- Start with basic computer security
- Is macOS spyware?
- Which apps should I allow to use my voice?
- Which apps should I allow to track my location?
- Social networks
- VPNs and encrypted networks
- Searching engines
- Minimising tracking of your online purchases
- Synchronising files
- Internet of things
- Going deeper
- Getting old school
Threat model: I think that perhaps massive corporate data collection is an empire of oily rags which threatens governance, or perhaps just leads to strangers knowing too much about my doctor appointments, my mental health, and where my kids are, or indeed lets anyone find me who knows my number. I regard social media as a new pollution the we have not yet regulated. I want to risk the amount of this ambient data pollution I emit so that businesses who feed upon it cannot be so prey upon me so.
I don’t feel like doing gratis market research for large multinationals, spilling my friends’ secrets, or facilitating media weaponization.
Good. We can mitigate that kind data leakage, and many steps are incredibly easy, so it would be embarrassing not to really.
Start with basic computer security
Is macOS spyware?
On modern versions of macOS, you simply can’t power on your computer, launch a text editor or eBook reader, and write or read, without a log of your activity being transmitted and stored.
It turns out that in the current version of the macOS, the OS sends to Apple a hash (unique identifier) of each and every program you run, when you run it. … This means that Apple knows when you’re at home. When you’re at work. What apps you open there, and how often. …
”Who cares?” I hear you asking.
Well, it’s not just Apple. This information doesn’t stay with them:
- These OCSP requests are transmitted unencrypted. Everyone who can see the network can see these, including your ISP and anyone who has tapped their cables.
- These requests go to a third-party CDN run by another company, Akamai.
- Since October of 2012, Apple is a partner in the US military intelligence community’s PRISM spying program, which grants the US federal police and military unfettered access to this data without a warrant, any time they ask for it. In the first half of 2019 they did this over 18,000 times, and another 17,500+ times in the second half of 2019.
This data amounts to a tremendous trove of data about your life and habits, and allows someone possessing all of it to identify your movement and activity patterns.
They do not learn everything about your computer by doing this, but also they probably learn more than they should about your computer this way. If you want an app which verifies executables by checking them against a list, which is what many antivirus programs effectively do, then is this better or worse than the existing approaches? I do not really know. Is your identity tied to this data? etc.
Which apps should I allow to use my voice?
The voice assistants have given us no reason to trust them. Be wary.
Which apps should I allow to track my location?
VPNs and encrypted networks
See VPNs etc.
The browser mediates a large portion of my interaction with the internet, so I should make sure it is ship shape.
- Brave is a browser which claims to eliminate most tracking except for consensual-opt-in privacy-compatible tracking. I have many questions about that, but it is worth a try.
- Privacy possum aims to be a successor to Privacy Badger which is more aggressive and (the creator argues) remedies certain shortcoming in Privacy Badger. The argument is something like “let us raise the cost of tracking people” and consider ourselves successful if it is probably too expensive to bother.
- ClearURLs removes tracking crap from your URLs
- Privacy badger is an open source non-profit low-configuration blocker of tracking advertisers
- ublock origin offers fancy script blocking for the obsessive compulsive. NB: It works best on firefox. That essay is also an intersting insight into various superios firefox features.
- scriptsafe offers aggressive no frills script blocking.
- The browser plugs suite comprises various browser plugs that hinder fingerprinting of the unique features of your browser.
- Fuzzify automates and monitors clicking on the “delete my ad data” button in facebook.
- HTTPS everywhere is vexing. It is a mass of code that plasters over certain security holes caused by the continued existence of HTTP-versus-Secure-HTTP. Every browser should implement this functionality, of being secure by default instead of writing your passwords on the lawn in big letters any time someone asks. That’s why it’s annoying that you have to install a plugin to make it work. And, worse, a horribly memory-hungry plugin. This is being gradually rendered irrelevant by some network technology called HSTS; hopefully we can forget it soon.
- adblock plus and ublock origin reduce the number of tracking services which can view us online. I really need to tidy the info about these up a bit and explain, because they are so simple and so useful. However, they may be an endangered species.
- torbrowser bundles all the ad-blocking conceivable, although it also makes browsing unpleasant and slow. There is some kind of lesson there.
- Ghostery disables most of the social media spyware, although its a little opaque.
Left-field solution idea : Obfuscate your activity. Get your browser to do meaningless nonsense that obscure the patterns. I would be curious to know how effective that is, or even how one would discover how effective that is. Certainly I can imagine some strategies for an adversary to minimise the usefulness of this method.
