Datafication & Technology

Datafication, Phantasmagoria of the 21st Century

Category: Security

Resources for Digital Privacy

28 June 2024 / / 0 Comments

A hacker friend sent me a number of resources that introduce and clearly but simply explain digital privacy. I am sharing these here without much comment.

General Resource

A good general resource: https://www.privacyguides.org/en

Why Privacy Is Important

Very short description of why privacy is important (I get SO MANY questions about why it’s important!) https://www.privacyguides.org/en/basics/why-privacy-matters

This is a blurb on why privacy is important by Mullvad VPN: https://mullvad.net/en/why-privacy-matters

NB: the pdf version is available here: https://mullvad.net/pdfs/Total_surveillance.pdf

Threat Modelling

These 3 articles explain the concept of threat modelling, to understand your own situation in order to know what to do/not do.

https://www.privacyguides.org/en/basics/threat-modeling
https://privsec.dev/posts/knowledge/threat-modeling
https://opsec101.org

Common Threats

A little bit more detail on what kinds of threats most people think about when threat modelling: https://www.privacyguides.org/en/basics/common-threats

And then, once the person has thought about their threat model and has a rough idea about it, then comes the part about choosing and deploying countermeasures.

Tools

This is a question people often ask me: what tools can I use? Here are some references for tools that can be used, depending on the threat model one has identified: https://www.privacyguides.org/en/tools

it is important to remember that it’s difficult to prescribe a one-size-fits-all solution for everyone, because each person’s threat model will be different.

Someone who is only concerned with surveillance capitalism will need to approach things differently vs. a high net worth individual or celebrity concerned about their physical and digital security vs. a political dissident or whistleblower.

Hope this helps!

How Data Companies Get Your Data

24 April 2024 / / 0 Comments

In the early days of the commercial internet, websites just used cookies to track.

Today, tracking has become much deeper and more sophisticated. The advertising tech industry has developed new ways to track users (NB: what I call the advertising tech industry is basically Facebook, google and all these data brokers or “consumer intelligence” companies).

The key to programmatic advertising, this entire ad industry upon which the entire internet as we know it today runs off of, is IDENTITY.

It monitors and scoops up all the information about everything people do on the internet, i.e., all the big data. But then they need to associate actions and data and insight with individual identities (if you visit YouTube everyday from your home, office, cafe and gym and also do so from your MacBook, mobile, tablets and computer, those are all disparate tidbits of info that need to be unified and linked under your identity for it to be valuable information).

So the key for a data industry players now is all about managing the unique user identities/profiles, each of which they will gather and add behavioral tracking and other data to.

In their systems, I have a profile, you have a profile, etc… but not a profile in the sense that we have made an account with the data company, but rather based on the dossiers they have on all of us.

Here is an interesting article listing out some key ID data companies. They are the ones that compile and maintain shadow identities of people.

The article outlines how each company creates an ID (by email address, IP address, postal address, cookies, device software/hardware information, combination of these, etc…).

Here is a graph summarising the sources contributing to building profiles.

This graph helps you to take action to protect your privacy for each of the items listed above.

  • Email: for as much as a cup of coffee a day, you can subscribe to ProtonMail, the most secure email on the planet. ProtonMail even allows you to create aliases email addresses connected to your main email. So you never have to reveal your real email anymore.
  • Phone Number: you can subscribe to services that give you alias phone numbers that you can use for online purchases.
  • Name: never give your full name when you subscribe to newsletter or browse the internet. Most of the time initials will suffice.
  • Postal address: this one is harder to
  • IP Address: use a reliable VPN, and remember, if you do not pay for the service, the currency is your data! So again, pay to get reliable, secure services. ProtonMail has a very good VPN. They have a package available that bundles email, VPN, aliases etc. Check their website, they often have special promotions.
  • Browser activity: use safe browsers such as TOR or Brave.
  • Device Data: check your privacy settings, disable location services for most apps, and only enable the one that REALLy need it when you use the app.
  • First party cookies: use safe browsers such as TOR or Brave.
  • Third-party cookies: most browsers allow you to stop third party cookies (although I would not trust any browser that belongs to a big tech company).

Check the previous posts on this blog for more privacy tips.

Privacy Guides – Restore Your Online Privacy

11 March 2024 / / 0 Comments

Privacy Guides is a cybersecurity resources and privacy-focused tools to protect yourself online.

Start your privacy journey here. Learn why privacy matters, the difference between Privacy, Secrecy, Anonymity and Security and how to determine what is the threat model that corresponds best to your needs.

For example, here are some examples of threats. You may want to protect from some but don’t care much about others.

