How to reduce corporate spying

on me, hopefully


Threat model: I think that perhaps massive corporate data collection is an empire of oily rags which threatens governance, or perhaps just leads to strangers knowing too much about my doctor appointments, my mental health, and where my kids are, or indeed lets anyone find me who knows my number. I regard social media as a new pollution the we have not yet regulated. I want to risk the amount of this ambient data pollution I emit so that businesses who feed upon it cannot be so prey upon me so.

I don’t feel like doing gratis market research for large multinationals, spilling my friends’ secrets, or facilitating media weaponization.

Good. We can mitigate that kind data leakage, and many steps are incredibly easy, so it would be embarrassing not to really.

Start with basic computer security

See how to reduce cyber crime.

Is macOS spyware?

Jeffrey Paul: Your Computer Isn’t Yours:

On modern versions of macOS, you simply can’t power on your computer, launch a text editor or eBook reader, and write or read, without a log of your activity being transmitted and stored.

It turns out that in the current version of the macOS, the OS sends to Apple a hash (unique identifier) of each and every program you run, when you run it. … This means that Apple knows when you're at home. When you're at work. What apps you open there, and how often. …

”Who cares?” I hear you asking.

Well, it’s not just Apple. This information doesn’t stay with them:

  1. These OCSP requests are transmitted unencrypted. Everyone who can see the network can see these, including your ISP and anyone who has tapped their cables.
  2. These requests go to a third-party CDN run by another company, Akamai.
  3. Since October of 2012, Apple is a partner in the US military intelligence community’s PRISM spying program, which grants the US federal police and military unfettered access to this data without a warrant, any time they ask for it. In the first half of 2019 they did this over 18,000 times, and another 17,500+ times in the second half of 2019.

This data amounts to a tremendous trove of data about your life and habits, and allows someone possessing all of it to identify your movement and activity patterns.

They do not learn everything about your computer by doing this, but also they probably learn more than they should about your computer this way. If you want an app which verifies executables by checking them against a list, which is what many antivirus programs effectively do, then is this better or worse than the existing approaches? I do not really know. Is your identity tied to this data? etc.

Which apps should I allow to use my voice?

The voice assistants have given us no reason to trust them. Be wary.

Which apps should I allow to track my location?

As few as possible. The New Your times interactive on the 2019 state of the art is grim indeed and has all kinds of implications for how people’s lives might be controlled. Relevant: contact tracing

Social networks

Do not trust anything Facebook does or says. They are a Spyware vendor. The same goes for Instagram, Google, TikTok etc.

But you need to watch your mum’s bread baking on Facebook. I get it.

See social media if you must.

VPNs and encrypted networks

See VPNs etc.

Browsers

The browser mediates a large portion of my interaction with the internet, so I should make sure it is ship shape.

Blacklight realtime privacy inspector. I Scanned the Websites I Visit with Blacklight, and It’s Horrifying. Now What?

  • Brave is a browser which claims to eliminate most tracking except for consensual-opt-in privacy-compatible tracking. I have many questions about that, but it is worth a try.
  • Privacy possum aims to be a successor to Privacy Badger which is more aggressive and (the creator argues) remedies certain shortcoming in Privacy Badger. The argument is something like “let us raise the cost of tracking people” and consider ourselves successful if it is probably too expensive to bother.
  • ClearURLs removes tracking crap from your URLs
  • Privacy badger is an open source non-profit low-configuration blocker of tracking advertisers
  • ublock origin offers fancy script blocking for the obsessive compulsive.
  • scriptsafe offers aggressive no frills script blocking.
  • The browser plugs suite comprises various browser plugs that hinder fingerprinting of the unique features of your browser.
  • Fuzzify automates and monitors clicking on the "delete my ad data" button in facebook.
  • HTTPS everywhere is vexing. It is a mass of code that plasters over certain security holes caused by the continued existence of HTTP-versus-Secure-HTTP. Every browser should implement this functionality, of being secure by default instead of writing your passwords on the lawn in big letters any time someone asks. That’s why it’s annoying that you have to install a plugin to make it work. And, worse, a horribly memory-hungry plugin. This is being gradually rendered irrelevant by some network technology called HSTS; hopefully we can forget it soon.
  • adblock plus and ublock origin reduce the number of tracking services which can view us online. I really need to tidy the info about these up a bit and explain, because they are so simple and so useful. However, they may be an endangered species.
  • torbrowser bundles all the ad-blocking conceivable, although it also makes browsing unpleasant and slow. There is some kind of lesson there.
  • Ghostery disables most of the social media spyware, although its a little opaque.

