Replying to vinney...axkl

What the fuck nostr:npub1a00wj229auzjswlq4s77y4u8eqdx5k9ppatgl8rtv8va65f6mwksum9q3h ? Are you out of your minds? If you're going to "collect my reading activity and personal notes", at least end-to-end encrypt them and don't harvest them for targeted advertising.

There is absolutely no way I'll be continuing to use your "Reader" software in this context, and you can be sure that if you release a custom OS that has this level of privacy invasion I will not be using it. If that means I can't use the hardware either, then so be it.

This is coming from someone who said the hardware is completely revolutionary and life-changing.

https://support.daylightcomputer.com/privacy-policy-march-2025#block-1850b673e0bf80798d1ceaa41d9030d4

> Personal information we collect:

> ...Your reading materials, links, and other content you choose to save in the Service, and any notes added to saved documents.

> Automatic collection. As you navigate the Service, our communications, and other online services, we, our service providers and advertising partners may automatically collect identifiable information about you, your computer or device, and your browsing actions and use patterns, such as:

> Page views, pen strokes, reading history, search terms, what videos and other content you view, how long you spent on a page, the website you visited before browsing to the Service, navigation paths between pages, information about your activity on a page

> We, our service providers, and third party advertising partners may collect and use your personal information for the following purposes:

> Direct marketing

> Targeted advertising

Hi nostr:nprofile1qy0hwue69uhngve5xpkkz6tw9ej82cmtv3h8xtn0wfnn5dpcxsuz7q22waehxw309um8yemhvd6xxdfn09e8qmt4wac8smehdemngdp5ddshzcfjdpuksdm00yekc7r8xahhxdr2d358ja3jw9nxgmrkw9jzummwd9hkuw358qmrjtcqyqh04fc4hw6xm4d7dd7634msqfndz9n5hyfms9u2mk6u9e3anpenzccjrdl , this is Drew, head of software at Daylight. Just want to clear up some misconceptions here.

Everything in Reader *IS* end-to-end encrypted, and we do not, and will never, sell any such data to any third party. We have crash logs and things of this kind that are only used for internal development. Another example is that, just physically, our servers have to detect that your tablet is trying to update. In practice we collect less data than any device you have likely ever owned, and will continue to make things more and more paranoiacally secure and private to the greatest extent we can.

If anyone has questions about what we do, how it compares with other devices, and so on, feel free to message.

I'll also add that we openly encourage you to use the device however you wish and even help with things like custom ROMs and so on, through the https://www.daylighthacker.wiki.

In my non-expert, non-legal opinion, the policy update doesn't substantially change anything from the previous version, but does add more detail that our lawyers have told us we need. Overall it's fairly standard. As our tech improves and the business grows, we will be able to afford more specificity and bespokeness in these kinds of documents. For now it's good that the notice we sent is sparking a discussion.

Long-term, a totally custom operating system that isn't based on Android, and incorporates things like homomorphic encryption at rest and so on is still the goal, but it will take time to get there.

Discussion

I appreciate the response and I'm looking forward to being convinced (and convincing the rest of nostr) that you're correct!

can you explain why the privacy policy says what it says (especially about sharing data with affiliates for the purpose of targeted advertisement) if that's explicitly not something you do, plan to do, nor have the capability to do (if user data, handwriting, reading activity, etc is well encrypted you wouldn't even be capable of sharing it).

the last thing I want to do is spread misconceptions, especially malignant ones. But I can't square the difference between what you're saying here and what the policy email stated.

nostr:nprofile1qqswhhhf99z77pfg80s2c00z27rusxn2tzss7450n34krkwa2yadhtgpp4mhxue69uhkummn9ekx7mqpz3mhxue69uhkummnw3ezuerkv36zuer9wcq3vamnwvaz7tmpw5h8yetvv9ukzcnvv5hx7un8lpntld I want to believe what you're saying but your operating system, which is effectively your hardware, is lumped in with everything else in your business, and this privacy policy states that it collects personally identifiable information from nearly every interaction possible including pen strokes and will share this personally identifiable info with anybody for any reason, including marketers and law enforcement.

If your hardware/OS is private in any capacity, you need to separate it from the rest of your business legalese. I get that websites will track mouse movements, etc, from anon visits and use it for marketing optimization; I've seen this type of privacy policy for websites and other apps. But that shit is unacceptable if it's baked into the OS, and your privacy policy makes no distinction.

We're discussing closed source hardware and software?

