Online Security and Anonymity

An interesting discussion in a different thread prompted me to start a new topic on online security and anonymity.

I have not always been careful about my online presence and security. As an extreme example, my first Yahoo mail account, which I created in 2000, had a 3 letter password until 2013, I think, when Yahoo forced me to change it after a huge hack at Yahoo. (I had a silly sentimental attachment to the letters I chose back then as someone’s initials.)

A few years ago I started to take my online privacy and security a bit more seriously. I started to remove myself off the social media sites. Deleted Facebook, removed or changed my email addresses and passwords wherever I could.

It’s a cliche but I became more aware of privacy and security implications when I turned 40.

I’m currently using the following tools to help me stay as private as possible and as secure as possible:

  • Proton Mail, Drive and VPN

  • Simple Login for email alias

  • 1Password as password manager; I plan to switch to Proton Pass. I also use Bitwarden as a backup password manager.

  • YubiKeys wherever possible to use as 2FA

  • NextDNS on home router

  • Synology NAS as a cloud storage backup

  • MySudo app

  • A prepaid SIM which is for those places where I need to give a mobile number but I don’t want to give my real number.

I am still using Google and Apple services but just limiting my exposure. I am not ‘Edward Snowden’ or anything like him but just being mindful of what data is being collected and used.

AMA if you have questions and let’s hear from you to learn more and hopefully find new things which I can implement in my workflows.

1 Like

I’ll probably chime in with more later, this is my kind of thread, but very quickly just for clarity:

Are you talking about anonymity or privacy? You mention anonymity a lot, and whilst often conflated with privacy, the two are not the same. Your toolbox and approach are more privacy oriented than anonymity really.

If you’re after anonymity you’ll want to ditch the VPN and use TOR. The prepaid sim is great for both anonymity (providing you paid in cash or crypto) and privacy.

NextDNS is great if you lack hardware to do that stuff locally instead of funnelling everything through a third party. Hardware that analyses that stuff within your local network before going out to the greater internet would be better. As a DNS provider though, unless you’re with someone like AAISP, it’s probably better for privacy, but I don’t think there’s any privacy gain between them over Cloudflare, and would just opt for theirs which is fast. NextDNS probably shines better on mobiles these days, but then you have a VPN. Each makes the other kinda redundant.

I do think the single biggest thing you can do though, is choose an ISP that respects your privacy, and choose a router/hardware firewall to keep your network secure and shut down trackers, which you can VPN into when away from home. If privacy (not anonymity) is the ultimate goal, that renders almost all those other tools and services unnecessary.

Home servers (not just NAS) are so underrated too, and definitely worth investing in. I use a headless Mac mini for mine.

Privacy ultimately comes down to trust, and there’s no one I trust more these days than my ISP, so I don’t use a VPN (for the purpose of privacy) or third party DNS services at all. My router does all the firewall, tracker and ad blocking stuff, so no reliance on a third party service I’d need to send all my traffic through instead of my ISP’s DNS. Out of the house, I’ll VPN into my own home network, which I trust far more than any third party VPN service.

1 Like

I try not to worry too much about identity. I keep an eye on things but that’s enough for me.

I’ve used the same 6 char username for decades, you can see embarrassing contributions from when I was a teenager if you search about, and find my real name (probably not too surprising given the first 4 letters of my username) etc. Not too concerning to me.

I even had some goon cyberstalk me when he decided he didn’t like being challenged - I thought it was pretty hilarious to be honest.

I use a VPN occasionally to get at things which are geofenced or blocked in the UK (or I just need a different public IP to workaround a restriction). I have a semi-disposable phone number (mostly so I can easily identify recruiters, who can be pests!). Other than that, I’m open-web, Gmail, on social media for what little I use it for nowadays…

3 Likes

Cracking question! I’m not fussed about being a complete ghost online, you know, the vanish-without-a-trace type. What I’m after is being a bit more anonymous, especially from all those trackers and adverts. Don’t fancy being followed around the web with tailored news and ads, and I certainly don’t want the big boys like Google, Apple and Microsoft building a whole dossier on my life!

1 Like

Sounds like privacy is the goal, in which case, you’ve got a solid toolset for that. I’d suggest looking into Signal too if you haven’t already.

DuckDuckGo is also a nice search engine to keep your queries away from Google. And because Google is probably still the best, when you do need their results, there’s a bang feature (prefix your search query with !g), and it’ll direct you to Google’s results whilst safeguarding you from their nefarious tracking.

Worth noting that Apple isn’t really in the whole big data tracking business like Google and Facebook are though. Request your data under the GDPR regulations and you’ll see a stark disparity. Apple don’t really have anything on you that you didn’t explicitly give them. Most things are confined to your device and are never shared with or stored by Apple anywhere. Apple Music is probably the most invasive tracking wise, but the stats there are more cool than they are nefarious.

Google recently honestly has pretty poor results I feel, Yandex, Baidu and Naver have somehow fended off the garbage results frequency increase.

Also, how does one escape the troubles of a VPN/Proxy? I’m currently routing all my data through a 200rmb (22 pounds) a year service run illegally in China, knowing there’s a 50/50 chance the guy gets arrested at some point for illegally providing VPN services.

In China? Easier said than done.

What are you trying to achieve? Something that reliably works? Or the need to no longer use one?

I use Signal when the other person has it, but as you know most people are on WhatsApp so most of the texting is via WhatsApp. I don’t want to ask people to use Signal just because I like it. I am okay to use WhatsApp. It’s the only Meta service I use.

I’ve been using DDG for a long time now :slight_smile: I use StartPage/Ecosia when I need to check something on Google because these search engines can pull results from Google index.

Agree that they are not big in ad business yet so they don’t profile you as aggressively as Google.
While they’re not big on ads yet, that doesn’t mean they’re not collecting a fair whack of information. And controlling what Apple hoovers up can be a right pain in the backside compared to Google in some ways. Like, you can’t exactly use an Apple device without signing into an Apple account, can you? But with most other gadgets, you can just use them without setting up an account first.

Another thing I’ve noticed, and this is just my own experience over the past five years, is that Apple seems to be cramming more and more trackers into their services. To show you what I mean, here’s a quick comparison of two devices my kids have used for the past 7 days. One’s an Apple iPad, the other’s a Samsung tablet. Both get used for roughly the same amount of time…

image

It’s all about personal preference. If you’re happy with how things are set up now and reckon you’ve got enough defences in place for any dodgy data leaks or security nightmares, then crack on! No need to go overboard just because some of us (ahem, me!) might be a bit paranoid. You don’t need all the bells and whistles if you feel comfortable with your set-up.

2 Likes

On NextDNS, I agree Cloudflare and NextDNS are probably on par for privacy. I actually think Cloudflare 1.1.1.1 is faster than NextDNS but for my use case NextDNS gives me more control over the traffic and I can control what is allowed on my kids’ devices from an easy to use interface.
I have Pihole installed on my NAS but just stopped using it because of an issue a few months ago and couldn’t find the time to reenable that so went with NextDNS.

1 Like

They’re not.

As I said, you’re free to request your data under GDPR. There’s nothing of substance there, even when you opt in (important because almost everything that produces data that Apple stores is opt in, not opt out). And from the data that is there, Apple aren’t in the business of selling it. If/when that happens I’ll be the first to change my tune and start screaming loudly about it.

The only telemetry tracking they do really is with respect to their services (tv, music, arcade). Anything private either isn’t collected or is end to end encrypted, so they can’t read it. As an example: Apple will know what fitness+ workouts you’ve done, but they’ll never see your fitness data that accompanies it. That stuff never leaves your device, unless iCloud sharing is on for health, where it gets synced but never stored.

Ad tracking (for personalised ads) is opt in, and you choose that during device setup, alongside analytics, and even then, Apple deploys differential privacy to safeguard your privacy as best as possible against de-anonymising techniques.

Is there meant to be a second screenshot there?

A large number of queries to Apple on an Apple device is not indicative of tracking. I’m not surprised to see so many. iCloud is constantly working in the background to sync and back stuff up. Apple are running a lot of services the device has to speak to, even when using third party apps. A lot of which is to do with safeguarding your privacy and security, not compromise it.

Honestly, the most illuminating thing you can do is go out to all these companies and request your data. It is the best thing about GDPR IMO. But it really paints a good picture of who is and who isn’t going to great lengths to profile you. And for those who think there’s nothing to worry about, the dossiers these companies have on you might shock you.

1 Like

I’m sure you’re correct but I am not as trusting of any of the big tech. Here is a screenshot of requests which are blocked by my current DNS blocking set-up, this is in about an hour and a half of use last night. iCloud is disabled on the device btw…

1 Like

Blocking cdn-apple is a strange one. It makes Safari faster, as well as hosted apps that need to fetch content. That subdomain is just a query upon app launch to verify the cdn is available. It just returns ok. Doesn’t do anything else. The clue is in the name cstat. stat being status. Perhaps something in their algorithms has determined it to mean statistics? But it’s just the app checking the CDN connection.

iadsdk.apple.com is pretty self explanatory. That’s your ad blocker working to block connections to Apple’s iAd SDK. Unless you opted in to personalised ads, there’s no tracking. That simply means the App Store, or a third party app tried to fetch and display an Apple ad and your ad blocker blocked it. The vast majority of free games and apps in the App Store that your kids will likely play use this, so that’s why you’re seeing it a lot. If they were using another ad network, like Google’s, you’d be seeing a lot of blocked trackers too.

For reference, Apple’s tracking and analytics domains are:

metrics.apple.com
securemetrics.apple.com
apple.comscoreresearch.com

But you shouldn’t be seeing any queries to these if you haven’t opted in to that stuff.

1 Like
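An added example, not part of any post in this thread: a way to check a resolver log for the analytics domains listed in the post above, matching on whole DNS labels so that `apple.comscoreresearch.com` is not mistaken for an `apple.com` host and look-alike names do not count. The log layout, the sample lines and the `apple-other` category are assumptions constructed for illustration.

```python
from collections import Counter

# Domains quoted in the thread as Apple's tracking and analytics endpoints.
ANALYTICS = ("metrics.apple.com", "securemetrics.apple.com",
             "apple.comscoreresearch.com")
# Ad SDK host discussed in the thread.
ADS = ("iadsdk.apple.com",)

# Constructed sample lines, assumed layout: "<time> <client> <qname> <status>"
SAMPLE_LOG = """\
21:02:11 ipad gateway.icloud.com. allowed
21:02:15 ipad iadsdk.apple.com blocked
21:03:40 ipad Metrics.Apple.com blocked
21:04:02 ipad sub.securemetrics.apple.com blocked
21:05:19 ipad notmetrics.apple.com allowed
21:06:33 ipad apple.comscoreresearch.com blocked
21:07:48 ipad metrics.apple.com.example.net allowed
"""

def normalise(qname):
    """Lower-case and drop the trailing root dot so comparisons are exact."""
    return qname.strip().lower().rstrip(".")

def under(qname, domain):
    """True if qname is the domain itself or a subdomain (whole-label match)."""
    q, d = normalise(qname).split("."), domain.split(".")
    return len(q) >= len(d) and q[-len(d):] == d

def classify(qname):
    if any(under(qname, d) for d in ANALYTICS):
        return "analytics"
    if any(under(qname, d) for d in ADS):
        return "ads"
    # Assumption: everything else under these two zones is grouped together.
    if under(qname, "apple.com") or under(qname, "icloud.com"):
        return "apple-other"
    return "other"

def summarise(log_text):
    """Count (category, status) pairs; malformed lines are skipped."""
    counts = Counter()
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        counts[(classify(parts[2]), parts[3])] += 1
    return counts

if __name__ == "__main__":
    for (category, status), n in sorted(summarise(SAMPLE_LOG).items()):
        print(f"{category:12} {status:8} {n}")
```

A raw query count per vendor says little on its own; splitting the log this way separates sync and CDN traffic from the analytics and ad hosts the posts are arguing about.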

I’m sure you know more than me about Apple trackers, so my settings could be a bit off.

I’ve turned off Stats collection for myself. No point giving Apple all my usage info if I can avoid it.

Agreed, Apple might not be that fussed about tracking for ads… yet. But there are definitely signs they could use all that data they’ve been collecting to show you personalised ads in the future. Didn’t they already start sticking targeted ads and analytics in their News app?

1 Like

They haven’t started collecting the data (yet) to do that so I wouldn’t be too worried about that yet. For as long as Tim (or Craig) is there, I think we’re in pretty good hands in that regard.

I don’t know if it’s the Apple One subscription, or the ad blocking on my router, but I haven’t seen ads in News for a really long time. From what I remember, they were never targeted either though.

They probably did start doing it, but it will live behind that same analytics and tracking you have to opt in to when you first set up the device. So if you don’t opt in, they don’t track or collect any data to serve you targeted ads.

1 Like

That’s good to know.

I had seen somewhere that they provide analytical data to publishers but wasn’t sure about tracking.

1 Like

Any recommendations for privacy-oriented ISPs and hardware firewall/routers? I’ve just started to look at Netgate 1100/2100 which look like really good bits of kit.

Easy. AAISP. Think @MikeZ uses them too.

I like the Unifi Dream Machine stuff. The new cloud gateways too.

1 Like

Apple recently struck a deal with Taboola to provide its ads on the Stocks and News apps, so things may change soon. However, they’re normally pretty good about privacy-related issues and you can still turn tracking off in the settings.
https://www.reuters.com/business/media-telecom/taboola-scores-apple-advertising-deal-shares-surge-2024-07-16/

I’m fairly ambivalent about my name being out there, as I still have a personal webpage which has my name on it, but as long as I retain control of what I put out there, I’m happy.

What I’m not so keen on is advertising and the tracking that normally comes with it. As a result I’ve closed the accounts I’ve had with surveillance capitalists -- Google, Facebook, Twitter, Microsoft etc. -- and try to do as much as I can through Apple and Proton. I’ve also ditched Adobe recently for its misuse of assets stored in Creative Cloud.

For socials I just use Mastodon now, as there’s no algorithm, no ads or tracking and each instance is moderated by a human.

Apple gets a pass from me because they mostly just want me to buy Apple products and are arguably the least worst option when it comes to mobiles. I’d like a genuine third option (besides a feature phone), whether that is de-Googled Android or one of the growing number of Linux phone OSs, but the iPhone will have to do for now.

Proton VPN has a great feature called Netshield which blocks malware, ads and trackers. I have that running as much as I can.

I use Obsidian for notes, as it just runs from any folder on my hard drive or NAS folder and it just creates Markdown documents rather than some proprietary format (like Evernote or OneNote).

I also still buy CDs --I don’t want my access to music to be predicated on streaming services and the copyright holders continuing to get along. I’ve had one too many albums disappear from Apple Music over licensing disputes. I look for new stuff on Apple Music before buying the CD if it is going to stay in my collection.

I’ve thought about going down the hardware key route as well, a Yubikey or similar, but will give it further thought.

It is interesting that people are starting to take more notice of their privacy now. Hopefully the biggest violators will start to take notice.

2 Likes

I do :slight_smile:

1 Like