Are we under attack?

Before I start I just want to say this is not aimed at anyone, or anything specifically, more an observation of a growing pattern not just on here (although definitely on here), but regards privacy accounts and companies large.

Over the last year or so I have noticed a massive increase in argumentative behaviour and a push of defeatist mindset. The most common things I see over and over are:

If company A makes money then they have sold out and should be avoided, but if company B doesn’t have a clear business plan that satisfies the community then they should also be avoided just in case.

If a company who offers a very good product but isn’t “perfect” in every way uses sales verbiage they are dragged through the mud to an almost obsessive level, but excuses are made for their competitors as they are trying to build something better. But at the same time we will also attack a new build of an app so aggressively it’s like we want them to give up trying? No chance to grow and improve it.

And then there are the defeatists who will either outright say, or continually hint at it all being pointless.

So I guess my question is, is it us, are we getting frustrated ourselves, is AI helping people be “smart”, or is it potentially a little more coordinated than that and we have been infiltrated by trolls and bots in somewhat of an attack on the community as a whole?

4 Likes

Do you have real examples of what you’re talking about? That would provide more context necessary to better comment on your post because I think it’s an interesting observation.

4 Likes

The defeatist part of this is probably one of the worst. Privacy nihilism has got to be like, the dream customer mindset for these places. Tired enough to stop resisting, cynical enough to mock people who are still going for it, and comfortable enough to conflate surrender for intelligence.

That is why the all or nothing privacy stuff works so well. I do know that the FTC already talks about dark patterns for consumers, and NIST has talked about security fatigue. Wear people down and make privacy choices sometimes annoying, make the defaults wicked easy, and a lot of people give up.

So to me, I can see how surveillance companies would benefit from pushing that mindset on social media. “Privacy is dead” is basically free advertising for them. The worst part of something like this is they barely have to create that attitude. People already and naturally move toward status quo bias and learned helplessness. To a certain degree, as studies that I’ve read have shown, Gen Z is kind of getting worse for this kind of thing. So for these companies, it becomes a win-win. People drift toward the easiest option, while the industry gets to rebrand surrender as common sense.

If these surveillance companies are doing targeted social media campaigns, or any kind of astroturfing, I would imagine they wouldn’t have to put much work into it.

12 Likes

I think this is just the privacy community, and PG as a part of that, actually gaining momentum and attracting more people.

When a community is a small group of early adopters there is space and time available for nuance. Everyone is well versed in the technical aspects and the history of how we got where we are.

Then the community grows. This causes two problems. The first is that more people who haven’t spent the time to become deeply knowledgeable about the topic start to become the majority…and they therefore start to get loud.

This leads to the second problem, social dynamics of large groups. This includes both tribalism as people break into factions and then competition for attention…which leads to decibel level often beating out quality. This is where you get the people wanting to sound hip by calling everyone else a sellout.

Again this is a human dynamic and not specific to the privacy community. But the privacy community growing means it attracts larger numbers of people and well…quality of commentary drops fast.

3 Likes

Sure. So if we are talking about the “money” issue. Companies like Proton are dragged over the coals for making money, and providing services that appeal to the masses (like that’s a bad thing). People within the community won’t be happy until companies go broke and close their doors. But when a service like SimpleX Chat comes out and starts to be adopted, all I saw people asking was “what is your business model and how will you make money. I don’t want to use you if you won’t be around for long”. So they are damned if they do, damned if they don’t.

The amount of hate Proton gets, full stop, seems abnormal. We have a decent service that has actually reached the masses and offers a genuine increase in privacy and security, which we should celebrate.

The more you see it, the more you see it everywhere.

2 Likes

I cannot answer for you or others, but I can certainly say that talking about trolls and bots is fueling the fire of misinformation.

2 Likes

The “privacy is dead and since we’re being spied on there, therefore there’s no point preventing it here” types. These people piss me off so much.

The truth is, their arguments are full of logical fallacies.

It’s like arguing there’s no point enjoying life or being healthy, because everyone dies eventually. It makes no sense. They put themselves in a position of weakness on purpose and portray the situation as worse than it is.

I am an optimist and I see more people than ever caring about privacy and digital rights and more people pushing back against this flawed way of thinking.

2 Likes

@FranklyFlawless There’s no way you read the whole thing before you hearted that :sob:

that was on sight :joy:

2 Likes

Your posts are easy to read and are cleanly separated in English, I would struggle if you did run-on sentences or used a different language instead.

1 Like

Won’t mention the video, but a reasonably popular YouTuber I watch did a cover of Android 17 and its AI features. One person commented about the privacy concerns, and was absolutely bombarded with replies with similar thoughts.

It does feel these “attacks” for the lack of a better word, are more common than they used to be.

