Hydroxide as a headless bridge for ProtonMail on Tailscale

I had fun setting up Hydroxide on the Tailscale network so that I can access my ProtonMail inbox from any IMAP client. If you are not familiar with ProtonMail, it’s an encrypted email provider. Given the nature of this product, they do not offer IMAP access as other standard email providers do. Rather, they require a paid account and a connector by the name ProtonMail Bridge for desktop IMAP clients to work.

That works great for most users, but what about IMAP clients on mobile devices? Access on the mobile devices is limited to the official ProtonMail app. As a ProtonMail customer of over 3 years, I haven’t seen any significant improvements in the mobile front. They did promise an update to the ProtonMail Android app, seemingly with support for threaded conversations, but that was a long time ago.

My favorite IMAP clients on Android are Nine Mail and K-9 Mail at the moment. I have been using K-9 Mail only since a week, and my experience so far has indicated that the two are not any different. Nine Mail has a free trial, but the latter is free forever and is donation-supported.

Tailscale to the rescue

Since I previously set up pi-hole on the Tailscale network, I started exploring the idea of using ProtonMail on the Tailscale network.

While ProtonMail Bridge is open source, it’s limited to Windows, Mac and Linux at the moment. That’s a GUI version. ProtonMail Bridge is not available in a headless format, but it appears to be planned.

An image showing a Proton staff's comment about a headless bridge.
Proton staff comment about a headless bridge

I wanted the headless version to run on my Raspberry Pi so that it’s accessible from any Tailscale-authenticated node.

In exploring for third-party Bridges, I found Hydroxide which seems open source and popular among users. It also seems to support any ProtonMail account, while the official ProtonMail Bridge is only for paid users.

Setting up the bridge

Setting up Hydroxide is rather simple, but I ran into some challenges along the way.

For starters, it appears Proton recently modified their authentication API endpoint that prevented generating the Bridge password on Hydroxide. Some users found workarounds, but updating to the old endpoint didn’t quite work for me.

An image showing a GitHub user's comment about updating the ProtonMail authentication endpoint on the Hydroxide code.
tomoqv’s GitHub comment about updating the ProtonMail authentication endpoint

I found another workaround that involves using a SessionID from a web-authenticated ProtonMail session, and that worked for me.

An image showing a GitHub user's comment about using a SessionID cookie for ProtonMail bridge authentication.
dvalter’s GitHub comment about using a SessionID cookie for ProtonMail bridge authentication
An image that shows a GitHub user's comment about using SessionID as an authentication parameter for Hydroxide.
dvalter’s GitHub comment about using Session ID as an authentication parameter for Hydroxide

Secondly, I had to get Hydroxide listening on the Tailscale network instead of 127.0.0.1, which would be a local address. There are flags that allow configuring a different network interface, but entering my Raspberry Pi Tailscale node address didn’t quite work. So, I ended up updating the default network interface within the Hydroxide code. The lines below had to be replaced with my Raspberry Pi node address.

An image that describes replacing the local host and ports with Tailscale node address.
Replacing the local host and ports with Tailscale node address

With this done, all that I had to do was enter my Raspberry Pi Tailscale node address as the IMAP and SMTP server on my mobile IMAP clients. The official ProtonMail Bridge documentation recommends adding a SSL exception for desktop clients. I couldn’t quite figure out how to configure a similar exception on the mobile clients. Also because both devices (my mobile device and Raspberry Pi running Hydroxide) are within the same Tailscale network, I chose to authenticate without SSL. That means my Bridge password being visible somewhere along the communication between the device and Raspberry Pi, but that’s alright as it’s a private network.

Preventing Hydroxide bridge access for others on my Tailnet

Since my friends and family use my Tailscale network (I share my pi-hole ad blocker with them) as well, I configured access control rules (Tailscale ACLs) on the Tailscale web admin.

