Archive for December 9, 2020

Wednesday, December 9, 2020

Oblivious DNS-over-HTTPS

Tanya Verma and Sudheesh Singanamalla (Hacker News, MacRumors):

Today we are announcing support for a new proposed DNS standard — co-authored by engineers from Cloudflare, Apple, and Fastly — that separates IP addresses from queries, so that no single entity can see both at the same time. Even better, we’ve made source code available, so anyone can try out ODoH, or run their own ODoH service!

[…]

To safeguard DNS from onlookers and third parties, the IETF standardized DNS encryption with DNS over HTTPS (DoH) and DNS over TLS (DoT). Both protocols prevent queries from being intercepted, redirected, or modified between the client and resolver. Client support for DoT and DoH is growing, having been implemented in recent versions of Firefox, iOS, and more. Even so, until there is wider deployment among Internet service providers, Cloudflare is one of only a few providers to offer a public DoH/DoT service. This has raised two main concerns. One concern is that the centralization of DNS introduces single points of failure (although, with data centers in more than 100 countries, Cloudflare is designed to always be reachable). The other concern is that the resolver can still link all queries to client IP addresses.

[…]

ODoH is an emerging protocol being developed at the IETF. ODoH works by adding a layer of public key encryption, as well as a network proxy between clients and DoH servers such as 1.1.1.1. The combination of these two added elements guarantees that only the user has access to both the DNS messages and their own IP address at the same time.

Previously:

Cloudflare Web Analytics for Everyone

Jon Levine (Hacker News):

In September, we announced that we’re building a new, free Web Analytics product for the whole web. Today, I’m excited to announce that anyone can now sign up to use our new Web Analytics — even without changing your DNS settings. In other words, Cloudflare Web Analytics can now be deployed by adding an HTML snippet (in the same way many other popular web analytics tools are) making it easier than ever to use privacy-first tools to understand visitor behavior.

[…]

The new Web Analytics works like most other measurement tools: by tracking visitors on the client.

[…]

Being privacy-first means we don’t track individual users for the purposes of serving analytics. We don’t use any client-side state (like cookies or localStorage) for analytics purposes. Cloudflare also doesn’t track users over time via their IP address, User Agent string, or any other immutable attributes for the purposes of displaying analytics — we consider “fingerprinting” even more intrusive than cookies, because users have no way to opt out.

The concept of a “visit” is key to this approach. Rather than count unique IP addresses, which would require storing state about what each visitor does, we can simply count the number of page views that come from a different site. This provides a perfectly usable metric that doesn’t compromise on privacy.

Sergi Isasi (Hacker News):

Cloudflare is deprecating the __cfduid cookie. Starting on 10 May 2021, we will stop adding a “Set-Cookie” header on all HTTP responses. The last __cfduid cookies will expire 30 days after that.

We never used the __cfduid cookie for any purpose other than providing critical performance and security services on behalf of our customers. Although, we must admit, calling it something with “uid” in it really made it sound like it was some sort of user ID. It wasn’t. Cloudflare never tracks end users across sites or sells their personal data. However, we didn’t want there to be any questions about our cookie use, and we don’t want any customer to think they need a cookie banner because of what we do.

Update (2020-12-16): Matt Birchler:

The first problem I ran into was that I needed to update my nameservers with my registrar to get anything at all from Cloudflare.

[…]

Well, thanks to Marko Saric for pointing this out, these “visitors” count bots that hit your site for indexing and the like. Cloudflare explains this decision like so[…]

[…]

That is…not a lot of information. I don’t get to see what pages are getting the most traffic, or where that traffic is coming from. I don’t need a ton of stuff, and I personally use maybe 2% of Google Analytics’ suite of information, but this is incredibly sparse.

Jon Alper:

This is a potentially useful alternative for devs wanting analytics w/out Google: matomo.org

HoudahSpot 6.0

Houdah Software:

Starting with macOS 10.15 Catalina, Apple Mail messages are no longer available through the Spotlight index used by HoudahSpot.

HoudahSpot 6.0 can nonetheless find your Apple Mail messages. HoudahSpot installs a plug-in that runs within the Mail application. This plug-in allows HoudahSpot to include Mail message files in your search results.

[…]

Filters help you focus on relevant files by only showing you a subset of your search results. HoudahSpot can filter files to show only those that share a common property. E.g., files modified the same day.

Previously:

iOS App Privacy Labels

Juli Clover:

As part of iOS 14, Apple is introducing a new App Store feature that will provide privacy details for each app that you’re downloading, which the company has said can be likened to a “nutrition label” for apps.

