14.6k sats \ 32 comments \ @kepford 2 Aug 2023 tech

Looking for feedback on this article. I am trying to write with the less technical non-bitcoin audience in mind.

Why Everyone Should Care About Privacy

Privacy is one of those things we hear people talk about and depending upon factors like where you were born, your social status, race, and personal experiences you may have very different views on the subject. One of the most common reactions I hear from people on the topic of privacy is, "I don't have anything to hide". I believe this comes from a misunderstanding of what privacy is. Privacy is not secrecy. As Eric Hughes wrote many years ago.

A private matter is something one doesn't want the whole world to know, but a secret matter is something one doesn't want anybody to know. Privacy is the power to selectively reveal oneself to the world.

~ Eric Hughes - A Cypherpunk's Manifesto

I suspect most people do actually care about privacy but are not aware of what is at risk, who is watching, and what they can do about their own situation. Most people have blinds or curtains on their windows. Most people close the door when we go to the restroom. Most of us don't share everything we know and think with everyone. These are all privacy choices. Of course these choices involve trust and most of these are not conscience choices we mull over in our minds. We creatures of habit. You are probably thinking, of course. I'm not stupid. Why would anyone just share everything with everyone. OK, now lets talk about your digital life.

If you live in the affluent western world and especially the US you probably rarely intentionally think about digital privacy. But ask yourself this. Have you ever started to type something into Google search and paused for a moment to consider it? You probably have. That should tell you something. Your gut is telling you that someone is watching. What is harder to understand is the consequences of being watched. Maybe you've never really stopped to think about it but you are making many choices about privacy everyday with your phone and computer. The topic of privacy can be overwhelming. This is one reason why it is important to narrow our focus to a few things when we talk about it.

Why should I care?

Do you have credit or debt cards? Do have a bank account? Identity theft is often made possible by of mistakes we make with our personal private information. Have you every been asked to provide information online like your birth date or your high school? While this might not seem like a big deal at first, once you realize this info is often used as a component for securing your online accounts it becomes clear why this can be an issue? Many financial services require this info to reset your password for example. Have you ever shared this information online? What could happen is someone gained access to your email account. How many online accounts are connected to that email address? What if someone gained access to your social media accounts. What damage could they do to your reputation?

If you don't follow the information security news you may not be aware that there are data breaches on a daily basis. Hackers gain access to the databases of financial institutions, social media platforms, automotive dealerships, and pretty much any business that keeps its data in a digital format. This means that whatever data you have given these institutions may become publicly available at some point in the future. There are sites that collect data from these breaches and sell it to the highest bidder. The sad truth is that businesses do not take data security seriously enough. They also do not look out for your privacy. It is up to us to do what we can to reduce our own risk, but before we get into what we can do we should talk about what you have to lose. What are the stakes for you? Do you use the same password on every site? If even one of those sites you use leaks your password to hackers those same hackers could access all of your online accounts. You can see how this could quickly become a nightmare if you are caught up in an breach of one of your online accounts.

Where do we start

I hope you are beginning to see that maybe you should take personal privacy seriously. The best place to start with privacy is to think about what your personal risks are with data. The term used in the privacy and security world for this Threat Modeling. Put simply this the process of creating a model of the possible threats you face with a breach of privacy. Here are a few examples.

Journalist
High Wealth Individual
Politician
Political activist/dissident
Gun owner
Anyone living in an oppressive nation state
Employee with access to valuable information
Single adult
Someone leaving an abusive relationship
Parent

I could list many more but I hope you get the idea. The average person with modest means living in a relatively free nation has a very different set of risks than someone living in an oppressive nation. But, many of the same tools and approaches can help both decrease their risk.

Lets use the journalist example. A journalist might need to protect their privacy to varying degrees but I say a few threat would be.

Threats of violence
Impersonation
Swatting (Falsely reporting that there is a hostage situation to use SWAT teams as a weapon against a target.)
Doxing (Making private info like address and phone numbers public)
Hacking of phones/computers
Financial fraud

As you can see journalist must be very careful about their privacy. What about a young woman working at a large corporation. She's a professional in her late twenties living in an urban area. What are some of her risks?