An image from my Tailscale admin that shows access control rules for my Hydroxide ports.
An image from my Tailscale admin that shows access control rules for my Hydroxide ports

This setup is safe in my understanding, as Hydroxide runs on a hardware that I control. And, it is available only within my Tailscale network. To authentication on this Tailscale network, one requires my approval. I use a GitHub organization as a multi-user tailnet. Even if someone manages to get in, ACLs must prevent them from accessing the Hydroxide IMAP and SMTP ports.

I am not a network engineer but enjoy hacking on things by self. Don’t treat this guide as a bulletproof workflow if you value secure, encrypted communication.

macOS Monterey, iOS 15: My Apple betas experience

macOS Montrey and iOS 15 are the latest versions of macOS and iOS. They were announced at WWDC 2021. The public beta was released a couple of days ago, and I downloaded it as soon as they were available. I wanted to download them when the developer beta was announced, but I don’t have an Apple developer account. And, admittedly, I was worried about how developer beta may fare. Glad I decided to wait for the public Apple betas.

I am quite happy with the experience so far. I installed both betas on my personal devices and on my work Mac as well. They seem rock solid, and I don’t see a hit on battery life either, which I hear is often the case on Apple beta rollouts.

I blogged about my favorite iCloud+ features previously, which I will be focussing on in this article.

Mail Privacy Protection

I have enabled it on my Mail app for now, but haven’t found if there are stats/analytics of how many trackers are blocked. As I am a pi-hole user, that must cover DNS-level blocks throughout my home but I am curious on seeing how this new feature complements pi-hole.

A screenshot from iOS 15 that shows the new Mail Privacy Protection feature. It blocks trackers on your mailboxes.

Private Relay on both Apple betas

Private Relay is Apple’s double-hop VPN-like service that prevents networks from monitoring your traffic, and prevents trackers and websites from identifying your IP addresses. It’s available on both Apple betas as of today.

My original understanding was that this is basically Apple-backed VPN service, but that doesn’t seem to be the case.

Is it basically a VPN service?

From a technical reading (I don’t have the link to it at the moment) of this service, it appears this is a double-hop tunneling system. Think of Tor, where there are 3 hops involved — entry node, middle node and exit node.

In Apple’s Private Relay case though, the first hop gets you an anonymous, shared IP address, while the second hop decrypts the website address. In this fashion, none of the parties in these tunnels are able to fully map the original address of the requester and the website address.

DNS leaks with Private Relay on these Apple betas?

Private Relay has assigned me a Cloudflare and Fastly address so far. I hear there are other providers that Apple has partnered with, but my experience so far has been limited to the two of them.

I have also noticed that my pi-hole on the Tailscale network doesn’t work when Private Relay is active. That’s alright in my opinion, because the very purpose of tunneled connections is to prevent leaks to other networks. Think of using a VPN, which assigns its own DNS resolvers, vs using the one assigned by your DHCP on the router. That’s precisely what’s happening here.

A screenshot from iOS 15 that shows the Private Relay functionality's settings.

Private Relay is limited to Safari. That works great for me. When I need to browse websites from my regular, ISP-based IP address, I can use a different browser like Firefox.

My pi-hole setup continues to work normally on other browsers, and other apps throughout the device.

A couple of other things that I noticed:

  • Private Relay on iOS 15 allows me to choose servers from the same geolocation, or from other areas of my country. That’s just a feature of iOS 15 though. I don’t see it on macOS Monterey.
  • Private Relay was enabled by default on my WiFi network. That wasn’t the case for a friend though.
  • As expected on a beta software, Private Relay disconnected a few times as I was browsing.

All in all, I am happy about this functionality, which is one of the many first steps that Apple is taking in privacy.

Hide My Email

Hide My Email is basically an email alias service that generates new addresses on demand. These aliases forward incoming email to your primary address, thus avoiding exposure of your actual email address from spam. I am a huge fan of this concept. I use SimpleLogin already for which I am a paying customer.