  • Anonymity – Shielding your online activity from your real identity, protecting you from people who are trying to uncover your identity specifically.
  • Targeted Attacks – Being protected from hackers or other malicious actors who are trying to gain access to your data or devices specifically.
  • Passive Attacks – Being protected from things like malware, data breaches, and other attacks that are made against many people at once.
  • Service Providers – Protecting your data from service providers (e.g. with E2EE, which renders your data unreadable to the server).
  • Mass Surveillance – Protection from government agencies, organisations, websites, and services which work together to track your activities.
  • Surveillance Capitalism – Protecting yourself from big advertising networks, like Google and Facebook, as well as a myriad of other third-party data collectors.
  • Public Exposure – Limiting the information about you that is accessible online—to search engines or the general public.
  • Censorship – Avoiding censored access to information or being censored yourself when speaking online.

Here, you can read about Privacy Guides recommendations for a whole range of online privacy tools, from browsers to service providers (cloud storage, email services, email aliasing services, payment, hosting, photo management, VPNs etc), softwares (sync, data redaction, encryption, files sharing, authentication tools, password managers, productivity tools, communication such as messaging platforms etc) and operating systems.

You can also understand some common misconceptions about online privacy (think: “VPN makes my browsing more secure”, “open source is always secure” or “complicated is better” amongst others).

You can also find valuable information about account creation: what happens when you create an account, understanding Terms of Services and Privacy Policies, how to secure an account (password managers, authentication software, email aliases etc). And just as important (maybe more), about account deletion (we leave A LOT of traces in the course of our digital life, and it’s important to become aware of what they are and how to reduce their number).

AND MUCH MORE!

I can’t recommend this website enough. Visit it, revisit it, bookmark it and share it with friends and enemies. 🙂

[HOW TO] Mitigating Tracking

20 February 2024 / / 0 Comments

This is from an exchange with a privacy and security expert friend. I am publishing his replies to my questions “as is” (no editing).

Many people ask me about tracking. What is it? Can we prevent it?

Meta/FB pixel and Google Analytics are the two most pervasive tracking tools that follow people all around the web. Vast majority of sites have either or both running silently in the background. And each can see down to the most minute detail everything a user does on a website – every link or page that gets clicked or accessed, your mouse movements, the data you enter into every form or text box or search bar, the credentials you input to sign up or register for a service, the time you spend viewing a certain piece of content on the site, and countless other things etc… (visit deviceinfo.me to see example of all the little things a site can track and recognise about your computer).

And then all that data gets recorded and associated with your identity, on either a 100% precise “deterministic” basis (meaning FB or Google know you personally are the user), or on a “probabilistic” basis (when they don’t know for a fact it is you but can infer that it is likely you based on a range of clues/patterns).

Tracking is deterministic for most internet users (i.e. those not taking precautions to prevent and block tracking). Tracking is probabilistic for the small segment that actively try to mitigate against the tracking with various techniques (someone like me).

The goal for someone who cares and is operating in the probabilistic bucket is to actively thwart the tracking to the extent where FB/Google is unable to, with a good degree of confidence, link your identity to the given activity.

But there is otherwise no way to 100% prevent such tracking, to fully escape all deterministic and probabilistic tracking of your activity, other than not owning digital devices and never accessing the internet.

The most basic + doable + minimal pain actions to take to move oneself away from being in the deterministic bucket and into the probabilistic category are:

  1. Practice “browser isolation“, meaning use one browser exclusively for Facebook/meta/Instagram + Google/Gmail things, and for nothing else. And then use another separate browser for all your other non-FB/Google internet activity. Key is to make sure you NEVER sign into your FB/Google/Gmail accounts on your non-FB/Google browser (as the moment this happens, FB/Google are able to immediately link that browser and all its future activity to your personal identity).
  1. Do NOT use Google Chrome Web browser as your non-FB/Google browser. Use Firefox or Brave Browser instead. And again, NEVER log into any FB/Google account on your Firefox/brave browser (and try to avoid as much as possible even visiting any FB/Google products or websites on that browser).
  1. Install and activate the browser extension uBlock Origin into your non-FB/Google browser.
  1. Do not use Google Search in your non-FB/Google browser, and don’t go to Google to make searches. Use privacy alternatives like DuckDuckGo (www.duckduckgo.com) or Brave Search. This preference can be toggled in the browser settings.

Of course one of the most effective actions is to fully delete your accounts with and entirely avoid using any Facebook/Meta + Google products/services, but this is too big a jump for most people and still doesn’t mitigate the tracking 100% (as even without a formal account on FB/Google, without further mitigations in place, they are still able to identify you as a unique user and track you using their created “shadow profile”).