Financial fraud
Stalking
Hacking of phones/computers
Exposing private data publicly
Identity theft

What about a red blooded American male gun owner. Maybe he has a license to carry a concealed weapon. Maybe he is very bold about his second amendment rights and likes to post photos on social media shooting guns and making bold statements. One day he's at the gas station and he witnesses an armed robbery taking place and decided to intervene. He stops the perpetrator by shooting and wounding them. What are his risks? For one an attorney for the perpetrator will use his content from social media to build a case against this man. Depending on the jury his social media activity as well as text messages could be used against him in court.

So what is your threat model? The Electronic Frontier Foundation has a one page PDF that walks through how do create a threat model. I would recommend going through the process. After you do that take a look at the items I list below. Don't get overwhelmed. Take it one step at a time based on your threat model.

Easy Steps Everyone Should Do

Use a password manager like Bitwarden and use a different password for each account you have.
Be selective about who you share information with. Push back when you are asked to supply personal information.
Use a secure messaging app like Signal instead of SMS, Facebook, Apple messages, or WhatsApp
Use a privacy preserving VPN service like Mullvad or iVPN when you are out and about on public WiFi.

Steps most people should take

Delete social media apps off your phone. You can still use these apps but do it from your computer.
Use a privacy respecting email provider like Proton mail instead of Gmail.

Advanced Steps

Use a privacy respecting phone running GrapheneOS or CalyxOS.
Use an email alias service like SimpleLogin.

There is much more you can do but these items are a good starting point.

view all related items

63 sats \ 2 replies \ @victorieeman 3 Aug 2023

Great post. I would add https://simplex.chat/ to the list. It's good with chat alternatives that don't require government influenced sim card numbers. Especially for Journalists

11 sats \ 1 reply \ @kepford OP 3 Aug 2023

I haven't got around to trying SimpleX chat yet. On my list. I keep hearing people recommend it. Based on what I have heard it sounds really good. The phone number requirement with Signal is a problem. Signal is one of the few secure options I've been able to get people in my life to use though.

10 sats \ 0 replies \ @victorieeman 4 Aug 2023

Give it a try! ^^ It got the early onboarding problem, as usual for these kinds of things, before the networking effect reached enough critical mass.

Best early use cases I can come to think of is: *Journalism *Family chats *Telegram replacement

Not needing to exchange personal contact info is great, and profiles within the app makes it safe to publicly share contact info without fear of spamming. Here I created a contact link for sharing on stacker news: https://simplex.chat/contact#/?v=1-2&smp=smp%3A%2F%2FenEkec4hlR3UtKx2NMpOUK_K4ZuDxjWBO1d9Y4YXVaA%3D%40smp14.simplex.im%2FvO9SwJHDbMb5lq-XPhMLFkH90Vf_F3_d%23%2F%3Fv%3D1-2%26dh%3DMCowBQYDK2VuAyEA15UhLUQOh2PRlLqT13PuG-aZtch6NUcSh56W-S46Q3c%253D%26srv%3Daspkyu2sopsnizbyfabtsicikr2s4r3ti35jogbcekhm3fsoeyjvgrid.onion

The long links I think look a bit scary to normies, but it is what it is. If I want to have another share link for another context, I can fix that within the app without dealing with new account registrations etc.

40 sats \ 2 replies \ @Public_N_M_E 4 Aug 2023

Question regarding proton mail @kepford do you suggest for a first time user setting up a proton mail address to use an alias or does it not matter?

I'm also looking into installing grapheneOS (ironically the recommended phones to use are Google phones 😂) but I'd had experience of zero Google life before (when I had a Huawei phone and Google stopped supporting it) it became very difficult for me to use any of the apps I wanted to use. Eg ESPN for my fantasy football with friends, sleeper (same thing different platforms) Pokémon Go as another example some features didn't work without connection to Google fit, which wouldn't work on a non Google supported phone. So degoogling is very much more difficult and a giant inconvenience. (That's part of the problem, they've made themselves so intertwined with our needs/wants that removing them is hard work) what's your experience of using apps like these on grapheneOS?

