In the second part of this series, I'll look at how to identify the level of threat your online presence could present and how you address that.
Define the threat
A common misconception many people have is to assume that the greatest or only threat comes from 'Big Tech', this is not the case. There is every chance that a smaller operation could easily be involved in nefarious actions, that they could be stretched technically whilst trying to keep up with security updates or simply growing too fast. The real issues here is to look at the service provider rather than apply a blanket ban on the big guys.
Essentially, the following represent the principal threats against which protection is required:
- Providers actively spying
- Service providers tracking and data sharing
- App developers spying through malicious software
- Hackers gaining access to users’ computers and data
Additionally, anyone working in counter-operations and attempting to identify threats will need to hide their identity.
Protection from service providers
In a typical setup, messages, emails and other communications are stored on a server. The threat here is the provider or a hacker being able to interrogate your communications at will, without your knowledge. This can apply to many commonly used services such as SMS messaging, Telegram, Discord etc.
This can be addressed by applying end-to-end encryption (E2EE) before the communications are even sent to the server. The confidentiality of your messages is guaranteed, so long as the service provider does not have access to the private keys of either party.
In practice, the effectiveness of different end-to-end encryptions programs will vary. Apps such as Signal run this natively on your device. If a service provider were to attempt to backdoor your app, this could be detectable later.
So, when relying on end-to-end encryption, try to select a native application over web clients, if possible.
Even with end-to-end encryption, service providers can still profile you based on your metadata, which is not normally protected. The service provider can't read your messages directly but will be able to see who you’re talking to, how often and at what times. Protection of metadata is uncommon so you should check the technical documentation of the software to see if there is any.
Protection from cross site or service tracking
There are various identifiers that can be used to track you across websites and services including the following:
- IP address
- Browser cookies
- Browser fingerprint
- Data submitted online
- Payment methods
The aim here should be to differentiate your online identities from one another, blend in with the 'online crowd' and avoid giving out any identifying information as much as possible.
Be wary of the protections offered by privacy policies, try, instead, to differentiate your online data in such a way that it becomes difficult for malicious providers to correlate that data and build a profile on you.
You could achieve this by using an encryption tool such as Cryptomator prior to uploading your data to cloud services, using prepaid cards or cryptocurrencies to avoid using your credit/debit cards, using a VPN to hide your IP address etc. Check out privacy.do for further suggestions.
Limit Public Information
One of the best ways to ensure your data is kept private is to simply not put it online in the first place. Likewise, deleting information you find online about yourself is one sensible measure you should take.
On sites where you need or chose to share information, check the privacy settings to limit how widely that data is spread. Your account settings may have a 'private mode' which will stop your account being indexed by search engines and viewed by unauthorised people.
As an extreme reaction against sites already holding your information, you could submit alternative versions in order to obscure your identity e.g. change phone numbers or addresses.
Protection from malware and hackers
Using privacy tools is pointless if they can easily exploit or cracked. When considering application security, it is often not possible to know if the software does not have a serious vulnerability that could be exploited.
To minimize potential damage, you can improve security by employing compartmentalization. This could be by using different devices for different tasks, using virtual machines to separate different groups of related applications, or using a secure operating system with a strong focus on application sandboxing and mandatory access control.
Mobile operating systems are generally safer than desktop operating systems when it comes to application sandboxing. Apps cannot obtain root access and only have access to system resources which you grant them.
ChromeOS has similar sandboxing properties to Android, and macOS has full system permission control and opt-in (for developers) sandboxing for applications. These operating systems do transmit identifying information to their respective OEMs.
Linux tends to not submit information to system vendors, but it has poor protection against exploits and malicious apps. This can be mitigated with specialized distros which make use of virtual machines or containers, such as QubesOS.
Desktop operating systems generally lag behind on effective sandboxing.
Web browsers, email clients, and office applications typically run untrusted code sent to you by 3rd parties. Running multiple virtual machines to separate applications from your host system as well as each other is one way you can use to avoid any exploition of these applications.
You should use an operating system with a secure verified boot implementation, Android, iOS, ChromeOS, or macOS, for instance. You can also ensure that your drive is encrypted, and that the operating system uses a TPM or Secure Enclave or Secure Element for rate-limiting attempts to enter the encryption passphrase.
You should avoid sharing your computer with people you don’t know or can trust, as most desktop operating systems do not encrypt data separately by user.
Avoid Bad Practices
- Over reliance on privacy policies, they often aren't very effective
- Shifting trust from one service provider to another or over reliance on badness enumeration instead of systematically solving the problem
- Trusting open-source software, as it is not necessarily private or secure
When threat modeling, it is vital that you evaluate the privacy and security properties of each piece of software being used, rather than just blindly trusting it because it is open-source or from a 'reliable' developer.
