I need every infosec person to understand that surveillance capitalism is structural, not individual, and we are not going to ethically-consume our way out of it please and thank

Like take whatever measures that help you reduce your and others' exposure to surveillance, share information, give advice and organize, that's all great work! But don't assume others who use insecure corporate services are ignorant sinners in need of a sermon and conversion. Harassing people who are just trying to live and organize, doing some little good in a horrible world, does Not make anyone safer or more secure.

and if you don't like the comparison to evangelism in the above post... then don't fucking act that way

So I don't have a Soundcloud but please send money to Black and Indigenous people!

Indigenous queer household of 4 in need of household expenses:

Help a Black Indigenous Caribeña artist get stable while they work on their Ph.D.:

Black, disabled, and cute enby in need of help to pay the bills:

@ljwrites A relevant post that I wrote a while ago, aimed at folks in the "privacy community": -- I've had *some* success with linking people to that when they're being pushy/insufferable evangelists.

@ljwrites In many cases you can't opt out. My university uses Office 365. If I want university emails, even if I want to publish, my ORCID has to be linked to a uni account afaik.

@esty yup lots of workplaces have that kind of technological lock-in :( Even as a freelancer I've been ducking, weaving, and cheating around my clients' de facto requirement for Windows and MS Office.

@ljwrites I have always tried to avoid them in my personal life but I found that, particularly when I was in 'dire straits' (which happens once in a while) I can't afford to maintain my own servers etcetera. Plus I move between countries so frequently that I can't host at home. Now with free/cheap alternatives it is a little easier but for a long time the choice really was gmail or hotmail if you were poor.

@esty yeah the hardcore techbro insistence that "everyone" can maintain their own server is... oblivious at best.

@ljwrites Yes, and while I have friends who can host for me, not everyone has tech friends, plus in the absence of widespread and easy to use crypto, it almost feels less private than a corporation hosting you. And any falling out with the friend could leave you uncontactable. It's pretty precarious.

@ljwrites Back in the day a lot of stuff was hosted by the community. I am not sure what happened to that. E.g. things like "" ( ) would host sites for any squat activism and host a calendar too, from waaaay back. But these are all backed up by real life communities, with a long meatspace history prior to this more recent more virtual era

@esty @ljwrites there is still some stuff out there for example for hosting blogs or for email, pads and many other tools. Also was started up for sharing events and there's quite some activity there.
Here in Germany there is who host BigBlueButton conferences for free and with data protection in mind.

Many thanks to all the people who are taking care of this infrastructure!

@ljwrites @esty My workplace is deeply embedded in the Google ecosystem.

@naga @ljwrites Is google really better? I remember do no evil but it's not been their slogan for a while now.

@esty @ljwrites the company isn't necessarily better. Outlook is horrible.

@naga @ljwrites I can see that. We have the lot, teams, onedrive, outlook etc. Thankfully there's tools/apps that can connect to it, but it's pretty bad.

But then the other half of my collaborators use google for everything, co-authored manuscripts, shared drives, etc.

And zoom, and slack and, and and.. I think especially in academia, it's impossible to work without selling yourself (your data) to all of them.

@esty @ljwrites An IT admin can also block outside apps from connecting to the work's Outlook, which has been more my experience with it, so yeah....

@naga @ljwrites Yeah I think SMTP and IMAP etc have to be enabled and might be disabled by default, but half the campus uses Apple Mail so not sure that having it off was a feasible situation.

@esty @ljwrites My most recent context was a US government employer, so they had no problems forcing uniformity.

@naga @ljwrites

I can see that.. I mean, I don't believe in having everything accessible on home systems when it's HIPAA (or equivalent elsewhere) data or other sensitive stuff, but then they should also offer a device preinstalled and configured with whatever they want, rather than you needing to modify your home setup.

Yup. HIPAA data were behind other layers of security, but they had filters on the email (this may have been why they locked it to Outlook) that blocked any outgoing messages that included anything that looked like it might be, say, a Social Security number.


> surveillance capitalism is structural, not individual

> Harassing people [...] does Not make anyone safer or more secure.

💯 More people need to hear this.

I would like to also offer a bit of my own rant and optimistic take on how the structural/systemic issues at hand here can be addressed.

IMO a lot of the "structure" at work here comes from economic forces that poured endless investment cash into research & effort on how to make client software and webapps usable by everyone.