I've been trying to move my WhatsApp groups to signal and the resistance is just mad, for no other reason than they can't be arsed to do it and "we're already here may as well stay here" means I'm sitting on signal with no one using it 🤣 and end up right back on WhatsApp to continue chatting with friends. What arguements/quick points would you make to convince people who aren't against better privacy, but are generally lazy ass SOBs to move. Because I am absolutely done with Zuck and his lot.

As you may be able to tell, I am kinda new to this so please forgive my previous privacy disgression such as owning a Chinese spy device (Huawei P40, great phone, useless real world usage due to lack of Google functionality).

Thanks for your suggestions in the main post, I've taken a lot of them onboard.

1 sat \ 1 reply \ @kepford OP 4 Aug 2023

Are you meaning use an email address that doesn't use your real name or an alias for your real name? Honestly it just depends on what you are using it for. If you are using the address for friends and family and things attached to your real identity I guess you could use your real name for both. If you are are paying from proton with fiat you will have to use your real name as well for the billing I believe. However if you have a more private use then yeah use an alias.

The main difference between Proton and Gmail is that with Proton your email is encrypted at rest. Gmail reads your email to show you ads. Unless you use PGP or Proton's secure message feature the email is sent just like any other email service.

Also, you are of course trusting Proton or whoever you use for email. Email is not a secure messaging system. It can be more or less secure and private but it is important to understand the limitations.

As far as Graphene, yes they recommend the phones manufactured by Google. This is because of the hardware's quality and open design allowing for modifying the bootloader. These phones are high quality and as far as we know they are not compromised. Google does their tracking in the OS and apps and they do a ton of it.

Hope that helps. Others can add to what I have here I'm sure.

10 sats \ 0 replies \ @Public_N_M_E 4 Aug 2023

Thank you for your response and advice. I've found it all very helpful. Much appreciated.

Ofcourse as you mentioned there are always limitations to just how private you can be. But like you also said. At least proton isn't reading my mail to show me ads. Or reading my mail at all really.

43 sats \ 3 replies \ @Bear 3 Aug 2023

I would mention KeePass that is open source and doesn't require an email.

18 sats \ 2 replies \ @kepford OP 3 Aug 2023

I haven't tried KeePass yet. Do you think it is accessible to the less technical folks?

23 sats \ 0 replies \ @Bear 3 Aug 2023

Yes I use keepass xc on windows and Linux and Keepass2Android on the phone.

0 sats \ 0 replies \ @Hypnagog 4 Aug 2023

Keepass is on fdroid app market and 100% free safe and open source. Fdroid is my go to source for apps now, I got there before google or anything else to see of there's an open source app for anything

31 sats \ 1 reply \ @Hypnagog 3 Aug 2023

I love this thread, thanks for posting. I'm fully aware the most used argument for privacy is hacking and theft, but for me its 100% about government censorship. Democracy needs a free society in order to thrive. ... The more a citizenship knows about its government, the more you get democracy... The more a government knows abouts its citizens, the more you have tyrany.

Privacy is at a fundamental crossroads and is under threat. I really wish more people woke up to this point!

0 sats \ 0 replies \ @kepford OP 3 Aug 2023

Yes, state actors are the most dangerous and abuse our privacy in many ways. A part of reclaiming your freedom is getting a handle on your privacy from both state, business, and individual attackers.

23 sats \ 1 reply \ @l0k18 3 Aug 2023

I want to just add that cult manipulation techniques usually include the stripping of privacy from of victims, particularly in the form of public confession.

"If you have done nothing wrong, you have nothing to hide" is an example of the false premise of a cult manipulator. Oh, where else did I hear that one? On the TV news?

I seem to recall it being used as a way to sell millimetre wave weapons detection systems, which essentially show you naked. Like how a cult manipulator induces confession.

They think because they use mind control and it's not about an overt cult of personality that the same psychological manipulation isn't taking place, oh, cult busters wouldn't go after the mainstream media????!!!!

Mind control is just hypnosis via media. The panic of War of the Worlds predates television and we are supposed to believe that the media is not still engaged in hoaxing.

The whole reason they were able to stop the whole world for practically two years was because they are so practised at hoaxing that still nobody has been arrested, even though the body count is epic.

