Damus
Gzuuus
@Gzuuus
There is a generalized over-reliance on plain-text, application-specific data published by Nostr clients, which is really concerning. Loads of apps publish this data every time you read notifications, set settings, check your home feed, or manage a premium subscription, among other things. All of this is normally published in plain text to your relays.

This data is quite revealing, and the current default behavior of some signers is to sign these events by default, so they get published without the user noticing it. I don't know if you realize this, but it's pretty leaky. I would say it's even worse than centralized platforms collecting data because all of this information is public and in plain text. It's a privacy concern that exposes usage habits and other metadata to everyone, and all of this data can be used by anyone. Are you interested in the last time someone checked Nostr, or profiling a user? Just query for their latest events with kind 30078.

This has to improve. Developers should be conscious of how this harms user privacy, and users should recognize how exposed they are. The first thing you can do if you care is go to your signer and disable signing these events automatically. The apps you use might feel a bit broken, and you'll have to sign these events manually, but at least you wouldn't be publishing these leaky events automatically.

Now, I'm going to share a little list of what you can find out there... for free.

- YakihonneAppSettings
- store-settings
- seen_notifications_at
- ride_request
- routstr-chat-api-keys-v1
- plebs/watch-history
- plebs-settings
- Primal-Android-App
- Primal-Web App
- Primal-Web App | get_app_settings
- Primal-Web App | get_membership_status
- nym-settings
- nym-shop-active
- lumi-settings
- ghostr-publish-history
- ghostr-processed-submissions
- fanfares/purchases
- AmethystSettings

And this is just some of them. If you want to inspect this yourself, you can use and modify this `nak` command:

```sh
nak req -k 30078 wss://relay.nostr.net wss://relay.damus.io wss://relay.primal.net wss://nos.lol | jq -r '.tags[] | select(.[0] == "d") | .[1]' | sort -u
```
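A way to audit your own key's exposure, as an added example that is not part of the original post: this Python sketch reads events as JSON lines (for instance the raw output of the `nak req` command above, before the `jq` step), keeps kind 30078 events signed by your pubkey, and reports per `d` tag how many events came back, the latest timestamp, and whether the content looks encrypted. The NIP-04/NIP-44 detection is a heuristic, and the pubkey, the `example-app-settings` tag and all sample events are constructed.

```python
import base64
import binascii
import json
import re

APP_DATA_KIND = 30078  # the kind queried in the post
NIP04_RE = re.compile(r"^[A-Za-z0-9+/]+=*\?iv=[A-Za-z0-9+/]+=*$")

def classify_content(content):
    """Heuristic guess: 'empty', 'nip04', 'nip44' or 'plaintext'."""
    if not content:
        return "empty"
    if NIP04_RE.match(content):  # NIP-04 layout: <base64>?iv=<base64>
        return "nip04"
    try:
        raw = base64.b64decode(content, validate=True)
    except (binascii.Error, ValueError):
        return "plaintext"
    # NIP-44 v2 payloads start with version byte 0x02 and are at least 99 bytes.
    return "nip44" if len(raw) >= 99 and raw[0] == 2 else "plaintext"

def audit(lines, my_pubkey):
    """Summarise kind 30078 events signed by my_pubkey, keyed by d tag."""
    report = {}
    for line in lines:
        if not line.strip():
            continue
        ev = json.loads(line)
        if ev.get("kind") != APP_DATA_KIND or ev.get("pubkey") != my_pubkey:
            continue
        d = next((t[1] for t in ev.get("tags", []) if len(t) > 1 and t[0] == "d"), "")
        entry = report.setdefault(d, {"events": 0, "latest": 0, "content": "empty"})
        entry["events"] += 1
        if ev["created_at"] >= entry["latest"]:  # keep the newest event's verdict
            entry["latest"] = ev["created_at"]
            entry["content"] = classify_content(ev.get("content", ""))
    return report

# Constructed sample events (not real relay data); ME is a placeholder pubkey.
ME = "aa" * 32
NIP44_LIKE = base64.b64encode(b"\x02" + bytes(98)).decode()
SAMPLE = [json.dumps(e) for e in (
    {"kind": 30078, "pubkey": ME, "created_at": 1700000000, "tags": [["d", "seen_notifications_at"]], "content": "1700000000"},
    {"kind": 30078, "pubkey": ME, "created_at": 1700000600, "tags": [["d", "seen_notifications_at"]], "content": "1700000600"},
    {"kind": 30078, "pubkey": ME, "created_at": 1700000100, "tags": [["d", "example-app-settings"]], "content": NIP44_LIKE},
    {"kind": 30078, "pubkey": "bb" * 32, "created_at": 1700000200, "tags": [["d", "store-settings"]], "content": "{}"},
)]
if __name__ == "__main__":
    print(json.dumps(audit(SAMPLE, ME), indent=2))
```

Any `d` tag reported as `plaintext` is one to stop auto-signing in your signer, or to raise with the app's developers.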
mleku · 5w
they should always be encrypted wth. i've seen this and constantly scratching my head "why isn't this using an application specific data wrapper with encryption?"
balas · 5w
yeah, no one cares.. I stopped giving a fuck about what other clients do and try to call them out long ago. focus on your stuff, make it good so you have a better alternative when someone comes looking for it
il_lost_ · 5w
I noticed that it doesn't even get overwritten for the same app, so the relays are also wrong
Richi · 5w
How do I modify the command? I replace the d with my pubkey?
Richi · 5w
Is there a way to improve it?!
Kayne · 5w
Is nostr actually just a psyop to make us share our opinions uncensored along with all of our other information so that it becomes easier to hunt down people they see as a threat? Or is this just Devs not actually caring about users' privacy?
jb55 · 4w
they should use private note storage spec for things like this