

If you’re deliberately belittling me I won’t engage. Goodbye.


“You criticize society yet you participate in it. Curious.”


To be clear, I am not minimizing the problems of scrapers. I am merely pointing out that this strategy of proof-of-work has nasty side effects and we need something better.
These issues are not short term. PoW means you are entering into an arms race against an adversary with bottomless pockets that inherently requires a ton of useless computations in the browser.
When it comes to moving towards something based on heuristics, which is what the developer was talking about there, that is much better. But that is basically what many others are already doing (like the “I am not a robot” checkmark) and fundamentally different from the PoW that I argue against.
Go do heuristics, not PoW.


It depends on the website’s setting. I have the same phone and there was one website where it took more than 20 seconds.
The power consumption is significant, because it needs to be. That is the entire point of this design. If it doesn’t take a significant number of CPU cycles, scrapers will just power through them. This may not be significant for an individual user, but it does add up when this reaches widespread adoption and everyone’s devices have to solve those challenges.


It is basically instantaneous on my 12 year old Kepler GPU Linux Box.
It depends on what the website admin sets, but I’ve had checks take more than 20 seconds on my reasonably modern phone. And as scrapers get more ruthless, that difficulty setting will have to go up.
The Cryptography happening is something almost all browsers from the last 10 years can do natively that Scrapers have to be individually programmed to do. Making it several orders of magnitude beyond impractical for every single corporate bot to be repurposed for.
At best these browsers are going to have some efficient CPU implementation. Scrapers can send these challenges off to dedicated GPU farms or even FPGAs, which are an order of magnitude faster and more efficient. This is also not complex, a team of engineers could set this up in a few days.
Only to then be rendered moot, because it’s an open-source project that someone will just update the cryptographic algorithm for.
There might be something in changing to a better, GPU resistant algorithm like argon2, but browsers don’t support those natively so you would rely on an even less efficient implementation in js or wasm. Quickly changing details of the algorithm in a game of whack-a-mole could work to an extent, but that would turn this into an arms race. And the scrapers can afford far more development time than the maintainers of Anubis.
These posts contain links to articles, if you read them you might answer some of your own questions and have more to contribute to the conversation.
This is very condescending. I would prefer if you would just engage with my arguments.
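
The cost asymmetry argued over in the comments above, as an added example that is not part of any commenter's post or of Anubis itself: a hashcash-style challenge where the client brute-forces a nonce and the server checks it with one hash. SHA-256, the `challenge:nonce` encoding, the "leading zero hex digits" difficulty rule and all function names are assumptions made for illustration.

```javascript
// Added example (not from the thread): hashcash-style proof of work.
// Assumptions: SHA-256, "challenge:nonce" input, difficulty counted in
// leading zero hex digits of the digest.
const { createHash } = require("node:crypto");

function powHash(challenge, nonce) {
  return createHash("sha256").update(`${challenge}:${nonce}`).digest("hex");
}

// Client side: try nonces in order until the digest meets the difficulty.
// `attempts` is the number of hashes the client had to compute.
function solve(challenge, difficulty) {
  const prefix = "0".repeat(difficulty);
  for (let nonce = 0; ; nonce++) {
    const hash = powHash(challenge, nonce);
    if (hash.startsWith(prefix)) return { nonce, hash, attempts: nonce + 1 };
  }
}

// Server side: a single hash, whatever the difficulty is.
function verify(challenge, nonce, difficulty) {
  return powHash(challenge, nonce).startsWith("0".repeat(difficulty));
}

// Average solver work: each extra hex digit multiplies it by 16,
// which is the knob an admin turns when raising the difficulty.
function expectedAttempts(difficulty) {
  return 16 ** difficulty;
}

// Solve one constructed challenge at rising difficulty and compare the
// measured work with the expectation; verification stays at one hash.
function demo() {
  const challenge = "constructed-challenge-123"; // constructed sample value
  return [1, 2, 3, 4].map((difficulty) => {
    const s = solve(challenge, difficulty);
    return {
      difficulty,
      expected: expectedAttempts(difficulty),
      attempts: s.attempts,
      valid: verify(challenge, s.nonce, difficulty),
    };
  });
}

console.table(demo());
```

The `attempts` column is the work every visitor's device performs per challenge, and it is the same work regardless of how fast the hardware computing it is.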


On the contrary, I’m hoping for a solution that is better than this.
Do you disagree with any part of my assessment? How do you think Anubis will work long term?


I get that website admins are desperate for a solution, but Anubis is fundamentally flawed.
It is hostile to the user, because it is very slow on older hardware and forces you to use javascript.
It is bad for the environment, because it wastes energy on useless computations similar to mining crypto. If more websites start using this, that really adds up.
But most importantly, it won’t work in the end. These scraping tech companies have much deeper pockets and can use specialized hardware that is much more efficient at solving these challenges than a normal web browser.


Not disappear entirely, but most households won’t own desktop computers or HDDs.
They can make it so much harder to do that, to the point where almost everyone just gives up.
If you’re upset that your hacked-to-bits, rooted, unlocked and/or unencrypted device is failing checks: I’d say, tough luck. Until we can create provably untampered app-containers, that level of access genuinely breaks TOS on apps and regulations on handling personal data.
Hard disagree. If you own the device, you should be in full control of what’s going on. Sure, attestation can give some extra security, but that decision should be up to the user. Everything else is just excuses for user hostile DRM: platforms leveraging technology to secure their own profit margin against the interests of the user.
Websites do not have access to your IMEI. That’s only a concern when you use the app.


Sure. For the fact that many jurisdictions outside of the US also consider freedom of speech and other human rights to apply between private parties: this is called “horizontal effect” and covered extensively in case law by e.g. the European Court of Human Rights. See also this chapter for an international comparison and this paper for a European perspective.
As for the specific rules in the EU for platforms: Article 17 of the Digital Services Act requires that users who are banned or shadowbanned from any platform are provided with specific information of what rule they broke, which they can then appeal internally or in court. Article 34 and 35 requires very large platforms (such as X) to take broad measures to protect i.a. the users’ freedom of speech.
More to the point, one person who was shadowbanned by X in a similar way used the DSA and won in court.
(Edited to add the last paragraph)


*in the US.
The EU recognizes that human rights such as freedom of speech also should be protected against private parties. Platforms can’t ban or restrict you for arbitrary reasons here.


I’m of the opinion that having a lot of money shouldn’t, in fact, allow you to do what you want. No person should have this power to do mass censorship, not in the last place because manipulating online discourse means manipulating a fundamental aspect of democracy.
Musk specifically is meddling in elections, both in the EU and the US by e.g. bribing voters. Turning the dials of the algorithm lets him do this even more effectively.


As long as it’s not an exit node, nobody will be able to tell what the traffic is. It’s all encrypted including the metadata.


I think they mean UPnP
How does that increase the risk compared to something like JBOD or overlayfs? In both cases you will lose data if a drive fails. Keep in mind that this is btrfs raid0, not regular raid. If anything that decreases the chance of corruption because the metadata is redundantly stored on both drives.


No mention of systemd? This is unacceptable.
Many EU countries have their own different laws about this stuff. The GDPR likely does not apply here because of the exception for “purely personal and household activities”, article 2(2)(c).