Andrey Sitnik, Evil Martians
Privacy-first architecture
Why and how to care about the privacy of your users?
@sitnikcode
“Let’s focus on tech,
not politics!”
Hackers, 1993
Section 1: Software development and politics
Hackers, 1993
Open Source is political
The word “free” in [free software] does not refer to price;
it refers to freedom. […]
The freedom to change a program, so that
you can control it instead of it controlling you.
Cryptography is political
The decisions we make about communication security today will determine the kind of society we live in tomorrow
— Whitfield Diffie, 1993, co-creator of public key cryptography
Hacking is political
Mistrust authority—promote decentralization
— Hacker ethic by Steven Levy, 1984
Software development has always been about politics
Always Has Been meme, unknown author
Apolitical views are new
1990s (Hackers, 1993) vs 2010s (Silicon Valley, 2014)
Section 2: Why should I care?
Hackers, 1993
Reason 1: You will live in the world you created
“Just because you do not take an interest in politics
doesn’t mean politics won’t take an interest in you.”
Write code!
Russian meme from anonymous author
Reason 2: It creates meaning for life
Work just for money
Making the revolution for fun
DALL-E and Hackers, 1993
But there are many revolutions to make
Adventure Time
Section 3: Why is privacy important?
Hackers, 1993
Mistake 1: Is it just for Google for better ads?
FAKE
Diagram labels: Blue Coders, Analytics, Data brokers
Fact 1: It is for data brokers to resell
Diagram labels: Ads, Free, Analytics, Data brokers, Shady clients
Case: X-Mode data broker, 2020
“Over 100 apps that sold location data
to sketchy data broker X-Mode”
“Quran app, Muslim dating app, Craigslist app, an app for following storms, and a level app that can be used to help install shelves”
“X‑Mode had supplied location data to U.S. military contractors”
Mistake 2: This company doesn’t sell data
“We respect your privacy”
AFP
FAKE
Fact 2: If data is stored it can be leaked
Case: Yandex Food Delivery data breach, 2022
All deliveries from 2021-2022 were leaked:
— First & last name
— Phone number
— Food delivery address
— Delivery time
There was even a public, easy-to-use map app: anyone could find your deliveries
Mistake 3: My email is not sensitive data
Windows 11 install wizard
Fact 3: Big data connects different leaks
Quran app → Muslim, locations
Social app → locations
Old breach → full name
Google Analytics tracks >52.6% of websites
Diagram: a.com, b.com, c.com, d.com, e.com, f.com, g.com. GA sees the click and the Referer; only c.com is invisible to GA.
Tracking is connected to your Google account
Mistake 4: I have nothing to hide
Dolores Umbridge from Harry Potter
If you have nothing to hide
You have nothing to fear
Fact 4: Somebody else has something to hide
“… find personal details identifying critics of the Saudi monarchy who had been posting under anonymous Twitter handles”
“[Saudi Prince], who owns
>5% of Twitter”
Fact 4: … and to fear
“54-year-old teacher, Mohammad bin Nasser al-Ghamdi, received
a death sentence for tweeting mild criticism of the authorities
to his 10 followers on Twitter.”
In the Netherlands too
“After Russia invaded Ukraine in February 2022, authorities began using facial recognition to prevent people from protesting in the first place”
“VisionLabs’ algorithm has been used in Moscow’s facial recognition system”
VisionLabs Global HQ: Johan Cruijff Boulevard 65, Amsterdam
LLMs with private data can change your beliefs
We find that GPT-4 with personalization has the strongest effect, increasing the odds of higher post-treatment agreement
with opponents by 81.7%.
Without personalization, GPT-4 still outperforms humans,
but the effect is lower (+21.3%).
— On the Conversational Persuasiveness of Large Language Models: A Randomized Controlled Trial
Step 1: Remove GDPR popup
Hackers, 1993
The web became an awful place
The New York Times
React Amsterdam Meetup
“Being the oldest ReactJS community in BeNeLux, it gathers Front End developers across the globe in the tech heart of Europe.”
We made the web an awful place
The New York Times
But we need popups for GDPR, right?
Fireplugins
There is no “popup” in GDPR law
Why we added GDPR popups
Punish them with popups until they agree to give us personal data
“Don’t track users”
Friends s10, e13
Consent popup is just a dark design pattern
😈 Popup blocks content
😈 UI is unclear
😈 The biggest button is Allow
Mock popup: “We care about your privacy. Can we spy on you?” with the buttons “Yes” and “Yes, but on red”
The real “We care about privacy” way
😻 GDPR-compatible analytics
😻 No popup
😻 You ask users when you need data (for instance, in the Sign Up form)
Analytics without popup
✅ Page views, browsers, countries
✅ Traffic sources
✅ Track website events
✅ Track campaigns
⛔ Can’t connect events with a session/user ID
⛔ Can’t collect social network IDs for ads (remarketing)
Plausible
There are many cookieless tracking tools
But the marketing manager demands GA
DALL-E
Irrational data collection obsession
Verleih Fair & Ugly Filmproduktion
Irrational vs rational data collection
What decision have you made in the last year based on personal data?
You can’t trust data only from opt-in users
Diagram: all users vs your data (Yes on GDPR popup vs No on GDPR popup)
32–64% of users press Yes on GDPR banners, Statista
A popup only for the EU is not an option
GDPR-like laws:
🇧🇷 Brazil: Lei Geral de Proteção de Dados
🇨🇦 Canada: Digital Charter Implementation Act
🇨🇱 Chile: Ley 19,628
🇪🇬 Egypt: Law No. 151
🇮🇳 India: Personal Data Protection Bill
🇿🇦 South Africa: Protection of Personal Information Act
🇺🇸 USA, CA: California Consumer Privacy Act
It is time to change the industry
Hackers, 1993
Remember how we killed IE together
Ex-YouTube developer reveals how they ‘conspired to kill IE6’
Step 2: Reduce privacy data processors
Hackers, 1993
You are not the only one with access to private data
“We Care About Your Privacy
We and our 618 partners store and/or access information on a device, such as unique IDs in cookies to process personal data. You may accept or manage your choices by clicking below or at any time in the privacy policy page. These choices will be signaled to our partners and will not affect browsing data.”
Who has access to user data?
😈 Third-party JS scripts (especially from other domains): public CDN for JS libs, analytics with JS
😈 Website hosting
😈 CDN (Cloudflare sees 20% of traffic)
😈 All of their other partners
😈 Mail service, support
😈 etc.
Load Third-Party JavaScript, web.dev
Every extra service is a risk
🧐 Hosting, 🧐 CDN, 🧐 Ads, 🤤 Public JS CDN, 🥸 JS script from CDN, 🧐 Third-party database
→ Leak
→ Sell data
@sitnikcode
🧐
Hosting
🧐
CDN
🧐
Ads
🤤
Public JS CDN
🥸
JS script from CDN
🧐
Third-party database
How to reduce the number of services?
✅ No public CDN for libs (also better performance)
✅ No public CDN for fonts (also better performance)
✅ Self-hosted tools (like analytics)
✅ Combine CDN and cloud
Step 3: Local-First
Hackers, 1993
Advanced
Advanced step: only for new projects
Hackers, 1993
What is Local-First?
Rich client keeps data and processing locally, the server is just for sync (diagram: Server-First vs Local-First)
The idea was presented by Ink & Switch
Seven ideas:
- No spinners (local data fast to change)
- Sync between devices
- Offline-first
- Conflict-free collaboration
- App will work when company closes
- Privacy by default
- User owns data
Notion vs Obsidian
Notion: Server-First
Obsidian: Local-First. Local files (notes/Shopping.md, notes/Ideas.md) live on the laptop and the phone and are synced via Obsidian Sync & Publish, a GitHub repo, or any cloud sync
How to make Local-First on the web?
- Offline-first → PWA & Service Worker
- Local data → client-side high-level database
What kind of client-side DB do we need?
- All data on the client → fast and rich API
- Sync changes → changes log (much easier to sync, but not necessary)
- Client owns data → DB migrations are in client JS bundle
const log = [
  { type: 'posts/change', title: 'A' },
  { type: 'posts/change', title: 'B' },
  { type: 'posts/create', post: { … } }, // last synced
  { type: 'comments/add', postId: 'fdj43knl4' }
]
CRDT* to resolve conflicts
Diagram: one source of truth vs everyone is a “server”
* — a simple Map/Set is enough. No need for complex Google Docs-like collaboration.
id: nanoid() random ID, not a sequential ID
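The changes log and the Map-style conflict resolution from the last two slides, as an added example (not the talk's code): each device appends changes with a random id, a sync is a set union of two logs, and replaying the union applies last-writer-wins per field, so every device ends in the same state. randomId here is a stand-in for nanoid(), and the two device logs are constructed sample data.

```javascript
// Random id: any device can create a change without asking a server.
const randomId = () => Math.random().toString(36).slice(2, 10)

function change(type, data, time) {
  return { id: randomId(), time, type, ...data }
}

// Replay the log into client state (a Map of posts). Ordering by timestamp
// with the id as tiebreaker makes every device pick the same winner.
function replay(log) {
  const posts = new Map()
  const sorted = [...log].sort((a, b) => a.time - b.time || (a.id < b.id ? -1 : 1))
  for (const c of sorted) {
    if (c.type === 'posts/create' || c.type === 'posts/change') {
      posts.set(c.postId, { ...(posts.get(c.postId) ?? {}), ...c.fields })
    } else if (c.type === 'posts/delete') {
      posts.delete(c.postId)
    }
  }
  return posts
}

// Sync = set union keyed by change id. It is commutative and idempotent:
// merging in either order, or twice, yields the same log.
function merge(localLog, remoteLog) {
  const byId = new Map([...localLog, ...remoteLog].map(c => [c.id, c]))
  return [...byId.values()]
}

// Constructed sample: the laptop and the phone edit the same title offline.
const postId = 'fdj43knl4'
const laptop = [
  change('posts/create', { postId, fields: { title: 'A' } }, 1),
  change('posts/change', { postId, fields: { title: 'Laptop' } }, 2),
]
const phone = [
  laptop[0], // the create was already synced to the phone
  change('posts/change', { postId, fields: { title: 'Phone' } }, 3),
]
// → replay(merge(laptop, phone)) and replay(merge(phone, laptop)) both give title 'Phone'
```

Wall-clock timestamps are the simplification here; a real app uses a logical or hybrid clock so that a device with a skewed clock cannot silently win every conflict.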
What kind of server do we need?
- Sync between devices → standard auth
- Privacy → store and re-sync encrypted changes
- Privacy → second password for end-to-end encryption
You will need a desktop app for everything
- Works even if you close the cloud
- Has a folder with files
Benefit 1: Very simple server
Server: sync changes, auth, check access for collaboration
Client: all business logic, all data management
Benefit 2: No server in prototype stage
project/ contains only client/
Benefit 3: Try app without creating account
Local demo
Sign-Up for sync between devices
Benefit 4: No private data → no problem
DALL-E
Benefit 5: No cache complexity on the client
Benefit 6: No spinners, no interruptions
Continue to work
Save
Benefit 7: There are frameworks for LoFi
Evolu
ElectricSQL
RxDB
Hard part 1: Frameworks are not 100% ready
→ April 2019
No common patterns yet
Hard part 2: Client’s database migrations
const migrations = {
  // from schema version 1: posts were renamed to news, so old log entries are rewritten
  1: action => {
    if (action.type === 'posts/created') {
      return { type: 'news/created', news: action.post }
    }
  }
}
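The slide's migration carried through to a runner, as an added example (not the talk's code) that goes a step beyond the slide: the schema version is stored with the log, every migration above it is applied in order to each action, and actions a migration does not mention pass through unchanged. The second migration and the old store are constructed for illustration.

```javascript
const migrations = {
  // v1 → v2: posts were renamed to news (the migration from the slide)
  1: action => {
    if (action.type === 'posts/created') {
      return { type: 'news/created', news: action.post }
    }
  },
  // v2 → v3: the boolean draft flag became an explicit status field
  2: action => {
    if (action.type === 'news/created') {
      const { draft = false, ...news } = action.news
      return { type: 'news/created', news: { ...news, status: draft ? 'draft' : 'published' } }
    }
  },
}
const CURRENT_VERSION = Object.keys(migrations).length + 1

// Runs on app start, before the log is replayed into the client database.
// A migration returning undefined means "this action is not mine": keep it.
function migrateLog(stored) {
  let { version, log } = stored
  for (let v = version; v < CURRENT_VERSION; v++) {
    const migrate = migrations[v]
    log = log.map(action => migrate(action) ?? action)
  }
  return { version: CURRENT_VERSION, log }
}

// Constructed sample persisted by an old build of the app (schema version 1).
const OLD_STORE = {
  version: 1,
  log: [
    { type: 'posts/created', post: { id: 'fdj43knl4', title: 'A', draft: true } },
    { type: 'comments/add', postId: 'fdj43knl4' },
  ],
}
// → version 3; the first action becomes news/created with status 'draft', the comment is untouched
```

Because the client owns the data, a user who skips several releases still opens the app with a consistent log; the server never needs to know the schema.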
Hard part 3: DB could be too big for client
The simplest way: client has all data
Partial replication is possible, but there are no good out-of-the-box solutions yet
Hard part 4: Complex access control
It is possible too, but we need some out-of-the-box solution. Creating it manually is hard.
Hard part 5: password recovery
With great privacy comes great responsibility
Spider-Man
Read Guides
Step 4: Privacy from non-US perspective
Hackers, 1993
Advanced
Risks are different in different countries
India
WhiteEmperor420 on Reddit
Advanced step: for big & popular projects
Hackers, 1993
Different privacy risks
🕵️ Government’s Secret Service
🪤 Surveillance for regime critics
📶 Internet provider
☁️ Data brokers
🏬 International companies collecting private data
👮 Phone check by the local police officer
⛪ Local community with ethical standards
👪 Family members
US media focuses mostly on:
🕵️ Government’s Secret Service
☁️ Data brokers
🏬 International companies collecting private data
Much less on: surveillance for regime critics, Internet provider, phone check by the local police officer, local community with ethical standards, family members
Different risks need opposite solutions
RSS Reader privacy risks:
🇺🇸 US: local-first, don’t trust the cloud
🇷🇺 Russia: US cloud proxy, to hide you from the Internet provider
Chat checks by local police in 🇷🇺 🇧🇾
“Unlock your phone and show Telegram”
Andrey Lukovsky
“I have rights”
Phone mock: PIN 1234, Telegram shows Navalny, Following
Telegram fork by Belarusian Cyber-Partisans
You can have 2 PINs:
PIN 1234: Navalny, Following
PIN 1984: CSS hacks, GitHub trends, Following
Summary
Hackers, 1993
For next working day
❤️ Remove the GDPR popup by using cookieless analytics
❤️ Reduce services with access to private data
🌟 Think of Local-First in your next project
🤔 Think of other privacy risks if you make a social tool
Thanks
Privacy-first architecture
By Andrey Sitnik