All of this is only basic tracking mitigation for standard desktop web browser activity (i.e. just visiting websites on your computer). The many other ways our digital behaviour is tracked require their own other set of mitigations, so this only covers one part of it, but is an effective and easy start.

Can you outline a complete strategy to mitigate tracking?

I’d say overall there are a few key domains to look at:

  • Web browsing (basic mitigation as above).
  • Mobile devices because these are one of the biggest sources of privacy leakage in most people’s lives (mitigation being switching to a de-googled android device instead of iPhone or regular android + limiting installed apps to only vital ones).
  • Social media for obvious reasons (deleting and avoiding social media, or at least Facebook or generally be sparing in use and minimise data consciously shared on platform).
  • Email because all email on traditional providers is not private, all content can be and is actively read and analysed by provider (migrate away from Gmail, outlook, yahoo, apple etc and move to trustworthy privacy respecting email providers like protonmail or tutanota).
  • Cloud storage services, for the same reason as email (migrate away from Dropbox/other big tech cloud storage providers, also move to privacy friendly ones like proton).
  • Communications, because normal communications are either not private or secure or both (try to use Signal www.signal.org over WhatsApp, try to use Signal call/message over regular phone call or SMS, even WhatsApp is better for voice calls/messaging compared to traditional phone call/SMS as at least it is end to end encrypted).
  • Use unique account credentials for each of your online accounts, with different complex password for each. Avoid using the same password (or the same password with only minor variations) for all services (more for general security but still important as cannot have privacy without security, for basic use recommend Bitwarden www.bitwarden.com with a very strong master password that you keep close guard over).
  • Use multi-factor or two-factor (MFA or 2FA) authentication to secure accounts wherever possible (ideally use TOTP time based codes via an app like Aegis or enteAuthenticator).

NB: The links above are clean (i.e., not affiliated links), I do not get any reward when you subscribe to those services.

Leaving Traces Online, Identifiers.

11 February 2024 / / 0 Comments

Visit this website (or copy and paste https://www.deviceinfo.me) and it will show you a long list of all the identifiers that every website you visit can find out about you, your location, your device etc… All these different data points then used to create a “fingerprint” of your web browser, allowing the rest of your web activity on that same browser/device to be trackable.

NB: You can visit this website from any of your devices (mobile or desktop/laptop).

[HOW TO] Manipulate Photos That Can’t be Reversed Engineered Using Signal.

26 March 2023 / / 0 Comments

You want to send or post a photo, but don’t want to show the whole image. Maybe it’s a screenshot and you do not want to tell the world about your mobile provider and other personal visible details on a screenshot, or you may want to blur your background to hide your location, or or or…

Did you know that it is easy to reverse engineer cropped, blurred or manipulated photos back to their original state, thereby revealing what you wanted to hide by manipulating the photo in the first place? It is called an “exploit” (as in exploiting a loophole or weakness in a programme or app). Recently, such a weakness has been found in the built-in cropping feature on Google Pixel phones, but the weakness is also present in iPhones and other Android phones (read this Wired article to know more).

While companies can patch the exploits, all redacted photos already online (and if you use a cloud service, your photos are most likely already online) are vulnerable to it. When you crop a photo, what happens is the process tells the file to pretend that the cropped out section is not there, but it actually is still there.

As we all now know (and if you don’t, you should), if there is anything you do not want to make public, do not post it online. It is safe to consider that anything you have posted online is now in one way or another known to someone. And deleting what you have already posted does not help. You are just removing it from your view. Your photos are probably already in multiple datasets.

One way to really crop photos is to use… SIGNAL! Yes. You may know Signal as one of the most secure and private messaging platform, but it is also a great tool to REALLY crop out stuff from your photos so they can’t be reversed engineered. How to do that? Open Signal, take a photo, open the editing tool, crop, change as needed and save. Then send to “Note To Self” (another great feature of Signal for storing info).

If you have not downloaded Signal yet, you can find it in your app store, or here.

[Podcasts Series] Surveillance Report Podcast

25 March 2023 / / 0 Comments

In the Podcast Series, I am going to start posting links to interesting podcasts that cover topics we are interested in.

One of those is the Surveillance Report Podcast, described on their website as a “weekly security and privacy news – Presented by Techlore & The New Oil”. Every week, you get about 50 minutes of news on topics around privacy and security, including news about data breaches, exploits, new research etc. Each episode presents and analyses a highlight story, usually a piece of news that has gone viral in the privacy and security community. It is quite informative although sometimes a bit technical. Each episode also presents a list of sources for what is discussed.

The Surveillance Report Podcast is available on Youtube, RSS, Apple podcasts and Spotify.

© 2024 Datafication & Technology

Theme by Anders NorénUp ↑