Fight For Privacy
-
How to penalize Tor-hostile companies (e.g. Cloudflare users)
cross-posted from: https://infosec.pub/post/9048075
> I simply make a GDPR request. Write to a Tor-hostile data controller making an Article 15 request for a copy of all your data. Also ask for a list of all entities your data is shared with.
>
> The idea is that if a website blocks Tor (or worse, uses Cloudflare to also share all traffic with a privacy offender), then they don’t give a shit about privacy. So you punish them with some busy work and that busy work might lead to interesting discoveries about data abuses.
>
> Of course this only works in the EU and also only works with entities that have collected your personal data non-anonymously. After getting your data it generally makes sense to also file an Article 17 request to erase it and boycott that company.
-
The language fight -- stop accepting industry terms and brands (“smart”, “Meta”, “Threads”, “X”)
Language is important. The corporate propagandists are winning the language branding battle. In fact there is no battle because the pushover public just accepts their terms. We need to organize and define their garbage with our terms. E.g.
- (smart → dependent) Homes and appliances dependent on a corporation and contract are perversely called smart. So we should refer to them as “contract-dependent” or simply “dependent”. It’s not a smart dryer or doorbell, it’s a dependent dryer or doorbell. Probably makes no progress to mess with “smartphone”, but anything that has an avoidable and needless dependency needs renaming. (smartphone is debatable.. maybe a degoogled or Postmarket OS phone is a smartphone while a stock Android is a dependent phone, but let’s not get too carried away). Initially it’s not effective to just start saying “dependent washer” because readers won’t understand. Say “‘smart’ (read: dependent) washer”. Credit for this terminology goes to @[email protected] for this post, which gives a bit more detail.
- (Meta→Facebook) Meta hi-jacks a common English word to benefit a surveillance advertiser. We can’t allow this. IMO Facebook is understood and clear enough, but note that it’s not technically accurate because Meta is a parent company which has Facebook and Threads as subsidiaries IIUC (just like Alphabet owns Google).
- (Threads→fbThreads™/®?) Since Threads is the original name of Facebook’s forum, there is no unambiguous past name to cling to. We must invent something here. Fuck those egocentric self-centered asshole fucks for hi-jacking a generic common word to describe their service. There are already confusing conversations where it’s unclear from context if someone means FB’s Threads or a generic forum (threads). It’s not just a confusion problem.. when you refer to a thread in the generic sense and it is understood, there is still a subconscious tie to that shitty company.. their brand benefits from conversation that does not even involve their brand.
- (X→Twitter) This is an easy one. Just keep with the old term.
- (Cloudflare→CF walled garden) I’ve not encountered a replacement term for Cloudflare that’s not overly hyperbolic. But we can often incorporate “walled garden” and “centralized” to stress the issues. Instead of just saying “it’s a Cloudflare site”, say some variant of “the site is jailed in Cloudflare’s exclusive centralized access-restricted discriminatory walled garden contrary to netneutrality principles of access equality”.
It’s worth noting that hyperbole doesn’t help. E.g. we might want:
- Meta/Facebook→Fakebook
- Microsoft Windows→Microsnot Winblows
The problem is these terms are only accepted by fully committed digital rights folks. That’s not the crowd that needs to be swayed. Hyperbole does not catch on with moderates - the masses where it’s most important for rebranding to take hold. Good rebranding doesn’t deviate too much from neutrality.
- (user→pawn) Exceptionally, I refer to “users” of surveillance capitalists as “pawns”. It’s probably too edgy to catch on, but it is what it is. Users is neutral and understood so it can’t easily be rebranded anyway. I will just say pawns to stress the point: who is using whom?
Anyway, this is just the start of a crowd-sourcing effort. Please contribute more rebrandings in this thread as well as improved alternatives to my effort above.
-
-
How to attack CCDs like that of Amazon Ring
laserpointerforums.com: "Do I destroy the CCD in the camera if I shine directly into it?" I will photograph a direct hit of my lasers, so I wondered if the lasers will destroy the CCD in my camera? But I've thought to use my old camera from 1999. Will start with the small red lasers, then the green and at last the blue. Will present the result here! But I have to buy batteries first.
Suppose you’re fed up with being video surveilled in public and you object to your neighbor placing your home under 24/7 video surveillance which is fed to a surveillance advertiser (#Amazon). Or you want to kill the video surveillance in vending machines.
laser --- Is it practical and affordable to buy laser that can reach across the street and still have enough focus and power to burn a CCD? Can it be done from different angles without the CCD capturing the source before the damage manifests? There is some chatter here on power levels.
Of course it must be precisely controllable as well; obviously no one wants to inadvertently hit an eyeball and blind someone. Which I suppose implies that the laser either needs a well calibrated scope or it needs to be in the visible spectrum so you can see where it lands.
I would really love it if someone would rig up a drone to do this, which could then go down the street and knock out many Amazon Rings.
cyber attack --- (Amazon Ring only) A simple cyber attack: if you can find out (social engineer?) the username of the Ring pawn¹, you can deliberately submit wrong passwords until the acct locks. When an Amazon account is suspended, the doorbell no longer functions. Funnily enough. So people with smart homes must constantly obey Amazon’s wishes if they want their home to continue to function. Would love to see that backfire. But it’s unclear if an account locked due to failed passwords goes into the same state of suspension that breaks the doorbell. I just recall a story where someone’s Amazon account was suspended due to some dispute or misunderstanding with Amazon which then broke their doorbell and probably other “smart” (read: dependent) appliances to go out of service.
¹ I don’t say “user” because they are being used by Amazon. That means they are a “pawn”.
-
- European Court of Human Rights declares backdoored encryption is illegal
www.theregister.com: "European human rights court says no to weakened encryption". Surprising third-act twist as Russian case means more freedom for all
cross-posted from: https://lemmy.world/post/11992277
> European Court of Human Rights declares backdoored encryption is illegal::Surprising third-act twist as Russian case means more freedom for all
-
(poll) Are DPAs getting you justice under the GDPR?
blobfox.coffee: armchairFossarian (@[email protected]): How is the #GDPR serving you? Have you filed complaints to any Data Protection Authorities (DPAs) in #Europe? #poll #EU #GDPRart97
[ ] I have never filed a GDPR art.77 complaint (I have no EU activity)
[ ] I have never filed a GDPR art.77 complaint yet I have EU transactions
[ ] All my art.77 c...
cross-posted from: https://sopuli.xyz/post/8481789
> #poll
-
- What are your steps/habits to protect privacy?
Hi all, a shy attempt to wake this community again :)
What's your daily routine for privacy, what are you using, what are you not doing?
Short summary of me:
- Phone -> LineageOS
- VPN -> Per perimeter (LAN, Mobile) -> different VPN providers
- Home network (More for security but also helps detecting privacy invasive applications) -> Firewall, IDS and ISP router is bridged
- Payment -> Cash where possible (Saved me some trouble when card machines were offline and most had to go somewhere else to have a meal)
- Browser -> Three to four different ones, per usage I use a different (Media, communication, bank etc)
- Browser extensions -> uBlock Origin, Decentraleyes, User-Agent Switcher and NoScript
- Browser cache/history -> deleted once a month (I do not use credentials saved inside browsers)
- Online Calls -> Matrix
- OS -> Linux only household
- Mail -> Different providers and own domain with catch-all, so if a company sells my mail I will see it because it is [email protected]
That's off the top of my head, what are your takes?
-
- No Robots(.txt): How to Ask ChatGPT and Google Bard to Not Use Your Website for Training
www.eff.org: "No Robots(.txt): How to Ask ChatGPT and Google Bard to Not Use Your Website for Training". Both OpenAI and Google have released guidance for website owners who do not want the two companies using the content of their sites to train the company's large language models (LLMs). We've long been supporters of the right to scrape websites, the process of using a computer to load and read pages.....
-
the gov started blocking Tor on some of their public-facing web servers -- how to fight this
A public service started blocking access from Tor users. Blocks like this almost never have the courtesy to acknowledge why you are blocked (Tor) much less why they decided to exclude Tor users from public access. The blockades seem to always be implemented by an asshole.
So I play dumb: “your site is no longer working… here is my screenshot…('Unable to connect')”. I submit that as a complaint.
The response I would hope for: “Oh, we are sorry sir, we will send you a link to our bulletin page that publishes a chronology of all changes we make to the site and have a technician call you to troubleshoot the problem.”
My goal is to burden those behind unjustified/undocumented anti-Tor configs so they spend some time investigating as a consequence of their unannounced change and their useless error messages.
What really happens:
They reply saying: “the server works. No problems were reported. The problem is with your browser. Try another computer/browser”.
So indeed, they double-down on being assholes. They give this snap response having no idea what could have gone wrong. There is no escalation procedure in government when you reach an incompetent person. So what’s the counter-move?
Proposal: network with other Tor users in the region. When one user reports a tor-hostile, everyone else in the group should verify the block and complain at the same time; everyone taking care not to mention Tor. It should remove the knee-jerk “there have been no complaints” response.
Has anyone tried this?
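The verification step in that proposal, as an added example (not the poster's code): each person in the group records what they got from the site, and a small consensus check decides whether the pattern is "Tor-specific block", "site is down for everyone", or "not Tor-specific", which is exactly the distinction the "the server works" reply glosses over. The `Observation`, `classify` and `report` names are mine; the sample observations are constructed. The Cloudflare hint relies on the `server: cloudflare` and `cf-ray` response headers that Cloudflare-fronted sites send, which I treat as an assumption here rather than something the thread documents.

```python
"""Decide from several observers' results whether a site blocks Tor specifically.

Added example for the proposal above; not the poster's code. Each observer records
the HTTP status they received (None if the connection failed outright) and whether
they connected over Tor. The Cloudflare hint relies on the `server: cloudflare` and
`cf-ray` response headers that Cloudflare-fronted sites send; treat that as an
assumption and adjust if your observations differ.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Statuses that mean "refused" rather than "served". 403 is the bare error the
# thread complains about; 429/503 are how challenge or rate-limit pages usually arrive.
REFUSED = {403, 429, 503}


@dataclass
class Observation:
    observer: str
    via_tor: bool
    status: Optional[int]                 # None when there was no HTTP response at all
    headers: Dict[str, str] = field(default_factory=dict)

    def refused(self) -> bool:
        return self.status is None or self.status in REFUSED

    def cloudflare_fronted(self) -> bool:
        h = {k.lower(): v.lower() for k, v in self.headers.items()}
        return h.get("server") == "cloudflare" or "cf-ray" in h


def classify(observations: List[Observation]) -> str:
    """Return 'site_down', 'tor_blocked', 'not_tor_specific' or 'inconclusive'."""
    tor = [o for o in observations if o.via_tor]
    direct = [o for o in observations if not o.via_tor]
    if not tor or not direct:
        return "inconclusive"            # need both vantage points to compare
    tor_refused = all(o.refused() for o in tor)
    direct_refused = all(o.refused() for o in direct)
    direct_served = all(not o.refused() for o in direct)
    if tor_refused and direct_refused:
        return "site_down"               # nobody gets through: not a Tor issue
    if tor_refused and direct_served:
        return "tor_blocked"             # clearnet fine, every Tor observer refused
    if any(not o.refused() for o in tor):
        return "not_tor_specific"        # at least one Tor observer was served
    return "inconclusive"                # Tor refused, clearnet mixed: retest later


def report(observations: List[Observation]) -> dict:
    """Summarise what the group saw, in the shape you would attach to a complaint."""
    tor = [o for o in observations if o.via_tor]
    return {
        "verdict": classify(observations),
        "tor_observers": len(tor),
        "tor_refused": sum(o.refused() for o in tor),
        "direct_observers": len(observations) - len(tor),
        "cloudflare_hint": any(o.cloudflare_fronted() for o in tor if o.refused()),
        "statuses_seen": sorted({str(o.status) for o in observations}),
    }


# Constructed sample: three Tor users get a bare 403 (or no answer) from a
# Cloudflare front, one non-Tor user gets the page normally.
SAMPLE = [
    Observation("alice", True, 403, {"Server": "cloudflare", "CF-RAY": "0000-AMS"}),
    Observation("bob", True, 403, {"Server": "cloudflare", "CF-RAY": "0001-FRA"}),
    Observation("carol", True, None),
    Observation("dave", False, 200, {"Server": "cloudflare"}),
]

if __name__ == "__main__":
    print(report(SAMPLE))
```

The "inconclusive" outcomes are deliberate: with only Tor observers there is nothing to compare against, and mixed clearnet results are more likely an outage in progress than a policy, so the group should retest before filing anything.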
-
Privacy seekers are hit the hardest by the enshitification of the web -- what to do about it (smarter browsers)
If you have a defensive browser that runs over Tor and blocks popups, CAPTCHAs, dark-pattern-loaded cookie walls, and various garbage, we still end up at the losing end of the arms race. The heart of the problem is that privacy enthusiasts are exposed to the same search engine rankings that serve the privacy-naïve/unconcerned masses.
Would it make sense for the browser to autodetect various kinds of enshitification, add the hostname to a local db for future use, then report the hostname anonymously over Tor to a central db that serves as an enshitification tracker? The local and centralized DBs could be used to down-rank those sites in future results. And if a link to enshitified sites appears on a page unrelated to searches it could be cautioned with a “⚠”. Some forms of enshitification would probably need manual detection but I could see people being motivated to contribute.
The security and integrity of a centralized db would perhaps be the hardest part of the effort. But if that could be sorted out, we could get search results to prioritize (pro-user) resources. In principle the DB could also track access methods by which a website is garbage-free (e.g. if the garbage does not manifest when viewed in Lynx, then that should be captured in the DB as well).
-
(GDPR) Data controller refuses to honor requests unless an ID card is supplied - IN COLOR
cross-posted from: https://links.hackliberty.org/post/435505
> A data controller responded to a #GDPR request under art.15 & 17 (thus, an access request coupled with erasure request). They responded with a refusal, demanding ID card. They probably demanded it be in color, but I responded with a black and white copy of my ID. They refused again, affirming that the ID card must be in color. So then I sent them a color copy, but I used black boxes to redact my facial image and all personal text except my name. They again refused to honor my request, saying “zonder vlekken en met een goede resolutie om te worden geaccepteerd”. That translates into “without spots or stains”, correct? I don’t think that means without redactions.
>
> Anyway, I would like a GDPR expert to confirm or deny whether the controller’s refusal and demands are lawful.
>
> The relevant GDPR text is:
>
> * https://gdpr-text.com/read/recital-64/
> * https://gdpr-text.com/read/article-12/#para_gdpr-a-12_6
>
> My request (via post) included my residential address and also mentioned a unique email address that only that controller knows me by (though they would not necessarily know it’s unique). Shouldn’t that be sufficient?
UPDATE
This abstract covers some of my questions. Indeed redactions on the ID card are allowed when making requests.
-
How lack of digital rights, Cloudflare, and Google worsened a medical emergency situation and undermined human rights
cross-posted from: https://sopuli.xyz/post/5888507
> Cloudflare blocking medical information
>
> I was having some medical problems involving increasing pain coupled with a somewhat terrifying symptom. I did a web search to work out what I might be dealing with & whether going to the ER was essential or whether it was just a matter of pain tolerance. I use Tor for everything -- but especially for healthcare matters. It would be foolish to step outside of Tor and compromise sensitive medical data. Most of the search hits that looked useful were sites giving medical information from behind anti-tor firewalls, many of which are Cloudflare. My usual circumvention of using archive.org was broken. For some reason archive.org simply gives a “cannot connect” msg, lately. I get the impression archive.org has started blacklisting fingerprints of frequent users because changing browsers and window geometry often solves the problem.
>
> I found one article saying the need for ER is really just a matter of pain but I would have liked to see more articles saying the same thing. During my search which was mostly thwarted by an enshitified tor-hostile web, the pain intensified to a point where I simply had to go to the ER.
>
> Security nannying interferes with family comms
>
> I’m only connected to my family over Wire & XMPP. The iPhone version of the xmpp app my family uses drops the ball on notifications, so #XMPP was effectively a black hole. (This is possibly a defect in the iPhone system and may not even be an app-specific issue.. an honest bug regardless)
>
> The #Wire app developers decided at some point that my AOS version was unacceptable so they coded a self-destruction mechanism in the app. The incompetence of their nannying manifested into a mostly broken app. If someone msgs me on Wire, the app shows just as much text of each msg that fits on the notifications screen in one line. Effectively, the first 5 or so words on inbound msgs and no way to see the whole msg and no way to send an outbound msg of any kind.
>
> So I could not notify my family due to #securityNannying. There are often cases where a developer appoints themselves as an authority on security and decides for everyone (who they effectively perceive as children) whether the user’s unknown security model is compatible with the level of security the app gives. E.g. a typical manifestation of security nannying is when a project removes an encryption algorithm because they arbitrarily think it’s too old. Too weak for what use-case? They cannot know all the ways the tool is used. Sometimes the two endpoints are both on the LAN (or potentially over a sufficiently secure VPN tunnel), in which case app-level encryption is often not even needed. Yet a project will decide to nix an algo and two differing implementations lose interoperability. Why not have a popup warning and allow adults to make an adult decision as to whether the security circumstances are suitable for the situation?
>
> Hospital staff insist on using Google
>
> Anyway, in ER I’m asked for my email address by someone who handles finances. I supplied it without thinking (mind was elsewhere). When I got out of the hospital I did an MX lookup on her address before she could send a msg. Google! WTF… no, I do not consent to Google having a view of my health records. So before she sent anything I requested erasure of my email address and supplied my snail mail address (which she likely already had). She was supposed to followup with financial aid information. But she never did. I can only guess that her take was apparently that if I’m unwilling to make it easy on her by allowing her to use Gmail, then she’s not willing to cooperate on the financing situation.
>
> Human rights
>
> Healthcare and privacy (esp. privacy OF health data) are both human rights. When we are forced to choose between the two, obviously human rights are not being protected.
-
Federal council decided, citizens should be more monitored
www.swissinfo.ch: "Swiss tighten data surveillance after bomb threats". Switzerland to step up telephone and internet traffic monitoring after bomb threats.
In future, it will be easier to trace anonymous bomb threat calls in Switzerland and locate people at risk more quickly during emergency searches.
The Federal Council has introduced changes to the monitoring of telephone and internet data with effect from 1 January 2024.
The aim of the amendment is to enable more precise positioning of telephone and internet data and to continue to ensure effective criminal prosecution, the Federal Council announced on Wednesday.
During the consultation process, however, digital-savvy and left-wing circles criticised the fact that the amendment to the Act on the Surveillance of Postal and Telecommunications Traffic would lead to an expansion of surveillance.
Due to the criticism, the Federal Council has now decided not to force providers of services such as Whatsapp, Threema or Signal to remove the encryption from their chats when surveillance is ordered. ...
-
- Google Chrome IP address protection challenged by industry
www.theregister.com: "Google Chrome IP address protection challenged by industry". Marketers tell antitrust cops privacy proxy will make it harder to protect kids online, etc etc
-
- Europe prepares to break browser security with eIDAS 2.0
www.theregister.com: "Europe prepares to break browser security with eIDAS 2.0". EFF warns incoming rules may return web 'to the dark ages of 2011'
-
Strategy for action against tor-hostile corporations
These are the steps I take against companies who block Tor (e.g. a grocery store, bank, DNS provider.. whoever you do business with who have started using Cloudflare):
- GDPR art.17 request to delete my email address & any other electronic means to reach me, but nothing else.
- Wait 30 days for them to comply.
- GDPR art.13 & 14 request to disclose all entities personal data was shared with + art.15 request for all my data (if I am interested) + art.17 request to erase all records. These requests are sent together along with criticisms for their lack of respect for privacy and human rights and shaming for treating humans like robots (if that’s the case).
The reason for step 1 & 2 is to neuter the data controller’s option to respond electronically so they are forced to pay postage. It’s a good idea as well because they would otherwise likely use Microsoft for email and you obviously don’t want to feed MS. It may be feasible to skip steps 1 & 2 by withdrawing consent to use the email address (untested).
A few people doing this won’t make a dent but there is a threshold by which a critical mass of requests would offset their (likely uncalculated) cost savings by arbitrarily marginalizing the Tor community. It’s a way to send a message that cannot be ignored.
-
Quiet marginalization of the Tor community never causes outrage. Why is the Tor community such an easy pushover?
cross-posted from: https://links.hackliberty.org/post/285435
> When a private sector company blocks Tor, I simply boycott. No private entity is so important that I cannot live well enough without them. But when a public service blocks Tor, that’s a problem because we are increasingly forced to use the online services of the public sector who have gone down the path of assuming offline people do not exist.
>
> They simply block Tor without discussion. It’s not even clear who at what level makes these decisions.. could even be an IT admin at the bottom of the org chart. They don’t even say they’re blocking Tor. They don’t even give Tor users a block message that admits that they block Tor. They don’t disclose in their privacy policies that they exclude Tor.
>
> Just a 403 error. That’s all we get. As if it needs no justification. Why is the Tor community so readily willing to play the pushover? Even the Tor project itself will not stand up for their own supporters.
>
> The lack of justification is damaging because it essentially sends the message: “you Tor-using privacy seekers are such scum we don’t even have to explain why you are outcast. We don’t even have to ask permission to exclude you from participating in society” This reinforces the myth that Tor users are criminals and encourages non-criminal Tor users to abandon Tor, thus shrinking the Tor userbase. The civilized world has evolved to a point of realizing the injustice of #collectivePunishment. At best this is a case of punishing many because of a few. I say “at best” because I’m skeptical that a bad actor provokes the arbitrary denial of service.
>
> When the question is publicly asked “why did service X start blocking Tor” answers always come as speculation from people who don’t really know, who say they were probably attacked.
-
- Adtech Surveillance and Government Surveillance are Often the Same Surveillance
www.eff.org: "Adtech Surveillance and Government Surveillance are Often the Same Surveillance". In the absence of comprehensive federal privacy legislation in the United States, the targeted advertising industry, fueled by personal information harvested from our cell phone applications, has run roughshod over our privacy. Worse, the boundaries between corporate surveillance and government...
-
- MPs and peers call for ‘immediate stop’ to live facial recognition surveillance
www.theguardian.com: "MPs and peers call for ‘immediate stop’ to live facial recognition surveillance". UK police forces and private firms urged to drop technology due to impact on human rights
> Dozens of cross-party MPs and peers have joined a campaign for an “immediate stop” to the use of live facial recognition surveillance by police and private companies.
> The statement said: “We hold differing views about live facial recognition surveillance, ranging from serious concerns about its incompatibility with human rights, to the potential for discriminatory impact, the lack of safeguards, the lack of an evidence base, an unproven case of necessity or proportionality, the lack of a sufficient legal basis, the lack of parliamentary consideration, and the lack of a democratic mandate.
-
- Colorado Supreme Court Upholds Keyword Search Warrant
www.eff.org: "Colorado Supreme Court Upholds Keyword Search Warrant". Today, the Colorado Supreme Court became the first state supreme court in the country to address the constitutionality of a keyword warrant, a digital dragnet tool that allows law enforcement to identify everyone who searched the internet for a specific term or phrase. In a weak and ultimately...
> Today, the Colorado Supreme Court became the first state supreme court in the country to address the constitutionality of a keyword warrant—a digital dragnet tool that allows law enforcement to identify everyone who searched the internet for a specific term or phrase. In a weak and ultimately confusing opinion, the court upheld the warrant, finding the police relied on it in good faith. EFF filed two amicus briefs and was heavily involved in the case.
...
> Keyword warrants rely on the fact that it is virtually impossible to navigate the modern Internet without entering search queries into a search engine. By some accounts, there are over 1.15 billion websites, and tens of billions of webpages. Google Search processes as many as 100,000 queries every second. Many users have come to rely on search engines to such a degree that they routinely search for the answers to sensitive or unflattering questions that they might never feel comfortable asking a human confidant, even friends, family members, doctors, or clergy. Over the course of months and years, there is little about a user’s life that will not be reflected in their search keywords, from the mundane to the most intimate. The result is a vast record of some of users’ most private and personal thoughts, opinions, and associations.
-
Tactic needed to counter all communities living on lemmy.world
cross-posted from: https://lemmy.dbzer0.com/post/6251633
> LemmyWorld is a terrible place for communities to exist. Rationale:
>
> * Lemmy World is centralized by disproportionately high user count
> * Lemmy World is centralized by #Cloudflare
> * Lemmy World is exclusive because Cloudflare is exclusive
>
> It’s antithetical to the #decentralized #fediverse for one node to be positioned so centrally & revolting that it all happens on the network of a privacy-offender (CF). If #Lemmy World were to go down, a huge number of communities would go with it.
>
> So what’s the solution? My individual action idea is to avoid posting an original thread to #LemmyWorld. I find a non-Cloudflare decentralized instance to post new threads. I create one if needed. Then I cross-post to the relevant Lemmy World community. This gets some exposure to my content while also tipping off readers of the LW community of alternative venues.
>
> Better ideas? Would this work as a collective movement?
-
Using teletext to escape voice printing
cross-posted from: https://fedia.io/m/disabled/t/346115
> Banks have started capturing customers voice prints without consent. You call the bank and the robot’s greeting contains “your voice will be saved for verification purposes”. IIUC, these voice prints can be used to artificially reconstruct your voice. So they could be exfiltrated by criminals who would then impersonate you.
>
> I could be wrong about impersonation potential.. just fragments of my memory from what I’ve read. In any case, I don’t like my biometrics being collected without my control.
>
> The countermeasure I have in mind is to call your bank using #Teletext (TTY). This is (was?) typically a special hardware appliance. As a linux user, TTY is what the text terminal is based on. So I have questions:
>
> 1. can a linux machine with a modem be used to convert a voice conversation to text? (edit: perhaps minimodem or asterisk?)
>
> 2. how widespread are TTY services? Do most banks support that, or is it just a few giant banks?
>
> 3. if street-wise privacy enthusiasts would theoretically start using TTY in substantial numbers, would it help the deaf community by increasing demand for TTY service, thus increasing the number of businesses that support it?
>
> (update)
>
> Another privacy benefit that comes to mind: bankers will sometimes start an unprovoked interrogation of intrusive questions irrelevant to your reason for calling, such as who you work for, how much you earn, career skill, etc. The realtime nature of a voice call puts you at a disadvantage whereby a delayed response can create suspicion. So you must answer quick and without stumbling. Quick answers also invite many questions. In a text conversation, a delay can simply mean that you stepped away for a moment. And presumably a CSR is handling multiple conversations at once.
>
> Some banks only have on file where I worked 2+ jobs ago. I don’t want to keep them up to date with more data, so I can take a moment to check my notes for where they think I still work.
-
- Today I found out that google docs infects html exports with spyware
fosstodon.org: Joe :fedora: :debian: :ferris: (@[email protected]): Today I found out that google docs infects html exports with spyware, no scripts, but links in your document are replaced with invisible google tracking redirects. I was using their software because a friend wanted me to work with him on a google doc, he is a pretty big fan of their software, but we...
Excerpt of feed:
Today I found out that google docs infects html exports with spyware, no scripts, but links in your document are replaced with invisible google tracking redirects. I was using their software because a friend wanted me to work with him on a google doc, he is a pretty big fan of their software, but we were both somehow absolutely shocked that they would go that far
Google Docs exports automatically infected with tracking links:
- txt - unaffected
- html + AFFECTED
- odt - unaffected
- pdf - unaffected
- epub + AFFECTED
- rtf - unaffected
- docx - unaffected
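A way to check an export for the behaviour described above and undo it, as an added example that is not the poster's code or Google's: it parses the HTML with the standard library, reports every `href` that points at a redirector, and re-emits the document with the real destination restored. It assumes the wrapped links take the form `https://www.google.com/url?q=<destination>&...`, which is the form I have seen in Docs HTML exports; other redirectors can be added to `REDIRECTORS`. The `unwrap`, `LinkCleaner` and `clean_html` names are mine and the sample document is constructed, not a real export.

```python
"""Audit an exported HTML document for redirector-wrapped links and unwrap them.

Added example for this thread; not the poster's or Google's code. Assumes the
tracking links look like https://www.google.com/url?q=<real destination>&...
(the form I have seen in Google Docs HTML exports).
"""
from html import escape
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlparse

# host -> (path of the redirector endpoint, query parameter holding the destination)
REDIRECTORS = {"www.google.com": ("/url", "q")}


def unwrap(href):
    """Return (is_tracking, destination).

    For a non-redirector link the destination is the href unchanged. For a
    redirector link without a recoverable target the href is kept so a human can
    inspect it rather than the link being silently dropped.
    """
    parts = urlparse(href)
    rule = REDIRECTORS.get(parts.netloc.lower())
    if rule is None or parts.path != rule[0]:
        return False, href
    target = parse_qs(parts.query).get(rule[1])
    return True, (target[0] if target else href)


class LinkCleaner(HTMLParser):
    """Re-emit the document verbatim except for rewritten <a href> values."""

    def __init__(self):
        super().__init__(convert_charrefs=False)  # keep &amp; etc. verbatim in text
        self.out = []
        self.findings = []  # (wrapped href, unwrapped destination)

    def _emit_tag(self, tag, attrs, selfclosing):
        if tag != "a":
            self.out.append(self.get_starttag_text())  # untouched, raw text
            return
        rewritten = []
        for name, value in attrs:  # attribute values arrive already unescaped
            if name == "href" and value is not None:
                tracking, dest = unwrap(value)
                if tracking:
                    self.findings.append((value, dest))
                    value = dest
            rewritten.append(name if value is None else f'{name}="{escape(value, quote=True)}"')
        self.out.append("<a " + " ".join(rewritten) + (" />" if selfclosing else ">"))

    def handle_starttag(self, tag, attrs):
        self._emit_tag(tag, attrs, False)

    def handle_startendtag(self, tag, attrs):
        self._emit_tag(tag, attrs, True)

    def handle_endtag(self, tag):
        self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append(data)

    def handle_entityref(self, name):
        self.out.append(f"&{name};")

    def handle_charref(self, name):
        self.out.append(f"&#{name};")

    def handle_comment(self, data):
        self.out.append(f"<!--{data}-->")

    def handle_decl(self, decl):
        self.out.append(f"<!{decl}>")


def clean_html(html_text):
    """Return (cleaned_html, findings) for an exported document."""
    cleaner = LinkCleaner()
    cleaner.feed(html_text)
    cleaner.close()
    return "".join(cleaner.out), cleaner.findings


# Constructed sample export (not a real Docs file): one wrapped link, one plain link.
SAMPLE = (
    "<!DOCTYPE html><html><body><p>Tom &amp; Jerry: see "
    '<a href="https://www.google.com/url?q=https://example.org/page&amp;sa=D&amp;usg=XYZ">docs</a>'
    ' and <a href="https://example.net/">plain</a>.</p></body></html>'
)

if __name__ == "__main__":
    cleaned, findings = clean_html(SAMPLE)
    for wrapped, dest in findings:
        print(f"tracking link: {wrapped}\n  -> {dest}")
    print(cleaned)
```

Run it over the saved `.html` (and the HTML inside an `.epub`, which is the other affected format in the list) before publishing; the findings list is the evidence, and the cleaned output is what you actually ship.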
-
Banks have started collecting my voice-print without consent
When I call my bank, the greeting now says my voice will be recorded for verification purposes. There is no opt-out.
I remain silent and refuse to speak to the bot now. I sometimes need to push buttons to get a human. The question is-- are they also recording my chatter with the human in order to collect a #voiceprint?
What’s the countermeasure? Should we all use a voice disguising tool to sound like Abraham Lincoln or Elvis?
-
Why do airlines share my itinerary with my bank?
cross-posted from: https://links.hackliberty.org/post/125466
> My credit card issuer apparently never gets to know what I purchased at stores, cafes, & restaurants -- and rightfully so. The statement just shows the shop name, location, and amount.
>
> Exceptionally, if I purchase airfare the bank statement reveals disclosures:
> * airline who sold the ticket
> * carrier
> * passenger name
> * ticket number
> * city pairs
>
> So that’s a disturbing over-share. In some cases the airline is a European flag carrier, so IIUC the GDPR applies, correct? Doesn’t this violate the data minimization principle?
>
> Airlines no longer accept cash, which is also quite disturbing (and illegal in jurisdictions where legal tender must be accepted when presented for PoS transactions).
>
> Has anyone switched to using a travel agent just to be able to pay cash for airfare?
UPDATE
A relatively convincing theory has been suggested in this other cross-posted community:
https://links.hackliberty.org/comment/414338
Apparently it’s because credit cards offer travel insurance & airlines have incentive to have another insurer involved. Would be useful if this were documented somewhere in a less refutable form.
-
- EFF urges Chrome users to get out of the Privacy Sandbox
www.theregister.com: "EFF urges Chrome users to get out of the Privacy Sandbox". Google says Topics warning is anti-innovative fearmongering
-
New Post Categories
Hi all
I decided to add some new post categories because there were some discussion posts where it does not make sense to tag a country. To further organize the community the following tags can now be used:
- [ARTICLE] or [CH], etc: Sharing articles, blog posts etc. As before, use country tags, or if not country specific declare as article.
- [DISCUSSION]: Everything, that as the name suggests, should or will be discussed.
- [SEARCHING]: Looking for activists or supporters for privacy events/initiatives/referendums etc. If country specific combine with country tag.
- [GUIDE]: Explaining processes, laws or other how-tos.
- [UPDATE]: News for our community, at the moment only for me as I'm the only moderator.
If there are other categories you would like to see, leave a comment.
-
- The U.S. Government’s Database of Immigrant DNA Has Hit Scary, Astronomical Proportions
www.eff.org: The FBI recently released its proposed budget for 2024, and its request for a massive increase in funding for its DNA database should concern us all. The FBI is asking for an additional $53 million in funding to aid in the collection, organization, and maintenance of its Combined DNA Index System (...
The collection of DNA and other biometric identity data can lead to a scary reach of surveillance.
What are the laws in other (your) countries regarding this? In 2008 the European Court of Human Rights already mentioned concerns regarding laws:
> A summary of the current global situation and issues for debate highlights: (1) a growing global consensus on the need for legislative provisions for the destruction of biological samples and deletion of innocent people’s DNA profiles, following the European Court of Human Rights’ judgement on this issue in 2008; (2) emerging best practice on scientific standards and standards for the use of DNA in court which are necessary to prevent miscarriages of justice; (3) ongoing debate regarding the appropriate safeguards for DNA collection from suspects; restrictions on access, use and data sharing across borders; and data protection standards. Conclusion: There is an ongoing need for greater public and policy d
Source: Forensic DNA databases–Ethical and legal standards: A global review
-
ATMs in Netherlands are deployed by a partnership of several banks -- what about privacy?
cross-posted from: https://fedia.io/m/privacy/t/312963
> There’s a huge chain of ATMs in Netherlands called Geldmaat which is a partnership of Ing, Rabobank, ABN AMRO, possibly others.
>
> So I have several questions w.r.t privacy:
>
> * when you draw money out, do all those banks have access to the transaction?
> * if you use a Rabobank card, does Ing see the transaction?
> * if you use a foreign card that is not associated to any of the partnered banks, which bank handles the transaction?
>
> This trend is picking up in other countries as well and it seems no articles that announce these changes are talking about the #privacy consequences.
-
A cashless shop in Amsterdam uses Zettle (paypal) - what are the privacy ramifications?
I went to a cafe in Amsterdam which turned out to not only be cashless, but their payment processor was “Zettle”. Zettle is owned by #PayPal (who shares customer data with over 600 corporations).
So my question is, apart from the expected privacy consequence of your bank & the recipient’s bank recording your transaction, what does Paypal walk away with? Paypal is a data-abusing US-based company. But OTOH the shop is in a #GDPR region. Does the GDPR give any protection in this case?
IIUC, customers consent by default to their data being processed by the merchant & whoever the merchant hires (Paypal), and from there whoever paypal shares with & on down the endless chain. The only notable GDPR protection I can think of is that the data must remain in the EU. So the transaction data cannot be sent to Paypal’s servers in the USA -- correct?
BTW, I asked the owner why he trusts Zettle & also why he does not accept cash. He conceded right away that he didn’t like it either. He said he’s cashless for security and that when he looked at a number of electronic payment systems, Zettle was the cheapest. For me, “cheapest” is a red flag. It’s probably cheap because the data is probably being monetized.
Concrete question: if an American feeds a US-issued credit card into a #Zettle terminal to buy a creme-filled artery-hardening pastry in Amsterdam, is there anything to stop Paypal from doing the processing on the US-side of the transaction before selling that info to a US health insurance company?
-
- Online Safety Bill Passed - Today The UK Parliament Undermined The Privacy, Security, And Freedom Of All Internet Users
www.eff.org
>The U.K. Parliament has passed the Online Safety Bill (OSB), which says it will make the U.K. “the safest place” in the world to be online. In reality, the OSB will lead to a much more censored, locked-down internet for British users. The bill could empower the government to undermine not just the privacy and security of U.K. residents, but internet users worldwide.
It was clear that the parliament would pass this terrible bill. The only thing to do now is to hope that the EU does not follow the UK, but I'm rather pessimistic.
Time to prepare fallback technologies in case the services used now are declared unlawful and get forbidden, or are forced to put backdoors in place.
-
- Montana’s New Genetic Privacy Law Caps Off Ten Years of Innovative State Privacy Protections
www.eff.org: Montana’s success in passing mostly reasonable privacy laws shows that concerns about privacy easily cut across political lines. While we wait for the federal government to pass any meaningful comprehensive privacy laws, states should look to Montana as a model for innovative ways to protect their o...
-
WhatsApp Privacy Policy Update: Objection to use of personal information
Today I got a notification from WhatsApp about the new Privacy Policy for the European Region.
In that notification it mentions:
> When we rely on legitimate interests, you have a right to object to our use of your information. You can do this here. You can also find out more information on how to exercise your rights.
For the fun of it, I filled out the form to object. Now I received a Mail asking for:
- Against which type of data processing are you objecting?
- How does this data processing affect you?
- Add more information which should be considered in this request
People with experience with data privacy, what basis and argumentation can I add here to support my request?
P.S.: I have no confidence that this will prevent WhatsApp from spying on me, and I know I need to get rid of it. I am objecting because I feel people should, and if nothing else, then just to keep the WhatsApp lawyers busy.
-
The Markup on: How to Quickly Get to the Important Truth Inside Any Privacy Policy
themarkup.org: An investigative data journalist and a former tech lawyer teach you how to spot tricks and hidden disclosures within these interminable documents—and even how to claw back some privacy
A privacy policy can lay out a lot of important information that you cannot find anywhere else. Here’s a breakdown of the most useful details contained in most policies, and how to find them.
What information are they collecting?
Look for a section with a title like “Personal information we collect” or “How We Collect and Use Your Personal Data.” This will list types of data the company gathers both “automatically” and from you directly. You may see disclosures that the company collects your location, IP address, biometrics, or information from your web browser, such as cookies or trackers. Be on the lookout for hints that the company uses a tracking technique called fingerprinting, which can identify you even when you go out of your way to decline cookies or block trackers. It does so based on information about your device such as the operating system, manufacturer, or even screen resolution, so keep an eye out for whether that data is being collected.
It is sometimes impossible to know whether the collection described in sections like this is actually happening, said Sebastian Zimmeck, an assistant professor of computer science at Wesleyan University, who studies privacy. “The reason why many privacy policies are not meaningful is because companies ‘may’ collect your information. Or they may not,” Zimmeck wrote in an email.
Location, location, location
In the information collection section, you may see terms related to your whereabouts such as “geolocation,” “geofencing,” or “geotargeting.” This signals that the company is collecting one of the most sensitive categories of data. Researchers have repeatedly shown that the unique nature of our movements can reveal private information about our lives that we may not want others to have, including places of worship, medical providers, or even political protests.
Keep an especially close eye out for the term “precise geolocation,” which the California Consumer Privacy Act defines as “a geographic area that is equal to or less than the area of a circle with a radius of 1,850 feet.”
Why are they collecting this information, and how do they use it?
Anonymization/aggregation might not be as good as it sounds. Sometimes a company might say that any data it shares has all identifying information removed. Its privacy policy might use terms like “de-identified” data in addition to “anonymous” or “aggregated” data. This sounds as if it makes information sharing more private, but there has been a great deal of research showing that it is possible and in some cases quite easy to re-identify personal data even after it has been masked or combined. It doesn’t matter if a company anonymizes your data if its “business partners” are just going to undo that work when they get it.
Code words for “ad targeting”
When a company says it uses your data to “personalize” or “enhance” your experience or “improve our services,” that can often mean it is analyzing your data for ad targeting. “Measuring the effectiveness” of advertisements or other activities can mean tracking what you click on or buy. Also look out for mentions of “interest-based advertising,” which means the company is analyzing your activity on the service and allowing third parties to infer your interests for the purpose of targeted advertising, in some cases even away from the site you’re on. If the policy talks about tracking you on other online services, this also means the company is tracking your browsing activity across the internet, not just on its service. It might do this directly or purchase the information from a third party.
...
- www.theregister.com UN cybercrime treaty risks becoming 'surveillance pact'
Diplomats debate Russia-backed rules on what can be said online
-
- Big Tech braces for EU Digital Services Act regulations
www.reuters.com: More than a dozen of the world's biggest tech companies face unprecedented legal scrutiny, as the European Union's sweeping Digital Services Act (DSA) imposes new rules on content moderation, user privacy and transparency this month.
- www.eff.org The Industry Discussion About Standards For Bluetooth-Enabled Physical Trackers is Finally Getting Started
Bluetooth-enabled location trackers such as Tiles and AirTags aren’t just a helpful way to find missing luggage or a misplaced wallet—they can also be easily slipped surreptitiously into a bag or car, allowing stalkers and abusers unprecedented access to a person’s location without their knowledge.....
-
- Ordinance on the Protection of Minors in the Fields of Film and Video Games - Digitale Gesellschaft
www.digitale-gesellschaft.ch: Ordinance on the Protection of Minors in the Fields of Film and Video Games (JSFVV) - Digitale Gesellschaft
Ordinance on the Protection of Minors in the Fields of Film and Video Games (JSFVV)
The law for the protection of minors, which was passed last year, caused a lot of controversy afterwards. Unfortunately, however, the referendum did not materialize. An interpellation by National Councilor Jörg Mäder also failed to provide more clarity. Now, the preliminary draft for an ordinance on the Protection of Minors Act has been published.
Edit: translation of summary from German to English by deepl.com