32 Posts • 43 Comments
Joined 3 years ago
Cake day: March 6th, 2021

  • Denmark, Netherlands, Belgium, France, and Spain. Banks in those places will freeze your account easily, like a doc on file expiring.

    US banks are more trustworthy with your money than European banks, but US banks are less trustworthy with your data. Exceptionally, there is a pitfall where you can lose your money: dormancy. I recall a woman in California who had a safe deposit box that she did not access for a number of years. The bank declared it “dormant”, drilled it, and gave the property to the state’s unclaimed assets, who then auctioned off her stuff.
  • Even from a narrow, purely infosec-privacy PoV, how can people be so clueless in this day and age with the fully enshittified web?

    It’s not going to be a simple text email with your receipt attached. The email will be HTML with a tracker pixel (text MIME part broken or generally non-existent), so the seller can log the fact that you read the receipt, when, and with what IP address. Then when you get the email open, it won’t even contain the receipt, because it will be used as an opportunity to get you on their website where they can get more sales. It will say “come to our website and pick up your receipt”. When you try to visit the site with the unique URL they send, Tor will be blocked (under the guise of “security”, but in reality they want your browser fingerprint and IP again in case you used a text-only MUA). This will give them what makes it trivial to link your online identity to your offline purchase (cha-ching… mo money). Then a Google Play Store-only non-FOSS app will be shoved in your face as a more convenient way to fetch your receipts in the future. You will have to solve a CAPTCHA to reach your receipt, which generates more profit for them while steering people toward a shitty app.

    It will be like London Heathrow or JFK airport, where you cannot simply walk to your gate without being long-hauled through a series of marketing opportunities.

    And before you irrationally call this “paranoia” as well, I will preempt that by saying no, it’s capitalism. Which brings us the enshittified web.


  • NFC would encourage phone upgrading which is worse for the environment than the problem they think they are solving. Paper is biodegradable. Phones are not.

    Android 2.3+¹ supports Bluetooth file transfers. This would avoid both the problem of using cloud energy and the privacy problem (but only for smartphone owners who carry their smartphones). The article mentioned PDF being rejected. PNG could work, though it’d be a missed opportunity to get a digitally signed receipt. In any case, the paper receipt cannot be wholly replaced if it requires consumers to have a phone and to carry it, or if it requires sharing email addresses.

    ¹ maybe even AOS 1.8… didn’t check


  • Privacy is about control.

    You don’t understand privacy given your conflation with paranoia and oversight of my mention of a boycott. Privacy is not just about non-disclosure of sensitive information. It’s much more than infosec.

    When you mislabel privacy as “paranoia”, you become part of the problem of advocating disempowerment of people in favor of control misappropriation.

    > If you don’t want to receive emails from servers belonging to Microsoft, Google, or Amazon, you better delete your mail account and ask them to mail you the receipt.

    This absurd attempt at a false dichotomy showcases contempt for individuals having power to boycott selectively. What you suggest is wholly disempowering to people – to claim this all or nothing narrative… that people should either not have email access at all, or they should have zero control over who they connect with over email. Your stance represents a boot-licking wet dream for corporations and governments. It has no place in any privacy community.





  • I’m fine with all that. I’ve mostly abandoned #email anyway because I do not accept the terms Google has imposed on the world. I send most messages by postal mail when recipients have only exclusive and restrictive receiving options.

    The inability of the recipient to reply to an onion address using their normal service is actually part of the idea. I would not want a gmail user to be able to use gmail to reply, for example. While Google drags people into their walled garden, I’m happy to exert pressure in the opposite direction.

    (edit)
    If I were to send a msg to a gmail user in a way that they could simply reply from Google, then I become part of the problem by reinforcing the use of Gmail and helping Google get fed. That’s not going to happen. It’s a non-starter.


  • > Do you know who does care? The email server you’re sending messages to, because spammers and scammers love to try and send email with fake from addresses.

    The receiving servers do not generally care what’s in the FROM field. They care that the sending server they are connected to is authorized and has their SPF, DKIM, and DMARC shit together. It’s not for the receiving server to control the email aliases of individual senders. Some rare over-zealous servers will look at the FROM field and expect the domain to match but if I encounter that, the collateral damage is what it is. I can always still decide from there whether it’s worthwhile to go through extra hoops.
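The comment above turns on what a receiving server actually checks: SPF and DKIM authenticate the envelope sender and the signing domain, and a DMARC-enforcing receiver then compares those authenticated domains against the domain in the header From field (the "alignment" step). The following added example, which is not code from the original thread or from any mail provider, implements that alignment evaluation over a constructed DMARC record and a few constructed messages so the From-domain check can be seen concretely. The organizational-domain helper is a deliberate simplification (it takes the last two labels; real receivers consult the Public Suffix List), and the `sp` and `pct` tags are not modelled.

```python
"""Minimal DMARC alignment evaluator (added example, not a real mail receiver)."""

def parse_dmarc(txt: str) -> dict:
    """Parse a DMARC TXT record ('v=DMARC1; p=reject; adkim=s') into a tag->value dict."""
    tags = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed DMARC tag: {part!r}")
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC1 record")
    return tags


def org_domain(domain: str) -> str:
    """Organizational domain, simplified to the last two labels (assumption:
    a real implementation uses the Public Suffix List, so 'example.co.uk' is wrong here)."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(from_domain: str, auth_domain: str, mode: str) -> bool:
    """Strict mode ('s') requires an exact match; relaxed ('r') only the same organizational domain."""
    f, a = from_domain.lower().rstrip("."), auth_domain.lower().rstrip(".")
    if mode == "s":
        return f == a
    return org_domain(f) == org_domain(a)


def evaluate_dmarc(record: str, from_domain: str, spf_domain: str,
                   spf_result: str, dkim_sigs: list) -> dict:
    """Decide DMARC for one message.

    from_domain: domain of the RFC5322.From header (what the user sees).
    spf_domain:  RFC5321.MailFrom domain that SPF was evaluated against.
    spf_result:  'pass' or anything else.
    dkim_sigs:   list of (d= domain, result) pairs, one per DKIM-Signature.
    Returns pass/fail, which mechanism aligned, and the disposition the record asks for.
    """
    tags = parse_dmarc(record)
    aspf = tags.get("aspf", "r")    # relaxed alignment is the default for both
    adkim = tags.get("adkim", "r")

    spf_aligned = spf_result == "pass" and aligned(from_domain, spf_domain, aspf)
    dkim_aligned = any(res == "pass" and aligned(from_domain, d, adkim)
                       for d, res in dkim_sigs)
    passed = spf_aligned or dkim_aligned

    # Disposition is only applied when both mechanisms fail to align.
    policy = tags.get("p", "none")
    return {
        "pass": passed,
        "spf_aligned": spf_aligned,
        "dkim_aligned": dkim_aligned,
        "disposition": "none" if passed else policy,
    }


# Constructed sample record and messages (not real domains' policies).
RECORD = "v=DMARC1; p=reject; adkim=s; aspf=r"

if __name__ == "__main__":
    cases = [
        # Bounce subdomain passes SPF; relaxed aspf accepts it.
        ("example.org", "bounce.example.org", "pass", []),
        # Third-party sender with its own SPF/DKIM domain: nothing aligns with From.
        ("example.org", "mailer.example.net", "pass", [("example.net", "pass")]),
        # SPF fails, DKIM signed by a subdomain, but adkim=s demands an exact match.
        ("example.org", "example.org", "fail", [("mail.example.org", "pass")]),
    ]
    for from_d, spf_d, spf_r, dkim in cases:
        print(from_d, spf_d, spf_r, dkim, "->", evaluate_dmarc(RECORD, from_d, spf_d, spf_r, dkim))
```

The second case is the one the comment describes: the sending server is fully "authorized" (SPF pass, valid DKIM), yet a DMARC-enforcing receiver rejects because neither authenticated domain aligns with the From header. Whether that bites depends on the From domain's published policy, which is why using an alias at a domain whose owner publishes `p=reject` is the scenario to watch for.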



  • > Are you wanting to have a .onion TLD email address,

    Yes, and that much exists. There are onion email providers, but when you email a clearnet recipient, they typically convert your onion email address to a clearnet address. That’s useful in most situations but there are also several use cases for not doing the conversion. But finding a service that accommodates the other use cases is hard, considering onion email is rare in itself.

    > and be able to communicate with non-TOR web servers?

    No, nothing to do with the web. Just email.

    > The host needs to be able to look up addresses, and resolve them to a location.

    Only for replies. But not all messages need a reply. See my other msg.

    > It would require having clearnet servers also connected to the TOR network which I would imagine is incredibly unlikely.

    Those exist already (danwin, riseup, onionmail, etc). But they operate on the assumption that senders always want replies from the recipient to be possible via their receiving server. That’s not always desirable.

    > In the same way you can browse non onion sites through TOR but not the other way around,

    There is a service that enables clearnet users to reach onion services (onion.to, onion.cat, etc), but this is unrelated. Web is unrelated.

    > you would likely be able to send email but not receive them

    Bingo. That’s the point in some of the use cases.

  • > What data controller is that?

    Grocery store loyalty card. I actually quit all grocer loyalty cards because the 1% savings or whatever is a lousy insignificant amount for being tracked in such detail. And I switched to cash. The grocer’s website started blocking Tor so I started boycotting them and I’m just digging around on the principle that if they don’t have enough privacy respect to serve Tor users then they should be probed.

    The whole point of the loyalty card is to do market research. They would likely claim that processing birth date is lawful under Art.6¶1(b) (“processing is necessary for the performance of a contract”). But is it? I mean, buying the food doesn’t even need a contract. One could argue that offering exclusive promos to cardholders does not require any data collection. But it would defeat the grocer’s purpose for entering into the contract. I guess I should read up on EDPB guidelines 2019/02… that should have the answer.



  • > but it comes with a price (the bank takes a cut of every transaction).

    Actually Visa offered small businesses a $10k incentive for refusing cash for a year. I’m sure that more than offsets their fees.

    > However, I strongly object to having my data being included in any form of advertising profile.

    It’s worse than that. You probably wouldn’t like them to tell your auto and health insurance how much you spend on booze and smokes either. Or sell info to your spouse about any hotels you checked into in the same city you live in.

    There is no GDPR in the US, so cash is extremely important.