So let's walk through some living examples of defining your individual threat level and how you could react:
First thing first: know your treat level. What are you looking for? Are you someone who has invested heavily in Apple before? Are you comfortable with the trackers Apple or Google give you? Are you on Social Media, and, most of all, are you afraid of what happens down the road with your data? Remember that what may be totally OK in today's world might not be OK (or even legal) 10 years from now.
So If you use Social Media like Facebook and WhatsApp, you don't really have to bother asking if Samsung or Apple is the better option — You will get tracked! And your data will get used!
If you use Alexa, Siri, or Google Nest at home, and you use it connected to the same account you use for your cellphone, well then why bother? Take the phone you like most or buy the phone which has the best camera, etc.
If you separate your WireTab smart speaker from your main account, and don't have it on your family link, you have achieved a little more privacy. They'll probably figure out that it's you in the same house, but still separate those two, if you can.
If you are one of the people in this first category, you can use DNS and block some trackers with a DNS blocklist at the DNS level. You will get more privacy out of this, even when using Social Media and with all the tracking devices installed at your home. Use any DNS you trust, I recommend NextDNS as you can block a lot at a DNS level. This goes for iOS users too.
So go to Settings - Network & Internet - Advanced - Private DNS and set anything you trust and like. Maybe even just something like:
dns.quad9.net or fdns1.dismail.de
Consider switching off Location Services, as you do not need this on all the time.
As you see in Category 4, you do not have to worry about what brand of device you buy.
You've quit Social Media or have replaced Facebook, Twitter and co with Mastodon and other suitable replacements. Furthermore, you understand about surveillance capitalism and do not want to receive targeted ads and have your information shared around among the internet data sharks. So now go to a stronger DNS level setup. Like NextDNS and even RethinkDNS on Android. Consider AdGuard Pro on iOS.
You should use open-source software and perhaps replace your Google PlayStore with F-Droid. If you are on iOS, log out of the iCloud! Use encrypted messaging like Signal, Element or Threema.
Even in Level 3 you do not need to bother about what cellphone you get, just get rid of the intrusive apps and do not log in to Apple or Google. Switch off Location Services! And remove the most intrusive apps, like Facebook and co., via ADB.
Just as in all categories:
Settings - Network & Internet - Advanced - Private DNS and set anything you trust and like. Even just something like:
dns.quad9.net or fdns1.dismail.de
You would like to be as private as possible, yet still rely heavily on Google Play Services and co. Well, you have some great options, get a Pixel Phone and load CalyxOS or GrapheneOS.
With Calyx you can have MicroG (if you so choose), and you won't have much trouble even with banking apps and co. You will have a pretty good setup.
With GrapheneOS you can even have a more hardened setup and with the new implementation of the Google Play service (fully isolated) in a work profile you can install anything that is on the Playstore from the Playstore!
I would still recommend, for both CalyxOS and GrapheneOS, not to use the Playstore, and if you need an app from the store that has no FOSS alternative, well, then use Aurora anonymously.
This category is excellent, and will work for many people and with the upcoming Pixel 6, you will even be able to use a true flagship phone in this category. I know…the irony…get a Google phone to leave Google for good!
As always, use a DNS or even RethinkDNS and lockdown every app that doesn't need Internet access. GrapheneOS has its settings to block network access for each app. It works as advertised! So RethinkDNS is not needed, but I would still use it on top!
Other than that — Settings - Network & Internet - Advanced - Private DNS and set anything you trust and like. Even just something like:
dns.quad9.net or fdns1.dismail.de
These are the activists! The journalists and people who truly need privacy. The question "iPhone or Samsung?" should not even cross your mind! I'll even go so far as to say MicroG should not even cross your mind!
Get a Laptop, perhaps from System76 (which has laptops with coreboot). Install SchildiChat or Element, perhaps install Signal and verify the number on a burner phone. You can also get numbers on textverify or other services. Use an email forwarding service and have your email PGP encrypted.
If you do need a cellphone, get a Pixel and use GrapheneOS. Do not use Play Services. Use a secure DNS, perhaps use RethinkDNS and block all apps, but the few you really need online from the internet, combined with the RethinkDNS service and block all trackers and services you do not use! Use only F-Droid as your App store, only download apps you need on to your phone. Do the rest on your laptop.
Use the Tor browser and/or RethinkDNS orbit setup. This, and not 'iPhone vs Samsung'. Should be the only consideration for an activist.
Regardless of which category you are in, there is no reason to buy apps with your credit card, you can use Bitrefill to get Play Services and Apple load. You also have no reason to use your real country of origin or your real name!
One final issue is that you need to recognize that there are often several 'right' ways to achieve the desired outcome. So, there are multiple sources of information and you'll need to look around and educate yourself as to the various options available,
To this end, I'm going to close with a short vid from Techlore on all the above:
Stay safe, stay secure
The Privacy Advocate