If there’s anything sensitive I’m communicating with someone digitally, I make sure that the person in question has basic tech security skills and knowledge about privacy, including telling them to stop using Windows. Including taking the time to teach them basic stuff (like full disk encryption, VPN and Tor usage, explaining E2EE, etc.) myself. If you have a high threat model but are talking to non-techy people, you should be taking the time out of your day to do this.
If you’re thinking “wow I can’t be bothered to do all that”, your messaging is probably not sensitive enough for this to be a significant concern. Not that “if you have nothing to hide you have nothing to fear”, but just “the amount of time you put into security and privacy should be proportionate to your threat model and the cost of compromise”.
That’s fair. I just use it because it’s what everyone’s on. When I used Briar only one other person I spoke to used it, and I just use Matrix for some more techy communities I’m in. For my friends and non-tech-savvy comrades, they’re all on Signal, and I imagine trying to move people to something more decentralised/more in the spirit of foss/etc would lead to my social circles becoming very split in terms of how I talk to them. But I get your point.
Your friends who use spying social media platforms can share them there, if it’s a public blog. And if none of your target audience (friends and family) use Facebook, WhatsApp, Twitter, etc then there’s no need for them to be shared on those platforms?
Also, ime from when I had to use Facebook because of a group I was in, the group was very resistant to any privacy advice. I think the vast majority of people on these platforms are on those platforms specifically because they don’t care.
Yes, and there’s also the fact that some VPNs such as Mullvad let you be anonymous so even if Mullvad were keeping logs, if you pay privately they have no way of knowing whose logs they are (unless the content itself of your internet history reveals your identity). Meanwhile your ISP definitely knows who you are, and absolutely will collaborate with the police if asked to.
I’ve been on Mullvad with lemmy.ml and never had problems.
I think, when you explain things to people (i.e. in instances where it’s not an absence of knowledge that’s the problem), the vast majority of people know we’re correct, but are held back by convenience. They’re embedded into the Google ecosystem or whatever, and it is a pain in the ass to migrate. There are many popular services for which there isn’t a 1:1 private alternative. I can openly and confidently say that I sacrifice some convenience for privacy, and to me it is worth it. But other people, while they agree that they don’t like being spied on, are used to being spied on and therefore have a “if it ain’t broke don’t fix it” attitude. They’re already using spyware and it’s not had an immediately obvious acute consequence for them, so there’s not really any turning point at which they would go “this is enough” and change.
I think so long as they’re aware, if they do value privacy, over time they should slowly replace the things they use. Also, some of my friends get Signal just to speak to me since I’m not really on anything else (unless they want to email me lol), so that kind of effect may push them in the right direction.
If your brother doesn’t care though, he just doesn’t care. Privacy is actually very straightforward: it’s creepy for someone to be spying on me and watching my every move, therefore I take precautions to make that difficult for people wanting to spy on me. You don’t need to convince people that being spied on is creepy. They know that, and are stopped by inertia, which they can only overcome on their own. I don’t think it’s worth nagging them about it when they already know what is to be known.
For context, my threat model doesn’t need to account for real people breaking in and accessing my computer, the damage would be very contained.
I mean if you don’t have open ssh ports on your computer or whatever I don’t think you need a strong password, given that you’re not concerned about physical access. I would say that at the very least have a reasonably secure root password (/user password if you’re a sudoer/anyone else who can get root permissions with your user account) because if you end up with some malware on your computer that can, say, enter passwords, you don’t want it to be ridiculously easy to bruteforce.
The purpose of hiding the transaction would be to make it so that Mullvad couldn’t tie the transaction (or your identity) to your account even if they wanted to. I know they say they don’t log that data and I believe them, but they physically could if they wanted to, as opposed to paying in a private way, which Mullvad encourages anyway.
Of course, this then depends on what you’ll do with your VPN. If you’re using it to log into anything, unless that account is completely anonymised, the Mullvad servers could tie you to your account if they wanted to track you. Same goes for if you connect from your home network as opposed to e.g. public wifi. But there definitely exist threat models and use cases where what you’re doing on that VPN wouldn’t otherwise be tie-able to your real identity and therefore wanting to guarantee your VPN provider can’t know who you are may be something you’re interested in.
And some people just like anonymity for the sake of it 🤷‍♀️
Ultimately there are always going to be people who don’t have smartphones or computers, so society (including things which are currently almost mandatory to participate in society, like being able to bank) should be accessible to these people. If it’s accessible for them, it’s also accessible to people with smartphones or computers who have just removed the spyware from them.
I don’t do mobile banking; I just bank from my desktop browser. Not sure if this is an option for you or not, but I would have thought that online banking in the web browser should be even more common than having a mobile app for it.
Not sure what you mean by “home brokers” blocking you but if you mean their wifi blocks you, I’ve experienced that too on GrapheneOS but have found that VPNs allow me to use pretty much any public wifi.
Does your government app have a web alternative? If not that seems incredibly discriminatory against people who don’t have smartphones. If it has a web alternative but doesn’t work with any particular privacy settings, do you have a local library with computers you can use?
I’m ngl this is surprising to me, as GOS has always just worked out of the box the way I wanted it to for me.
But:
> I’m facing the nearly insurmountable task of convincing my friends, family, and colleagues to download and use Signal when they are all using encrypted iMessage.
