Aside from my hiking ambitions, another goal for this year has been to develop some critical software and programming skills, many of which involve aspects of computer security. This has led me down a rabbit-hole of YouTube videos about online privacy, and I have some reflections on the things I’ve learned.
First of all, it’s important to note that economics applies to online privacy, because privacy has tradeoffs. Making your online interactions private takes a ridiculous amount of effort and education, and as such, it means that some actions have a larger marginal impact than others. This is really where you have to find the sweet-spot that works for you. Doing absolutely everything in your power to be absolutely anonymous online is known as going “full tin-hat”, and requires a critical degree of education in almost every aspect of computers and networking, as well as knowledge of hardware and probably psychology. It’s unfeasible for the vast majority of people. Moreover, it’s entirely possible for much of this effort to be wasted, considering the fact that the big Three Letter Agencies probably couldn’t care less about your edgy social tweets and tube searches.
That being said, most people can very profitably learn some of the basics. Things like not not putting all of your personal information on Facebook, reducing your app usage, clearing cookies, not being logged into Google when performing searches, reducing your dependence on “free” cloud services, etc, etc. I would even argue that basic operating system hardening techniques are valuable, like uninstalling programs you don’t need or want, in order to reduce your attack surface (unused binaries are exploits waiting to happen).
Of course, some people go beyond this, such as using a VPN, but this obscures your ip address from the destination host, not from the middle-men like your ISP. It helps prevent websites from advertising to you, or building a secret profile of you for advertising, but it won’t stop Big Brother from issuing a subpoena to your ISP, seeing what VPN you use, then issuing a subpoena to your VPN to see what sites you used. Unless, of course, you use a fancy service that erases your logs, but VPN companies have a reputation of saying they do this but not actually doing it, so pick your poison. You could use the Tor network, but it’s slow as hell (at least it was 10 years ago when I played around with it), there are attacks that have worked effectively against it, and at one point in time, in the early 2010s, doing a search for “Tor” put you on a special list (albeit a low-profile list, if I understand correctly).
If you assume that nothing you do online is truly private, you’re probably way ahead of the game. And TLS encryption only hides the body data of an http request, while the entire rest of the network protocols are technically exposed at some point [though I think I read something about DNS encryption? I don’t understand that one, yet]
So yeah, how deep do you want to go?
I think it matters to some extent, because all you have to do is say something stupid online at age 20 and it can be held against you by the Mob of Humanity 20 years later. Most people know that holding people to account for something they said 20 years ago is stupid, but if you haven’t been paying attention to the news, there is no shortage of stupid people in the world who will play dirty to bolster their own opinions. It’s also incredibly creepy to me when I buy something at WalMart that I rarely buy, only to see advertisements for such a thing on Facebook the next day, even when I don’t use the Facebook app on my phone and have the setting specifically set to not advertise to me based on the data Facebook has. Yeah, that was creepy. These big tech companies are all in cahoots, and they sell your data back and forth constantly. Facebook’s new Terms of Service even said they might collect outside data about what you buy. It’s really pretty disturbing.
So yeah, I think privacy is a good thing.
Nonetheless, how far do I want to go down the rabbit hole? One YouTuber mentioned that if you really want to go full tin-hat, you need to be able to understand all the elements of your motherboard to ensure nothing spooky was added, because this has actually happened before, I think to a foreign government. A big order went out to some large manufacturer, but the products they receive had an extra little something built into the hardware. Great. But the chance that Dell is going to spike your new laptop is pretty slim unless you’re a foreign politician, so, again, how deep do you want to go?
I for one am considering switching back to Linux. Windows 10 sends data and you can’t stop it, and Windows 11 sends even more data and tries to bully people into setting up a Microsoft account. It doesn’t matter if you can log out after that first login, they have a record of you owning that computer and can sink their tendrils in from there. Fuck Microsoft. I only use Windows because I’m familiar with it, it’s easy, and it’s often been necessary for work. I tried to be a Linux bro for a few years some time ago, but got really frustrated with a big distro update I did and gave up, but a little bit of sweat equity might have solved those problems, too. Quite frankly, I don’t actually use the computer for very much aside from the browser, a little bit of programming, a little bit of office-related stuff, and maybe Google Earth.
Personally, I don’t feel the need to go full-tin hat. But I am sick and tired of creepy advertisements turning up. I’m also sick and tired of the advertising business model of the internet and how companies skirt around privacy through tricky legal loopholes, which is the absolute, constant threat that these businesses pose: you can absolutely, never trust what they say, because it is designed to be deceitful. Sure, Google doesn’t actually sell your data, but they do expose it to advertisers and auction off ad space to companies based on your profile. This happens programmatically, so it’s almost seamless on the webpage, but make no mistake, they are making money off of their profile of you. This bothers me and I want to keep companies from collecting my data and building a profile of me.
I’m not one to rant against capitalism, but it’s pretty creepy that the largest tech companies in existence are all so profitable because they collect your information. Like, these companies help my investment values go up, but is that really a good thing? Do I really want these companies to succeed? In a sense, no. Fuck those guys. They shouldn’t be profiting off of people’s information, or at least, they should only be profiting commensurate with the value of the services they offer, a value which should be made clear to the end-user but never is.
Of course, I’m also learning more about networking to become a better software developer. It occurs to me that if you really want to be secure, you need think in terms of security existing at almost every level of the OSI model. Who you are exposed to at each level may differ, but make no mistake, you’re still exposed to someone.
Also…a cashless society is a dystopia waiting to happen.
Anyway, just some thoughts.
(On a side note, I think it’s smart to be in the habit of turning your phone off at various times. When I go to the store these days, I try to at least put my phone in airplane mode to prevent stores from tracking my movements in the store itself, information which can, believe it not, be used to advertise to you, or at least run analytics to improve store layout, meaning to get people to spend more. But if you have a legitimate security concern for which you turn your phone off but it’s the first time you’ve turned your phone off all year, that might be pretty conspicuous when the records are reviewed. Whereas, if you are simply in the habit of occasionally turning your phone off, it’s not so conspicuous. This could be valuable if you want to visit a remote coffee shop to make a donation to an organization that is, uh, disliked by powerful people [probably the only reason I would ever buy a cryptocurrency]. It also doesn’t hurt to have old laptops around that don’t have Bluetooth or a wifi card, but what do I know?)