00:00:00.080
How many people here use open source? Definitely all of them, because Ruby is open source. The funny part is that open source is not primarily about free software; it’s about the political idea that you should control your laptop and know what software is running and how it operates. Open source is inherently political. If you use open source, you're already involved in politics. Hacking culture is not only about stealing money; it's about mistrust of authorities and is thus very political.
00:00:30.000
My favorite example comes from cryptography. Right now, when we go to any website, we see HTTPS, which means security and encryption. The people who created these protocols wrote very good code. The decisions we make about communication security today will determine the kind of society we live in tomorrow, so cryptography is not just a mathematical problem; it's a political one. It was created to make us free. Software has always been about politics.
00:00:54.000
Currently, the young generation often perceives software in terms of money. For instance, there are two movies you should know. One is from the '90s called 'Hackers'; if you haven't seen it, I highly recommend it, as it's a really nice movie. The other one is 'Silicon Valley,' which exemplifies how our software development scene has changed—how people viewed us before and how they perceive us now.
00:01:14.960
So why should you care about politics? First, because the software you're creating now may be used against you in the future. If you're creating some time tracker that takes screenshots of workers' laptops, then your company could use it against you, forcing you to work 60 hours per week. Moreover, having political ideas and principles is essential for a meaningful life. Without principles, working solely for money can create an emptiness inside of you.
00:01:51.960
Having principles is not just about making friends; it gives meaning to your work. However, there are many principles and lots of politics, and privacy is just one aspect of it. Everyone should have their own principles. There’s no way to determine which principle is better, but I’ll argue for the importance of privacy. There are many misconceptions about privacy; people often think it’s unimportant, believing that all privacy issues revolve around companies wanting to track us to improve advertisements.
00:02:34.080
Unfortunately, this is not true. The main problem with privacy is not Google—it’s data brokers. These are companies that buy data from many small applications, collecting this data from various sources and selling it to questionable clients. It's not just about advertisements; it's a dark business. A good example is a data broker called Xtend. In 2020, journalists discovered that they had purchased data from about 100 applications, including a Quran app, a Muslim dating app, and Craigslist, and sold this data to US military contractors. What could be more shady than selling data about Muslims to the US military?
00:03:03.800
You might think, 'My company doesn't sell data; we don't work with data brokers, so we are fine.' However, the problem is not just about selling the data but also about leaking it. If you store any data in your database, there’s a good chance that, at some point in the future, this database will end up on the torrents of the darknet. We are witnessing more data leaks every year, and if you save any data to your database, there's a high probability that it will be on the darknet within five years.
00:03:58.720
For instance, a popular food delivery service in Russia, similar to Uber Eats, called Yandex, leaked all data about food deliveries for years in 2022. Each record contained the client's first and last names, phone numbers, and delivery addresses, which made it possible to track where someone was at any time if they ordered food to their home. What’s even crazier is that they created a user-friendly application that allowed people to access this data. Imagine your grandmother asking if you want some amazing food and you say, 'No, I'm not hungry.' She could then go to this website and discover that you lied to her because you ordered Chinese food that evening.
00:04:40.639
This is a real problem—data leakage. You might say, 'Well, we are not collecting private data; we only work with emails.' However, this is already a flawed understanding of privacy because we have extensive data systems capable of analyzing the data. The most dangerous aspect is combining different data points. For instance, there is a common application for Muslims that shows directions to Mecca. It doesn't ask for your name or email; it just identifies that you are Muslim based on your usage, and it knows your location to provide directions. Meanwhile, if the same user also uses a social media app like Instagram—which can track location via photographs—this data can be combined to reveal sensitive information about their identity.
00:05:37.760
The most dangerous kind of data processing occurs with tools like Google Analytics. How many people here use Google Analytics? Approximately half the audience. The danger of Google Analytics is that it tracks users not only on your website but across the entire internet using global user IDs. Google knows where you go after you leave your website, creating a comprehensive path of your internet usage. Even if only about 50% of users have Google Analytics, we can use referrals and clicks to trace where users go next, even if the next website doesn't have Google Analytics installed. As a result, I believe Google can track about 70% of the websites you visit daily, and this presents a significant risk.
00:06:56.000
You might have heard someone say, 'If you have nothing to hide, you have nothing to fear.' This claim overlooks the fact that not everyone is in the same position. For example, a Twitter employee sold user data to the Saudi government, resulting in a girl being imprisoned and an old teacher being killed. If Twitter had not stored user data in a database, this information could not have been sold. It's not only a matter of foreign governments; in Europe, companies have created facial recognition systems used in protests. These systems do not grab individuals off the street; instead, they record faces, store them in a database, and later have police visit you if you protested. It is a strategy to suppress dissent.
00:08:43.760
The same applies to Spain, where the government pressured ProtonMail and Apple to open user data, resulting in a peaceful protestor being jailed for supporting Catalonian independence. The privacy problems are not just limited to certain countries; they exist everywhere, including Europe. The risk of artificial intelligence knowing your private data is also real, as it could easily influence your political views.
00:09:14.640
But what can we do about all of this? Let’s switch to another topic. About ten years ago, the internet was a much better place. It was more user-friendly and less cluttered. Nowadays, it feels like a city full of pop-ups, making the internet a worse place. Am I at a developer conference? We are the ones who made the internet a frustrating place, creating annoying interruptions. The first step to improving privacy is to finally remove these pesky pop-ups.
00:09:35.760
You might argue that European bureaucrats are forcing you to implement these pop-ups due to GDPR laws, but the amusing part is that the term 'pop-up' does not appear in the GDPR documents. The law states very simply: do not track users. Instead, we have created a system where website visitors are punished with pop-ups until they agree to be tracked; this is a dark design pattern that coerces users into agreement by blocking vital information.