It is limited to 100 aliases per account (read so on a beta thread on reddit.) That can be limiting for power users. On SimpleLogin, I have over 1000 aliases, spread across website and apps signups, newsletters, shopping and everything in betwee.

A screenshot showing the new Hide My Email functionality on Apple's iOS 15.

If you start using Hide My Email, consider saving them on a password manager like 1Password or Bitwarden. Otherwise, it’s very easy to lose track of your alias usage across sites.

iCloud Mail with a custom domain

This is probably my most favorite feature announced at WWDC 2021. It’s not available on the beta just yet. Fingers crossed for its availability in the next release!

Safari re-design on both Apple betas

I hate it. Multiple things about this design are distracting:

  • The box-like layout of the tabs resize as I change tabs.
  • The background of the tabs change colors depending on the website’s background color. While it seemed interesting initially, I have noticed that it comes with illegible reading, especially on my non-retina MacBook Air.
  • The position of the search/address bar changes every time I navigate between tabs.

I am not a fan.

Other things I noticed

  • I was late to learning that Shortcuts is available as well! As someone that automates a lot of things with Keyboard Maestro, I am curious to see how Shortcuts can work with it, or how it can complement the former’s features.
  • Universal Control is not available on this beta either. It allows one to use the same input devices (mouse and keyboard) across multiple macOS or iOS devices. I can imagine myself using my MacBook Air’s (2015 model) keyboard for MacBook Pro (2019 model). The latter doesn’t have a butterfly keyboard, which is a good thing, but I still prefer my MacBook Air’s keyboard. There is a mechanical typing sensation which makes the typing experience rich.
  • Tailscale works okay on both betas!

If you want to enroll your devices for Apple betas, the signup program is available here.

Day One: My new private blogging app

I am a Day One user now!

The team joined Automattic this month. The acquisition is perfect. Automattic is a pioneer in the web publishing and blogging space, while Day One champions the private journaling experience. I am excited to see what the future holds for Day One, and how Automattic integrates its products with it. Publishing from the app to a WordPress site, the other way around and Gutenberg on the app are few examples of great things that can happen.

An image of the Day One app on a white iPhone
Day One on iPhone

Today on the company-wide townhall, the Day One team met the rest of Automattic. We had a quick overview of the Day One apps. They also offered a premium subscription for everyone working at Automattic. That’s very cool!

I have not been into private journaling most of my life. I have written pieces on and off though. The first time I started private blogging, it was during my college days. I remember maintaining a notebook. That was my first time away from home/neighborhood and writing was a great way to cope with the change. I remember moving to a Dropbox later, where I stored them as text files, encrypted with Cryptomator.

Day One, on the other hand, is a fully encrypted, cross-platform app. Android is an exception though. It does not support end-to-end encryption. I published a copy of this blog post as an entry as well. The Mac app seems polished with a great deal of features. I will not be using the Android app just yet. Hopefully an end-to-end encrypted version is available in the near future.

Download the app

If you are looking forward to trying the app, they do offer a 7 day free trial of the premium subscription. The premium version offers unlimited media storage, sync, and backup, amidst a whole bunch of other features. Get it on Google Play Store or the App Store.

First look at Among Us 15 players update

The popular, cross-platform, LAN and internet-based social deduction game Among Us is dropping a big update today! They are finally supporting lobbies with upto 15 players. This is a big news to me, as my team at work has 11 members. I know teams that are larger as well, and someone always had to sit out, or had to create two different games.

Along with the update to player count, there are a few other changes that I have noticed on the team stream that Innersloth is hosting at the moment.

Changes that stand out immediately:

  • New voting screen.
  • Voting animation gets a new look as well (video below)
  • Dead bodies look different. Is it the backpack which the beans carry that gives the rectangle appearance?

I got a chance to record the new voting animation as well. I think it’s a welcome change as it significantly improves the time taken to show all the votes, especially important in a lobby that’s sized 15.