In a new Developer Support document, Apple outlines the information that developers will need to provide on their App Store pages for customers. Apple is relying on developers to offer up their own privacy policies, and developers will need to start adding this information to App Store Connect starting in the fall.

Hartley Charlton:

WhatsApp, which is owned by Facebook, has accused Apple of anti-competitive behavior because iMessage is preinstalled on iPhones and does not need to be downloaded from the App Store, where the new privacy labels will be shown.

[…]

WhatsApp submitted the required information to Apple on Monday, but said in a blog post that “Apple’s template does not shed light on the lengths apps may go to protect sensitive information.” The spokesperson told Axios, “while WhatsApp cannot see people’s messages or precise location, we’re stuck using the same broad labels with apps that do.”

Joe Rossignol:

Apple today assured that its new requirement for privacy information on the App Store will apply equally to all iOS apps, including its own.

This means that the dozens of Apple apps available through the App Store, such as Apple Books and Apple Podcasts, will display the same privacy “nutritional labels” as third-party apps. And for built-in iOS apps, like Messages, Apple says that it will make the same privacy information available to users on its website. Apple says this information will be presented in the same way as it appears on the App Store.

Ben Thompson:

What makes that Apple advertisement so misleading is the level of individuality it implies in terms of data collection and application.

[…]

The Internet offers two clear alternatives: either a million blooming flowers, or all-encompassing behemoths that succeed by controlling access to customers. In the case of information, that alternative is Google, and in the case of products, it is Amazon.

What is notable about both is how relatively untouched they are by Apple’s privacy campaign. Yes, Google has app SDKs, but they also have an even larger presence on the web than Facebook, have somewhat less need for data given the directed nature of search advertising, and oh yeah, are the default search engine on Apple devices, which makes it that much easier to ensure that information flows via Google’s channels (like AMP pages, which get around Apple’s recent cookie-crackdowns by being served from Google’s own URLs). […]

Amazon, meanwhile, is increasingly where shopping searches start, particularly for Prime customers, and the company’s ad business is exploding. Needless to say, Amazon doesn’t need to request special permission for IDFAs or to share emails with 3rd parties to finely target its ads: everything is self-contained, and to the extent the company advertises on platforms like Google, it can still keep information about customer interests and conversions to itself. That means that in the long run, independent merchants who wish to actually find their customers will have no choice but to be an Amazon third-party merchant instead of setting up an independent shop on a platform like Shopify.

Previously:

Update (2020-12-16): Apple (Hacker News):

The App Store now helps users better understand an app’s privacy practices before they download the app on any Apple platform. On each app’s product page, users can learn about some of the data types an app may collect, and whether that data is linked to them or used to track them. As a reminder, your app’s privacy information is required to submit new apps and app updates to the App Store, and some data is optional to disclose if it meets specific criteria, such as certain data from health research apps and regulated financial services. You may update your answers at any time without resubmitting your app or going through App Review.

Khaos Tian:

Guess HI didn’t get a chance to participate in designing this, what’s up with this shadow when there is a proper card design just right above it 😝

Update (2021-01-04): Dev:

The difference between WhatsApp and Signal (both end-to-end encrypted) in the new App Store privacy section is stark

Previously:

Update (2021-01-05): Dave Wood:

I think the Signal labels just show that developers don’t know how to answer the questions, or that at least they’re using different measuring sticks. How is it possible that ‘Contact Info’ is collected, but not ‘Linked to you’. It is you.

Dan Frakes:

These privacy labels 😳

Update (2021-01-12): Dave Wood:

More evidence that Signal’s App Privacy response is bullshit. Not only do they collect your contact info, they upload your address book to their servers, and then expose you to other users.

Glenn Fleishman:

As always, the question is whether disclosure prompts changes by individuals. The App Privacy listing is just a disclosure: users can’t opt in or out of different kinds of data collection—it’s all or nothing. But unlike a standard software EULA (end-user license agreement) or dense privacy policy, Apple’s requirements and presentation make it quite clear what’s up, assuming the developer has been truthful, of course. Then you take it or leave it: you either buy or install the app or don’t.

However, Apple is about to enable an option that will give you choice over one set of items disclosed in App Privacy. Sometime soon—the company hasn’t yet said when—Apple will require that you opt into third-party tracking. That’s what has Facebook quaking, and what I’ll explain next.

Update (2021-01-22): Juli Clover:

On January 5, Google told TechCrunch that the data would be added to its iOS apps “this week or the next week,” but both this week and the next week have come and gone with no update. It has now been well over a month since Google last updated its apps.

Update (2021-02-05): Thomasbcn:

Google’s iOS apps release cycle before & after Apple asks to disclose privacy labels.

This pattern is probably just a coincidence.