00:10:54.399
In fact, it is possible to operate without pop-ups by eliminating Google Analytics and opting for GDPR-compatible analytics tools. You don't need pop-ups if you request private data only when users sign up, explaining clearly why you need access to their information. This integration can be done seamlessly as just another checkbox. GDPR-compatible analytics are indeed powerful, allowing tracking of campaigns and sources without compromising user privacy.
00:11:37.760
Remember, when engaging in remarketing, it’s crucial to understand the implications. Remarketing is the practice where, for example, after visiting a shoe store, you see shoe advertisements on Facebook. This is a shady practice that is prohibited by GDPR. There are several good GDPR-compatible analytics options available; I personally use Plausible but highly recommend exploring all of them.
00:12:10.640
If your manager insists on using Google Analytics, often it's not because they need that information, but rather out of an obsession with data collection. A simple test can clarify this: ask them what decisions they made based on private data last year. If they cannot cite any, it means they don’t genuinely require that data.
00:12:57.600
Moreover, if you implement Google Analytics and a privacy pop-up, some users will opt out—about 30% to 60%. As a consequence, the private data you collect will only come from a small fraction of users, leading to skewed data that might result in false conclusions because it doesn’t represent your entire user base.
00:14:04.399
The issue of privacy and data tracking is not limited to Europe. Other regions, including California, are seeing similar regulations arise, indicating this is a global issue. We have the potential to change industry standards collectively. Consider the time when we had to develop websites for Internet Explorer, which was notoriously difficult. The business demanded that we support it, but we united as developers and managed to convince businesses to stop that support.
00:14:52.760
If we could abolish support for Internet Explorer, why not aim for a similar outcome with GDPR pop-ups? Reducing the number of data processors is another way to enhance privacy. When you visit a website, you often see a GDPR pop-up asking for consent for dozens of companies to have access to your data. This isn't genuine privacy; it’s simply a facade. We have many services on our websites—Google Fonts, various CDNs, cloud databases, and more—that increase the probability of data leaks.
00:15:47.040
To mitigate this, you should reduce the number of companies accessing your data. For example, stop using CDNs for JavaScript because it’s not only bad for privacy but also performance. Hosting resources on your server rather than utilizing separate cloud services—the same goes for handling data storage—is a more secure and efficient approach.
00:16:29.760
A more complex step is adopting a 'local-first' architecture for new projects. This approach is challenging to implement in existing projects but very important. When cloud services exploded, we shifted from local data storage to relying on the cloud for synchronization. However, I propose another route: keep your data on the local machine, using the cloud solely for sync rather than storage.
00:17:30.960
Local-first applications maintain all data locally, utilizing the cloud for uploads and downloads. A popular application exemplifying this is 'Notion', which stores data in the cloud openly and can use it for other purposes. Conversely, 'Obsidian' keeps users' notes locally in simple markdown files while allowing for synchronization across any cloud service. This model is a great example of local-first applications—options that prioritize storing data locally while leveraging the cloud for syncing.
00:18:29.600
When creating a local-first application, you need robust storage options on the client side, like a good database engine such as SQLite or Postgres running in the browser. There's an exciting project called 'PGlite' that enables you to run Postgres directly in your browser. This can allow you to streamline your work and create a more efficient architecture overall. Adding an action log is essential, too; this component tracks user changes without immediately altering the database, ensuring synchronization across local and cloud storage.
00:19:54.079
Next, you’ll want to resolve conflicts naturally when multiple users are editing the same information. Solutions like Conflict-free Replicated Data Types (CRDTs) handle this gracefully. Many libraries exist to facilitate this, and you’ll need two different passwords for each user—one for cloud access and another to encrypt actions synchronized to the cloud. This approach ensures that your cloud infrastructure can't read client data, thus crafting a genuinely local-first application.
00:20:39.760
Creating local-first applications adheres to principles that not only serve a political purpose but also provide business advantages. For instance, when operating a local-first app, we can reduce our server costs significantly by minimizing the need for backend developers. Your prototype could operate offline by default, leading to quicker investment opportunities. Furthermore, scaling is no longer an issue since client machines handle more of the workload, which can lower your operational costs over time.
00:21:38.760
Moving to local-first allows flexibility and better data handling since it stays secure and encrypted. Users frequently report faster feature delivery rates once switching to the syncing model or a local-first architecture, as it streamlines development processes tremendously. Improved user experience is a critical business advantage, illustrated by how platforms like 'Linear' compete with larger companies by providing a more efficient and enjoyable interface, enhancing their market position.
00:22:48.360
So, as we wrap up, consider that the final step in discussing privacy leads us into more complex territories, especially regarding different countries and privacy risks. It's crucial to understand the nuances of risks that aren’t just governmental or related to tech companies. In some places, family or community members pose significant threats, and being aware of local and global dynamics in privacy is essential for developing frameworks that genuinely address these challenges.
00:23:52.760
In summary, first, identify your principles; it's better to develop with principles in mind rather than purely for profit. Eliminating pop-ups by leveraging cookie-less analytics is a good starting point. Second, reduce the number of services you rely on. Third, incorporate local-first paradigms into your projects whenever possible. Lastly, don’t neglect privacy issues that are not as widely recognized in the United States.
00:24:00.640
I want to leave you with a crucial reminder from the creator of encryption: the decisions we make regarding privacy in our applications today will shape the society we live in tomorrow. This is a significant thought to carry forward. Thank you!