Andrey Sitnik, Evil Martians

Privacy-first architecture

Why and how to care about the privacy of your users?

@sitnikcode

“Let’s focus on tech, not politics!”


Hackers, 1993

Section 1: Software development and politics


Hackers, 1993

Open Source is political


The word “free” in [free software] does not refer to price;
it refers to freedom. […]

The freedom to change a program, so that
you can control it instead of it controlling you.

 

 What is the Free Software Foundation? 1986

Cryptography is political


The decisions we make about communication security today will determine the kind of society we live in tomorrow

 

Whitfield Diffie, 1993
co-creator of public key cryptography

Hacking is political


Mistrust authority—promote decentralization

 

 Hacker ethic by Steven Levy, 1984

Software development always
has been about politics


Always Has Been meme, unknown author

Apolitical views are new


1990s

2010s

Hackers, 1993

Silicon Valley, 2014

Section 2: Why should I care?


Hackers, 1993

Reason 1: You will live in the world you created


“Just because you do not take an interest in politics
doesn’t mean politics won’t take an interest in you.”

 Write code!

Russian meme from anonymous author


Reason 2: It creates meaning for life

Work just for money

Making the revolution for fun

DALL-E and Hackers, 1993

But there are many revolutions to make


Adventure Time

Section 3: Why is privacy important?


Hackers, 1993

Mistake 1: Is it just Google collecting data for better ads?



Mistake 1: Is it just Google collecting data for better ads?


FAKE

Blue Coders

Analytics

Data brokers

Fact 1: It is for data brokers to resell



Ads

Free
Analytics

Data brokers

Shady clients

Case: X-Mode data broker, 2020


“Over 100 apps that sold location data
to sketchy data broker X-Mode”

Quran app, Muslim dating app, Craigslist app, an app for following storms, and a level app that can be used to help install shelves

“X‑Mode had supplied location data to U.S. military contractors”


Mistake 2: This company doesn’t sell data

We respect your privacy

AFP

Mistake 2: This company doesn’t sell data

FAKE


Fact 2: If data is stored, it can be leaked


Case: Yandex Food Delivery data breach, 2022


All deliveries in 2021-2022 were leaked:

— First & last name
— Phone number
— Food delivery address
— Delivery time

There was even a public, easy-to-use map app:
anyone could find your deliveries


Mistake 3: My email is not sensitive data

Windows 11 install wizard


Fact 3: Big data connects different leaks

Quran app → Muslim, Locations

Social app → Locations, E-mail

Old breach → E-mail, Full name

Google Analytics tracks >52.6% of websites


a.com, b.com, c.com, d.com, e.com, f.com, g.com

GA sees the click and the Referer. Only c.com is invisible to GA.

Tracking is connected to your Google account


Mistake 4: I have nothing to hide

Dolores Umbridge from Harry Potter

If you have nothing to hide

You have nothing to fear


Fact 4: Somebody else has something to hide

“… find personal details identifying critics of the Saudi monarchy who had been posting under anonymous Twitter handles”

“[Saudi Prince], who owns >5% of Twitter”


Fact 4: and to fear

“54-year-old teacher, Mohammad bin Nasser al-Ghamdi, received
a death sentence for tweeting mild criticism of the authorities
to his 10 followers on Twitter.”


In the Netherlands too

“After Russia invaded Ukraine in February 2022, authorities began using facial recognition to prevent people from protesting in the first place”

“VisionLabs’ algorithm has been used in Moscow’s facial recognition system”

VisionLabs Global HQ: Johan Cruijff Boulevard 65, Amsterdam


LLMs with private data can change your beliefs

“We find that GPT-4 with personalization has the strongest effect, increasing the odds of higher post-treatment agreement with opponents by 81.7%.

Without personalization, GPT-4 still outperforms humans, but the effect is lower (+21.3%).”

On the Conversational Persuasiveness of Large Language Models: A Randomized Controlled Trial

Step 1: Remove GDPR popup


Hackers, 1993

The web became an awful place


The New York Times

React Amsterdam Meetup


Being the oldest ReactJS community in BeNeLux it gathers Front End developers across
the globe in the tech heart of Europe.

We made the web an awful place


The New York Times

But we need popups for GDPR, right?


Fireplugins

There is no “popup” in GDPR law


Why we added GDPR popups


Punish them with popups until they agree to give us personal data

Don’t track users

Friends s10, e13

A consent popup is just a dark design pattern


😈  Popup blocks content
😈  UI is unclear
😈  The biggest button is Allow

Mock popup: “We care about your privacy. Can we spy on you?” with the buttons “Yes” and “Yes, but on red”

The real “We care about privacy” way


😻  GDPR compatible analytics
😻  No popup
😻  You ask users when you need data
        (for instance, in the Sign Up form)

Analytics without popup


✅  Page view, browsers, countries
✅  Traffic sources
✅  Track website events
✅  Track campaigns
⛔  Can’t connect events with session/user ID
⛔  Can’t collect social network ID for ads (Remarketing)

Plausible

There are many Cookieless Tracking tools


But the marketing manager demands GA


DALL-E

Irrational data collection obsession


Verleih Fair & Ugly Filmproduktion

Irrational vs rational data collection


What decision have you made in the last year
based on personal data?

You can’t trust data only from opt-in users


All users

Your data

Yes on GDPR popup

No on GDPR popup

32–64% of users press Yes on GDPR banners, Statista

A popup only for the EU is not an option


GDPR-like laws:

🇧🇷 Brazil: Lei Geral de Proteção de Dados
🇨🇦 Canada: Digital Charter Implementation Act
🇨🇱 Chile: Ley 19,628
🇪🇬 Egypt: Law No. 151
🇮🇳 India: Personal Data Protection Bill
🇿🇦 South Africa: Protection of Personal Information Act
🇺🇸 USA, CA: California Consumer Privacy Act

It is time to change the industry


Hackers, 1993

Remember how we killed IE together


Ex-YouTube developer reveals how they ‘conspired to kill IE6’

Step 2: Reduce privacy data processors


Hackers, 1993

You are not the only one with access to private data


We Care About Your Privacy

We and our 618 partners store and/or access information on a device, such as unique IDs in cookies to process personal data. You may accept or manage your choices by clicking below or at any time in the privacy policy page. These choices will be signaled to our partners and will not affect browsing data.


Who has access to user data?

😈  Third-party JS scripts (especially from other domains):
         public CDNs for JS libs,
         analytics with JS

😈  Website hosting
😈  CDN (Cloudflare sees 20% of traffic)
😈  All of their other partners
😈  Mail service, support
😈  etc.

Load Third-Party JavaScript, web.dev

Every extra service is a risk


Hosting, CDN, Ads, Public JS CDN, JS script from CDN, Third-party database

→ Leak

→ Sell data

Fewer services = fewer risks


Hosting, CDN, Ads, Public JS CDN, JS script from CDN, Third-party database

How to reduce the number of services?


✅  No public CDN for libs (also better performance)

✅  No public CDN for fonts (also better performance)

✅  Self-hosted tools (like analytics)

✅  Combine CDN and cloud
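As an added example (not from the talk), a small Node.js check that lists which origins a page's HTML loads scripts, stylesheets and fonts from, so every extra service that would see the user's request is visible before you decide to self-host it. The HTML sample is constructed and the function names are mine.

```javascript
// Match <script src=…> and <link href=…> tags and pull out the URL attribute.
const TAG_RE = /<(script|link)\b[^>]*?\b(src|href)\s*=\s*["']([^"']+)["'][^>]*>/gi

// Return the distinct third-party origins referenced by the page, with the
// resources loaded from each, so every extra data processor is visible.
function thirdPartyOrigins(html, pageUrl) {
  const page = new URL(pageUrl)
  const byOrigin = new Map()
  for (const [, tag, , value] of html.matchAll(TAG_RE)) {
    let url
    try { url = new URL(value, page) } catch { continue } // skip malformed URLs
    if (url.origin === page.origin || url.protocol === 'data:') continue
    const kind = tag.toLowerCase() === 'script' ? 'script' : 'link'
    const list = byOrigin.get(url.origin) || []
    list.push(`${kind} ${url.pathname}`)
    byOrigin.set(url.origin, list)
  }
  return Object.fromEntries([...byOrigin].sort(([a], [b]) => a.localeCompare(b)))
}

// Constructed sample: one self-hosted bundle, one library from a public JS CDN,
// a web font from a font CDN and a hosted analytics script (placeholder ID).
const SAMPLE_HTML = `
<link rel="stylesheet" href="https://fonts.googleapis.com/css2?family=Inter">
<script src="/assets/app.js"></script>
<script src="https://cdnjs.cloudflare.com/ajax/libs/lodash.js/4.17.21/lodash.min.js"></script>
<script async src="https://www.googletagmanager.com/gtag/js?id=G-EXAMPLE"></script>
<link rel="icon" href="data:image/png;base64,iVBORw0KGgo=">`

console.log(thirdPartyOrigins(SAMPLE_HTML, 'https://example.com/'))
```

Each origin that appears in the output is a party that receives the visitor's IP address and request headers; the self-hosted bundle and the inline data: icon do not show up.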

Step 3: Local-First


Hackers, 1993

Advanced

Advanced step: only for new projects


Hackers, 1993

What is Local-First?


Rich client keeps data and processing locally,
the server is just for sync

Server-First

Local-First

The idea was presented by Ink & Switch


Seven ideas:

  1. No spinners (local data fast to change)
  2. Sync between devices
  3. Offline-first
  4. Conflict-free collaboration
  5. App will work when company closes
  6. Privacy by default
  7. User owns data

Notion vs Obsidian


Notion
Server-First

Obsidian
Local-First

Obsidian keeps local files (notes/Shopping.md, notes/Ideas.md) on each laptop and phone;
sync goes through Obsidian Sync & Publish, a GitHub repo, or any cloud sync

How to make Local-First on the web?


  1. Offline-first → PWA & Service Worker
  2. Local data → client-side high-level database

What kind of client-side DB do we need?


  1. All data on the client → fast and rich API
  2. Sync changes via a changes log (much easier to sync, but not necessary)
  3. Client owns data → DB migrations are in the client JS bundle

const log = [
  { type: 'posts/change', title: 'A' },
  { type: 'posts/change', title: 'B' },
  { type: 'posts/create', post: { /* … */ } }, // last synced
  { type: 'comments/add', postId: 'fdj43knl4' }
]

CRDT* to resolve conflicts


One source of truth

Everyone is a “server”

* — simple Map/Set is enough.
        No need for complex Google Docs-like collaboration.

id: nanoid(), a random ID, not a sequence ID

What kind of server do we need?


  1. Sync between devices → standard auth
  2. Privacy → store and re-sync encrypted changes
  3. Privacy → a second password for end-to-end encryption

You will need a desktop app for everything


  1. Works if you close the cloud
  2. Keeps a folder with files

Benefit 1: Very simple server


Server: sync changes, auth, check access for collaboration

Client: all business logic, all data management

Benefit 2: No server in prototype stage


project/
  client/

Benefit 3: Try the app without creating an account


Local demo

Sign-Up for sync between devices

Benefit 4: No private data → no problem


DALL-E

Benefit 5: No cache complexity on the client


Benefit 6: No spinners, no interruptions


Continue to work

Save

Benefit 7: There are frameworks for LoFi


Evolu

ElectricSQL

RxDB

Hard part 1: Frameworks are not 100% ready


April 2019

No common patterns yet

Hard part 2: Client’s database migrations


const migrations = {
  1: action => {
    if (action.type === 'posts/created') {
      return { type: 'news/created', news: action.post }
    }
  }
}
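To show how that map of migrations is applied, here is an added example (mine, not from the talk) that upgrades a changes log stored by an older client to the schema version shipped in the current bundle, running each migration in order. The second migration, the `migrateLog` helper and the stored-log shape are my own assumptions.

```javascript
// Migrations keyed by the schema version they upgrade to. Returning nothing
// keeps the action as it is; returning null drops it from the log.
const migrations = {
  // v1: "posts" were renamed to "news" (the talk's example).
  1: action => {
    if (action.type === 'posts/created') {
      return { type: 'news/created', news: action.post }
    }
  },
  // v2 (hypothetical): the free-text field moved from `text` to `body`.
  2: action => {
    if (action.type === 'news/created' && 'text' in action.news) {
      const { text, ...rest } = action.news
      return { type: 'news/created', news: { ...rest, body: text } }
    }
  }
}

const CURRENT_VERSION = Math.max(...Object.keys(migrations).map(Number))

// Upgrade a log stored at `stored.version` to CURRENT_VERSION one version at a
// time, so a client that skipped several releases still ends up consistent.
// Runs on the client at startup, before the app reads its local data.
function migrateLog(stored) {
  let { version, log } = stored
  if (version > CURRENT_VERSION) throw new Error(`data is from a newer client (v${version})`)
  for (let v = version + 1; v <= CURRENT_VERSION; v++) {
    const migrate = migrations[v]
    if (!migrate) throw new Error(`missing migration to v${v}`)
    log = log.flatMap(action => {
      const result = migrate(action)
      if (result === undefined) return [action]
      if (result === null) return []
      return [result]
    })
  }
  return { version: CURRENT_VERSION, log }
}

// Constructed log as an old v0 client would have saved it locally.
const storedV0 = {
  version: 0,
  log: [
    { type: 'posts/created', post: { id: 'a1', title: 'Hello', text: 'first' } },
    { type: 'comments/add', postId: 'a1' }
  ]
}
console.log(JSON.stringify(migrateLog(storedV0)))
```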

Hard part 3: DB could be too big for the client


The simplest way: the client has all data

Partial replication is possible, but there are no good out-of-the-box solutions yet

Hard part 4: complex access control


It is possible too, but we need an out-of-the-box solution.

Creating it manually is hard.

Hard part 5: password recovery


With great privacy comes great responsibility

Spider-Man

Read Guides


Step 4: Privacy from non-US perspective


Hackers, 1993

Advanced

Risks are different in different countries


India

WhiteEmperor420 on Reddit

Advanced step: for big & popular projects


Hackers, 1993

Different privacy risks


🕵️  Government’s Secret Service
🪤  Surveillance for regime critics
📶  Internet provider
☁️  Data brokers
🏬  International companies collecting private data
👮  Phone check by the local police officer
⛪  Local community with ethical standards
👪  Family members

US media focus mostly on


🕵️  Government’s Secret Service
      Surveillance for regime critics
      Internet provider
☁️  Data brokers
🏬  International companies collecting private data
      Phone check by the local police officer
      Local community with ethical standards
      Family members

Different risks need opposite solutions


RSS reader privacy risks

🇺🇸 US: local-first,
don’t trust the cloud

🇷🇺 Russia: a US cloud proxy
to hide you from your Internet provider


Chat check by the local police in 🇷🇺 🇧🇾


“Unlock your phone and show Telegram”

Andrey Lukovsky

“I have rights”

PIN 1234 → Following: Navalny

Telegram fork by Belarusian Cyber-Partisans


PIN 1234 → Following: Navalny
PIN 1984 → Following: CSS hacks, GitHub trends

You can have 2 PINs

Summary


Hackers, 1993

For next working day


❤️  Remove GDPR popup by using cookieless analytics
❤️  Reduce services with access to private data
🌟  Think of Local-First in next project
🤔  Think of other privacy risks if you make a social tool

Thanks