Besides these, the team announced support for mobile controllers and a certain new “honk” system on Airship. I am not curious about the mobile controller as I am a desktop player, but I am keen on seeing what the honk system is about. The update drops by 3PM EST, which is 12.30am IST. I am hoping to download the release tomorrow morning the first thing. πŸŽ‰

Among Us is available for Windows, Android and iOS.

Opt out WiFi from Google and Microsoft location tracking

I was reading a Hacker News piece about Amazon opting out of Google’s FLoC and I learned something even more interesting. Google and Microsoft have been using information of WiFi networks, including residential properties, for location tracking purposes. It’s mind blowing that companies are able to make decisions as such. These requests must be opt-in, vs being an opt-out which is the case today.

A stock image showing a lock on a fence

Apparently this has been a thing for over a decade, and the earliest article that I could find on this is this blog post from Google where they outline a way to opt-out one’s access points and routers from this location tracking service. It’s fairly straightforward — one has to append _nomap to their router SSID.

As for Microsoft’s equivalent of opting-out, one may add _optout to any part of the router’s SSID.

To chain both opt-outs, _optout_nomap must do the trick. I did so on both bands on router – 2.4 Ghz and 5 Ghz.

This is generally done by accessing the web-based software for your WiFi router and somewhere on the settings menu, you will see an option to change its name.

Related: Setting up pihole on the Tailscale network to block ads and telemetry on the go.

My favorite WWDC21 announcements: all new iCloud+

Last night was fun. Apple’s WWDC21 event announced multiple software updates across their iOS, MacOS, iPadOS and watchOS platforms. I enjoyed the full keynote, particularly the part where they announced the new iCloud+ subscription. The Health-related segments were arduously long though.

It was disappointing that the new 16 inch MacBook wasn’t announced as well.

My most favorite announcement is probably the new iCloud+ subscription that includes privacy-focussed services like “Hide My Email”, “Private Relay” and the new pixel blocking functionality on the Apple Mail app. Other favorite announcements include:

  • TestFlight for Mac.
  • SharePlay for watch party with friends and family.
  • FaceTime on Android, Windows and Linux using web browsers. This brings end-to-end encrypted video calling across all platforms.
  • Universal Control. I can finally use my 2015 MacBook Air keyboard on 2019 MacBook Pro.
  • App Privacy Report. It’s like a mini pi-hole report, for your iOS device.

iCloud+ subscription

I am not an iCloud member at the moment, but with the new functionalities announced last night, I might end up choosing the lowest iCloud tier. It costs 75 INR a month in India, which is roughly about 1 USD. That’s a great price for something that includes,

  • Private Relay, a browser-specific VPN that works on Safari.
  • Hide My Email, to generate random email aliases that redirect all incoming email to your primary email inbox.
  • Custom domain support for iCloud.com email.

It’s not clear what Private Relay is just yet, but in reading beta user experiences on Reddit, it seems that it’s a Safari-specific VPN. The idea seems to be that the customer’s IP address isn’t visible to the websites that they are browsing and their internet service provider. That’s pretty much what commercial VPNs like NordVPN and Mullvad do, and they apply throughout your device. Apple’s service is restricted to the Safari usage though.

I am a devoted Firefox user, but considering that I recently cancelled my NordVPN subscription, switching to Safari for Private Relay feels like a good idea. It boils down to how performant Private Relay is though. VPNs are known to throttle your browsing speeds as they encrypt your data/route traffic through the VPN provider’s node. Private Relay routes your traffic through two hops instead, which is even better privacy-wise but I wonder if performance would take a hit.

I am a huge fan of SimpleLogin and Anonaddy, of which I am a paying customer of the former. They are open source, can be self-hosted, offer API access and offer custom domain support. I wouldn’t be cancelling my SimpleLogin subscription, but using Apple’s “Hide My Email” functionality alongside feels like a good idea. Maybe compartmentalize usage for different purposes?