100 sats \ 0 replies \ @Public_N_M_E 4 Aug 2023

I always hated "if you've done nothing wrong, you've got nothing to hide.". Nope how about. "I've done nothing wrong so you have no grounds on which to investigate me, so you don't need access to my information". If you're asking questions about me then you suspect something's wrong. What ever happened to innocent until proven guilty. Investigate first is assume guilty prove innocence.

10 sats \ 0 replies \ @ssaurel 3 Aug 2023

The problem of privacy is the same as that of freedom.

Everyone takes it for granted until it's too late because it has been stolen by the powerful at the head of today's system.

The reality is that the right to privacy is a daily battle, and we must never let up.

10 sats \ 6 replies \ @mallardshead 3 Aug 2023

Solid. Been thinking about this more lately and researching some of the tools you mentioned. Hardened email is a given. VPN's are great. I forgot about deleting the apps entirely and going browser. Graphene I'm really considering as my next phone/OS.

Chilling point there about typing something into Google before backing out... That's all of us, and we felt that line; it's such a damn habit for some, and until Chrome is deleted and a privacy browser front and center with DuckDuck et al as the home page... Keep hammering the privacy brother. Never gets old.

34 sats \ 4 replies \ @l0k18 3 Aug 2023

DuckDuckGo has long now confessed to taking instructions on its search engine results.

I use Brave's search primarily now. Brave also has a semi-centralised, 25 word key for syncing between multiple instances of Brave (mobile, desktop, etc). I had mine breached a few months ago, definitely a good idea to roll over the thing every few months and strip out logins you aren't using any more, or better still, give them strong, long passwords and then delete them from your password manager (brave has one built in, that can be part of the sync).

I remember it wasn't that long ago there was a thing called "sailfish OS" whatever happened to that? Is that what became Graphene?

I haven't studied it closely because since about Android 8 or so, it's virtually impossible to find a non-google device that can be reflashed with an alternative OS ROM (I ran Cyanogen in the past on several devices). Rooted one of my motorola devices and all I won out of that was it being impossible to install DRM dependent "trusted" apps like banking wallets.

I don't even want a phone. In the future I will get a dump phone, I mean, an old, GSM only nokia or something, and stop all possible phone 2FA usage and switch it over to TOTP and FIDO2.

30 sats \ 3 replies \ @mallardshead 3 Aug 2023

Going to install and try Brave. I probably should have already. I've used Yubikeys for awhile and definitely would recommend them. @siggy47 has a great series on his Graphene OS experience.

20 sats \ 2 replies \ @l0k18 3 Aug 2023

It's based on the chrome engine but they have forked a lot of core elements now too. The only downside to the thing is the shitcoin pimping their stupid BAT. It's easy to disable the buttons for the wallet and BAT "rewards" though.

10 sats \ 1 reply \ @mallardshead 3 Aug 2023

You just made me realize with the BAT shitcoin that I was thinking Brave was Impervious. Mixed them up. I actually meant Impervious. Any opinions on that?

30 sats \ 0 replies \ @l0k18 3 Aug 2023

Impervious seems to be mainly trying to launch a platform for DIDs. They aren't so much focused on privacy.

That project got off on a bad foot with me, with ToS claiming copyright of content published through the browser. They walked that back but that was too much for me.

10 sats \ 0 replies \ @kepford OP 3 Aug 2023

Thanks. I have more planned.

21 sats \ 3 replies \ @frostdragon 3 Aug 2023

It’s interesting that privacy gets brought up so much in bitcoin circles like this one. Not that this post talks about bitcoin, but I want to point out a couple of things:

Bitcoin doesn’t solve the privacy problem. It’s a public ledger, and the hoops you’d need to jump through to avoid being detected by digital forensics are massively extreme, if not impossible for most people

We need to think about the internet differently. If you want privacy, get off the internet. There are things you can do to help cover your tracks, and that’s where this post is helpful, but it’s important to acknowledge that this isn’t a complete fix.

For example, VPN’s aren’t a complete fix. First off, your traffic is already encrypted without a VPN, and the only thing an attacker in the same network can view is the domain of the website you’re visiting. If that’s concerning to you, you should be aware that by using a VPN, you’re giving that info to them instead. It’s still a trust relationship, and if you have trust in their integrity, you also have to have trust that their cyber security and grasp on complex cryptographic protocols is bullet proof (spoiler alert, it’s not).

