In this post, I'll explore my journey towards digital privacy, sharing both successful strategies and pitfalls, my thoughts on the future of privacy, and when trading privacy for security might be justified.
My foray into the world of privacy began in my young adult years, during the widespread adoption of smartphones. The emergence of apps like Instagram and Snapchat was transforming our lives. Everyone was divided between a mix of excitement and disillusionment over the power these platforms suddenly had over our lives.
Discontent with some aspects of these platforms led me to seek privacy from big tech. I decisively quit all social media platforms back around 2011. This was my first step towards taking back control of my digital life. However, as I'll explain later, it didn't really work, and other approaches to privacy proved to be much better.
Let's dive into it...
A much more successful approach to privacy was ditching proprietary operating systems. While my purge had eliminated social media, I still felt a lack of privacy on proprietary operating systems (which likely collect massive amounts of data on end users). I eventually discovered Linux and realized I could live without big tech on my OS. I started with Linux Mint, a polished Debian derivative, but quickly adopted Arch Linux, which I fell in love with and still use today. Arch is a simple, lightweight distribution. It completely eliminates bloatware with a unique approach of building on a simple base operating system. If Arch is too hands-on, Manjaro and EndeavourOS are derivatives that focus on a simplified and user-friendly experience. Ditching proprietary OSes may be the most critical step someone can take to control their digital footprint.
Protonmail, the Swiss email provider, was another significant discovery, as I had previously been relying on the big names Gmail, Yahoo, and Hotmail for the better part of my life. Though I eventually returned to Gmail, Protonmail was an excellent alternative, providing a free account and PGP-encrypted emails. I recommend that you give a privacy email a shot, and at least use it as a good backup.
I'd be omitting essential details if I didn't explain that privacy email providers have a few issues.
- The whole process is encrypted and difficult to spy on only if a privacy email provider user sends another privacy email provider user all on the same platform. For example, if a Protonmail user sends another Protonmail user an email, the whole process is fully encrypted E2E (end-to-end).
- However, if a privacy email provider user sends an email to a user on a different provider, e.g. Protonmail to Yahoo, the email must first be decrypted to be sent to the other provider. It can be assumed to be vulnerable to the same privacy issues as other platforms (which use regular email protocols such as SMTP, IMAP, or POP3).
- In the case of a privacy email provider user receiving an incoming email from another platform, it could be spied on and remains unencrypted until the privacy email provider encrypts it.
In my case, this really wasn't a deal breaker since Protonmail offers a much more private experience than Gmail probably ever will, and my goal wasn't to cover up malicious activity, just to have better privacy from big tech. If one did need to send a message, such as highly personal information or something of that nature, I recommend encrypting it with a quantum-hardened encryption before even opening the email client. That way, your data would still be private even if the email provider was compromised (turned out to be a honeypot, or even a capture-now, decrypt-later scheme).
A few messaging apps that I love as an alternative to Big Tech are Telegram, which offers E2E encryption (but sadly not enabled by default), and Signal, which are both relatively much more private. They're great since they are free, available on multiple platforms, and have user bases outside of the privacy and security community. Other options exist, including privacy networks (which I will cover later), offline options like Bridgefy, and even other messenger platforms.
DuckDuckGo became and still is my default search engine. Its uncensored and (mostly) unbiased algorithm has a superior site ranking, offering a refreshing change from big tech. However, Google has some incredibly powerful tools, and even its main search functionality has always remained a backup for specific tasks like local business searches, reverse image searches, and licensed searches, where it's still superior.
Another thing I tried early on was ditching my phone and using a virtual phone provider (web based). Living without a physical phone was particularly tough. I struggled with messaging on the go. This made renting an apartment and finding a job very difficult and proved impractical in my circumstances (an overall theme of privacy is that if you are very wealthy, you can afford better privacy). Additionally, the reliance on phone numbers as proof of identity in 2FA for essential services like banking and social media made this choice impractical.
In general, I wish phone numbers would die. It seems like dated technology and a massive cash grab (at least in Canada, where cell providers are expensive). In addition to communication, 2FA as SMS text or phone call is a sad excuse for better security. SMS is unencrypted, leaving it vulnerable to bad actors. Additionally, a telecom employee could swap a SIM, or a telecom app/account could be hacked. It may slow down a script kiddie but won't prevent a state actor. Unfortunately, phone numbers are highly integrated into everything from social media to banking, with limited options for OTP RSA Authenticator Apps (which are much stronger 2FA security). Anyway, for now, I pay $55 a month for something that I hate and that spies on me.
I experimented with old-fashioned flip phones and rooted Android devices, but neither was the perfect solution. The game-changer for me was GrapheneOS. This allowed me to still use apps like Google Maps and Reddit but in a sandbox environment. Graphene has excellent security and privacy features, including:
- Auditor app that allows you to confirm the integrity of other GrapheneOS devices by scanning QR codes.
- Hardened memory and system
- Completely deGoogled (except hardware). You choose whether or not to install Google Play services
- Vanadium is a more secure version of mobile Chromium
- Randomized MAC addresses for Wi-Fi
- 2G network blocking and support for eSIM
- No geolocation in photo metadata, a great convenience for sharing images
- I'm not even doing it justice; it has a lot of features
I now enjoy a version of Android with solid security and privacy and the same convenience as every other smartphone user.
There are still a few privacy concerns with any physical phone, whereas a virtual phone is much better. Cell phone carriers, at least in Canada, all clearly state in their TOS (terms of service) that they are geolocation tracking at all times. Tracking cell phones is an issue at the forefront of privacy and security, with multiple companies tracking cell phone metadata internationally. They use this data to record everywhere you go and predict where you are going in the future. The only solution to this is either a virtual phone that doesn't require a physical cellular modem (and therefore can't easily track your precise geolocation), ditching your phone, or practicing self-control by leaving it at home once in a while (I have an excellent device for this below). All things considered, a physical phone offers too much convenience to entirely give up on.
Rethinking my stance on social media was also necessary. Having no social media presence made me vulnerable to impersonation and unaware of the potential misuse of my identity, which can lead to catastrophe. Maintaining a minimal presence could benefit security and even privacy. Furthermore, I wanted some control over my narrative online as people can be, for lack of better words, dicks.
Leaving social media early created an awkward situation where, for a while, large companies didn't know who I was. To get back on some sites, I had to scan my face and provide multiple photos, which obviously isn't very private. You should consider this reality before leaving social media sites if you later decide that you want back on.
An excellent counterargument to rejoining/staying on social media may be that a face scan may be required for all users to log in in the future. I completely agree with this argument; however, you may want to consider how ubiquitous this tech will be (my friends in China know all about this) and that hiding from it will only be accessible to the extremely wealthy.
Another valid counterargument to embracing social media is that you may agree to malicious terms of service (TOS) by signing up and maintaining an account. Considering how telecom companies force you to surrender your location to use their product, I wouldn't be surprised if malicious legal vectors in social media TOS are being used to help spy on people legally.
In a later section, I discuss some other alternatives and emerging technologies that will one day replace the current social media giants.
Navigating the proprietary ecosystem was another area of compromise, as I could not live without some software suites. While alternatives to Gsuite and MS Word, such as LibreOffice, are great, sometimes the proprietary options are more suited to advanced workflows. I refrained from using these altogether for a brief period, but ultimately, I use these services with the understanding that some level of monitoring is inevitable. I do try to limit my footprint by using proprietary-only apps like Fusion360 and Adobe Photoshop in a virtual box and turning it off when I'm done (if you need help with passing a graphics card through, I have done it before with QEMU and an IOMMU-supported motherboard; maybe I can write a simple guide later on; let me know in the comments if you're interested).
VPNs and Tor
Another technology I only use in a limited manner is VPN. Unfortunately, using a VPN results in being bombarded with captchas, which isn't feasible. Some sites I have used, such as local marketplaces, ultimately failed to work with a VPN (probably blacklisted it). Unfortunately, I can't use VPNs for all my internet uses. I use them whenever I can. If I were to use one, I would choose Mullvad since it's logless, accepts XMR payments, and has an anonymous signup.
An easy and fantastic way to increase privacy from an ISP (internet service provider) is DNSCrypt. This way, your DNS requests aren't being stored by your ISP. It's a partial solution, as the ISP can still track your communications by IP address. However, it offers a step in the right direction and much better security. DNSCrypt is supported on Android, in the app Rethink. It's very quick, easy and free to set up.
Edit: while DNSCrypt is still relevant, another DNS implementation that may be even better is DoH (DNS over HTTPS). I'm suggesting DoH because it effectively hides DNS traffic by making DNS traffic appear as regular web traffic. It would be more private, considering it would be much harder to tell that your DNS is encrypted or that you care to do so.
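As an added illustration (not part of the original post), this Python sketch builds a DNS query and wraps it as an RFC 8484 DoH GET request, which is why the lookup looks like any other HTTPS request on the wire. The resolver URL `https://doh.example/dns-query` is a placeholder assumption, and nothing is sent over the network.

```python
import base64
import struct

# Assumption: placeholder resolver URL, not a real service.
DOH_ENDPOINT = "https://doh.example/dns-query"


def build_query(name: str, qtype: int = 1) -> bytes:
    """Encode one DNS question in wire format (RFC 1035). qtype 1 = A record."""
    # Header: ID=0 (RFC 8484 suggests 0 so HTTP caches can reuse answers),
    # flags=0x0100 (recursion desired), 1 question, no other records.
    header = struct.pack("!HHHHHH", 0, 0x0100, 1, 0, 0, 0)
    qname = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) <= 63:
            raise ValueError(f"invalid label: {label!r}")
        qname += bytes([len(raw)]) + raw
    qname += b"\x00"  # root label terminates the name
    return header + qname + struct.pack("!HH", qtype, 1)  # class IN


def doh_get_url(query: bytes, endpoint: str = DOH_ENDPOINT) -> str:
    """RFC 8484 GET form: base64url, padding stripped, in the 'dns' parameter."""
    encoded = base64.urlsafe_b64encode(query).rstrip(b"=").decode("ascii")
    return f"{endpoint}?dns={encoded}"


def decode_doh_url(url: str) -> str:
    """Recover the queried name, as the DoH resolver does after TLS ends."""
    encoded = url.split("?dns=", 1)[1]
    wire = base64.urlsafe_b64decode(encoded + "=" * (-len(encoded) % 4))
    labels, pos = [], 12  # skip the 12-byte header
    while wire[pos] != 0:
        length = wire[pos]
        labels.append(wire[pos + 1 : pos + 1 + length].decode("ascii"))
        pos += 1 + length
    return ".".join(labels)


if __name__ == "__main__":
    query = build_query("www.example.com")
    print("plain DNS payload (name readable):", query)
    url = doh_get_url(query)
    print("DoH request, carried inside TLS:", url)
    print("resolver decodes:", decode_doh_url(url))
```

Sent as classic DNS over UDP port 53, the same bytes expose the name in cleartext; with DoH the path and query string travel inside TLS, though an observer still sees the resolver's IP address.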
Complete privacy in the online world is a myth. Even if you use an ultra-private Tor Network or I2P combined with a live USB OS like Tails and strictly adhere to a non-personal data policy, your system will eventually leak some data. The best you can get is Tor+Tails, but it's very inconvenient for regular usage.
Though I'm glad solutions like Tor+Tails exist, and I hope they are maintained and embraced in the future, I have only tried this setup for academic curiosity as it only applies to my goals of not being marketed to and tracked by big tech. The right balance is using a VPN when I can or even just enabling DNSCrypt.
I'm no expert on hardware pen-testing or the complexities of firmware ecosystems, but I have read through some of the Libreboot, Replicant and Coreboot projects. The key takeaway from these great and enlightening projects is that hardware has a lot of privacy issues with limited mitigation on most devices.
The scope of Intel ME (Management Engine) issues, and similar issues with AMD and Qualcomm platforms, is really troubling for privacy and security. If you don't already know, Intel ME is a small SoC built directly into the processor's die. It runs an entirely separate MINIX operating system and is capable of accessing RAM and running commands without the main operating system knowing or even being on, even if the device isn't fully powered on. There's limited mitigation for the vulnerabilities, often involving complex setups and custom hardware. Furthermore, the fact that other firmware hosted on devices like SATA storage devices, NICs, GPUs, and embedded controllers (usually found in laptops) can use DMA (direct memory access; the ability to read and write to RAM) to help weaken your system and even directly monitor you without your knowledge is deeply troubling for the privacy movement.
The key takeaway is that big tech hardware is like big tech software; it's fully capable of spying. One mitigation for this is to use FOSS-orientated hardware such as the Librem and System76 hardware. I have never used this hardware, but I will support them in the future when I upgrade.
The Future of Privacy
Looking ahead, the advent of advanced technologies, like advanced algorithms, high-performance computing, and AI, poses new challenges for privacy. In the movie "Don't Look Up," algorithms predict human behavior, individuals' health, and even causes of death. Though this is an exaggeration of Big Tech's models, they do have models that may be used to predict our behavior, spending habits, future locations, etc. I firmly believe that Big Tech has the technology to predict your next purchase with incredible accuracy. I also believe there's no hiding from it. For instance, even if you live in a log cabin in the woods, there are still going to be models of like-minded people that can be used to predict your behavior.
Instead of completely hiding from Big Tech, I believe the future of privacy lies in sophisticated technologies like privacy cryptocurrencies. [Monero](https://www.getmonero.org/) is not your average cryptocurrency. It implements ring signatures, stealth addresses, RingCT, I2P, RandomX, and other technology offering private transactions with fungible tokens and anti-centralization properties, unlike BTC and ETH (which, don't get me wrong, do offer something, just not privacy). Monero also has a great and active community. To be clear, I'm not suggesting investing in Monero; I am suggesting that you use it as a currency (assuming you can do so legally).
Another area that shows promise is decentralized social media. Mastodon is a promising alternative to big tech. It's a decentralized microblogging platform that puts complete control over the server and moderation back in the hands of the users rather than one corporation or person with total control.
I also believe open-source hardware like RISC-V will be a huge game changer and see widespread adoption in the following years as it improves. For instance, check out SiFive, which is quickly gaining traction.
These projects rely on community support and more adoption by end users, so you can help pave the way for a more private future by using and contributing to them.
My personal commitment to enhancing my privacy and your privacy is using my phone less. I've found that placing my phone in a "phone jail" (see photo below) not only boosts my productivity but also benefits my health. I tried building one myself with my 3D printer (DM for the file if you want to work on it; I have both the STL and the Fusion360 file), but instead compromised on a great product off Amazon. It's a simple yet effective product that helps reclaim privacy and quality of life. If you're thinking about buying it, please use my Amazon affiliate link for phone jail, thanks!
Another significant improvement to our collective privacy is that I want to start contributing to Arch Linux (and/or FOSS in general). By doing so, I support a free and open-source operating system that respects your privacy. I love this operating system for its elegance and the great experience it has given me over the years. If you're a developer, please consider supporting it as well.
Finally, I have got to stop using ChatGPT so much. Local LLMs are more privacy-respecting than API-based LLMs may be, and I should take advantage of them when I can. I have another post about Local LLMs that I am currently working on.
As we conclude this exploration into privacy, it's essential to address when security justifiably takes precedence over privacy. While I advocate for personal privacy, I recognize that specific security measures are indispensable in maintaining our societal freedoms.
Some technologies are deeply troubling as they are often instruments for invading peoples' lives by for-profit organizations. However, certain aspects of national and public security are undeniably necessary. Living in a free country comes with the understanding that freedom is safeguarded by robust defense mechanisms. A strong military, effective airport security, and sophisticated surveillance systems are essential in protecting citizens from threats.
What's imperative is a clear societal consensus on the boundaries of acceptable surveillance and security measures. The lack of clarity and transparency in governmental decisions regarding privacy and security has historically led to overreach and abuse of power. As citizens, we must demand clear policies and robust oversight to ensure our rights are not infringed upon in the name of security.
Arguing that you don't care about the right to privacy because you have nothing to hide is no different than saying you don't care about free speech because you have nothing to say. - Edward Snowden
I have nothing to hide, but I do give a shit for this exact reason.
In conclusion, we must remain vigilant, informed, and proactive in defining and defending the boundaries of our personal and collective privacy. Only through this ongoing effort can we strike a balance that respects both our need for security and our right to privacy.
The cover image is generated with the DALL·E prompt: "Let's generate an interesting image with a heavy Orwellian vibe. I want security cameras and retina scanners, helicopters, drones, all kinds of crazy cyberpunk security items in the style of Hieronymus Bosch painting except darker tones"