“Hide My Email” had been a feature that’s part of “Sign in with Apple” functionality but that changes today because “Hide My Email” becomes a standalone app/functionality.

Custom domain support on iCloud.com is very cool as well! In fact, I never signed up for iCloud.com mail until today. I am a ProtonMail user today and I am happy with it in most respects. The end-to-end encryption functionality of ProtonMail isn’t all that useful to me though, as 99% of the communication that I make are with non-ProtonMail customers.

Email, in general, is known to be a protocol that isn’t secure. For anyone that’s looking for secure, private communication, Signal must be the goto option. That brings me to the idea that ProtonMail subscription isn’t necessary for my use case. When it ends in 11 months, I plan on canceling the subscription. Also because iCloud Mail allows usage on third-party apps and platforms, it’s not any different from other IMAP-offerings. This enables me to use the new iCloud mailbox on Android and Windows. Pretty cool for the price it comes at.

TestFlight for Mac

I am very happy with this announcement, mostly because I test Tailscale and Signal releases. Until today, beta testing on Mac has been a waiting game because developers have to submit the release on the App Store, which takes multiple days to be available to the customers. TestFlight speeds up the availability tremendously. I am looking forward to seeing whether Tailscale and Signal devs adopt TestFlight in the coming months. There is no reason not to.

FaceTime

FaceTime’s new link generation functionality is quite nice, which allows inviting non-FaceTime users to join the call using their desktop and mobile browsers. I haven’t used FaceTime ever, but considering that it offers end-to-end encrypted communication (this time even on browsers), I could give it a shot. Performance on browsers is a question though, especially in slow networks.

Signal is my choice of communication today, and it became even better recently because it offers screen sharing, which replaces my occasional need for Zoom. It’s in beta at the moment.

I look forward to trying FaceTime but convincing friends and families to use it is a challenge. Most are devoted WhatsApp users because their social circles are on it. Signal saw an increase in usage briefly in January 2021, which is when WhatsApp announced new terms (they have reversed that decision, by the way) but most of gone back to using WhatsApp because of the lack of social circles.

Overall, WWDC21 was quite nice. I hope to test the betas in the coming days.

Breeze

It had been a busy few days at my end.

VALORANT greeted with a pleasant surprise tonight though. There’s a new map! Breeze! I have no clue how old this is, but I am definitely enjoy the new view.

Picture of a gameplay from VALORANT.
Picture of a gameplay from VALORANT.
Picture of a gameplay from VALORANT.
Picture of a gameplay from VALORANT.
Picture of a gameplay from VALORANT.
Picture of a gameplay from VALORANT.
Picture of a gameplay from VALORANT.

Facebook must be deleted

Look at this.

Facebook tracks your web presence and activities even outside of their “Facebook.com” domain. Facebook is not a social networking website anymore. They are a data mining corporation, focused on showing targeted ads. They are minting money based on your interests.

That Twitter thread has examples of the level of data that Facebook can collect. They can be so precise that they will know of the time you ordered pizza, what page of a website you are at, what kind of action you are taking on that website, what college you are applying to, and everything inΒ between!

Facebook must be deleted. Today.

At the least, you must be turning off their “Off-Facebook activity”Β settings. Get a copy of your data before you turn that off.

Setting up Pi-hole on the Tailscale network

I have been a fan of NextDNS for the last year or so. It’s easy to use, is cheap, and makes it incredibly easy to manage my ad-block lists. The configuration functionality of NextDNS is great as well, as it allows for compartmentalized setup.

However, I have always wanted to start using Pi-hole as it offers more data control (self-hosted) and because it’s open source. While Pi-hole setup is straightforward and can act as a network-wide ad-blocker within your house, extending that to mobile/other networks, for on-the-go usage is not easy. Pi-hole docs have this guide about setting up that extension, using OpenVPN protocol but I hear Wireguard has superior performance.