Anyone who uses Android will experience this. I’ve never owned an iOS device in my life and I’ve always used SMS and Signal to talk to people. Have occasionally downloaded WhatsApp when a group of people insists on using it and I need to communicate with those people, but usually WhatsApp is uninstalled when I don’t need it. I think most Android users just use WhatsApp though.
> Most of my banking apps just simply do not work.
Even with sandboxed Google Play? Again, surprising to me tbh. All the banking apps I’ve used in the past have worked fine on GOS without any Google Play services, though I don’t have any mobile banking apps installed atm. I second the other commenter who suggested switching banks if that’s possible for you.
> There’s also a few features that I’m assuming are iPhone exclusive that it really sucks to be without. Double tapping the bottom of the screen to shift everything down so you can reach the top of the screen with your finger when using one hand. Holding down on the space bar to move the text cursor between characters. Maybe these exist on GOS though?
I’m sure you’re not the only person who’s switched from iOS to an Android-based system and misses these features. A custom launcher might have the former feature, and there must be an Android keyboard that offers the latter. Maybe ask around on more mainstream Android forums, as they’ll probably have the most people switching from iOS to Android.
No clue about Yubikey, sorry. Never used it.
If you want to use an iPhone, you can. You don’t have to use GOS. I understand if you’ve invested heavily in the Apple ecosystem, it’s just inconvenient to stop using it all of a sudden. Ironically I sort of experienced something similar in reverse when I tried to daily drive Windows for a brief time because of gaming, and I found it so frustrating to not have access to a lot of the programs I used on Linux, and how things worked so differently (and in ways I thought were much worse) on Windows. Not quite the same since there’s definitely no such thing as a “Linux ecosystem” in the same sense as an “Apple ecosystem” (good! I don’t want to log into my online Linux account to boot my kernel…), but big changes to your tech workflow will be frustrating as you build up a new system that works the way you like from the ground up. I don’t think using GOS as a daily driver is a necessity for everyone. I would like to promote people using degoogled, FOSS, privacy-respecting OSes both mobile and desktop, but ultimately, you are an autonomous human being and can use iPhones if you prefer to do so and are fully aware of the privacy issues.
Presumably any degoogled OS would remove that kind of telemetry—it seems like quite an obvious oversight if they continue to send notification contents to Google’s servers? If the suggestion is that it’s through a backdoor, then that’s the responsibility of the open source community to spot the backdoor in the AOSP.
You can also just use a degoogled OS which won’t be logging your notification content. But in any case you shouldn’t have notifications as notifications are exclusive with at-rest encryption (or I guess you could have at-rest encryption but just have the db constantly decrypted whenever your phone is on? Seems to defeat the point then).
Yeah that’s fair. And my pitch-shifting is not for a particularly well-resourced/dedicated threat model, literally just “would I recognise this as my voice if I heard it”—obviously insufficient if your adversary is going to put effort into identifying your voice.
I’m a bit surprised that no one has made a good preset for voice disguising. I might just keep layering effects for further obfuscation.
The suggestions people are making are good but I want to point out that GrapheneOS has good defaults so you don’t need to do much except use your phone. If you don’t have a particularly high threat model you shouldn’t need to make any other considerations (beyond just what software you use on your phone, like if you use something like Discord or whatever).
Yeah you’re right, that’s not a useful answer. This question in particular was also prompted by being linked a public resource, so even if I got someone else to download it for me and send it to me as a .ods file (it was a Google Sheets link specifically), that would just be offloading who visits the Google site to someone else. I.e. using your friend as a proxy. Which may be fine if you just don’t want to visit the site yourself and that’s your only objection, but I am pretty easily traceable to the type of friend who would send me a Google Docs link, and it definitely doesn’t offer the same anonymity as a proxy like Piped which is used by a lot of people (as opposed to a proxy like my friend, a proxy which is only used by one person…)
That’s fine if you value the warranty over your privacy (not trying to be sarcastic, everyone has a different threat model and I mean it when I say that’s fine for some people), but personally I would prefer the computer were not traceable to me, including at the cost of having to buy replacements when they otherwise come with warranty. I have turned down various things that electronics come with that require leaving your details. I understand why people leave their details to get the extra stuff but I am willing to spend more to be anonymous.
Afraid they almost definitely are actively monitoring all my above-ground activities lol, I’m in a country getting quite a bit of international flak for cracking down on political dissidents. Won’t say any more than that, tbh that doesn’t narrow down my location much with the current state of things anyway. But yeah I agree, I want to minimise the amount of data accessible about me.
I also want to pay more in cash to reward businesses for still allowing you to pay in cash as I’m noticing more are going cashless. I’m occasionally reliant on cash so I don’t want to end up stranded on those occasions where I can only pay cash, so definitely want to ensure the option remains open. The privacy is a benefit too of course.
I think at the moment I mostly buy “important” stuff in cash and everyday stuff with card. Important like a new computer or something, because I’d plan to have that computer for a while and don’t want it easily traced to me. Everyday stuff like food because, while I completely understand not wanting the state/banks/etc to know anything about you, I personally don’t care too much if the state knows what I eat. Would be nice to eventually become one of those people with no footprint at all though.
I found that Proton always had connectivity issues tbh. Frequently had to disable my VPN just to use the internet which defeated the purpose. Never had this issue with Mullvad; I’ve found it very reliable. Also Mullvad is absolutely more privacy oriented. They don’t require any kind of personal data. Proton will be tied to your Proton account so possibly your email, Proton Drive, etc.
Seems like a huge oversight in privacy communities, which are frequented by people with state actor level threat models.