• 0 Posts
  • 24 Comments
Joined 4 years ago
Cake day: February 15th, 2021

  • Ferk@lemmy.ml to Privacy@lemmy.ml: I made a gpg Hat
    3 days ago
    • Pretty Good Privacy (PGP): The first implementation of a set of methods used for signing, encrypting, and decrypting texts, emails and files that ultimately became a standard called “OpenPGP” (RFC 4880). The program itself was commercial/proprietary. Sometimes “PGP” is also used to refer to the standard itself for short.

    • GNU Privacy Guard (GPG): A popular Free and Open Source program from the GNU project that uses/implements the OpenPGP standards.





  • Can you point to a specific law that the EU has passed in this direction?

    Cos according to the article all attempts to pass something like this that have been presented in the EU have been blocked. By the EU.

    An alternative title could have been: “EU Possibly The Only One Who Has Been Explicitly Rejecting Backdoor Mandates Until Now”

    Sure, proposals keep being presented… but I feel it’s kind of a bit early to call the EU “greatest threat” just because yet another attempt has been made. Especially when you compare it with many other places where they apply things like this without batting an eye.

    I’m not saying we (Europeans) shouldn’t push (yet again) to make sure this also fails… but the title of the article is a bit misplaced, and after a history of successful rejections I feel a lot more optimistic.




  • This is the full paragraph:

    We collect certain device and network connection information when you access the Service. This information includes your device model, operating system, keystroke patterns or rhythms, IP address, and system language. We also collect service-related, diagnostic, and performance information, including crash reports and performance logs. We automatically assign you a device ID and user ID. Where you log-in from multiple devices, we use information such as your device ID and user ID to identify your activity across devices to give you a seamless log-in experience and for security purposes.

    It looks to me that they are using it to identify the user uniquely, maybe also related to captcha to prevent bots (it’s common practice to capture mouse and keyboard while resolving captchas to see if the movement is human-like).


  • But that’s not what the terms on both Google/Meta and Deepseek say.

    There’s no term in their ToS saying Google/Meta restricts the data collection to forms, which means that if the ToS allowed them to collect them from forms (and as you admitted, we do know for a fact that they do), then it also allows them to collect it outside of forms. The reason I put the search suggestions as example is because it’s one we CAN know (and thank you for agreeing on that), but that doesn’t mean they don’t do other captures at times we DON’T know… and also it’s not the only place, Google owns several captcha mechanisms and capturing input patterns is common on those too (and captchas capture outside forms too!). Another obvious example is Google Docs, another is Google Translate… and again, those are only the obvious ones, we don’t know if there are non-obvious ones.

    In the other direction too, Deepseek terms don’t say it does it outside of forms either. You are jumping into assumptions by saying it acts the same as a traditional keylogger and that the keystrokes are captured for “anything typed”. For all we know the only place they might be capturing is when the user is in very specific steps of the login process, maybe for captcha purposes too, or specific forms for preloading results, etc. There’s no reason you should trust they do it any less/more than Google/Meta does, the ToS in both have the same lack of information in that respect.

    You can only make assumptions one way or the other, since the terms are not specific on what exactly they allow themselves to do, in the case of Google/Meta they’re so sneaky that they avoid saying they do capture them (even though they do, as you yourself admitted), while in the case of Deepseek, even though they are a bit more specific by using the word “keystrokes”, they also don’t specify where/when/why (other than “to give you a seamless log-in experience and for security purposes” …but that’s also unclear wording).


  • Yes, it’s possible. To be honest, I find it very sad that we have grown so dependent on ISP and big telecom companies to have a working network.

    In theory, you could have an infrastructure in your neighborhood and be able to play Quake with your neighbors without making use of the phone line at all, completely free of monthly fees and with a very efficient and fast connection too! You’d just need cabling connecting the apartments/houses and some decent routers controlling/restricting access on each subnet. It’s a pity that’s not a standard thing when designing residences.

    Though less efficient and more limited in range, you can technically do it with Wi-Fi and mesh networking too… there are projects like B.A.T.M.A.N (https://www.open-mesh.org/), however, it’s not very user-friendly to set up. I believe there have been some projects that attempted to launch embedded devices to act as mini routers for this, but the spread has not been wide enough to make it worth it, sadly.




  • The argument stands, though.

    Yes, not ALL other apps do that, but the comment was specifically talking about companies like Google and Meta… they definitely do collect incomplete strings from search forms (down to individual characters) when they display search suggestions, for example. They might not mention “keystrokes” in the legal text, but I don’t see why they wouldn’t be able to extrapolate your typing pattern since they do have the timing information which should be enough data to, at some level, profile it.
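An added illustration of the timing point in the comment above (not part of the original comment): the sketch below takes constructed request records of the kind a suggestion endpoint receives, one per keystroke, and derives inter-key intervals from them. The log format, the `sid` field and the sample values are assumptions made for this example.

```python
from datetime import datetime, timedelta
from statistics import mean, pstdev

# Constructed sample (not real traffic): suggestion requests sent while a user
# types "hello", mistypes one key, corrects it, then pastes the rest.
SAMPLE_LOG = """\
2025-01-01T12:00:00.000 sid=A q=h
2025-01-01T12:00:00.140 sid=A q=he
2025-01-01T12:00:00.260 sid=A q=hel
2025-01-01T12:00:00.455 sid=A q=helk
2025-01-01T12:00:00.910 sid=A q=hel
2025-01-01T12:00:01.020 sid=A q=hell
2025-01-01T12:00:01.200 sid=A q=hello
2025-01-01T12:00:03.000 sid=A q=hello world
"""

def parse(log):
    """Yield (timestamp, session id, partial query) per request line."""
    for line in log.splitlines():
        ts, sid, q = line.split(" ", 2)
        yield datetime.fromisoformat(ts), sid.split("=", 1)[1], q.split("=", 1)[1]

def timing_events(log):
    """Classify each consecutive request pair per session: (kind, detail, ms)."""
    events, last = [], {}
    for ts, sid, q in parse(log):
        if sid in last:
            pts, pq = last[sid]
            ms = (ts - pts) // timedelta(milliseconds=1)
            if len(q) == len(pq) + 1 and q.startswith(pq):
                kind, detail = "key", pq[-1:] + q[-1]      # digraph just typed
            elif len(q) < len(pq) and pq.startswith(q):
                kind, detail = "delete", pq[len(q):]       # correction
            else:                                          # paste/autofill: no rhythm
                kind, detail = "bulk", (q[len(pq):] if q.startswith(pq) else q)
            events.append((kind, detail, ms))
        last[sid] = (ts, q)
    return events

def rhythm_profile(events):
    """Summarise single-keystroke gaps only; deletes and bulk edits are excluded."""
    gaps = [ms for kind, _, ms in events if kind == "key"]
    return {"n": len(gaps), "mean_ms": round(mean(gaps), 1),
            "stdev_ms": round(pstdev(gaps), 1)}

if __name__ == "__main__":
    for event in timing_events(SAMPLE_LOG):
        print(event)
    print(rhythm_profile(timing_events(SAMPLE_LOG)))
```

Client-side debouncing or batching of suggestion requests coarsens these intervals, which is one thing to check when assessing what a given search box exposes.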



  • Ferk@lemmy.ml to Privacy@lemmy.ml: Proton CEO Andy Yen Interview
    5 months ago

    This specific comment thread is focused on that because that was the topic started by the choice of words of the first comment.

    The conversation would not have continued in that direction if instead of doubling down there simply were an admission that what was really meant is not that Proton betrayed some hypothetical anti-Trump principles they had, but that they have now proven to be sympathetic towards Trump and this made people feel unsafe (and some branches of the thread implied that conclusion).

    What’s being argued is that this is not surprising. This is as silly as thinking that Zuckerberg is a betrayer because of the recent changes in moderation policy, as if Facebook was ever on the side of any particular political ideology other than their own interests.

    What makes you think Tuta is against all and every policy coming from the far-right including the ones that align with their stated goal of digital privacy? If (hypothetically) Tuta had some level of relationship with a left-wing party (pick your favorite) and made a post about how they are happy about certain changes that party is pushing that are beneficial to privacy, would that be a betrayal of their own principles? I would say it’s not, regardless of how many alt-right customers might “feel betrayed” if they had some parasocial alt-right image of Tuta.





  • It’s true that they say both things out of comfort.

    Though to be completely honest, both statements are not contradictory. They are not necessarily accepting that they do have something worth hiding, but just stating that hiding is too difficult these days anyway. That does not mean (sadly) that they would start doing it were it easier, just that they have even less of a motive to care about it now that hiding is so much harder (to the point of almost being “a myth”).

    I’m not saying they are right, I’m saying that lack of consistency is not the problem with that attitude. It’s not a “shift”, just a consistent continuation of a lazy attitude towards comfort.


  • You share public keys when registering the passkey on a third party service, but for the portability of the keys to other password managers (what the article is about) the private ones do need to be transferred (that’s the whole point of making them portable).

    I think the phishing concerns are about attackers using this new portability feature to get a user (via phishing / social engineering) to export/move their passkeys to the attacker’s store. The point is that portability shouldn’t be so user-friendly / transparent that it becomes exploitable.

    That said, I don’t know if this new protocol makes things THAT easy to port (probably not?).