I tried Rajan’s guide involving Wireguard, and later came Tailscale which makes VPNs stupidly easy.

Tailscale is built on the top of the Wireguard protocol as well.

Once you have installed and logged into your Tailscale account on your devices, they will basically be available on a flat network, thus allowing your devices to talk to each other. Talk in this context refers to setting up a service/server on one device, making it listen on the Tailscale network and making the other devices connect to it.

For the purpose of this post, I will explain how I set up my Pi-hole to listen on the Tailscale network, allowing for network-wide ad blocking.

Get Tailscale on your devices and log with a Google or Microsoft account

  • Tailscale is available for download on Android, iOS, Windows, Mac and Linux. You can get your copy here.
  • Once you have installed it, log into each device using your Google or Microsoft account.
  • Do so on the Linux device that you are about to use for your Pi-hole as well. If you have a Windows device, you can install Linux on it using Windows Subsystem for Linux.
  • Once that’s completed, you can find your devices on this Tailscale admin page.

Set up Pi-hole on a Linux device

It’s time to install Pi-hole on your Raspberry Pi or the Linux device.

Work through the Pi-hole setup guide here. The basic installer at the top of the page can work.

Note:

While setting that up, you will be prompted to choose a “listening interface”. Choose “tailscale0”, not “eth0”.

Once the set up is done, you can visit Settings > DNS tab of your Pi-hole settings to verify that Listen only on interface tailscale0 is selected under Interface listening behavior.

Image to indicate the "Interface Listening Behavior" setting on Pi-hole
Indicates the “Interface Listening Behavior” setting on my Pi-hole

At this stage, Pi-hole set up is all done!

Marking Pi-hole as DNS resolver for all Tailscale devices

Log into your Tailscale admin dashboard. Under the Name servers section, enter the Tailscale node address for the device you installed Pi-hole on.

Magic DNS

Make sure that you do not enable magic DNS. I am fuzzy on what it’s supposed to do, but I have noticed that non-Tailscale traffic doesn’t work when magic DNS is enabled. It’s probably being discussed on this GitHub issue.

In my case, I have two Pi-holes. One on my Raspberry Pi at home, and one on the Google Cloud. As such, the two addresses that I entered on my Tailscale name servers section are 100.112.92.63 and 100.127.221.120.

An image to indicate the DNS name servers settings on the Tailscale website
Name servers entered on my Tailscale account

Once your name servers are added, enable Tailscale on your computer/mobile devices. By doing so, your VPN configuration will be enabled, and all DNS queries will be tunneled to your Pi-hole. This will work even when you are on a mobile network, outside of your house!

Disable private DNS on Android

If you have a private DNS address added on your Android settings, turn it off.

Things to note

One of the things that Tailscale promises is that the Tailscale node address never changes for your device. This ensures that the name servers that you just entered always work, thus not leaving you without a DNS resolver.

Are apps/websites not loading?

It’s possible that you enabled Tailscale on your computer/mobile before adding the Pi-hole’s node address on Tailscale DNS page. In such a case, restart Tailscale on your device and it must fetch the name servers from your admin.

Do not enable Block connections without a VPN setting on your Android VPN settings. Brad explains why here.

You can share your Tailscale node where Pi-hole is running (your Raspberry Pi device or the Linux device) with other Tailscale users. Once they accept the invite, they can add your Tailscale node address as the name server on their DNS page. By doing so, they will get the benefit of your Pi-hole as well.

This is not an open resolver. This Pi-hole DNS resolver will be accessible only by Tailscale nodes on your Tailscale network, and by those that you invite to that device.

Kudos to Apple for privacy-focussed features

I have been using ProtonMail, Signal, DuckDuckGo and SimpleLogin for a fairly long time. These make up an integral part of my online presence, and I cannot go back to a time where these didn’t exist.

