Datafication, Phantasmagoria of the 21st Century


[HOW TO] Mitigating Tracking

This is from an exchange with a privacy and security expert friend. I am publishing his replies to my questions “as is” (no editing).

Many people ask me about tracking. What is it? Can we prevent it?

Meta/FB pixel and Google Analytics are the two most pervasive tracking tools that follow people all around the web. The vast majority of sites have either or both running silently in the background. And each can see down to the most minute detail everything a user does on a website – every link or page that gets clicked or accessed, your mouse movements, the data you enter into every form or text box or search bar, the credentials you input to sign up or register for a service, the time you spend viewing a certain piece of content on the site, and countless other things etc. (visit deviceinfo.me to see an example of all the little things a site can track and recognise about your computer).

And then all that data gets recorded and associated with your identity, on either a 100% precise “deterministic” basis (meaning FB or Google know you personally are the user), or on a “probabilistic” basis (when they don’t know for a fact it is you but can infer that it is likely you based on a range of clues/patterns).

Tracking is deterministic for most internet users (i.e. those not taking precautions to prevent and block tracking). Tracking is probabilistic for the small segment that actively try to mitigate against the tracking with various techniques (someone like me).

The goal for someone who cares and is operating in the probabilistic bucket is to actively thwart the tracking to the extent where FB/Google is unable to, with a good degree of confidence, link your identity to the given activity.

But there is otherwise no way to 100% prevent such tracking, to fully escape all deterministic and probabilistic tracking of your activity, other than not owning digital devices and never accessing the internet.

The most basic + doable + minimal pain actions to take to move oneself away from being in the deterministic bucket and into the probabilistic category are:

  1. Practice “browser isolation”, meaning use one browser exclusively for Facebook/Meta/Instagram + Google/Gmail things, and for nothing else. And then use another separate browser for all your other non-FB/Google internet activity. Key is to make sure you NEVER sign into your FB/Google/Gmail accounts on your non-FB/Google browser (as the moment this happens, FB/Google are able to immediately link that browser and all its future activity to your personal identity).
  2. Do NOT use Google Chrome Web browser as your non-FB/Google browser. Use Firefox or Brave Browser instead. And again, NEVER log into any FB/Google account on your Firefox/Brave browser (and try to avoid as much as possible even visiting any FB/Google products or websites on that browser).
  3. Install and activate the browser extension uBlock Origin in your non-FB/Google browser.
  4. Do not use Google Search in your non-FB/Google browser, and don’t go to Google to make searches. Use privacy alternatives like DuckDuckGo (www.duckduckgo.com) or Brave Search. This preference can be toggled in the browser settings.

Of course one of the most effective actions is to fully delete your accounts with and entirely avoid using any Facebook/Meta + Google products/services, but this is too big a jump for most people and still doesn’t mitigate the tracking 100% (as even without a formal account on FB/Google, without further mitigations in place, they are still able to identify you as a unique user and track you using their created “shadow profile”).

All of this is only basic tracking mitigation for standard desktop web browser activity (i.e. just visiting websites on your computer). The many other ways our digital behaviour is tracked require their own other set of mitigations, so this only covers one part of it, but is an effective and easy start.

Can you outline a complete strategy to mitigate tracking?

I’d say overall there are a few key domains to look at:

  • Web browsing (basic mitigation as above).
  • Mobile devices because these are one of the biggest sources of privacy leakage in most people’s lives (mitigation being switching to a de-Googled Android device instead of iPhone or regular Android + limiting installed apps to only vital ones).
  • Social media for obvious reasons (deleting and avoiding social media, or at least Facebook or generally be sparing in use and minimise data consciously shared on platform).
  • Email because all email on traditional providers is not private, all content can be and is actively read and analysed by provider (migrate away from Gmail, Outlook, Yahoo, Apple etc. and move to trustworthy privacy respecting email providers like ProtonMail or Tutanota).
  • Cloud storage services, for the same reason as email (migrate away from Dropbox/other big tech cloud storage providers, also move to privacy friendly ones like Proton).
  • Communications, because normal communications are either not private or secure or both (try to use Signal www.signal.org over WhatsApp, try to use Signal call/message over regular phone call or SMS, even WhatsApp is better for voice calls/messaging compared to traditional phone call/SMS as at least it is end to end encrypted).
  • Use unique account credentials for each of your online accounts, with a different complex password for each. Avoid using the same password (or the same password with only minor variations) for all services (more for general security but still important as cannot have privacy without security, for basic use recommend Bitwarden www.bitwarden.com with a very strong master password that you keep close guard over).
  • Use multi-factor or two-factor (MFA or 2FA) authentication to secure accounts wherever possible (ideally use TOTP time based codes via an app like Aegis or enteAuthenticator).

