymous user with a fake IP does some bad things on their server but has no idea what the user does on any other server.

How can they connect your persona and its actions with your real IP?

reply

gmund
If you mask your IP through tor, and use a pseudonym, your ISP should have no idea what you are seeing, and the server can only know what a pseudonymous user with a fake IP does some bad things on their server but has no idea what the user does on any other server.

True, but then my ISP also knows that I use TOR. Which is telling already that I might be up to something mischievous. TOR is not something anyone uses. Alone the posession of TOR software might already be punished. (i.ex. Europe / Germany => 202c StGB)

Not so when I use some Group / Page on Facebook. The ISP doesn't know what I am up to, just that I use Facebook.

reply

pandion

Ok facebook is a legit site that raises no suspicions, but anything you write on Facebook is public.

I am not sure if there is any encryption on facebook groups, but I would really not trust it with my safety.

Plus, there is the matter of who you trust on those groups. Because anyone can leak the conversation, and then you really are a goner.

The tor project, also provides a way of connecting through snowflake proxies for those cases.

But if you run the risk of a random inspection for unauthorized software in your country, you REALLY should not be using the internet for any activism.

Or you should implement some elaborate dead man–panic button–kill switch, that would fry your hard drive.

Generally for activism tor is the go to method in countries with low democracy, but it should be employed with hardened software like tails OS, or something.

For the average user that does not like trackers on his browsing, and fingerprinting, by ad companies, Gemini is really better.

And combined with tor it is quite anonymous.

reply

ew
For someone fearing for their safety

ANY online activity is problematic.

TOR can add a few layers of indirection, hiding your IP addr from the server you contact. Using transport layer security can hide the content of the connection to some extent. But it cannot hide the content of your transaction from the admin of said server. Neither can it hide the fact, that a contact has taken place at some point in time. It just depends, where you look. The hop from your device to "the network" is the most problematic, in my opinion. My IP addr changes at least once per day, but my ISP knows my IP addr at any given time. They don't have to tell me, in case they were asked by $who_ever.

Any service can be put behind an .onion service, I serve my capsule this way as well.

Fingerprinting: an attacker can point their browser at a suspect server. From the pattern of data per time, dns lookups, called 3rd party websites etc, the attacker can observe your traffic pattern and conclude with some confidence, whether or not you visited a site on their observing list. This is why TOR to my knowledge collects a few things together before passing them on, in the hope to make time patterns less visible. There is an old talk of Roger Dingledine about this. And in there, that the timestamps in network traffic can be used to distinguish separate systems behind one IP address due to different rates of clock skew.

By the way, power outages can be correlated with the uptime of my capsule. They can be used to get the geographic location of my capsule with some confidence, if it is online for a lengthy time.

Pseudonyms: Anything that includes transfer of money (to pay for a service) is not going to be very pseudonymous. Even if you go through the trouble to add a working debit card for a pseudonym. You need to feed that card at some point with real currency.

If you want privacy, shut down your computer/phone/TV/car/camera --- anything that connects to the network or sends out radio signals. Pen and paper, in real life meetings and the like are not ensuring complete privacy either, its just that the observation is a bit more difficult.

Security/privacy are a very hard problem.

I'm not an expert.

reply

gmund
The hop from your device to "the network" is the most problematic, in my opinion.

Yes, I would agree. That's why I would prefer to use a service that anyone uses as the first hop.

If you want privacy, shut down your computer/phone/TV/car/camera --- anything that connects to the network or sends out radio signals.

Well, ok, but you would be back 50+ years with that. No communication.

Pen and paper, in real life meetings and the like are not ensuring complete privacy either, its just that the observation is a bit more difficult.

I have seen people that can very accurately match handwriting to a person, even if you try to write differently (ie. with your wrong hand). There are even technical means to match up Typewriters to typed pages. All has been there in the past.

Security/privacy are a very hard problem.

Yes, it is.

reply

pandion
I have seen people that can very accurately match handwriting to a person, even if you try to write differently (ie. with your wrong hand). There are even technical means to match up Typewriters to typed pages. All has been there in the past.

Typewriters and printers can be identified very accurately. That's why the iconic Hollywood ransom note, is a collage of letters cut out from different sources. 🤣

Seriously though. I am not an expert either, but I would strongly deter anyone from doing anything that is reprehensible in their coutry, in facebook or equivalent platforms. Hiding in the crowd is not possible in electronic form, and you can be sure that popular communication platforms, will be monitored by totalitarian regimes.

You just spare them the resources they need to invest, in targeting, monitoring, and compromizing servers, running exit nodes, honneybods, and analyzing traffic to determine your IP.

Facebook already does that for them, and would not bat an eye to hand them over.

If you have legitimate concerns, you should go the tinfoil hat way, all the way.

Tails, TOR, snowflake proxies, killswitch, and public internet access, (with public monitoring cameras in mind), or go sneekernet or something.

Be safe my friend

reply