Eartho: Open-Source, Privacy-Focused Alternative to Google Sign-In
26 comments
·October 25, 2024ziddoap
zephyreon
Laughably, the privacy policy states in several areas that they only collect, share, or retain data consistent with the privacy policy. E.g.
> The Company will retain Your Personal Data only for as long as is necessary for the purposes set out in this Privacy Policy.
And the privacy policy essentially provides for every purpose they would want to use your data. Sharing, for example:
> With Affiliates: We may share Your information with Our affiliates, in which case we will require those affiliates to honor this Privacy Policy. Affiliates include Our parent company and any other subsidiaries, joint venture partners or other companies that We control or that are under common control with Us.
> With business partners: We may share Your information with Our business partners to offer You certain products, services or promotions.
Pretty egregious.
zephyreon
As an aside, I’ve started reviewing companies’ privacy policies, terms of service, etc. before I decide to sign up. This is coming from someone who has previously just clicked “I Agree” to whatever terms are there on signup (be nice).
ibejoeb
Aside-aside: I used to run a service called TOS Salad (probably even posted it here like 15 years ago) that monitored these policies and sent notifications when they changed. It was pretty crude stuff, mostly munging stuff with perl, but the notion was to detect key provisions that should be considered and material differences when things changed. With today's LLMs, it would be a lot better. I don't know if I'll pick it up again, but maybe someone else is inspired...
ziddoap
If you haven't heard of it, "Terms of Service; Didn't Read" (https://tosdr.org/) can be a helpful addition to your review process.
Obviously not every site is covered, and you may want to review the terms yourself anyways, but I've found it pretty useful when I'm not in the mood to read thousands of words of legalese.
zie
At least they are up-front about it. Most copmanies are as bad or worse but hide it in their privacy policy with weasel words and lawyer speak.
ziddoap
The title says "privacy-focused". The first bullet point of the features section in github says:
>Your personal data is yours alone. With Eartho, your information stays private—no tracking, no sharing.
Their opening paragraph claims "privacy-first" and "prioritizes user privacy".
Compare that to the privacy policy, and then please explain to me how they are up-front about it.
from-nibly
But they aren't, because they claim they are privacy focused.
VariousPrograms
What is the market for this? Users use Google/Facebook logins because it’s one easy click and no one cares about privacy. Users who care don’t want a unified identity tied to all of their online activity, regardless of Eartho’s current privacy policy.
dartos
> We don't track any personal information, including your IP address or balances
How can I trust you? You’re literally a company inserting yourself in between my auth providers and anything I do on the internet.
What else would you gain beside aggregate data?
I bet you already have my ip in your logs just by me visiting your landing page…
zephyreon
The privacy policy is a litany of statements about how they collect all sorts of data and may share it with pretty much anyone under the sun.
Some of the more egregious ones I found:
Regarding using a social media provider to log in.
> We may collect Personal data that is already associated with Your Third-Party Social Media Service's account, such as Your name, Your email address, Your activities or Your contact list associated with that account.
Kind of a given if you’re logging in with a social media provider but still.
Regarding collection of your location.
> While using Our Application, in order to provide features of Our Application, We may collect, with Your prior permission: Information regarding your location. We use this information to provide features of Our Service, to improve and customize Our Service. The information may be uploaded to the Company's servers and/or a Service Provider's server or it may be simply stored on Your device.
Regarding sharing of your data.
> With Affiliates: We may share Your information with Our affiliates, in which case we will require those affiliates to honor this Privacy Policy. Affiliates include Our parent company and any other subsidiaries, joint venture partners or other companies that We control or that are under common control with Us.
> With business partners: We may share Your information with Our business partners to offer You certain products, services or promotions.
How we use your data section basically says we use it for everything and share it with everyone.
ibejoeb
It really is laughable. Was this posted here just to get dunked on?
madhacker
I was about to provide my credential via eartho create account but thought I should read HN comment first so no thanks Eartho - get lost!
dickhardt
Eartho sounds like a something a user wants. We have found that privacy is an added bonus, but that it is only one of many features a developer wants.
Adding yet another button that users don't understand confuses users.
I'm the founder of Hellō and we have a similar service that has cooperative governance. https://hello.coop/
FWIW it is a myth that Google uses where you login with Google for retargeting. Big Tech is always concerned about having to share user specific usage with US agencies. Google considers knowing where you login to be toxic data that they want to dump as quickly as possible. There are more than enough other signals from re-targetting.
BodyCulture
Can you please provide a source for your information about Google handling login data? Your words are very interesting, but they would have more impact if you could provide a source.
7bit
As far as I understand OIDC and OAuth, this means that any tokens (the passwords) have to go through Eartho, no? So while this may help reduce sensing PII to the SP you are trying to authenticate towards, you are now effectively doing what decades of IT security teaching told you not to do: giving 3rd parties your password -- only that now it's in transparent and the end user isn't aware of it.
api
The major challenge seems like it would be persuading companies to take any alternative to Google|Apple|Microsoft|GitHub for authentication.
293984j29384
I agree. It would seem something like this would be DOA.
7bit
Was the .io domain not deprecated?
WhatsName
If yes, please give me a link, that would affect us big.
rawfan
https://hackaday.com/2024/10/23/will-io-domain-names-survive...
.io is the country domain of the British Indian Ocean territories which will soon seize to exist.
293984j29384
cease*
gostsamo
not yet, but it is a possibility after the UK promised to return the territories
>Personally identifiable information may include, but is not limited to: Email address, First name and last name, Usage Data
>Usage Data is collected automatically when using the Service
>Usage Data may include information such as Your Device's Internet Protocol address (e.g. IP address), browser type, browser version, the pages of our Service that You visit, the time and date of Your visit, the time spent on those pages, unique device identifiers and other diagnostic data.
>We may share Your information with Our business partners to offer You certain products, services or promotions.
https://www.eartho.io/legal/privacy-policy
And so on...
Where does this company get the audacity to claim they are privacy-focused?