Random noise extensions attempt to make your browsing data useless to trackers by making your browser mindlessly visit lots of nonsense sites, thus confusing the paper trail. noiszy, mentioned below, does for news consumption. trackmenot does this for search queries. AdNauseam is the latest one:
AdNauseam works to complete the cycle by automating ad clicks universally and blindly on behalf of its users. Built atop uBlock Origin, AdNauseam quietly clicks on every blocked ad, registering a visit on ad networks’ databases. As the collected data gathered shows an omnivorous click-stream, user tracking, targeting and surveillance become futile. Read more about AdNauseam in this paper.
“Private Browsing mode revised and improved”. Firefox multi-user-containers are one low friction option; they compartmentalise our different online activities from each other so that each website lives in its own solipsist universe. These have obvious privacy implications — keep all your sites isolated from one another! Why does google need to know about your facebook usage? They are also generally useful.
Single Site Browser
I could use a Single-site browser for spyware sites such as Facebook. because
- Otherwise Facebook would know even more about me than they do
- Facebook is a blackhole of timewaste that I don’t want to browse to by accident, so I should make it slightly easier to segregate that activity from other ones.
You can do this too, for social media, or for whatever other website you wish to.
nativefier/nativefier: Make any web page a desktop application is I think the mos popular method currently? Cross platform.
Epichrome (macOS): An application (Epichrome.app) and Chrome extension (Epichrome Helper) to create and use Chrome-based SSBs on Mac macOS. So, full Chrome, custom configuration. Here is a walk-through.
The Browser UI is very minimal, just a toolbar (with site tabs) that disappears in Full-Screen mode.
MacPin apps are shown in macOS’s Dock, App Switcher, and Launchpad.
Custom URL schemes can also be registered to launch a MacPin App from any other app on your Mac.
So, minimal browserlets.
There are more manual methods.
You don’t want large search businesses to know what you are searching for?
- Startpage repackages Google search results AFAIK anonymously.
- so does runaroo
- duckduckgo is a search engine that repackages… Yahoo searches (?). They are strident privacy advocates which is laudable I s’pose. The search is… OK. Usually not as good as google. Every now and again it is serendipitously wonderful, but this cannot be relied upon.
- Qwant promises to forget user data rapidly. There is not a lot of organisational transparency on their privacy guarantees AFAICS.
- search encrypt also claims to great privacy via encryption in the Perfect Forward Secrecy mode. Presumably this is supposed to prevent them from assembling a history of my searches? They do not explain exactly whom they wish to protect my search queries from, nor tell me how I would verify their claims.
- The searx family is a network of metasearch engine portals with the aim of protecting the privacy of users. Searx does not share users IP addresses or search history with the search engines from which it gathers results. Tracking cookies served by the search engines are blocked etc. The flagship instance is searx.me but there are many user-operated ones, since it is open source. Advanced: run your own DIY search anonymiser on your own server. I suspect this has some maintenance overhead as the search companies attempt to circumvent this circumvention of their business model. Effectively, you would be participating in an arms race.
- Disconnect anonymises other search engines from their servers. Seems to have become unreliable for me?
Minimising tracking of your online purchases
Whole other complicated story, 🏗 I think worth doing. Consider what Amazon knows about you.
In addition to knowing what people buy, Amazon also knows where people live, because they provide delivery addresses, and which credit cards they use. It knows how old their children are from their baby registries, and who has a cold, right now, from cough syrup ordered for two-hour delivery. And the company has been expanding a self-service option for ad agencies and brands to take advantage of its data on shoppers.
If you would like to avoid amazon tracking you, the way you do that is you do not use Amazon. Here is a list of non-Amazon online shopping. Some of these shops probably track you also, but the fact that there are many services means that none of them tracks every single purchase like Amazon does means that there is less information about to for any one entity to monetise. The calculus of privacy here is up to you of course; Is it worse if many organisations know more about you in separate domains or if one knows everything about you? I tend to the latter, plus also I am concerned that Amazon is a badly-behaved monopoly, but YMMV. FWIW I shop using a mix of retailers, with lean towards Ebay as my fallback option, but direct-from-supplier where possible. I uses depop to find recycled fashion and abebooks to find
See transferring money.
See Synchronising files.
Internet of things
You should be approximately aware of the nasty things that people can and will do to your computer. Don’t do them yourself.
Getting old school