1 Like

Privacy Guides surely is being targeted, but not just in the way that you describe. I don’t want to disclose too much but we have recently had an incident of an attempt to distribute malware via the forum which we stopped beforehand.

We of course do monitor and take action on defeatism on the forum as well as creating dissent, although it is not always easy to distinguish from deliberately concerned or anxious people. If ever in doubt just use the flag option so we keep track of it. It can also help us build insight if some accounts are flagged more often.

6 Likes

The “perfect or nothing” mindset is definitely exhausting. It kills momentum for projects that are actually making real progress. And yeah, the defeatist “it’s all pointless” attitude feels like it’s amplified lately; could be AI-generated noise, could be genuine burnout, or yeah, maybe some coordinated trolling.

At the end of the day, privacy is a journey, not a destination. We should be supporting tools that are moving in the right direction, even if they’re not flawless. If we only use “perfect” tools, we’ll be using nothing.

3 Likes
off-topic: malware

This sounds like a REALLY interesting discussion. Any hope the staff will publish some kind of postmortem write-up?

7 Likes

Or creating/developing it ourselves.

1 Like

Wasn’t much interesting. We got a post request with a vibecoded website linking to a malicious application hosted on Google Drive. Reached out to GitHub security and they took it down after a couple of days. More than that I don’t think we will share.

4 Likes

It feels coordinated to me. As soon as the masses started learning about privacy and getting into it, the demoralization posts exploded. You’ll see essentially the same posts phrased the same way over and over again. They imply (or directly state) that it’s pointless to take measures to protect your privacy. It’s not logical. The tone is kinda off. I think posters who talk like that are usually trolls or bots, or sometimes a normal person who fell for it.

These posts are especially prevalent on large platforms like YouTube and Reddit, and it’s reached somewhat smaller places like /g/ too. Putting all of this together, it sounds like a classic misinformation and demoralization campaign. But the fact that this is happening also shows that privacy is gaining serious traction, because someone felt it was worth trying to interfere.

2 Likes

As someone who’s generally quite vocally criticizing privacy projects, I want to give some perspective.

There are no bad products, only badly communicated threat models. You can have a messaging app that leaks all messages to your government, and if it’s honest and open upfront about that, then it’s not exactly an issue.

It’s also ok to be a novice or to have a business model, even around the data if you manage to anonymize it in a reasonable way on the user’s end. But you need to again be upfront and open about that. Transparency will invite people to share their expertise and help you grow.

The first step needs to be a stern warning that the company or developer is doing something dangerous out of ignorance. If they can take that in and fix the mistakes, that is a massive boost to their project.

But every once in a while you run into projects that have no intention of walking the talk. You see projects like Telegram that attack WhatsApp to try to grab as many users as they can, lie by omission about the security and just try to get the network effects to kick in. It was never about creating the best product, or even an adequate product. It was about hoarding users so that nobody can leave because it’s too difficult to get everyone to leave with you. You see these products claim there is no marketing, when in reality there’s massive grass roots marketing masquerading as fanboys.

All projects deserve the benefit of the doubt at first, but some projects have been around long enough for veterans to know it’s snake oil. A newcomer might feel it’s not warranted, when it really is. So it’s a good idea to check the track record before judging those doing the judging.

I’m not a defeatist, nor do I expect perfect security from any project. The UX/convenience is still often a trade-off with privacy. Ingenious privacy-by-design can create wonderful features nobody thought even possible. My favorite example being Signal’s managed v2 group chats where the server doesn’t get to control the group. But again it boils down to communicating the threat model. Every business wants to grow and they are hard pressed to upsell their products because the competition is. But that’s not a valid excuse.

Tools are made for a purpose, and you don’t always need the best one. But you always need to know the tool is good enough. When you’re open about the limitations I feel you have respect for your users and that makes me a return customer. Do the opposite and I’ll call you out as snake oil.

There definitely is some push for apathy like the famous quote from Scott McNealy: “Privacy is dead. Get over it.” But these are just noise, and the privacy community goes brr regardless. Arguing over it is pointless. Those pushing the message have a vested interest to push the message so you’re not convincing them. Don’t try to convince the people sitting on the fence, make something for them.

Wrt. attacking projects: That’s intentional. True security withstands any scrutiny, and we need people who want to make a name for themselves for picking this stuff apart, and calling out snake oil when they find it. That way users learn to detect crappy products, and makers of those crappy products face pressure to improve their products.

I should also point out that almost any project can in principle restore their reputation, but humans are often fallible and the CEOs double down because it’s a job security and/or ego thing for them. It’s up to them to show humility. You might get better results by offering them a route that lets them save face, but if the motivation is anything but pure, they won’t seize the opportunity.

