How much does SN know about me?
717 sats \ 14 comments \ @south_korea_ln 21 May meta
Just some random questions, mostly out of curiosity more than anything else:
  • Does SN (or its devs) know who tips who (amounts, time of tipping, etc)?
  • Does SN know when I am logged in?
  • Does SN know when I log out of my main account and log into a throw-away account?
  • Related, does IP get tracked?
I think reading somewhere that SN follows a stateless approach, but I am not fully sure what this means other than that the server does not retain any information about the user's interactions between different requests. Would this imply that the answer to all my questions is no?
write
preview
related posts
560 sats \ 2 replies \ @ek 21 May
Does SN (or its devs) know who tips who (amounts, time of tipping, etc)?
Yes, we need that for the ranking, trust graph, rewards etc.
Does SN know when I am logged in?
The frontend polls your user every 5 seconds, so you should assume yes.
Does SN know when I log out of my main account and log into a throw-away account?
We could correlate logouts and login to make educated guesses. For example, if the switch from account A to account B always happens within a few seconds, it's highly likely that's your alt.
A while ago, I wrote code for account switching but the code was messy in parts where we certainly don't want to be messy (the authentication layer) so we didn't ship it. But when we release account switching, you don't have to logout anymore.
But since we didn't find a secure way to only send the cookie of the account that you switched to (since the actual cookie used for authentication is HTTP only as it should be), we could look at the request cookies since they will contain all accounts that you can switch to. So it would actually be easier then to link accounts if you use the account switching feature.
When I take another look at the code, I might find an approach that works that keeps accounts unlinked. Open for ideas on this.
Related, does IP get tracked?
No, we never store IPs on purpose but they might get stored in some rotating AWS logs but @k00b would know more about that.
reply
10 sats \ 0 replies \ @zuspotirko 22 May
who tips who (amounts, time of tipping, etc)?
Yes, we need that for the ranking, trust graph, rewards etc.
I assume people wouldn't like themselves to be outed like that but one could make like a 3d network graph about this. I bet there would be clusters like in the wikipedia graph (#528996). But feels like some sort of privacy violation...
reply
0 sats \ 0 replies \ @south_korea_ln OP 21 May
Thanks for detailed answer.
reply
350 sats \ 0 replies \ @k00b 22 May
Does SN (or its devs) know who tips who (amounts, time of tipping, etc)?
Yes.
Does SN know when I am logged in?
Yes, roughly. We know when you last visited as a certain nym, but we don't know if you're logged in/out otherwise. e.g. we can see that someone last visited a week ago but we don't know if they've logged out or simply haven't returned.
Does SN know when I log out of my main account and log into a throw-away account?
No. We don't do any cross-account tracking. Alt with abandon.
Related, does IP get tracked?
No, we do not store IPs, certainly don't track them, and never associate them with your account. But, importantly, your IP could be logged by things outside of our control or by tools that we aren't aware of. I recommend using a VPN if your IP address is sensitive.
I think reading somewhere that SN follows a stateless approach, but I am not fully sure what this means other than that the server does not retain any information about the user's interactions between different requests. Would this imply that the answer to all my questions is no?
Our authentication uses stateless tokens, which is what I think this is getting at, but we do store your posts/comments/etc (ie state) for obvious reasons.
reply
229 sats \ 2 replies \ @anon 21 May
reply
109 sats \ 0 replies \ @south_korea_ln OP 21 May
Good guy @k00b. Logging out of his main account and using the @anon account to warn us about him working for the FBI~~
reply
0 sats \ 0 replies \ @carlosfandango 22 May
Love this meme.. a Darth favourite as well.
reply
120 sats \ 0 replies \ @WeAreAllSatoshi 22 May
This comment is more for other readers than yourself, since you're already acquainted with the source code.
It's great to ask these questions. It's even better that verified team members answered them in a detailed fashion. I still recommend that one goes and reviews the source code (see link in page footer), since it's open source.
It's been discussed before, but how do we verify that the code running at https://stacker.news is the same code in the referenced GitHub repo? I guess we can't. But in the spirit of bitcoin: don't trust, verify.
reply
110 sats \ 0 replies \ @Satosora 22 May
Interesting. @ek, how do I find out about my trust graph? Im a bit curious if I am doing an okay job.
reply
10 sats \ 0 replies \ @zuspotirko 22 May
What you didn't mention is how much one can learn about you from scraping the 1400 items you wrote on here.
Most people would be surprised with how little information you can already be sorted into cohorts. Google/Facebooks do this for ads. Even stuff like your writing style or words used can extrapolate/guesswork a lot.
And in 2024 it's even much more easy than it was 2 years ago - scrape the website, load it into a vector store and ask an LLM AI to guess some stats.
reply
10 sats \ 0 replies \ @TheBTCManual 22 May
Lol wait till koob strikes a deal with OpenAI and Google to sell our data, then we we can just ask an LLM what they know about us
reply
10 sats \ 0 replies \ @ContraMundum 22 May
You’re always trackable to SOME degree. Especially if your on mobile and utilizing cell towers
reply
0 sats \ 1 reply \ @0xIlmari 22 May
Ulitmately, the user is responsible for their own security. You cannot entrust this with the service operators.
  • There is no way of proving that the software actually running on SN servers is the one that's on GitHub, and not a forked version that FBI made them run. (You can only theoretically verify the client yourself.)
    • Does it make sense for you guys to have a canary page? @ek @k00b
  • If you want to use multiple identities and hide that fact from the service, use a different Tor/VPN exit node for each. Use separate browsers or browser profiles too, to avoid fingerprinting.
  • ALWAYS assume someone (could be your ISP) logs your IP and the fact that you connected to this or that website.
  • Be conscious of "social fingerprinting" - activity hours, writing style, tipping patterns.
reply
10 sats \ 0 replies \ @ek 22 May
Does it make sense for you guys to have a canary page?
Yes, it's planned
reply