- Start with basic computer security
- Is macOS spyware?
- Which apps should I allow to use my voice?
- Which apps should I allow to track my location?
- Social networks
- VPNs and encrypted networks
- Search engines
- Minimising tracking of your online purchases
- Synchronising files
- Internet of things
- Going deeper
- Getting old school
Threat model: I think that perhaps massive corporate data collection is an empire of oily rags which threatens democracy, or perhaps just leads to strangers knowing too much about my doctor appointments and where my kids are, or indeed lets anyone find me who knows my number. I regard social media as a new pollution the we have not yet regulated. I want to risk the amount of this ambient data pollution I emit so that businesses who feed upon it cannot be so prey upon me so.
I don’t feel like doing gratis market research for large multinationals, spilling my friends’ secrets, or facilitating Cambridge Analytica voter manipulation.
Good. We can mitigate that kind data leakage damage, and many steps are so easy that we may as well.
Start with basic computer security
Is macOS spyware?
On modern versions of macOS, you simply can’t power on your computer, launch a text editor or eBook reader, and write or read, without a log of your activity being transmitted and stored.
It turns out that in the current version of the macOS, the OS sends to Apple a hash (unique identifier) of each and every program you run, when you run it. … This means that Apple knows when you're at home. When you're at work. What apps you open there, and how often. …
"Who cares?" I hear you asking.
Well, it’s not just Apple. This information doesn’t stay with them:
- These OCSP requests are transmitted unencrypted. Everyone who can see the network can see these, including your ISP and anyone who has tapped their cables.
- These requests go to a third-party CDN run by another company, Akamai.
- Since October of 2012, Apple is a partner in the US military intelligence community’s PRISM spying program, which grants the US federal police and military unfettered access to this data without a warrant, any time they ask for it. In the first half of 2019 they did this over 18,000 times, and another 17,500+ times in the second half of 2019.
This data amounts to a tremendous trove of data about your life and habits, and allows someone possessing all of it to identify your movement and activity patterns.
Which apps should I allow to use my voice?
The voice assistants have given us no reason to trust them. Be wary.
Which apps should I allow to track my location?
VPNs and encrypted networks
See VPNs etc.
The browser mediates a large portion of my interaction with the internet, so I should make sure it is ship shape.
- Brave is a browser which claims to eliminate most tracking except for consensual-opt-in privacy-compatible tracking. I have many questions about that, but it is worth a try.
- Privacy possum aims to be a successor to Privacy Badger which is more aggressive and (the creator argues) remedies certain shortcoming in Privacy Badger. The argument is something like “let us raise the cost of tracking people” and consider ourselves successful if it is probably too expensive to bother.
- Privacy badger is an open source non-profit low-configuration blocker of tracking advertisers
- ublock origin offers fancy script blocking for the obsessive compulsive.
- scriptsafe offers aggressive no frills script blocking.
- The browser plugs suite comprises various browser plugs that hinder fingerprinting of the unique features of your browser.
- Fuzzify automates and monitors clicking on the "delete my ad data" button in facebook.
- HTTPS everywhere is vexing. It is a mass of code that plasters over certain security holes caused by the continued existence of HTTP-versus-Secure-HTTP. Every browser should implement this functionality, of being secure by default instead of writing your passwords on the lawn in big letters any time someone asks. That’s why it’s annoying that you have to install a plugin to make it work. And, worse, a horribly memory-hungry plugin. This is being gradually rendered irrelevant by some network technology called HSTS; hopefully we can forget it soon.
- adblock plus and ublock origin reduce the number of tracking services which can view us online. I really need to tidy the info about these up a bit and explain, because they are so simple and so useful. However, they may be an endangered species.
- torbrowser bundles all the ad-blocking conceivable, although it also makes browsing unpleasant and slow. There is some kind of lesson there.
- Left-field solution idea automate the browser do stuff randomly in order to hide what you do deliberately. Random noise extensions attempt to make your browsing data useless to trackers by making your browser mindlessly visit lots of nonsense sites, thus confusing the paper trail. noiszy does this for browsing. trackmenot does this for search queries.
- Ghostery disables most of the social media spyware, although its a little opaque.
Firefox multi-user-containers are one low friction option; they compartmentalise our different online activities from each other so that each website lives in its own solipsist universe.
One could probably cobble together something similar for Chrome using multiple users, but that sounds boring. The Firefox solution is simpler. If you cannot use Firefox Containers, the below solutions might help.
Single Site Browser
I could use a Single-site browser to access Facebook because
- Otherwise Facebook would know even more about me than they do
- Facebook is a blackhole of timewaste that I don’t want to browse to by accident, so I should make it slightly more difficult for myself.
You can do this too, for social media, or for whatever other website you wish to.
Epichrome (macOS): An application (Epichrome.app) and Chrome extension (Epichrome Helper) to create and use Chrome-based SSBs on Mac macOS. So, full Chrome, custom configuration. Here is a walk-through.
The Browser UI is very minimal, just a toolbar (with site tabs) that disappears in Full-Screen mode.
MacPin apps are shown in macOS’s Dock, App Switcher, and Launchpad.
Custom URL schemes can also be registered to launch a MacPin App from any other app on your Mac.
So, minimal browserlets.
You don’t want large search businesses to know what you are searching for?
- Startpage repackages Google search results AFAIK anonymously.
- so does runaroo
- duckduckgo is a search engine that repackages… Yahoo searches (?). They are strident privacy advocates which is laudable I s’pose.
- Qwant promises to forget user data rapidly. There is not a lot of organisational transparency on their privacy guarantees AFAICS.
- search encrypt also claims to great privacy via encryption in the Perfect Forward Secrecy mode. Presumably this is supposed to prevent them from assembling a history of my searches? They do not explain exactly whom they wish to protect my search queries from, nor tell me how I would verify their claims.
- The searx family is a network of metasearch engine portals with the aim of protecting the privacy of users. Searx does not share users IP addresses or search history with the search engines from which it gathers results. Tracking cookies served by the search engines are blocked etc. The flagship instance is searx.me but there are many user-operated ones, since it is open source. Advanced: run your own DIY search anonymiser on your own server.
- Disconnect anonymises other search engines from their servers. Seems to have become unreliable for me?
trackmenot is an interesting alternate solution — it generates random nonsense search queries on search engines to muddy user profiling, much like noiszy, mentioned below, does for news consumption. I would be curious to know how effective that is, or even how one would discover how effective that is.
Minimising tracking of your online purchases
Whole other complicated story, 🏗 I think worth doing. Consider what Amazon knows about you.
In addition to knowing what people buy, Amazon also knows where people live, because they provide delivery addresses, and which credit cards they use. It knows how old their children are from their baby registries, and who has a cold, right now, from cough syrup ordered for two-hour delivery. And the company has been expanding a self-service option for ad agencies and brands to take advantage of its data on shoppers.
If you would like to avoid amazon tracking you, the way you do that is you do not use Amazon. Here is a list of non-Amazon online shopping. Some of these shops probably track you also, but the fact that there are many services means that none of them tracks every single purchase like Amazon does means that there is less information about to for any one entity to monetise. The calculus of privacy here is up to you of course; Is it worse if many organisations know more about you in separate domains or if one knows everything about you? I tend to the latter, plus also I am concerned that Amazon is a badly-behaved monopoly, but YMMV. FWIW I shop using a mix of retailers, with lean towards Ebay as my fallback option, but direct-from-supplier where possible. I uses depop to find recycled fashion and abebooks to find
See transferring money.
See Synchronising files.
Internet of things
You should be approximately aware of the nasty things that people can and will do to your computer. Don’t do them yourself.
Getting old school