And - even with a VPN - that traffic is still going somewhere. You’re almost certainly interacting with a server and database controlled by someone you can’t fully trust to keep your data safe.

Yes - do what you can to mitigate this stuff - use a password manager, etc.

But think of it this way - everything you send or receive over the internet is going or coming from somewhere you can’t fully trust.

We need to think about the internet differently. Complete internet privacy is all but non-existent.

0 sats \ 2 replies \ @kepford OP 3 Aug 2023

You make some good points. There are tons of tradeoffs. You cannot use the Internet with bullet proof privacy. I can't go out of my house without breaking privacy. This is why you have to start with your risk profile first. Many people I have talked to about privacy that are knowledgeable about things you describe have just given up. Their mindset is what is the point. That's defeatist and we have to be careful to find the line of making priorities and being honest about the effectiveness of our efforts.

30 sats \ 1 reply \ @frostdragon 3 Aug 2023

Yeah, definitely don’t want to be defeatist, but I don’t see transitioning our lives off the internet as defeatism.

There are things you can do to help privacy online, and everyone should do those things. I just think the default mindset should be “if it’s on the internet, it’s likely not private”, and adjust their interactions with it accordingly.

0 sats \ 0 replies \ @kepford OP 3 Aug 2023

I don't think getting offline is defeatist. I was saying people that hear things like that often become defeatist. As if privacy is a boolean. Either you use a phone or the Internet or you have privacy. Privacy isn't yes/no. If people can disconnect I don't consider that defeatism.

0 sats \ 0 replies \ @watchmancbiz 30 Mar

This is a GREAT write-up. Would you mind if I published it on Eternal Affairs Media? we're always looking for really great content. It's hard to come by like this! I'd actually like to talk to you if you'd like to reach out to me!! WE NEED WRITERS!! 🤗

0 sats \ 0 replies \ @Tjacten 8 Aug 2023

Manyverse is a good privacy app. Its like twitter, but its decentralised and does not require email to login. Another app that I like is Gadgetbridge, an app that uses some compatible tracking devices such as some smartwatches which keeps your health fit goals private by intercepting it.

0 sats \ 0 replies \ @kepford OP 3 Aug 2023

FWIW I've been using CalyxOS for almost two years I think, before that I was on Graphene. Considering going back to Graphene to give it another try as I have heard it has improved and I've narrowed my needs from a phone.

If you want to have more privacy obviously the best option is no internet or phone but for most folks the trade off is just not worth it.

0 sats \ 1 reply \ @0260378aef 3 Aug 2023

I've never understood why people are so enamoured with the Hughes quote, I think it actually doesn't help at all. See the last paragraph I wrote here: #166329

For me the key narrative that keeps getting missed is it's not really about what you might be ashamed of. It's about your personal security, which is to say it's ultimately about the power others may be able to exert over you. So think cameras in your driveway that a hacker/thief might use to know when they can safely rob your house, not cameras in your bathroom (both valid examples, but only one really matters).

I expand on the point about power in the above post.

0 sats \ 0 replies \ @l0k18 3 Aug 2023

The root of all power is the control of information, and the narrative justifying it. I haven't read the whole thing yet, but most of the first 15 or so of the "48 Laws of Power" by Robert Greene, these elements all hinge upon controlling perception and poisoning/restricting information flow. The Art of War by Sun Tzu also repeatedly dwells on the point of controlling perception - to seek to always appear the opposite to the real internal state, makes the enemy always step wrong.

This also brings up the whole game theory part of it, and that is why one of the key acts of a manipulator is to demand the victim become psychically naked using public confession. It creates a false sense of membership that the gullible normies don't even realise is motivating them.

I think that if you are in a position where you are justifying it to someone who is trying to exert power over you, you are already within the primary parts of the cage they are making for your mind. First rule of privacy is that none should know a secret that gives them control of property they have not honestly acquired.

10 sats \ 0 replies \ @Ahmed131901 7 Aug 2023

I think privacy matter too but in nowadays developpements and rechnology achievements it is somewhat get the sens of just a theory.