Out of my league on this but the display is revolutionary, that’s all. Would it be possible to “jailbreak” and go Linux? I understand Linux isn’t for everyone, but to make this a sweet little workhorse?

Currently loaded some Kindle content, articles, web content, PDFs for study, then planning to run mainly off-net. JUST started use and beginning to find and try apps for this purpose. Extracting, annotating and writing on this is sweet!

"mainly off-net" is feasible with GrapheneOS because you have granular control over everything (including optional Google Play Services). other versions of Android do shit you don't realize they're doing. ...like potentially phoning home to Daylight about all your activity ..

maybe you just mean "with WiFi off" in which case you'd be safe for as long as it's off.

Thank you!

Basically, we've legally been advised by our lawyers that we had to update the policy for specific different regions (Switzerland, Europe, California) and because we've reached a critical mass of people, and to cover our bases for fundraising. As part of this, we had to be more specific about all the data that lives on our servers. We never intended to imply this kind of data gets used for any other purpose than error logging and loading and syncing the content in your library. Nor will it ever be used for any other purpose.

If you compare it with the prior policy, you will see they are identical on this point. It's inconvenient that the standardized nature of these policies has implications other than what I'm describing, but it's very expensive to change and we have to be judicious about where we direct our resources. When the time is right, I'm sure we will make all these distinctions more explicit. Again, I'm not a lawyer, but I can assure you that as a technical fact, and in terms of the 13 people who work at this company, there isn't any intent or implementation that behaves the way you're concerned about.

A last statement about encryption since you also mention it: the data is not encrypted at rest, so that we can process it for title-generation, length, PDF generation and so on, and so backups and syncs are easy. Every piece of data is e2e encrypted in the same way Signal messages and so on are: over https, the same way your banking information is protected. To encrypt at rest is a major technical undertaking we do intend to get to eventually, and we have put in work there, but it's going to take more time. If you're curious, see https://en.wikipedia.org/wiki/Homomorphic_encryption

Re: privacy, you're saying "trust us". (at the same time as you're on nostr attempting to appeal to a "don't trust, verify" crowd). I understand the legal and resource reasons why you are doing so, but at the end of the day it's still "trust us, we'll be good".

> the data is not encrypted at rest, so that we can process it for title-generation, length, PDF generation and so on, and so backups and syncs are easy

Why not do that generation on-device and sync encrypted data? Is processing data for "title-generation" and "length" really so resource intensive that it must be done in centralized servers? If so, why not allow users to self-host their own services for providing this computation to themselves? Obsidian Sync works this way - that is, you either sync _encrypted-at-rest_ data with the for a fee, or you provide your own sync service - and I've noticed you guys like to be seen as travelling the same seas as Obsidian.

with THEM* for a fee (Obsidian's sync service)

You still haven't addressed, head-on, why the new privacy policy explicitly states that personal data will be shared with affiliates for the purpose of targeted advertising.

If you have no intention of ever doing this, there is no reason to say you _do_ currently do this in your privacy policy.

I appreciate the response. Your small team needs to discuss how your efforts at providing a private and secure device are being totally undermined by your lawyers. This privacy policy is a decisive step in the wrong direction for a company that claims to care about privacy. Unfortunately, your concessions on nostr aren't going to mean much to other privacy conscious people who examine this policy. It's a real problem and I hope you remedy it.

Here is a much better privacy policy for a privacy-oriented hardware device

https://unplugged.com/policies/privacy-policy

I should add: if this settles out such that it's clear I was wrong and I owe you an apology, I pledge to reply to every single comment on this thread with a reference to a clarification note.

It's easy for people to see a nostr thread, comment on it, and then never see any important updates to the thread. I'll personally make sure anyone who saw the original note also sees the conclusion, if necessary.

Really not trying to baselessly stir shit here.

nostr:nevent1qqsr50rd3e6ta3mafzysdfw7ldpsmpe9ghxjtjjdw49jr8q6s7rh0sqpramhxw309u6rxdpsd4skjm3wv36kx6mydeejummjvuargwp58qhsyg8tmm5jj300q55rhc9v8h390p7grf493gg0268ec6mpm8w4zwkm45psgqqqqqqs9a4dd6

The proper response to this particular case would have been: “We should have been more diligent in checking our lawyers’ recommendations, it’s not in line with our ethos. We are amending the policy now and will post the amendment to more accurately reflect how the data is used”

Not…

“it’s a standard contract”

“our lawyers told us”

Please.

Can everybody trying to break into this community try to understand this community first.