I’ll also point that privacy software usually revolves around applied cryptography. Not always: you can have just a FOSS tool that stores data in plaintext on your own device and it’s fine. A tool that relies heavily on cryptography isn’t something that should be your first big project. I say this of course as someone whose first bigger project relied heavily on cryptography, and as someone who to the surprise of absolutely no one, got it terribly wrong at first. I got called out, and I felt immense shame. What I got right was I blamed myself and took a course on the topic and started reading the literature. That was 12 years ago. I now know enough to know what I’m doing (protocol design) and I know enough to know I don’t know nearly enough to do anything lower level (like implement even existing ciphers).

What doesn’t get said often enough is that new projects should start as research prototypes that in their GitHub readme explicitly forbid use of the code in production, until it has received some attention and feedback. That’s definitely something that would draw positive attention.

Here’s a password hashing function with provable memory hardness by a world-famous professional cryptographer, Dan Boneh: Balloon Hashing | Stanford Applied Crypto Group. It’s been in “do not use in production” state for 10 years now. There’s NO shame in saying you need to work on your project more before you can say it’s safe to use.

I get that people need to get paid to buy pizza to not starve to death so that they can make privacy tools. It’s difficult. But you can release projects as incomplete, just, again, be upfront about it. The roadmap and delivering on promises is better marketing than security claims that turn out to be bogus.

7 Likes

Whether or not “we” are being “attacked” does not matter. It’s all speculation and armchair theorizing without testable, falsifiable, scientific investigation.[1] A rise in argumentative behavior and defeatist attitudes is possibly causally explained by a combination of many things. To say that there are people with malevolent intentions who are actively colluding with each other to promote unhelpful discussion on this forum does not help us in any capacity.[2] Why? Because there is nothing new to be done with that information, even if it were true.

For example, you might say that this information teaches users to stay on high alert for defeatist attitudes and argumentative behaviors, but we don’t actually need to assert a conspiracy for that. Users should already be on high alert. It’s called critical thinking. And there is already an expectation to engage with others with respect. You might also say that this allows maintainers to be on high alert for such attitudes and behaviors, but it’s already a part of their function to filter that out, as well as anything else not helpful for discussion.

TL;DR: I’m all for criticizing argumentative behaviors and defeatist attitudes. I’m also all for fighting against its rise in the forum, because it does indeed derail threads. But I do not need to assert some armchair conspiracy theory that there are people colluding with each other and that this collusion causally accounts for the unfortunate behaviors and attitudes we see on the forum. That requires investigation to confirm. Not only this, but nothing would change were it confirmed. We would still have to act and respond in the same way either way.

If you are interested enough in logic, we can instead look at this as conditional statements (if X, then Y). Click here to open my analysis. Otherwise, regard this as off-topic.
  1. If [conspiracy], then [observations][3]
  2. If [observations], then [conspiracy]

The first statement is conspiratorial thinking, which should be avoided. The second statement is a non sequitur, at least as long as there is no proper investigation resulting in evidence. If you want a more analytical approach, then fine. Look purely at the logical form: If X, then Y. Modus tollens says that if there is no Y, then there is no X.

In statement 1: If there are no observations, then there is no conspiracy. Yet this is wrong. It’s actually quite possible that there are (a) disruptive observations yet (b) no group of people who are intentionally and cooperatively targeting the forum. In other words, there can be disruptive observations without a conspiratorial effort directly causing it. For example, there is already a broader cultural rise in nihilism and defeatism today especially among younger folk, who most likely constitute a majority of users on the forum here. Maybe that broad cultural rise has trickled down to this small forum. There is no knowing without actual empirical investigation.

And in statement 2: If there is no conspiracy, then there are no observations. This is also just wrong. There can totally be a group of colluding individuals who, while in their moms’ basements, are trying to disrupt this community’s discussions and yet fail entirely in their efforts.


  1. … and the only people who can do such an investigation are the people who can collect the relevant data: the Privacy Guides organization. They can probably do an investigation without violating their privacy policy if they are inclined to. ↩︎

  2. In fact, it can be true that there is, as you describe, a conspiracy at hand. But again, without investigation, you cannot say that that conspiracy actually caused the observations you are seeing. ↩︎

  3. … where the X term “conspiracy” refers to the claim that there are people colluding with each other, and where the Y term “observations” refers to the observable rise in defeatist attitudes and argumentative behaviors. ↩︎

3 Likes

I was just having a similar discussion with a guy who thought that 3 letter orgs are poisoning privacy discussion. I argued that it could just as easily be regular people in good faith that are new and don’t understand the problems with their reasoning.

My takeaway is that it doesn’t matter and you might just be making it worse by focusing on conspiracies; the solution is the same whether it’s psyops or defeatists: education and moderation.

3 Likes

What? No. Telling someone you are doing something nefarious does not make it less nefarious.

1 Like