Meanwhile the usability of the server applications / web infrastructure stuff is still stuck in the 80/90s for the most part.

I think tech folks with the resources and time can (and should!!) strike at the root of the problem. To me that mostly means trying to improve the usability of server software and make it more accessible to more people.

I don't mean everyone should run a server.

But as servers become more and more like web browsers (they "just work" on the first try and don't break when they update themselves automatically) it will become more and more likely that everyone will know someone, or a friend of a friend in their community who _does_ run a server.

I liked the "TL;DR" from

> Take the ‘home’ in homebrew literally and the ‘self’ in self-hosting figuratively

> That means we try to host from our homes rather than from data centres - a.k.a. ‘the cloud’ - and we try to host for and with our communities rather than just for ourselves.

I think the fediverse software and similar networks have sorta succeeded in that regard despite continued rampant usability problems on the server/admin side. It's encouraging to me that something like Mastodon which is far from perfect can still gain traction and continues to attract new users and inspire new projects.

Basically I want to be a home server evangelist but if the thing I would be evangelizing still costs money, takes time to set up, and still fails 99% of the time, what's the point?

Just need to get the software / systems to a point where they don't annoy ppl much, they can be easily shared with friends, and they fulfill a need. For example they provide a sense of data custody and belonging within a local community, something folks'll never get from Google, Facebook or AWS.

Yes, it's a tall order, it's insanely hard / no one knows if this is even possible. But I feel like I would be doing myself and everyone else a disservice if I didn't try.

@forestjohnson I think something like YunoHost is a great step in that direction. When I used it I was amazed by how it made the admin experience more browser-like, literally an interface in the browser. I ended up uninstalling it because it felt like another layer of complexity when I needed to debug something, but getting to install and try out multiple apps in several clicks was a big help and I know experienced admins who swear by it.


Yeah I feel similar about YunoHost. My two biggest wishes for a system like YunoHost are

1. Built to support replication/failover
2. Built to support multiple users

By "support multiple users" I mean similar to how Mastodon/Matrix servers do the "1 admin per ~100 users" model.

So for example I can share my server with my friend, create an account for them, and then they can get their feet wet and try out hosting something themselves without expending too much effort.

But at the same time, since it supports replication & failover, there's a reasonable path to those "experiments" becoming well loved and frequented destinations with reliability / longevity. When one admin falls (loses interest) another can rise to take their place without much fuss.

So I think that's what I'll work on next :)

@s0 I draw the line at harassing Summer/Winter School organizers 😤

@ljwrites maybe infosec techbros should spend more time concentrating on their Bitcoin-brain-broiled compatriots, who continue to demonstrate just how structural these problems are by being highly technical and still getting scammed

@s0 even after the crash?! At this point they're just scamming themselves jfc

@ljwrites Sort of. Ethical consumption is required (by those who can) but is not sufficient.

@LovesTha saying it's "required" seems to justify harassment, though, since the people who are doing the pestering no doubt assume the people they're hounding are able to consume ethically.

@ljwrites yeah, nuance is hard there.

It's required that some are (at least trying), not that everyone does.


The main thing from my PoV is that if you're going to talk up this stuff, you need to be ready to back it up with action.

If they're using something for free because they have no budget, and it takes labor to do the "ethical" thing, then providing that labor (one way or another) is the cost of your activism.

Otherwise STFU and mind your own business. A little humility and compassion goes a long way.


@TerryHancock @ljwrites Harass evil corp all one wants, but when talking to community groups don't ask them to change, offer to do it for them. (And if you aren't part of the community expect them to tell you to fuck off)

@LovesTha @ljwrites

To avoid ambiguity (which I just noticed), the notional target of my comment ("you") was the would-be FLOSS activist.

It's perfectly fine to suggest a FLOSS solution to a problem, rather than sticking with proprietary options.

But if the proprietary option is *$0* and that's why they're using it, that's clear enough.

Either you have to find a way to make the FLOSS option *$0* as well, or just walk on and mind your business.

@TerryHancock @ljwrites Most of the FLOSS options are more labour so even when they are $0 they are more expensive in the thing most volunteer orgs have even less of than $.

(Yes, for an online conference the hosting of a video platform is going to take some $ as it won't fit onto someone's Pi in their basement. But other situations do have solutions that will run on that Pi, but it takes time to do it)

@LovesTha @ljwrites

Yes. Time is money. From the organization's PoV, *$0* includes time cost.

