How to reduce corporate spying

on me, hopefully

2018-12-11 — 2026-03-05

Wherein ambient data leakage is reduced by permissions, browsers, and networks, and wherein macOS app launches are noted by unencrypted OCSP hashes sent via Akamai, with purchases dispersed beyond Amazon.


Threat model: I think massive corporate data collection is an empire of oily rags which threatens governance, or just leads to strangers knowing too much about my doctor appointments, my mental health, and where my kids are, or indeed lets anyone find me who knows my number. I regard social media as a new pollution that we have not yet regulated. I want to reduce the amount of this ambient data pollution I emit so that businesses that feed on it cannot prey upon me.

I don’t feel like doing gratis market research for large multinationals, spilling my friends’ secrets, or facilitating media weaponization.

Good. We can mitigate that kind of data leakage. Many steps are incredibly easy, so it would be embarrassing not to, really.

This is old, and needs updating for the new wave of ubiquitous AI, networked surveillance cameras and so forth.

1 Start with basic computer security

See how to reduce cybercrime.

2 Is macOS spyware?

Jeffrey Paul: Your Computer Isn’t Yours:

On modern versions of macOS, you simply can’t power on your computer, launch a text editor or eBook reader, and write or read, without a log of your activity being transmitted and stored.

It turns out that in the current version of macOS, the OS sends to Apple a hash (unique identifier) of each and every program you run, when you run it. … This means that Apple knows when you’re at home. When you’re at work. What apps you open there, and how often. …

“Who cares?” I hear you asking.

Well, it’s not just Apple. This information doesn’t stay with them:

  1. These OCSP requests are transmitted unencrypted. Everyone who can see the network can see these, including your ISP and anyone who has tapped their cables.
  2. These requests go to a third-party CDN run by another company, Akamai.
  3. Since October of 2012, Apple is a partner in the US military intelligence community’s PRISM spying program, which grants the US federal police and military unfettered access to this data without a warrant, any time they ask for it. In the first half of 2019 they did this over 18,000 times, and another 17,500+ times in the second half of 2019.

This data amounts to a tremendous trove of data about your life and habits, and allows someone possessing all of it to identify your movement and activity patterns.

They do not learn everything about your computer this way, but they probably learn more than they should. If you want an app that verifies executables by checking them against a list, which is what many antivirus programs effectively do, is this better or worse than the existing approaches? I do not really know. Is your identity tied to this data? And so on.

3 Which apps should I allow to use my voice?

Voice assistants have given us no reason to trust them. Be wary.

4 Which apps should I allow to track my location?

As few as possible. The New York Times interactive on the 2019 state of the art is grim, and it has all kinds of implications for how people’s lives might be controlled. Relevant: contact tracing.

5 Social networks

Do not trust anything Facebook does or says. They are a spyware vendor. The same goes for Instagram, Google, TikTok, etc.

But you need to watch your mum’s bread baking on Facebook. I get it.

See social media if you must.

6 VPNs and encrypted networks

See VPNs etc.

7 Browsers

See browser confidentiality.

8 Search engines

See internet search.

9 Minimizing tracking of my online purchases

That’s a whole other complicated story. 🏗 I think it’s worth doing. Consider what Amazon knows about us.

In addition to knowing what people buy, Amazon also knows where people live, because they provide delivery addresses, and which credit cards they use. It knows how old their children are from their baby registries, and who has a cold, right now, from cough syrup ordered for two-hour delivery. And the company has been expanding a self-service option for ad agencies and brands to take advantage of its data on shoppers.

If we want to avoid Amazon tracking us, we should not use Amazon. Here is a list of non-Amazon online shops. Some of these shops probably also track us, but the fact that there are many services means that none of them track every single purchase like Amazon does. That means there is less information about us for any one entity to monetize. The calculus of privacy is up to us, of course. Is it worse if many organizations know more about us in separate domains, or if one organization knows everything about us? I worry more about one organization knowing everything about us. I am also concerned that Amazon is a badly behaved monopoly, but YMMV. FWIW I shop using a mix of retailers, leaning towards eBay as my fallback option, but direct-from-supplier where possible.

10 Chat

See chat.

11 Email

See email.

12 Money

See transferring money.

13 Synchronizing files

See synchronizing files.

14 Internet of things

There is no reason we should trust internet of things devices not to be spyware.

15 Going deeper

We should be roughly aware of the nasty things that people can and will do to our computers. Don’t do them yourself.

16 Getting old school

17 Incoming