NB: The links above are clean (i.e., not affiliate links); I do not get any reward when you subscribe to those services.

[HOW TO] Manipulate Photos That Can’t Be Reverse Engineered Using Signal

You want to send or post a photo, but don’t want to show the whole image. Maybe it’s a screenshot and you do not want to tell the world about your mobile provider and other personal visible details on a screenshot, or you may want to blur your background to hide your location, or or or…

Did you know that it is easy to reverse engineer cropped, blurred or manipulated photos back to their original state, thereby revealing what you wanted to hide by manipulating the photo in the first place? It is called an “exploit” (as in exploiting a loophole or weakness in a programme or app). Recently, such a weakness has been found in the built-in cropping feature on Google Pixel phones, but the weakness is also present in iPhones and other Android phones (read this Wired article to know more).

While companies can patch the exploits, all redacted photos already online (and if you use a cloud service, your photos are most likely already online) are vulnerable to it. When you crop a photo, what happens is the process tells the file to pretend that the cropped out section is not there, but it actually is still there.

As we all now know (and if you don’t, you should), if there is anything you do not want to make public, do not post it online. It is safe to consider that anything you have posted online is now in one way or another known to someone. And deleting what you have already posted does not help. You are just removing it from your view. Your photos are probably already in multiple datasets.

One way to really crop photos is to use… SIGNAL! Yes. You may know Signal as one of the most secure and private messaging platforms, but it is also a great tool to REALLY crop out stuff from your photos so they can’t be reverse engineered. How to do that? Open Signal, take a photo, open the editing tool, crop, change as needed and save. Then send to “Note To Self” (another great feature of Signal for storing info).

If you have not downloaded Signal yet, you can find it in your app store, or here.

[HOW TO] Protect From Data Theft? (Privacy)

Many people ask me how to protect from data theft from Big Tech. This is a really important question, so I asked a digital security expert friend of mine. This is his (unedited) reply. Some of those are more directly actionable than others. I will regularly add to the list.

Use a *trustworthy* VPN for all devices like Mullvad or ProtonVPN (or Tor/I2P for truly sensitive things) with reliable DNS protection (but also be aware a VPN has its own risks, strictly only to mask your true IP + mask your web activity from your ISP + provide more secure internet when connected to public or unsafe networks).

Use Linux on desktop (or any open source privacy friendly version, just avoid macOS, Windows and ChromeOS).

Use de-Googled Android (GrapheneOS) on mobile. Neither Androids nor iPhones are safe. A mobile phone is the most invasive and privacy leaking device in our lives.

Delete all social media and big tech accounts.

Replace the services/apps one uses with open source/libre software alternatives. Email, contacts, calendar, cloud storage, apps on phone etc. Especially avoid any products or services by big tech (e.g. Google Docs, Gmail, Drive, YouTube, Search, Chrome, WhatsApp etc.).

Use a privacy friendly web browser (recommend “Brave” browser) with disabled telemetry and tracking blocking and fingerprinting resistance settings set to maximum.

Use a privacy friendly search engine (DuckDuckGo is OK), do not use Google Search, Microsoft Bing, etc.

Understand how internet and web infrastructure works (networking basics) as this is key to knowing how to manage own data trail and emissions. Key part is understanding that every single action taken in relation to internet or digital anything leaves a permanent record and digital trail of breadcrumbs. So to know how to get by using alias information when possible, and to be extremely judicious in providing any true personal data in any digital context. Doesn’t matter that one uses the most private and secure computer system if they just go and share their personal life story and details by posting such on the internet. Disclose as little as possible online, and if needed use false/alias data.

Use end to end encrypted and metadata minimising methods of online communication (e.g. Signal is not perfect but probably best balance between privacy/security and usability/widespread use).

Generally opt to use software and services that rely on well-implemented encryption technology and *end to end* and *zero knowledge* encryption wherever possible.

Do not use regular phone call or SMS (use secure WiFi call or message via secure apps instead).