That's the commitment, if you want to make that happen with FLOSS solutions. It isn't just the software license, it's the hosting and the support.

And you can bitch about how your labor should be paid, etc -- but the corporate platform was covering all that. That was the trade-off.

@LovesTha @ljwrites

Though to be fair, the corporate option has a time cost, as well. So it's not _really_ *$0* either. It's more properly considered a "sunk cost".

Anyway, I've had to make a lot of choices like this, myself. It's a make/buy/borrow decision.

MANY FLOSS projects do that as well -- with Github, for example.

And with some things, like e-commerce, I can't really see that it matters all that much, as you can't avoid the proprietary bank services, even if the software is free.

@TerryHancock @ljwrites I'd actually put the free corporate option as more of a risk cost. If it fails you have no options to fix it.

@LovesTha @TerryHancock over the long term and at scale, sure, the free-with-an-asterisk corporate option can't be fixed, but if it's someone using Zoom or Google Docs at small scale and short-term? The risks of malfunction become small enough to ignore for most applications, not because these companies give a shit about individual users but because their shitty data-mining business model is threatened if there are widespread breakages.

There are of course horrifying and heartbreaking stories ranging from people losing hours of work on Google Docs to a company losing their entire data migrating their GSuite account and not being able to do a thing about it (and the company was a paying customer, too). It is likely imperative for some users, like the company in the example, to adopt transparent open-source solutions and pay for individual, accountable support. With an individual occasional user, though, it may well be more efficient to write off a rare loss than sink money/time into a comparable open-source alternative. There's no one-size-fits-all.


Well, I've had failures with self-hosted FOSS software, too. Plone became unusable due to poor support and no longer available packages, which forced me to spend time switching to Wordpress, etc.

Can be an unpredictable time sink, and often there is no one to turn to, because it's not "what everyone is using". So you face expensive consulting costs, stopping everything else to DIY, or just switching.

Often the fastest and easiest is to go back to a corporate platform.


@TerryHancock @ljwrites Yeah, not such a concern when thinking about the platform for an event such as this discussion was spawned by.

(and can be somewhat mitigated by sticking to the bigger FOSS options, I'd never heard of Plone but it does sound big)

@TerryHancock @ljwrites When a group reaches out for assistance, a price on that assistance is reasonable. And while I have ~0 details, $1000 is probably a pretty fair price, no shade on them.

It's the fossbros who act so entitled that all the shade is for.

@ljwrites Same issue with free vs proprietary software/hardware: people don't use Bad© stuff because they are stupid, but because they have a life to live and the environment makes it easier for them to fall for the comfortable path. As soon as it will be profitable, and we live in a capitalistic society, this will win

@rakoo and arguably surveillance capitalism is a case study in making "free" (paid for in data and tracking) profitable. tbqh a lot of infosec types absolutely love anything that improves "security" no matter the effect to fundamental rights

@evelyn and I have serious doubts about some of the security gains. Encrypted e-mail like Proton Mail, for instance. If they're never going to make the address public and only going to use it for correspondence with other trusted Proton Mail accounts, fine. If they're going to use it publicly like any other email, forget about it. Email headers with users off the network can't be encrypted and it's the contact list that gets them, not the content of the email.

@ljwrites this explains why infosec warnings tempt me to feel demoralized and helpless the same way coverage of how every corporation is evil does, doesn't it?

@firebird Yeah there is no individual solution to structural problems, so any discussion of privacy and surveillance that focuses exclusively on individual behavior can feel like an exhortation to plug an open floodgate with one's own body. No matter how heroically devoted one is, no matter what extraordinary (and, at some point, kinda doubtful and counterproductive) measures one takes, it's never going to be enough :(

@ljwrites I can get off Gmail but I apparently can't even get my HOA Board to stop using a single shared Gmail address we all have to log into. (This is the sound of me screaming "who keeps putting things in the trash???" into the void.)

@firebird Oh no 😂 😭 shared email is the worst, can't impose any consistent structure on it without some heavy on-boarding that people won't follow anyway, and there's no record or audit of who did what.

@ljwrites We just had an election and two people are leaving the board. One of them is the person whose phone number is attached to the gmail account. Do I have any real way of knowing they aren't accessing it anymore? No I do not.