Without doubt, I truly enjoy and recommend using privacy-respecting products.

In a recent conference, Tim Cook committed to advancing user privacy by giving them tools to control where their data is shared. Especially in today’s world, it’s important to understand the implications of online data tracking, and it’s necessary to be informed about ways to prevent that. Apple’s recent release of an illustration explaining implications of data tracking will be a great read. While the conclusion of that report focusses on Apple-centric tools to prevent data tracking, the content of the report holds true, that companies profit by monitoring users.

At Apple, we made our choice a long time ago. We believe that ethical technology is technology that works for you. It’s technology that helps you sleep, not keeps you up. It tells you when you’ve had enough, it gives you space to create, or draw, or write or learn, not refresh just one more time. It’s technology that can fade into the background when you’re on a hike or going for a swim but is there to warn you when your heart rate spikes or help you when you’ve had a nasty fall. And with all of this, always, it’s privacy and security first, because no-one needs to trade away the rights of their users to deliver a great product.

Tim Cook at the Computers, Privacy and Data Protection conference, MacRumors

Starting with the next beta release of iOS 14, Apple will be launching a new tool called App Tracking Transparency that will enable users of apps to control sharing of data with app makers. By taking away data tracking functionality within the iOS ecosystem, Apple is definitely making a sizeable dent in businesses that primarily focus on monetizing user data, read Facebook.

An image showing Apple's new App Tracking Transparency feature
Apple’s new App Tracking Transparency feature that will be available in the next beta release of iOS 14

Open-source software like Pi-hole has existed for a while, and recently, online services like NextDNS and AdGuard have emerged that offer similar controls. I am a happy user of these products and services, but I particularly like how Apple is championing this effort.

iOS takes up 50% of the market share in the US, which is Facebook’s largest market. If Facebook is feeling threatened by Apple iOS 14’s new privacy features, we are moving in the right direction.

It’s also worth noting that WhatsApp will be sharing user data with Facebook group of companies. It’s particularly worse for those WhatsApp Business API users as their messages wouldn’t be end-to-end encrypted. Differently put, they will be visible to third-party Business Solutions Providers, including cloud-based version of the API hosted by Facebook:

Some organizations may choose to delegate management of their WhatsApp Business API endpoint to a third-party Business Solution Provider. In these instances, communication still uses the same Signal protocol encryption. However, because the WhatsApp Business API user has chosen a third party to manage their endpoint, WhatsApp does not consider these messages end-to-end encrypted. In the future, in 2021, this will also apply to businesses that choose to leverage the cloud-based version of the API hosted by Facebook.

Gizmodo – This Was WhatsApp’s Plan All Along

On the flip side, Apple is fighting back, highlighting that this will impact small businesses that depend on personalized ads for sales. Facebook also highlights that Apple’s own apps will be exempted from App Tracking Transparency, but it’s not clear if that’s true, based on Apple’s press release.

Other privacy efforts by Apple that I appreciate

In June of 2020, Apple announced support for native encrypted DNS throughout the device. This is a big deal for users like me that have a NextDNS subscription.

In iOS 14 and iPad OS 14, Apple also launched a new App Store functionality, called the privacy nutrition labels. It gives users a quick overview of the apps’ privacy practices — as in, what level of data is obtained by the app, what these details are used for, and also outlines how they may be linked to an individual. Apple’s own apps, like Apple Music, are required to show these labels; they are not exempted.

An image showing the new privacy nutrition labels feature on the Apple App Store
An image showing the new privacy nutrition labels feature on the Apple App Store

If you are not aware, the messaging app Signal collects only your mobile number. It doesn’t link that mobile number to your identity either! If you are a WhatsApp or Telegram user, it’s time to consider switching to Signal.

An image highlighting the data that the messaging app Signal may collect and link to your identity
Signal’s privacy nutrition labels on the App Store

I am keen on seeing where things head from here!