The New Oil

Privacy and security for everyone.
TheNewOil.org

Security researchers at Check Point have warned that phishing attacks related to online shopping and shipping of goods have risen 440% in November, indicating a huge rise as people are shopping for the holidays – even more so online with the global pandemic this year. As such, this seems like a great time for all of us to take a moment to remember the basics of phishing and how to protect ourselves.

What is Phishing?

Phishing is a technique almost as old as the internet itself. Phishing is when a malicious actor attempts to get someone to click on a link for malicious reasons. A few common examples you may have seen may include “there’s a problem with your PayPal account, login here to resolve it” and then it takes you to a login page that looks real but actually forwards your login credentials to the attacker, or an email that says “here’s those files you wanted” and then includes what appears to be a Word document but it’s actually a virus. Typically, the goal of phishing is to get access to a person’s account, but sometimes the goal can be to plant ransomware, make a botnet, or pretty much any nefarious purpose. Don't underestimate phishing: it may seem silly and hard to fall for, but it's been one of the top methods of “hacking” since forever. I forget where I read this so I won't quote it as fact, but I do remember reading once that a former NSA officer admitted that it was the NSA's primary method of gaining access to a targeted account, even over all the other fancy hacks and resources available to the agency.

So What are the Defenses?

The main defenses against phishing come down to three major principles:

1. Vet your emails. If you get an email from FedEx about a problem with your package, first off did you order a package? Second, did it get shipped FedEx? As a more year-round example, if you get an email from a coworker with an attachment, were you actually expecting that attachment? Don’t be afraid to ask questions. If you weren’t expecting that email, call them and ask to make sure it was them.

2. Don’t click the link. Instead, go directly to the website and log in. For example, if you get an email from Amazon saying there’s a problem, go directly to Amazon and log in there. If the email was legit and there really was a problem, you’ll be alerted to it as soon as you log in. If you click the link, it might take you to a page that looks exactly the same but isn’t and scammers have gotten real good at faking it. Don’t trust yourself to catch it. These guys get rich off scamming people smarter than both you and me. Don’t risk it. If it’s an attachment, I think most of the time it’s probably safe to open (assuming you verified you were expecting it), but if you’re fairly tech savvy it could be a good idea to set up a virtual machine that you use strictly for opening email attachments to ensure that they’re safe.

3. Keep your antivirus updated. New malware is being built and discovered constantly, and no matter what antivirus service you use, they are doing their best to keep their definitions updated. By keeping your antivirus software up to date, you ensure that it has the most recent definitions and the best chance of spotting a virus before it even gets in.

Advanced Defense

As with almost anything in privacy, there’s also a higher level of work you can do. For starters, using Linux greatly reduces the number of threats aimed at you. This is not a silver bullet. Malware targeting Linux does exist. However, since Windows has over 75% of the market share (and is most commonly used by governments, educators, and other industries), most attackers focus their attention there. This means that just by using Linux, a great deal of malware isn’t compatible.

Another advanced technique would be to use Virtual Machines. You can create a Fedora virtual machine for free in minutes and it will not only provide you with the excellent security of the Fedora Linux distribution, but also the additional advanced security of having a virtual machine. Think of a virtual machine as a computer within a computer, totally isolated from the device that it’s actually running in. While breaking outside of a virtual machine is not impossible for malware, it is incredibly difficult. You can create a virtual machine that you use exclusively for opening suspicious emails and attachments and further enhance your security.

Of course, whether you stick to the basics or try some advanced techniques, you should be using strong passwords and two-factor authentication on all your accounts. That way, even with the virtual machine strategy, your email account is unlikely to be compromised or taken over by malware. Remember to be on guard this holiday season, and I hope all your packages arrive on time and unbroken.

Tech changes fast, so be sure to check TheNewOil.org for the latest recommendations on tools, services, settings, and more. You can find our other content across the web here or support our work in a variety of ways here. You can also leave a comment on this post here: Discuss...

On this website, and on many other privacy and security websites, you will find people espousing the gospel of open source technology. This is an important thing. This year, Switzerland suffered two separate scandals where the US Central Intelligence Agency was found to be operating shell corporations within the country who sold tech equipment to foreign governments and armies that were equipped with encryption backdoors, giving the American intelligence community easy, front-row access to the sensitive communications of other nations. Open source could’ve prevented this. Open source software would’ve allowed anyone to look at the programming and operating system on the device and say “hey, something’s not right here.” However, I think that sometimes the privacy community oversells open source.

I often see privacy newbies espousing open source without knowing why. I see people say things like “I heard [X Service] is bad because it’s not open source,” but they don’t actually know why that is. The answer is that open source – as a general rule – tends to respect your privacy more than the average person. Because the code is open, anyone can examine it to ensure that it does what it says. Additionally, because anyone can examine it, people are more likely to find bugs and offer fixes that can be quickly implemented. However, the operative word in there was “can.”

A recent study from GitHub found that on average, vulnerabilities exist in open source software for over four years before being patched. Now it’s important to understand the context of this study: GitHub examined 56 million developers and over 60 million repositories. Out of those 60 million repositories I'm certain that many of them are just hobbies, uploaded by the creator as a backup, abandoned, or even as an “I made this for myself but if anyone else wants it, here it is” thing. Those all probably came with “buyer beware” terms. But even that can only account for maybe a few tens of thousands, at the most. Most of these repositories were probably uploaded with the intention of being shared and spread around.

Here is where we run into an interesting issue. I believe in supporting the little guy. Everyone was once a little guy. Walmart, Starbucks, Microsoft, everyone. And you can believe that those big guys have since lost their way, and maybe that’s true, but the point is that they were once little guys. Even in the open source communities, the rockstars – Ubuntu, Bitwarden, Signal – they were all once nobodies. The little guys need our support to become sustainable and successful. I firmly believe and respect that. But the little guys come with risks that need to be recognized. Security researchers are people, too. They have day jobs (usually, some of them are lucky enough to be full time researchers), they have personal lives, and they only have so much time they can devote to examining code. The smaller the developer, the less popular the code, and that means the fewer eyes on it examining it for weaknesses. In a big, well known project like Signal and Mastodon, there’s thousands or even millions of people using it and laying eyes on it – not to mention many of them can afford to pay for proper security audits. But in smaller, less popular projects not so much.

So no, open source doesn’t automatically mean privacy respecting or secure. Most malware is, by definition, open source. Once a malware gets discovered, there’s websites where researchers can share it so that other researchers can examine it, pick it apart, update their own virus definitions, and otherwise study it. Malware is literally “malicious software.” It’s a perfect example of how open source does not automatically mean private, secure, or safe. So does it still matter? Yes! All things being equal, open source is always better. The potential still exists for the code to be reviewed by someone who understands this stuff and to be improved upon. The potential also exists for someone else to come along and go “hey, this is a great project but this particular thing could be better, here’s my fork of it.” This is why there’s a billion web browsers out there, because someone saw something open source like Firefox and Chromium and said “could be better.”

Is it actually better? That’s a tough question. That’s where threat modeling comes in. But it’s important that you be educated when building your threat model. Open source is better, unarguably, but it doesn’t mean you should blindly trust it any more than the use of the word “encrypted.” It’s how the encryption is implemented that matters, and it’s how the open source nature of the software is used to better the software that determines if it can be trusted. You still need to consider what information you’re planning to entrust to that software, what could go wrong, as well as a host of other considerations like update frequency, reputation, and more. As a fellow little guy, I’m not saying don’t trust the little guys. But I am saying to exercise caution.


It’s the gift-giving season, and so this week I think I’ll stay on topic. Now of course, your mileage may vary. Not everyone will appreciate these or have the tech savvy to use them. It’s up to you to know what gifts are right for what person and what would actually make a good gift. But below are some items that I personally have dealt with or have my eye on that might also make good gifts for yourself, your home, or a tech-loving loved one around you. These gifts are not listed in any specific order.

iPhone SE: $400

I’m gonna piss off a lot of privacy people right off the bat with this one, so let me remind my readers that this site is aimed at normal, not-tech savvy people. If you can convince your friend or family member to use CalyxOS or a Pinephone – or you yourself are willing to do so – please do. But chances are that if you’re reading this, you’re either not comfortable flashing a phone yourself or you have family members who wouldn’t be comfortable using a flashed phone. When it comes to stock operating systems, I personally preach iOS over Android every single time simply because iOS has better security. They’re both pretty abysmal for privacy, so iOS has the edge in the security department. As such, if someone you know is in the market for a new mobile device, the iPhone SE series is my recommendation. It’s inexpensive (for a smart phone), and unless your loved one is a heavy app user it’ll do the job perfectly.

Silent Pocket Products: $10-$400

Silent Pocket sells a wide variety of items that help keep your devices off the grid to various degrees. This could include wallets that resist RFID tracking and wireless credit card chip skimming all the way up to full-on Faraday bags for laptops that block ALL wireless signals. If you’re reading this, you probably don’t see the need for a Faraday bag and personally I think that’s outside my own threat level, too, but like I said they have a lot of other really amazing products like phone cases, wallets, passport card holders, backpacks, and a multitool that has spots for your keys. If you or someone you know is really into gifts that have a practical use, definitely check this site out.

A Better Router: $150-$515

The internet in our homes is something we typically don’t think about until it goes out. But it’s also one of the most critical things we have these days. Most people don’t think about their router or the settings, but you can do your family a huge favor by getting them a new router and securing it for them. They’ll probably never even notice, but you’ll rest easier knowing they’ve gained a new level of privacy and security. The routers I’ve linked here come pre-loaded with DD-WRT, an open-source firmware that allows you to do all kinds of powerful things like load a VPN or a firewall or VLANs onto the router itself, meaning that any device that connects to it will automatically be protected. This is probably the most technical suggestion on this list, but if you can figure out your own router settings you can definitely figure out these ones, too. All the hard work has already been done for you.

A Pinebook Pro: $200

Pine64 is a nonprofit that aims to make ethical, open source Linux machines accessible and affordable to the masses. To that end, they have released the Pinebook Pro, a $200 laptop that ships with Debian, which is an operating system I recommend anyways. Just like the routers above, this is a device that you don’t have to worry about installing or setting up yourself. Debian is incredibly user friendly and there’s a ton of support online if you have any questions about it. However, it should be noted that the specs on this computer are slightly below average (in my opinion). If you or your intended gift recipient only uses your laptop for browsing the net, checking your email, and streaming Netflix this is more than enough. But if you use it for any kind of photo editing, video editing, gaming, or highly specific and specialized software that can only run on a Mac or Windows, this may not be the best gift idea.

Books

If you or someone you know is a big reader, there’s a wide range of privacy and security related books, ranging from philosophical to “how-to” to fiction. In the nonfiction category, we have “Click Here to Kill Everybody” by Bruce Schneier and “The Age of Surveillance Capitalism” by Shoshana Zuboff. In the How-To books, try “Extreme Privacy” by Michael Bazzell or “The Personal Digital Resilience Handbook” by David Wild. And for fiction, popular recommendations in the privacy community include Cory Doctorow’s “Little Brother” series and “The Circle” by Dave Eggers.

Like I said, not all of these are great ideas. It’s up to you to know the people in your life. But even if you know people who aren’t crazy about privacy, some of these ideas might still work. You could buy your sister a phone case or a wallet from Silent Pocket. You could get your brother “Little Brother” from Cory Doctorow. You could get your mom a Pinebook or an iPhone. Granted, the Pinebook may require some getting used to, so first make sure they’re willing to learn a new operating system, but it’s not hard to get used to once you get over that initial learning curve. Hopefully this list has at least given you a few ideas. Good luck on your gift shopping, and remember to shop smart.


On my website, I list the country a service is located in as either a point for or against them. As a sort-of explanation, I also link to the Wikipedia page about the Five Eyes intelligence community. Likewise, you will often see people in the privacy community asking questions or debating about the location of a company and why it pertains to the privacy of a specific product. So this week I ask: does it really matter?

What is “Five Eyes”?

If you didn’t click the link above – or just didn’t understand it – the “Five Eyes” refers to an intelligence agreement between the US, UK, Australia, Canada, and New Zealand. It was originally born out of the cold war as a way for democratic countries to keep an eye on the spread of communism, but the agreement lives on to this day. The basic premise of Five Eyes is that those five countries share intelligence with each other generously. The agreement is primarily aimed at “signals intelligence,” which means basically any form of electronic or telephony communication, but they're known to share other intelligence as well.

The problem that pertains particularly to privacy is what Edward Snowden revealed about the Five Eyes agreement in 2013, which basically boils down to “the Five Eyes countries spy on each other’s citizens then share with each other as a loophole.” In the US, the US intelligence agencies aren’t supposed to spy on US citizens without a reason. Same thing in the UK. But the US is totally free to spy on UK citizens and then share that data with the UK, and vice versa. That’s a simplified version of how it works.

There are also other “Eyes,” such as Nine and Fourteen, as well as specific “Eyes” aimed at certain countries (ex: “Five Eyes Plus Three Against North Korea”). All this really means is how many countries are involved. Typically the wider the Eyes, the less comprehensive the data sharing. So the Five Eyes are the most invasive countries and share the most openly, while the Fourteen Eyes are less invasive and share less (but still invasive).

How Does This Relate to Privacy and Services?

Country of origin determines the laws and practices a company is subject to. A company based in the United States will be subject to US law – taxes, worker rights, and even surveillance. A US-based company will be caught up in the Five Eyes dragnet, and a US company will have to turn over any data requested by a warrant from a US law enforcement agency such as the FBI. For example: I run a Nextcloud server out of my home. It’s small and it’s only for friends and family. If my city, county, or state police or the FBI came to my door with a warrant and said “we need you to clone your mom’s data and give us a copy,” legally I’d be forced to comply. But if I move to Canada, the situation changes. My mother – who still lives in the US – is under investigation. If it’s a local investigation, police aren’t going to bother with the international red tape of asking me to hand over her data. They might ask, but since it crosses international lines and their resources are limited, they probably won’t bother making it an official, legally-binding request (unless they suspect the data I possess is key to their case). Even the FBI will meet a few more roadblocks in the process. Not many. They have the resources, and Canada is a friendly country with the US, so they’d probably get the approval. But it’s not as easy as it was before when I lived in the US.

As such, a lot of people in the privacy community prefer to pick services that are run by companies that are based outside of the various Eyes communities. The further outside, the better. A company in Germany is superior to a company in America because Germany is part of the Fourteen Eyes, which is better than the Five Eyes. But a company based in Switzerland or Finland is even better because those companies aren’t part of any Eyes. The roadblocks required to get the data – from both a legal and a surveillance perspective – are much higher.

Is This Actually Effective?

The short answer, in my opinion, is no. This stuff doesn’t really matter. As my long-time readers know, I don’t encourage breaking the law. Ideally you shouldn’t be doing anything that gets you on the law-enforcement radar in the first place (I’ll come back to that in a moment). But first let’s talk about surveillance: the Five Eyes are spying on EVERYONE. The idea that your data is somehow magically safe because the server is in Finland is as ridiculous as saying that I’m somehow magically safe because I put my seatbelt on when I drive. Obviously I do, seatbelts dramatically increase my odds of survival in a traffic collision, but the seatbelts don’t do a thing to stop someone from hitting me. Likewise, putting my data in Switzerland helps, but it's not a magic bullet.

Before I go on, I need to explain how the internet works at the global level. At the very top of the network food chain are “Tier 1 networks,” which are basically the internet service providers of the internet service providers you and I know and use like Comcast or Time Warner. According to Wikipedia, most Tier 1 networks are headquartered in Western countries like France, Germany, the UK, and the US. A couple are in places like India and Hong Kong. If you remember the list of eyes from before, this means that virtually every single Tier 1 provider is based in an eyes country, over half of them in Five Eyes alone. Choosing a country that’s outside Eyes jurisdiction does make surveillance slightly harder, but considering that literally all network traffic needs to route through a Tier 1 network and 88% of them belong to the Eyes, it also makes that surveillance relatively trivial. The Eyes own the internet. Not to mention there's absolutely nothing to stop state actors from setting up totally legal shell corporations in foreign, non-Eyes countries and then using those to spy on the locals.

So does that mean you shouldn’t care at all? Of course not. As I said, picking a country outside the Eyes does make surveillance a little bit harder. While the traffic still passes through Eyes infrastructure and into Eyes territory on your device, if you're doing it right that traffic is encrypted and the data itself rests outside of Eyes jurisdiction. That does count for something. Earlier I mentioned not to get yourself caught in the crosshairs of law enforcement, but we all know that law enforcement is not perfect and mistakes happen. People get wrongfully targeted, arrested, and convicted all the time. Putting your potentially-incriminating data outside the hands of the law so that they can’t use it against you is a great consideration.

However, you should consider the location of a service a lot like the color of a car: ideally you’d like to have one color, but it shouldn’t be the deciding factor. The deciding factors should be the other things I discuss when I list services on my site: how strong is the encryption? Is the company transparent? How is the privacy policy? What information do they log? Can they access your data? Under what circumstances will they hand over their logs/data? I fully expect any legitimate company to comply with a lawful warrant or request, but I also take comfort in knowing that a company will push back on a request it considers unfair (Tutanota and ProtonMail both have a documented history of this, by the way). So rather than “where are they located?” you should ask “what kinds of requests will they push back on?” How is the company’s reputation? And then, once all factors have been weighed, that’s when you should give the country of origin a thought. One reason a lot of people prefer companies based in Germany and Switzerland is because those countries have privacy laws that are superior to the US (though also not perfect). But if you're using companies who are zero-knowledge, don't log data (or log as little as possible for as short a time as possible), and use strong encryption, then the country means almost nothing.


Last year, I posted the below blog. After “Black Friday.” Whoops. This year, I thought it worth posting again – this time beforehand! – since my audience has grown dramatically (thank you so much! Seriously, I am so humbled!), but updated to reflect both advances in technology and the global pandemic where necessary. So without further ado, the 2020 guide to safe holiday shopping!

With gift-giving season officially beginning in the United States (and at least a few other places, I presume), I figured this would be a great time to discuss safe shopping tactics. I don’t feel like this needs any sort of real introduction, it’s pretty self-explanatory, so let’s begin.

  • Pay with cash in person. There’s a large push for card usage in the US, and it has some personal finance benefits. Cards often come with cashback and purchase protection, and while the risk of skimming still exists, fintech (financial technology) security has come a long way. However, cards are still a privacy nightmare. Your shopping data will absolutely be sold by your bank to data brokers. As such, cash is king. But if you need some less-crazy, more practical reasons to use cash: if you’re buying a gift for someone who has access to your bank statements (significant other, parent, etc) it can help shield your purchases – both the site and the amount – and keep the gift a surprise. Furthermore, holiday spending and gift giving is often a source of debt in the new year, so using cash will help you stick to your budget. Personally I think racking up a boatload of new debt is a really crappy way to start the new year.

  • Of course, online shopping has long been popular, and even more so this year. For online transactions, use pre-paid cards (such as the Vanilla card) or card-masking services like Privacy.com, Blur, MySudo, or ViaBuy (if you live in Europe) to avoid having your real information stolen. If a scammer steals your info, the effects could be as minimal as having to get a new card or as serious as draining your bank account, stealing your identity, or even stalking you. So I definitely encourage you to use a masking service of some kind. Be aware that Privacy.com and MySudo essentially function as banks in this scenario, so they will ask for some personal information that some people may not be comfortable with. Blur is a little less invasive, but you’re basically just creating digital pre-paid cards. Personally I’m a fan of Privacy.com for a lot of reasons, but this isn’t the time or place. Feel free to check out all of the solutions suggested and see if any of them are right for you.

  • Use HTTPS. HTTPS is a powerful and effective encryption method for data-in-transit (aka web traffic) that helps protect your sensitive information as it shoots across the web. The vast majority of the internet is now securely encrypted so you’re probably covered, but be vigilant anyways. Just this month I tried to order some food for takeout and the webmaster had accidentally let the certificate lapse, so they didn’t have HTTPS. Thanks to the browser plugin HTTPS Everywhere, I was alerted and avoided sending my card information on a potentially unsecured website. This plugin will automatically ensure an HTTPS connection wherever it’s offered, regardless of search engine or browser settings, and alert you if one isn’t found so you can decide if you still want to use the site or not.

  • Use a PO Box. PO Boxes can serve tons of great purposes that you didn’t even know you needed. For starters, they start off inexpensive, in some places as little as $20/year. They can be handy because your packages don’t sit unguarded on your porch while you’re at work, they sit safely inside the building of your box. And of course, you don’t have to worry about some stranger on the internet snagging your home address, whether that’s the random person on Etsy, the rogue employee at Amazon, or the hacker who hopefully didn’t steal your information because you already implemented the above bullet points.

  • Don’t quit on December 26. The thing about these habits is that they’re great year-round, not just around the holidays. Shopping is something we do all the time, all year, and these strategies can be implemented there, too. You can pay cash at the grocery store. HTTPS can protect your Facebook login from a random hacker just as much as your card number. Online data breaches are quickly becoming a daily occurrence, so using card-masking can prevent your card number from getting permanently posted to the dark web (if you’re not worried about that, clearly you’ve never had the hassle of updating EVERY service you use after a card number changed for any reason). Even a PO Box can be a neat thing to have on hand if you rent and move in the same area frequently, if you need an address on file for work (again, data breaches), or freelance and need somewhere to send checks or a return address for merchandise you sell.

Take some time to think about which of these strategies can benefit you most. HTTPS is something that takes just a few minutes to set up and you never have to think about it again. A PO Box can be easily added into your routine by renting one nearby or on your way to/from work (if you have a concern about stalkers, you may want to consider getting one in a nearby town instead). Cash can be handy as well to help you stick to a budget. I hope these tips help keep you safer online this holiday season, and good luck finding that perfect gift!


One thing I really envy Android users on is their access to alternate app stores, like F-Droid and Aurora. My partner approached me earlier this week and asked if I’d be willing to go on a diet with her as a show of solidarity. Not the same diet, just a diet. As I stepped on the scale to begin, I begrudgingly admitted that she was on to something and I’ve put on more weight than I realized. Ever the one to look for a silver lining though, I figured this might be a good time to dig through some of the most popular diet-tracking apps in the iOS app store and see which one was the least offensive. So this week, I’m sharing that with you.

I chose my apps based on a combination of “top” lists found on DuckDuckGo and which apps popped up first when I searched in the app store. I am rating them based on their privacy policies, specifically “information we collect.” I have organized them by alphabetical order. I also only highlighted things that stuck out to me specifically. I’m not really surprised with stuff like “cookies, things you willingly add to your profile, and IP address.” That’s all pretty standard. I was looking for anything out of the ordinary or alarming.

Calorie Counter +

Information collected: “first name, email address, encrypted password, personal profile (your age, sex, height, start weight, goal weight, activity levels and any other boxes you tick during sign up), Photo (if you upload this to the forum or Live Club weigh-in on the website), IP address, Mobile device ID, Your browsing behaviour (when using the Nutracheck App and website).” Uses Google Analytics. Shares information with Google and Facebook to advertise “as you browse around the internet.”

The alarming parts to me here were the fact that they shared with Google and Facebook so they could advertise to you off-site. No thanks. Other than that, pretty standard stuff although I did notice that a lot of sites require information like gender and age. I guess that’s medically relevant, but it still makes me a bit uneasy. Also what does “encrypted password” mean? Do they actually store my encrypted password, or are they dumbing down “hashed” for readers? Cause frankly, storing my actual password – even encrypted – is unacceptable.
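What the difference between an “encrypted” and a “hashed” password means for a stored record, as an added example (not taken from the app or its privacy policy). The function names and work factor are hypothetical, and the toy keystream cipher only stands in for a real cipher to show that encrypted storage is reversible by whoever holds the key.

```python
import hashlib
import hmac
import os

ITERATIONS = 200_000  # constructed work factor for this demo; tune to your hardware


def _keystream(key, nonce, length):
    """Toy keystream (HMAC-SHA256 in counter mode) standing in for a real cipher such as AES-GCM."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def store_encrypted(password, key):
    """Reversible storage: the record plus the server's key gives the password back."""
    nonce = os.urandom(16)
    data = password.encode()
    ciphertext = bytes(a ^ b for a, b in zip(data, _keystream(key, nonce, len(data))))
    return nonce, ciphertext


def recover_encrypted(record, key):
    """What anyone holding both the database row and the key can do."""
    nonce, ciphertext = record
    stream = _keystream(key, nonce, len(ciphertext))
    return bytes(a ^ b for a, b in zip(ciphertext, stream)).decode()


def store_hashed(password):
    """One-way storage: a random per-user salt and a slow hash; no key exists that reverses it."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest


def verify_hashed(record, attempt):
    """Login check: re-derive the hash from the attempt and compare in constant time."""
    salt, digest = record
    candidate = hashlib.pbkdf2_hmac("sha256", attempt.encode(), salt, ITERATIONS)
    return hmac.compare_digest(candidate, digest)


def demo():
    password = "correct horse battery staple"  # constructed sample password
    server_key = os.urandom(32)
    encrypted = store_encrypted(password, server_key)
    hashed = store_hashed(password)
    return {
        "db_row_plus_key_reveals_password": recover_encrypted(encrypted, server_key) == password,
        "right_password_logs_in": verify_hashed(hashed, password),
        "wrong_password_rejected": not verify_hashed(hashed, "Correct horse battery staple"),
        "same_password_gets_different_hash": store_hashed(password)[1] != hashed[1],
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```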

FatSecret

Information collected: “age, gender, postal code, current and goal weight.” “IP, ISP, browser type, OS, language, profile information, profile info, food and exercise, and “general use.” “integration with other services such as Apple’s HealthKit…other services such as Apple’s HealthKit API’s and Google’s Fit APIs (all together “Health Data Services”). FatSecret will not use or disclose health data gained through Health Data Services to third parties for advertising, marketing or other use-based data mining purposes other than improving health or for the purpose of health research.”

I found a few things in particular problematic here. Let’s go in order. First, “postal code.” I realize that an IP address is as good as a physical address, but why go out of your way to collect that? Next, “ISP, browser type,” and “OS.” Again, I realize that knowing my IP address is enough to correlate who my ISP is, but why go out of your way? I also know that browser type is helpful to know to make sure your site is working correctly with that browser, but why OS? And also, with the rise of CSS, I feel like “browser compatibility” isn’t really a thing as much as it used to be (but I could be wrong, I'm clearly not a web developer). “Integration with other services” combined with “FatSecret will not use that data...” means that not only will they submit the data to your HealthKit, but they’ll collect data from it, too. Finally, “for the purpose of health research.” Um, no thanks. Please don’t take my health data and then share it.

Lifesum

Information collected: “your email address, first and last name, height, weight, date of birth, and gender” upon registration. “Device identifiers (i.e. information on what device, IP-address, etc. you use to register and log on to the Services), and technical information related to your use of your device which could be attributed to you (i.e. geo-location data, access history, search history, and information regarding your interaction with the application or advertisements) which is used to provide the Services and to allow Lifesum to market to you in accordance with this Privacy Policy.” You can opt out of marketing but not collection.

This is a pretty standard privacy policy, and if it seems like a lot, that’s because it is. Most privacy policies are this invasive at a base level. You’d be hard pressed to find a policy less invasive. Except for one part: “technical information related to your use of your device which could be attributed to you (i.e. geo-location data, access history, search history, and information regarding your interaction with the application or advertisements).” So from what I understand, that means Lifesum is monitoring not just the app, but the device: my searches on Firefox, my location, what other apps I use, and other ads, just so they can advertise to me even more. Unacceptable.

Lose It!

Information Collected: “We may also use and allow third parties to track your browsing history profile.” “Personal Diet Data”, including, birthdate, height and weight, sex, and specific details of the foods and drinks that you consume and your exercise, and genetic results. Test results generated from a user’s genetic data. Email address and Lose It! Password. IP addresses, browser type and your operating system. Pages visited on the Websites referring and exit pages, and the dates and times of the visits. Financial information, such as your credit/debit card number or other billing information for purchases and product upgrades. Any additional information relating to you and your use of the Websites, Apps or Lose It! Services that you provide to use directly through the Websites, Apps or Lose It! Services. Location data and other information about devices used to access and interact with the Websites or App. Information that you make publicly available or publicly post using tools made available on the Websites or via the App. Information you may provide in user-to-user messages. Information collected from promotions with third party companies.”

So once again, nothing terribly bad here except that they specifically cover genetic data. If I get a genetic test, they collect the results (I assume the test has to be done through them or with one of the parties they work with). No thanks. They also collect browser type and OS, yet again. And location data, why? Why do dieting apps want to know my location? What, are you gonna send me a push notification? “We noticed you just entered a Wendy’s. Don’t do it, bro!” C’mon.

Nutrients

Information collected: None

So this app claims that they don’t collect ANY information and furthermore that all information you enter stays on your device and never gets transmitted. But I was a little put-off by the fact that there’s no HTTPS on their website. It’s 2020. There’s no excuse for that. Also, personal opinion territory here, I noticed that in the app store the developer has another app called Donald J Trump, which seems to be just a hub for all his social media posts or something like that. I don’t know, I didn’t pay for it. Personally, I don’t support Trump, and since the Nutrients app is paid, I wanted to do a little digging and make sure that I’m okay giving my money to an organization that obviously does support him. Once I started digging on that front, I quickly noticed that there is zero mention of the Donald J Trump app on their website, which to me is kind of questionable. At the time of my research this week, the app had been updated less than two months ago, so clearly this isn’t something they just put out once and have since abandoned. This is an app they actively maintain. Why aren’t they owning up to it? Personally, I found that alone shady enough to not want to give over my money. I don’t mind if a company wants to publicly endorse a candidate, but the fact that they weren’t being fully forthcoming with it in a situation where they should’ve (in this case, not listing the app on their site alongside all the others), that personally didn’t sit right with me.

MyFitnessPal

Information collected: ? But it is collected through third party or “publicly available” sources.

So this is the one thing that bugs me more than a generic privacy policy. Their privacy policy doesn’t even exactly state what they collected. It’s already bad enough when you say “IP address, Device ID, and other information,” but when you just straight up say “we collect information that cannot be used to identify you” (first off, that’s a lie) “but is used to determine aggregate data such as usage, blah blah blah,” that’s even worse. Now you’re not even saying what’s collected. If it’s not a big deal then why won’t you say what it is? Furthermore, you collect additional data through third party and “publicly available” sources? Why are you going out of your way to collect more information about me outside the app? Just tell me how many calories my damn burger has.

MyNetDiary

Information collected: ?

This service was equally as opaque as MyFitnessPal. The only saving difference was this service didn’t claim to collect additional information from outside the app, and they also claim they never share it. Personally I find a blanket “we never share your info” claim to be suspect – especially if they do admit to collecting information – because I fully expect any remotely not-shady organization to share my information with law enforcement with a warrant. So to just flat out say “we never share your information ever” already means that at best you’re telling a half-truth.

MyPlate

Information collected: “device registration data (for example, the type of mobile device you use, your mobile device’s unique device or advertising ID, IP address, operating system and browser type), device settings (for example, your language preference), mobile carrier, information about how you use the Services (for example, how many times you use the Services each day), requested and referring URLs, location data collected through your device (including, for example, precise location data such as GPS and WiFi information), information collected through cookies and other tracking technologies including, but not limited to, your IP address and domain name, your browser version and operating system, traffic data, location data, web logs and other communication data, and the resources that you access.”

So this is another one that’s not AWFUL but still not great. Let’s pick apart the more alarming parts. First, “OS and Browser, as well as mobile carrier.” Why? Does whether I use AT&T or Sprint or Verizon really affect how the app experience is for me as a user? “Requested and referring URLs,” so I admittedly am not an expert on this stuff and I have to do more learning in this area, but from what I understand this means that they can track where I came from and go to on the internet before and after their site. Why? “Location data, including GPS and WiFi information.” So in addition to my usual “why do you need my location” rant, this also suggests (or at least doesn’t rule out the possibility) that they might collect additional information about my WiFi network specifically, like SSID (aka “wifi name”), router info, and possibly even WiFi password and other devices on the network. Seems a bit unnecessary just to tell me I’m fat. Finally, “Traffic data, web logs, and other communication data.” Man that’s broad. Are you gonna access my browser history? What other traffic goes over the network? My text messages? This one is way overreaching.

SparkPeople

Information collected: “We may collect your name, address, email address, telephone number and other contact information...” “We do not share your information with third parties except as set forth in this Privacy Policy.” You can opt out of direct marketing but not out of collection. “We may collect information automatically about the use of the Website, through, for example, “cookies” or “IP addresses” (as described below). SparkPeople also archives log files and uses non-personally identifying information in aggregate form to” blah blah blah, improve the website.

Sorry, but at this point in my research I was getting tired. The short version is, SparkPeople’s privacy policy is super generic. Nothing alarming, but nothing great either. Contact information, information you willingly fill out, cookies, IP address, etc.

Summary

So the moral of the story here is that everyone is tracking you. This could be an entire blog post in and of itself – and it is on many other great sites – but cookies alone were the first real way of tracking people across the web back in the early days and while new, more sophisticated ways exist, the old ones haven’t gone away. So even the most generic, inoffensive privacy policy still has a way to track you and pass that information along to data brokers, and quite frankly I’d be surprised if they didn’t. That’s easy money. I think what I found most alarming was not the generic tracking – I fully expected that – but rather how invasive some of the others get. Location data? Other device info? Network info? Why, man? Just why?

So what did I ultimately decide to go with? A spreadsheet made with LibreOffice. It’s not sexy. It doesn’t give me pie charts or histograms (I know, it could if I wanted to). It doesn’t automatically tabulate my weekly total. It doesn’t have a cute animal encouraging me or recommending tips to keep on track. That’s fine. I took it upon myself to go out and do research and use online calculators to see what my daily calorie intake is based on my goals and my body. I decided what metrics were important to me, then I went and found the daily recommendations. In fact, I got a few premium features that way. For example, one app I used in the past (which is on this list) charged extra to set goals (instead of simply counting) and to monitor my sodium and sugar. I have all those things now, plus more. It’s a little more work. I can’t just scan a barcode. But that’s okay. It works for me, and it forces me to be conscious and put in the work myself.

I hope someday that Apple will be more forgiving and allow us to include privacy-respecting apps or app stores. I know, I can dream at least. But I guess the main reason I wanted to share this – in addition to being relevant and interesting – was to remind you to read the privacy policy. You don’t have to take five hours and read the entire thing top to bottom along with the terms of service. But at least skim. What are the parts that matter to you? Look for those parts. Get a general idea of what they’re doing with your data. And not to end on a depressing note, but just remember that 99% of the time those – according to themselves – can change at any time without notice. So be on your guard.

Tech changes fast, so be sure to check TheNewOil.org for the latest recommendations on tools, services, settings, and more. You can find our other content across the web here or support our work in a variety of ways here. You can also leave a comment on this post here: Discuss...

I considered buying a fingerprint-based door lock the other week. It was not cloud-connected or “smart” or anything like that, and ultimately I decided $200 was a bit too much to spend on a whim, but I did stare at it and read the box for quite some time. When I told this to various friends and family, they all seemed floored that I even considered an electronic lock. Truthfully, I know how to pick locks so I’m painfully aware of how grossly insecure my traditional cylinder lock is. I’ve spent many hours pondering the better solution with the appropriate balance of risk and reward.

The fact is that just like cylinder locks, our common digital locks (aka passwords) suck. They’re hard to remember. If you can remember them, they're too weak. If you can't, you're placing your trust in a password manager to not get hacked or corrupted. Furthermore, they have no real guarantee of safety. My significant other can log into this account and post a blog just as easily as I can, provided she has my password and any multifactor devices. As such, many cybersecurity experts actually recommend biometric locks like fingerprint, face scan, or retina scan instead. There’s a reason they were so popular back in 90’s spy movies. And honestly, that's not wrong. But there’s also a myriad of studies and evidence out there to prove that they’re not without risk, either. So this week I thought this might be a good topic to tackle.

What’s A Biometric Lock?

For those who haven’t figured it out based on context clues, a biometric lock is a lock that only opens when it confirms your biological identity: fingerprint, face scan, and iris being some of the most common. Almost all modern phones come with the capability.

On its face (no pun intended), a biometric lock is unarguably more secure. A social engineer can guess my password or security questions (unless you’re using the techniques I recommend on my website) and similarly, an attacker can steal my password and decrypt it using rainbow tables and brute forcing. But the odds that a malicious hacker or social engineer can chop off my finger or somehow copy my fingerprint? Sure, it’s possible. Again, I reference the 90’s spy movies. But that’s relatively advanced stuff – even by today's standards – and honestly this comes down to threat model. I’ve said before that this website is not designed for the hardcore Snowden-level whistleblower who needs to disappear. It’s for the average person who just wants to regain some privacy and security. The odds that anyone is going to go through those kinds of hoops to get their hands on your biometric identity is almost nonexistent. Having said that, I encourage you to ask yourself what the odds of that are. Even if you’re not a journalist, you might have a really driven stalker who would go to some pretty extreme lengths.

Not All Biometrics Are Equal

Despite what I said just a moment ago, not all biometrics are equal when it comes to how well they can protect you. I’m not even talking about click-baity articles that talk about how the iPhone can be unlocked in less than two minutes ([by pointing it at the sleeping owner’s face](https://www.forbes.com/sites/daveywinder/2019/08/10/apples-iphone-faceid-hacked-in-less-than-120-seconds/)). It’s important to note that literally everything is hackable and finding out that any system can be hacked by using twelve Androids, a home-cooked app, and direct access to a user’s device is kind of a no-brainer. It’s a real-life version of the infinite monkey theorem (except much more likely). Anybody with sufficient time and resources can hack anything.

No, I’m not talking about theoretical hacks and advanced exploits. I’m talking about actual, legitimate threats that could be posed to the average user. Consider this story about a woman who unlocked her husband’s phone while he was sleeping via his fingerprint scan and discovered he was cheating. Or this clip from sitcom Brooklyn Nine-Nine where one character unlocks another’s phone simply by pointing the camera at her face. Now it should go without saying that I’m neither endorsing nor encouraging cheating or any kind of illegal or unethical activity. But suppose my partner unlocks my phone while I’m napping and sees what I’m getting her for Christmas? There’s plenty of valid, legal reasons for you to want to control who has access to your device. If you’re a parent and you have small children, do you want just anyone to be able to pick up your phone and look through it at pictures of your kids or texts with them? I understand that in an ideal world, you would maintain positive control of your device but that’s not always possible. People make mistakes, get wrapped up and leave things laying around on their desks while they run to the bathroom. I leave my phone plugged in to charge overnight in another room. Or even at work sometimes I'll leave it plugged in while I work in another spot far away from an outlet.

So Should You Use Biometrics?

This is a question I’ve wrestled with for a while now. The answer is I don’t know. First off, it depends on your threat model. I think my threat model is very low. I don’t think anyone will go out of their way to lift my fingerprint and make a rubber copy. On the other hand, I am politically active and I wouldn’t feel comfortable with face lock because I know that if I ever got detained a cop could simply flash the phone at my face to unlock it. So personally, I’m comfortable with fingerprint lock but not facial ID. But then there’s the question of who has access to my biometrics and what are they doing with it? I use an iPhone. Apple claims they never have a copy of my fingerprint and that what they store is simply a digital signature – sort of like a password hash. However Apple has also claimed that they don’t have humans listen to Siri recordings, which turned out to be a lie, so I don’t know how much I trust them. Would I use biometrics like fingerprint on an air-gapped machine like the lock I mentioned earlier or a laptop I use for backups? Probably.

I wish I could give a more concrete answer. Usually I can at least say “here’s what I’d do, but you do you.” In this case, I don’t think that applies. There’s just too many variables. But so many people in the privacy community are opposed to biometrics (and often for good reason) that I wanted to discuss them in a more in-depth fashion. As with almost all technology, biometric identification isn’t bad. Who uses it, how, and what they do with the data can be. No matter what protection you go with for your devices – be it password, PIN, or biometric lock – make sure that you’ve done your research. Know the shortcomings both technologically, practically, and legally. Know what the risks and benefits are, know the company and how it’s supported, and most importantly make sure it’s secure. Fingerprint is unarguably more secure than a phone PIN of “0000.” But a 16-character alphanumeric passphrase might be more secure than a face print if you’re a celebrity. As with many things I discuss, there is no one size fits all, only education so you can decide what size you need.

As many of my long-time readers know, I love to write about personal experiences as a way to give real-world context to many of the subjects I cover. This week, I want to talk about my successes in getting the people around me to care about privacy. In the past I’ve mentioned how one of the recurring questions I see in the privacy community is “how do I get my friends/family/significant other/etc to care about privacy?” My partner has gone from publicly posting everything online to using encrypted messengers, using a VPN on all her devices, almost completely eliminating Facebook (she still needs it to connect with one specific group), and slowly transitioning to ProtonMail. Just this week alone, both of my coworkers stated their intentions to start taking their privacy more seriously after Chrome’s move to give advertisers full access to your device files. And in a move I never thought I’d see, my own brother said he wants to move away from using GAFAM (Google, Amazon, Facebook, Apple, Microsoft) products so heavily. I doubt I’ll see him completely abandon said products, but he did ask me if ProtonMail has a free tier and said he was switching to DuckDuckGo and Firefox. So this week, I want to take a moment to report what I think worked on all of these success stories.

Disclaimer: Before I dive in, I want to say that you should never do anything expecting to change someone’s mind. That’s just asking for disappointment and hurt feelings. You should enter into these discussions with the mindset that you’re here to exchange and consider ideas and viewpoints. If you approach subjects attempting to change someone’s mind, they’ll often feel attacked, get defensive, and double down. But if you go into it going “we’re equals, whatever you believe is up to you, but here’s what I believe and why” they’re much more open to listen to you and what you have to say. That’s not guaranteeing success, but it does guarantee a much better time in my experience.

Respect

On that note, I respect people’s choices even if I disagree with them. I really got on my brother’s case. He claims to be an ally of minorities, the oppressed, and other such groups. So, I made it no secret that he was perpetuating that same oppression by using services like Amazon, Facebook, and Google. It’s not enough to vote Democrat when you’re perpetuating systems that allow right wing extremism to flourish and shopping at companies that oppress their workers. That’s an argument for another day that I’m currently working on, but the point is that while I made these opinions known to my brother I was always quick to follow it up with “I love you, you do what you want, these are just my views.” Same thing with my partner. I have never forced her to use a password manager, I simply presented her with password managers as a tool of convenience and security, explaining what they do and how they can improve your life, and left it up to her. Don’t get me wrong, there’s still a lot of things I wish the people around me would do differently. I wish my partner would stop using TikTok. I wish my mom would switch to Linux (there's nothing she does on Windows that Linux can't do). But I respect that everybody is at a different place and I can’t force them to do anything. I can only present them with the facts and let them make that decision (it’s almost like I made an entire website out of that philosophy).

Time: Mere Exposure

I think most often when people ask that question, what they’re asking for is the epiphany moment. Chances are that very few of us reading this were introduced to the concept of privacy the same day we started taking it seriously. Think hard. I know I can vaguely remember some conversations I had with a friend about how the founding fathers never could’ve successfully revolted if they were subjected to the same level of surveillance in 1775 that we are today. I also did some time in the military, meaning that I was very familiar with the concept of having my communications monitored at some level. The point is, privacy was not a new concept to me. I heard at least a few arguments about why it matters and as an avid sci-fi fan, I was well aware of some of the potential negative ramifications of not having it.

It can be frustrating repeating yourself over and over as it falls on deaf ears. I live with my partner, and therefore she hears me rant about privacy constantly. As she’s begun to care more in recent months, we frequently have conversations where I rant about something privacy-related that upsets me, she says she didn't know that, and I remind her that I've definitely mentioned this before. I don’t rant with the expectation of changing my partner’s mind, I just rant to get it off my chest and I’ve made that very clear to her. But it’s still frustrating to know that most of it doesn’t stick. I think that’s why most people ask the question. “How can I trigger that ‘a-ha!’ moment that finally makes my family care?” And the fact is you can’t. It’s impossible to tell.

So instead of viewing these discussions as “this might be the moment,” view them as just general discussion like I mentioned at the top. If I’m talking to someone who complains about passwords, I throw out password managers. Just the other day someone on a job site mentioned that they do a lot of online shopping, so I encouraged them to check out Privacy.com. The goal is to expose them to it repeatedly. It’s called “The Mere Exposure Effect.” Basically the idea is that just by being exposed to something, your opinions on it strengthen. If there’s someone you sort of like, working around them frequently will make them like you more. The idea is to expose them to the ideas of privacy more and more so it grows on them. I know it sounds kind of manipulative, but that’s not my intention. That’s just a fact. The fact is that Mere Exposure can go the other way: working around someone you sort of dislike can make you grow to hate them, so if someone is clearly pushing back on privacy stuff and gets vocally upset by it, drop it. You’re not gonna win them over with Stockholm Syndrome. You’re going to push them away.

Time: The Epiphany

You know what made my brother care? The same argument I’ve made a hundred times before. Maybe I worded it a little differently but there was nothing new in my argument. No new concepts, no new information. It was just timing. This happened to be the time that my brother was in the right headspace, the right frame of mind, with the right set of pressures, information, and circumstances to decide “you know what? Nate’s right. I can’t be part of this system anymore.” I mentioned before in a different blog that my partner made the full-time jump to Signal after her boss informed her that the company reads text messages. When she told me this, we had another “I told you this a long time ago” conversation which actually ended with her going “yeah but somehow it felt different being told by the company themselves.”

The fact is you can’t predict what’s going to finally get through to someone. There’s no use in trying to guess what that magic epiphany will be. When I told my coworkers about the new Chrome “feature,” I actually made a point of saying “I don’t even care about the privacy aspect, this is a serious security risk.” I then explained drive-by malvertising. The next day, one coworker mentioned his plans to switch to ProtonMail this weekend and the other said he had removed as many Google apps off his phone as he could (he still kept Drive and Gmail for work stuff, but he removed other stuff like Maps). I would’ve never guessed that would be the story that would’ve got through to them, although honestly it probably wasn’t.

Honestly, most epiphany moments are straws that break the camel’s back. I don’t know if my own was or what. But in all my time of winning people over, it usually comes down to them hearing enough stories (usually from me, guilty as charged) that they finally go “I’m over this, I’m willing to make some changes.” This could be another blog topic in itself but when you get that win, be sure not to push it too hard. I've learned that when somebody tells me they want to start taking their privacy more seriously, the best response is to go “I'm happy to hear that. Let me know if I can help.” (That's actually when my brother asked if Proton had a free tier.) Don't get excited and go “ohmygosh! Now you have to check out Wire and Mullvad and XMPP and this and that and switch to Linux and...” Just let them know you support them and you're happy to share whatever you know.

I want to reiterate that you should never go into this expecting people to change. Also, it’s healthy to have other topics. While I frequently return to the topic of surveillance and privacy, I’m also capable of talking about music, video games, movies, TV shows, politics, and sharing personal stories of my time living in various other places. It’s not like all I can talk about is surveillance. Basic people skills come into play here. The best way to get the people around you to care is to not force it on them and let them come to their own decisions. But hopefully my experience will help you see how that can happen.

For some people, like myself, jumping into something new is exhilarating and you sink yourself into it 100%. This is where I found myself a few years ago when I first got into privacy, and where you might find yourself. In time, I eventually dialed back a bit and relaxed as I got more comfortable with this stuff, figured out what did and didn’t work, and made convenience adjustments as my threat model allowed. Regardless of where you end up settling on the privacy spectrum, it can sometimes be difficult interacting with people who aren’t privacy-minded. It can be hard to explain why you don’t have a Facebook, why you don’t want them posting your picture online, or asking loved ones to use an encrypted messenger. So this week I wanted to talk about how to interact with non-privacy-minded people. Specifically, I want to talk about how to decide where to draw the line and demand who does or doesn’t need to be using privacy techniques.

Preaching Privacy

Let’s go ahead and start with the hard truth. You can’t evangelize privacy to people like a pastor on the street. Most people just don’t care and beating them over the head with it repeatedly isn’t going to give them Stockholm Syndrome for your message. Furthermore, people aren’t logical. I’ve seen ridiculous suggestions like hacking your friends, browsing their phone without asking, or recording them. Nobody is going to go “wow, you’re right, I’m being a hypocrite and I do value my privacy.” They’re going to call you an asshole and stop talking to you. I’ve personally found that the best strategy is just to live your life, make your opinions known respectfully, and let people come to you. A few months ago I wrote a blog post about Ron and his dating conundrum. Ron wasn’t actually my friend, he was a friend of my partner. He had a problem, and my partner knew that I was the most qualified person she knew to solve it. When your friends have problems, they’ll know to come to you to ask. That’s when you can offer solutions. And it doesn’t hurt to ask your friends “hey, are you familiar with password managers?” and offer some advice, but don’t repeatedly bash them with it. They’ll move at their own pace, and quite frankly their security isn’t your problem.

Levels of Closeness

It’s important to remember that not everyone in your life has the same level of closeness with you. Your significant other is closer to you than your coworkers. Your family is closer than your friends (for most people). And your friends are closer than your barber. This should be an important factor when you decide how to deal with people who aren’t privacy-minded. Do you need your significant other using an encrypted messenger as you text throughout the day? Yes. Especially if they like to send you risque stuff and you use company WiFi. Do you need your favorite barber to use encrypted messaging? Probably not. They probably don’t even need your phone number. It’s important to pick your battles.

Context of Power

Do your coworkers need to use encrypted messengers? This becomes a gray area. I mentioned once that when the pandemic started in the US, I asked my boss if we could not use Zoom but I also realized that we have to do what’s best for the company. My coworkers – and my boss – are used to me being tin-foil hat crazy. They don’t mind me suggesting things like Privacy.com, Bitwarden, or Signal. But I also realize that I have no power there. I’m not the IT guy. I’m not the VP or COO. I’m at the bottom of the ladder, and I keep that in check whenever I suggest anything. My coworkers and I chat fairly frequently outside of work – we send each other memes or articles we found interesting and stuff like that – so I don’t think there would be any issue if I said “hey, could we move this conversation to Signal” or “Can we set up PGP keys for stuff like this that isn’t company-related?” I don’t even think anyone would really complain if I suggested setting up PGP keys for inter-office email and opened that option to the outside world (though, for the record, I highly doubt anyone would be on board). But the point is, I realize that when it comes to company policy I have no power, and while I am free to voice my opinion I have to realize that it is not my way or the highway.

Additional Context

I think those two things are the biggest deciding factors when deciding where to draw your privacy line, but there is additional context. When dealing with medical or financial professionals, I don’t see anything wrong in seeking a person who is willing to use encrypted email. I also think age and tech-savvy play a factor. I mentioned in a prior blog that I was able to switch my mother to ProtonMail by offering to set it up for her and let her take over, and she has been using it ever since. My grandmother, on the other hand, is in her 90s. I love her and I mean no disrespect, but she has one foot in the grave. We also speak about twice a year. I see absolutely no value in fighting with her about using ProtonMail, Signal, or anything else. Think about that: I just said you should get your doctor – who you probably see once or twice a year if you’re healthy – to use encryption but not your grandma. Obviously this varies from person to person. For some people, their grandparents raised them as if they were the actual parents, and those same grandparents are fairly tech competent and can be trained to use encryption reasonably. The point is to measure things with context. It’s impossible to draw a universal line in the sand and say “family MUST use encryption while strangers you only talk to once a month don’t have to.” What you’re communicating, frequency, and audience all matter.

I often see people ask “how do I get my family/friends/significant other/coworkers/etc to care about privacy,” but I rarely see anyone ask “should you get them to care at all?” It’s an important question. Before you ask how to convince them, you should start by asking if you even need to. Now obviously, I would prefer a world where everyone defaults to encryption whenever possible, but that’s not the world we live in right now and I have to pick my battles. It’s just like threat modeling: obviously it’d be nice if we could protect against all threats, but first you have to ask what threats are actually pressing and need to be addressed first and which ones can wait (if they need to be dealt with at all).

I’m sorry this blog was a little scattered; I try to keep my blogs somewhere between 1,000 and 1,500 words and this topic is huge and complex. As I said, I can’t simply say “here’s when you should and shouldn’t demand privacy from others.” It’s almost all one big gray area that varies from person to person. But I hope I’ve at least given you some thoughts and tools to figure out where the gray area ends and the black and white lie for you.

Tech changes fast, so be sure to check TheNewOil.org for the latest recommendations on tools, services, settings, and more. You can find our other content across the web here or support our work in a variety of ways here. You can also leave a comment on this post here: Discuss...

Lately students have been returning to school, but as I’m sure I don’t need to tell my readers, things are a little different this year. Many schools are looking to online or hybrid classes as a way to protect students and staff from the still-ongoing pandemic. Unfortunately, schools are often underfunded. Unfortunately, Google has stepped in and offered Chromebooks at low prices to schools to offset this problem. Personally, I don’t blame the schools. Teaching is a difficult thing, and the US federal government certainly isn’t making that problem any easier. Schools are doing their best. But I am pretty upset at Google. We all know that Google is one of the largest and most aggressive privacy offenders, which means that there is no doubt in my mind that Google has an ulterior motive with their charitable donation: they want to get kids rooted in the Google ecosystem early so they stay there. Income stream for life. Sadly this isn’t much of a conspiracy theory, it’s basically a given in the tech community (source, source, source, source). As students have begun to return to school, I’ve seen a lot of questions – and even had a few directed at me – regarding the privacy implications of these devices, including what’s possible and how to use them as privately as possible. So this week, I’m going to discuss that.

What Can It See?

The most common question I get/see regarding Chromebooks and privacy is what else they can see on the network. If I get issued a Chromebook and use it at home, can the school/Google see other devices and network traffic? The short answer is no. Technically it is possible, but once again schools are highly underfunded and they really have no motivation and nothing to gain from such intrusive programs. I have no doubt that the school can see almost everything you do on the device itself, but that’s probably where the school’s eyes end.

Google, on the other hand, is a bit more invasive but not as invasive as some might think. Without having any sources to back me up, but based on what I know about how surveillance capitalism currently works, Google can see everything the school can, as well as network information. For example, Google can probably see your SSID, information about your network (such as password encryption protocol, router info, IP address, and more), and I wouldn’t be surprised if Google can also see what other devices are on that network, such as a Roku TV, a Windows 10 machine, an iPhone, etc. However, as for the actual traffic, I would be surprised if Google sees the traffic from those other devices. The technical ability exists, but I suspect Google’s tentacles on every type of device are already so deep that they gain nothing from that kind of spying. It’s easier just to have each device report individually and connect the dots on Google’s end. After all, if you have two devices reporting from the same IP, then obviously they’re on the same network, and you can be much more invasive tracking the device locally than spying from the router.

Best Practices

In a moment, I’m going to list a bunch of settings I recommend changing, but first let’s talk about how to use your Chromebook in the most privacy-respecting and secure way possible. It should go without saying that you should consider everything you do on the device compromised. Google’s Chrome OS is proprietary, so we don’t fully know what goes on behind the scenes. You should assume anything you do on the device can be seen by Google, just to be safe. Of course, I want us all to have a sanity check: I highly doubt Google is waiting for you to log into your bank on their device so they can screenshot your balance or steal your account numbers. Don’t get overly paranoid about using the device and run yourself ragged. But at the same time, be aware that you’re giving up some privacy by using it. If you are truly concerned about the traffic issue I talked about above, then you can put the device on a separate subnet or VLAN, but again I personally don’t think that’s much of an issue.

I also encourage you to use a dedicated account on the machine. If the device was issued by a school and you have an account with the school, I think it’s safe to use that account. The school already knows the device was issued to you, and as mentioned before I don’t think they have any interest in making sure the IP address you used matches the records on your paperwork (though I would use a VPN in case of data breach). If the school did not issue you a Google account, I would make a new one.

I want it to be noted that Google has some of the best security out there. The privacy is virtually nonexistent, but the security is top notch. However, we should never get complacent. It should go without saying that all of my usual advice applies here. Strong passwords, two-factor authentication, VPNs, all are still useful here.

There are additional challenges and considerations for people attempting to lead a “Google-free” lifestyle. At that point, it’s really an individual question. I’ve heard people consider only using the device on public networks (such as libraries and coffee shops) or using a phone hotspot. I don’t think those are bad ideas, but they can still create a pattern that Google can make use of. Of course, a pattern of using the public library every day at 2 pm is far less revealing than an IP address and what other devices are on the network in my opinion. You’ll have to make the decision for yourself on the lesser evil.

Settings

Google Chrome OS: Version 76.0.3809.136

Bluetooth: Off

Connected Devices: None

People: Don't sign in if possible, use a unique or school account if you must

Screen lock: Show lock screen when waking from sleep

Screen lock: Screen lock options: either

Autofill: All off

Device: Storage Management: Browsing Data: Advanced: Clear All

Search and Assistant: Search Engine: DuckDuckGo, Searx, or MetaGer

Search and Assistant: Google Assistant: Disabled

Privacy & Security: Disable all settings

Privacy and Security: Manage Security Key: Create PIN

Privacy and Security: Site Settings: Cookies: Keep local data only until you quit your browser: enabled

Privacy and Security: Site Settings: Cookies: Block third party cookies: enabled

Privacy and Security: Site Settings: Location: Off

Privacy and Security: Site Settings: Camera: Ask before accessing

Privacy and Security: Site Settings: Microphone: Ask before accessing

Privacy and Security: Site Settings: Motion sensors: Off

Privacy and Security: Site Settings: Notifications: Off

Privacy and Security: Site Settings: Flash: Off

Privacy and Security: Site Settings: Pop-ups and redirects: Off

Privacy and Security: Site Settings: Ads: Off

Privacy and Security: Site Settings: Unsandboxed plugin access: Off

Privacy and Security: Site Settings: Handlers: Off

Privacy and Security: Site Settings: MIDI devices: Off

Privacy and Security: Site Settings: Payment handlers: Off

Language and input: Spell check: Off

Downloads: Ask where to save each file before downloading

Downloads: Disconnect Google Drive account: enable

When returning it, Powerwash it under the “About Chrome OS” page.
