Thread

Periodic reminder that your relays see absolutely EVERYTHING you do on Nostr. Regardless of which Client you use. They literally see the app downloading zaps, replies, and reactions when you scroll your posts in real time. So... MAKE SURE TO KNOW WHO THEY ARE and that you TRUST THEM with that information. Nostr is just like a browser. The server has to know what you want to see to send it to you, and that gives them the power to track you and see what you are asking for. There is no way around it. I can't stress this enough.

Replies (88)

You literally can't stress this enough, because no matter how much you explain it, people will remain blissfully ignorant. I don't know Elon Musk or trust him but I still have an X account. I couldn't even tell you who owns Reddit. It was Y Combinator but I know Tencent is invested in Reddit and Discord. No clue who operates any Lemmy instance I have tried in recent weeks. No trust there. Users are not going to solidify trust externally to the system, except in their own personal interfacing with that system. Nostr is no different. I've used almost every known client - do I trust the creators? Absolutely not, as I don't know anyone behind the npub. Do I trust the internet to secure my content unless I am the authority above said content? No. Do I even trust a sovereign system without backups? Nope. Can anyone really trust backups without several layers of redundancy? That depends on the **importance of the data**. Because the underlying technology does not require trust. It requires cohesion and function. Transacting between entities is where trust comes into play. Transactional trust has been outsourced to verified protocols, like TradFi systems and Bitcoin/LN/XMR/crypto. Verification is where trust is native to networks. I can verify the code of the applications I install. I can verify how "well known" a developer is. I can verify their past experience if it is available. I can verify their sentiment by exploring their public identities. This is totally devolving but I'll leave it at that and invite others to argue about trust/verification/authentication in my wake.
Stay out of my drafts or we'll be fighting
Nostr isn't private by default. A few things that help: – Use trusted relays – Keep your relay list lean – Separate read/write relays – Choose privacy-conscious clients – Don't treat Nostr like Tor. And most importantly… support the folks working on better privacy tools in the protocol. We need it.
What about if you're on iOS? Is there a website that lists available paid relays? Even with a paid relay, I assume it can still see your traffic—it would have to log it. I bring up VPNs because they mask your IP address. While relays might still have access to your data, they likely wouldn't be able to determine your geolocation from the IP, which is probably the main concern for most people.
In your OP you wrote: > Periodic reminder that your relays see absolutely EVERYTHING you do on Nostr. Regardless of which Client you use. They literally see the app downloading zaps, replies, and reactions when you scroll your posts in real time. I understand that the relay data is public by design and that is what makes the accountability impossible. You also wrote: > So... MAKE SURE TO KNOW WHO THEY ARE and that you TRUST THEM with that information. How would a user know who is running the relay and why would you trust them with your data?
there are currently so many factors that make this whole process near impossible to achieve: - it's not only about trust in relays, but also trust in end users as they could re-broadcast what they see. - clients have default big pre-defined relays. users are told they "own" their data, which is kind of true only under very specific conditions. among other major onboarding issues, nostr is advertised with crazy statements: "you own your data". but as many others also mentioned before, data ownership is not real, it has never been. and you can't ever have true control over where your data is going. for this to be real, each user would have their own household relay, all clients would use outbox model and, even then, it would only work for protected events while also hoping your posts don't end up broadcasted to relays that don't care about nip-70. this makes me think there could be data crawlers all over nostr that will find your data and possibly just sell it. PoW and paid relays are solutions yet to be, for the former, deployed on more clients, and for the latter, accepted by people (no one wants to pay). - there's basically no information on the biggest relays rn and who owns them as far as i know. what relays to use in order to have the broadest view possible or to help with discoverability? nostr.wine looks okay... but what else is there? if your client doesn't use the outbox model, setting main big relays is the only way for you to discover new content. at this point i have accepted that anything posted on nostr is automatically freely accessible to everyone on earth by default. and we should expect all the companies in the world to track everyone's data. the censorship-resistant aspect is real though.
Great comment, want to add that "owning data" doesn't mean "restricting access". Nostr clients could potentially back up locally all the events that are published by the user as an extra "home relay". Then if I decide to move to another relay, perhaps I purchased a paid one, the Nostr client could re-publish my entire archive to this new relay. Clients should also do outbox model, only publishing profile and other events to a small set of relays, except for the Relay List, which should be published on "Discovery Relays" so everyone can be discovered.
Been saying forever: #nostr and #bitcoin are open public networks. If you are sharing your real identity, behave well. If you are anonymous, there is no reason for you to NOT behave well :-)
This will enable social media feed scrolling as a spectator. Twitch for doomscrolling 😂 Jokes aside, good to remind yourself of. Also something to fix for sure. Can't we just fix this with smokescreen data? The app asks for way more than it actually is looking for? Separating the calls between relays? Maybe not absolute protection but a lot better than nothing?
It is true, but we already agree to make our actions here public. The only concern is about privacy if the relay can get more information associated with it, like an IP address... And another interesting point: how can you be sure about "who they are"? Does a KYC exist for relays? It is interesting anyway to remind us of this point, thank you for that.
Reminder that store owners can see you walking into their store, and can notice how long you stand in front of what products. Their eyeballs can also observe everything you buy at that store. I can't stress this enough
There is no way that we would ever know who is behind relays and even if we do, there is no way of knowing whether or not they do nefarious things with our data. The very nature of Nostr is that everything is open and once posted potentially online forever if you like it or not. Therefore, we must be VERY cautious with what we post, no matter what.
This is important for people to understand.
It's not just the relays you use. It's ALL relays that are publicly writeable. If you care about privacy, use a VPN or TOR.
What Vitor is pointing out here is extremely important, BUT it is very easy to misinterpret it as: "RELAYS ARE TRACKING YOUR NPUB AGAINST EVERY QUERY YOU MAKE" which is just false, since they can't. They can however see every write that you do. So can everyone else, but they can also associate your IP to it. So use a VPN. Now what this post is hinting at is that relays CAN do meta analysis to figure out who is querying these posts (by looking at follow lists and author filters) or which IP is browsing what content, so they can create a profile to some degree. Which is why you SHOULD connect to trusted relays. Just pointing out the hidden details so people don't get the wrong ideas from it.
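How much a feed request gives away under the meta-analysis described in the reply above, and how far the "smokescreen" and "separate the calls between relays" ideas raised earlier in the thread change that, as an added example that is not part of any post in the thread. It compares the `authors` filter of a NIP-01 `REQ` with public kind-3 follow lists (NIP-02); the pubkeys, events and function names are constructed for illustration.

```python
import json

# Constructed sample data: short names stand in for 64-char hex pubkeys.
# Public kind-3 contact lists (NIP-02), which anyone can fetch, relays included.
CONTACT_LISTS = [
    {"kind": 3, "pubkey": "alice", "tags": [["p", "bob"], ["p", "carol"], ["p", "dave"], ["p", "erin"]]},
    {"kind": 3, "pubkey": "frank", "tags": [["p", "bob"], ["p", "grace"], ["p", "heidi"]]},
    {"kind": 3, "pubkey": "ivan", "tags": [["p", "carol"], ["p", "dave"], ["p", "judy"], ["p", "mallory"]]},
]

def follows_by_user(events):
    """Map each kind-3 author to the set of pubkeys in its "p" tags."""
    return {e["pubkey"]: {t[1] for t in e["tags"] if t[0] == "p"}
            for e in events if e["kind"] == 3}

def req_authors(raw):
    """Union of the "authors" filters in a NIP-01 ["REQ", <sub_id>, <filter>...] message."""
    msg = json.loads(raw)
    if not isinstance(msg, list) or len(msg) < 3 or msg[0] != "REQ":
        return set()
    authors = set()
    for flt in msg[2:]:
        if isinstance(flt, dict):
            authors |= set(flt.get("authors", []))
    return authors

def rank_candidates(raw_req, events):
    """Score each known follow list against one REQ.

    jaccard  = |A & F| / |A | F|   (drops when the client pads A with decoys)
    coverage = |A & F| / |F|       (drops when the client splits A across relays)
    Returns (pubkey, jaccard, coverage) tuples, best jaccard first.
    """
    asked = req_authors(raw_req)
    rows = []
    for user, follows in follows_by_user(events).items():
        hit = len(asked & follows)
        union = len(asked | follows)
        rows.append((user, hit / union if union else 0.0, hit / len(follows) if follows else 0.0))
    return sorted(rows, key=lambda r: (-r[1], -r[2]))

# Three ways alice's client could ask one relay for her home feed (constructed).
FULL = json.dumps(["REQ", "feed", {"kinds": [1], "authors": ["bob", "carol", "dave", "erin"]}])
SPLIT = json.dumps(["REQ", "feed", {"kinds": [1], "authors": ["bob", "erin"]}])
PADDED = json.dumps(["REQ", "feed", {"kinds": [1], "authors": ["bob", "carol", "dave", "erin", "x1", "x2", "x3", "x4"]}])

if __name__ == "__main__":
    for name, req in (("full", FULL), ("split", SPLIT), ("padded", PADDED)):
        print(name, [(u, round(j, 2), round(c, 2)) for u, j, c in rank_candidates(req, CONTACT_LISTS)])
```

In this constructed data the request never carries alice's own key, yet her follow list ranks first for all three requests: padding leaves coverage at 1.0, and splitting halves both scores without changing the ranking.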