Chaff

Left-field solution idea : Obfuscate your activity. Get your browser to do meaningless nonsense that obscure the patterns.

Random noise extensions attempt to make your browsing data useless to trackers by making your browser mindlessly visit lots of nonsense sites, thus confusing the paper trail. noiszy does this for browsing. trackmenot does this for search queries. AdNauseam

AdNauseam works to complete the cycle by automating ad clicks universally and blindly on behalf of its users. Built atop uBlock Origin, AdNauseam quietly clicks on every blocked ad, registering a visit on ad networks’ databases. As the collected data gathered shows an omnivorous click-stream, user tracking, targeting and surveillance become futile. Read more about AdNauseam in this paper.

Browser containers

Firefox multi-user-containers are one low friction option; they compartmentalise our different online activities from each other so that each website lives in its own solipsist universe.

One could probably cobble together something similar for Chrome using multiple users, but that sounds boring. The Firefox solution is simpler. If you cannot use Firefox Containers, the below solutions might help.

Single Site Browser

I could use a Single-site browser to access Facebook because

  • Otherwise Facebook would know even more about me than they do
  • Facebook is a blackhole of timewaste that I don’t want to browse to by accident, so I should make it slightly more difficult for myself.

You can do this too, for social media, or for whatever other website you wish to.

Searching engines

You don’t want large search businesses to know what you are searching for?

  • Startpage repackages Google search results AFAIK anonymously.
  • so does runaroo
  • duckduckgo is a search engine that repackages… Yahoo searches (?). They are strident privacy advocates which is laudable I s’pose.
  • Qwant promises to forget user data rapidly. There is not a lot of organisational transparency on their privacy guarantees AFAICS.
  • search encrypt also claims to great privacy via encryption in the Perfect Forward Secrecy mode. Presumably this is supposed to prevent them from assembling a history of my searches? They do not explain exactly whom they wish to protect my search queries from, nor tell me how I would verify their claims.
  • The searx family is a network of metasearch engine portals with the aim of protecting the privacy of users. Searx does not share users IP addresses or search history with the search engines from which it gathers results. Tracking cookies served by the search engines are blocked etc. The flagship instance is searx.me but there are many user-operated ones, since it is open source. Advanced: run your own DIY search anonymiser on your own server.
  • Disconnect anonymises other search engines from their servers. Seems to have become unreliable for me?

trackmenot is an interesting alternate solution — it generates random nonsense search queries on search engines to muddy user profiling, much like noiszy, mentioned below, does for news consumption. I would be curious to know how effective that is, or even how one would discover how effective that is.

Minimising tracking of your online purchases

Whole other complicated story, 🏗 I think worth doing. Consider what Amazon knows about you.

In addition to knowing what people buy, Amazon also knows where people live, because they provide delivery addresses, and which credit cards they use. It knows how old their children are from their baby registries, and who has a cold, right now, from cough syrup ordered for two-hour delivery. And the company has been expanding a self-service option for ad agencies and brands to take advantage of its data on shoppers.

If you would like to avoid amazon tracking you, the way you do that is you do not use Amazon. Here is a list of non-Amazon online shopping. Some of these shops probably track you also, but the fact that there are many services means that none of them tracks every single purchase like Amazon does means that there is less information about to for any one entity to monetise. The calculus of privacy here is up to you of course; Is it worse if many organisations know more about you in separate domains or if one knows everything about you? I tend to the latter, plus also I am concerned that Amazon is a badly-behaved monopoly, but YMMV. FWIW I shop using a mix of retailers, with lean towards Ebay as my fallback option, but direct-from-supplier where possible. I uses depop to find recycled fashion and abebooks to find

Chat

See chat.

Email

See email.

Money

See transferring money.

Synchronising files

See Synchronising files.

Going deeper

You should be approximately aware of the nasty things that people can and will do to your computer. Don’t do them yourself.

Getting old school


Warning! Experimental comments system! If is does not work for you, let me know via the contact form.

No comments yet!

GitHub-flavored Markdown & a sane subset of HTML is supported.