Wizard Kit: How I Protect Myself from Surveillance
Ever since the Electronic Frontier Foundation’s Panopticlick initiative in 2010, I’ve been sensitized to the risks and potential harms that come from adtech’s tracking of consumers. Indeed, in the years since, it has gotten far far worse. People are only now discovering the bad stuff that has been going on. For example, iPhone apps have been secretly recording users' keystrokes (see ZDNet, Feb 8, 2019), and Android apps with more than 2 billion downloads were committing ad fraud on real humans’ devices behind their backs (see BuzzFeed News, Nov 2018). For many more examples of spying on consumers, documented over the years, see Know Who’s Spying on You at All Times.
The popular apps that many humans use continue to track then even if they are logged out, and they also track users who never created an account in the first place (see Facebook tracks both non-users and logged out users). And Google tracks users’ locations even if they turned off location and denied permissions to apps (see Google Tracks Location Even When Users Turn Service Off). Even good apps that never intended to track users may actually be doing so because the SDKs (software development kits) with which they were built may be tracking users and sending data off to others’ servers without their knowledge. Remember the story about the low cost bathroom scale that didn’t work if location was turned off on the smartphone and there was no internet connection? It turns out that the scale was sending data to bare IP addresses that could be traced back to China.
Given the state of surveillance, indeed a surveillance state, in which we live today, most consumers are not aware and don’t know how to protect themselves. They find it impossible to wean themselves off the free drugs that have been provided by big tech—free email (Gmail), free videos (YouTube), free social media (Facebook), free maps (Google Maps) and so on. All of these services, and the privacy policies they force users to agree to, are designed to help big tech collect data from users to make money and limit their liability if anything goes wrong, as in the Cambridge Analytica/Facebook scandal (see What Is “Surveillance Capitalism?” And How Did It Hijack the Internet?).
How do consumers protect themselves from surveillance and start to restore some semblance of privacy? Services like Google and Facebook have many settings where you can limit your privacy exposure. This article doesn’t cover those, however, as much already has been written about that. What follows is more like what Doc Searls calls a “wizard kit” of various open-source technologies that I have adopted and customized over the years to protect my own privacy. These are a suite of technology tools that I control, and that help me control my privacy, despite having to continue to use hardware (Android phones) and services (Gmail, Google Maps) provided by big tech. Collectively, they are a “privacy suite” of personal agents that help me increase my privacy.
Here’s what I have done, built, and learned over the years. I use a PC because I can select the hardware components and build it myself (as opposed to Apple hardware). I use an Android smartphone because I can load our own APKs on it without getting it approved in app stores and without having to root or jailbreak the device. I specifically use an Essential phone and a Pixel 2 XL as backup. Even though Apple protects its users more than other platforms, the power and control it has still means consumers are not in charge.
- Jan 30, 2019: Apple blocks Facebook from running its internal iOS apps
- Jan 30, 2019: Apple blocks Google from running its internal iOS apps
- Jan 31, 2019: Apple restores Facebook’s ability to run internal iOS apps
- Feb 1, 2019: Apple restores Google's internal iOS apps
For those who are already more savvy, various tools and techniques listed below can be used on Linux machines. And iOS devices can take advantage of DNS ad blocking and tracker blocking too.
Edit local hosts file. Years ago, I started editing and managing the hosts file on my computer (find the hosts file here: C:\Windows\System32\drivers\etc ). By adding ad serving and ad tracking domains to it, and pointing them all to 127.0.0.0, I could force those domains’ DNS not to resolve. This means that when ads and trackers are called by webpages, apps or other ads, they will quietly fail to load. Now I have nearly 200,000 domains in the hosts file to protect my computer. The following are lists of ad serving, tracking and malware domains maintained by others that you can use as a source list:
Use Brave Browser with PrivacyBadger. I use the open-source Brave Browser every day now. It's built on Chromium, but because the awesome @brave team stripped out bloatware, adware and surveillance tech, it protects me better than Chrome. It also has additional “shields up” features like “block fingerprinting”, which is how adtech tracks your unique device even if you delete cookies in a normal browser. HTTPS everywhere is also on by default, and no external extension is required. Tor is built in for when you need it—just open a “New Tab with Tor".
And because Brave is based on Chromium, I can add browser extensions of my choice. I use Privacy Badger from the EFF to help me block ads and trackers further. Most important, Privacy Badger learns and adapts to new trackers and threats. When it detects a new tracker, it sends a do not track (DNT) signal to it and determines whether it respects the signal. If it doesn’t, PrivacyBadger blocks the tracker. Another useful extension is DuckDuckGo (you can also use that browser on mobile). This extension further helps to prevent data leakage—for example, when you search on Google or Google Maps, Google can re-identify you and further compile the data they have on you. And finally, be sure to UNinstall all browser toolbars or extensions that you don’t use or don’t trust. When a browser extension or toolbar is installed into your browser, it can read everything you do in the browser, including all keystrokes—think about your logins on all sites. Do you trust that they are not logging all of that and sending it back to their servers?
Pro Tip: don't use Adblock Plus, because it will sell you out. Adblock Plus takes payments from adtech companies to let their ads and trackers through. It does not block ads and trackers to protect you.
The following are other tools that are useful to see who is tracking you and how much tracking there is:
- Ghostery- Privacy Ad blocker (pro tip: don’t leave it installed when you don't need it; they collect data and sell it too).
- Kimetrak- Chrome extension that shows you the trackers on each site and how they were called.
Uninstall apps on mobile. Some consumers have been using social-media apps for years, and it may have been convenient to have those apps on their smartphones. But those apps have access to device sensors, and consumers typically have given permission to apps during the install process, without even reading what permissions they were giving. Some malicious apps like flashlight apps that ask for permission to turn on microphone and camera, receive and send text messages, read all your contacts, turn on network connections and so on should have raised red flags and eyebrows. But even mainstream apps abuse permissions to track users. The best way to limit this is to uninstall the apps and log in to those services using a browser. The security built in to the browser means that device-level, sensor data is not accessed and abused by those services.
Use ProtonVPN. First thing to note is don’t use low-cost or free VPNs. Those services were not trying to do good for society; they were designed to collect your information and sell the data for profit. VPNs see every network IO in and out of your device, so they can see every website you visit, every app you use and possibly even more detail. I use ProtonVPN, and I pay for it, because the creators are privacy-oriented. There is a cost, but you should already know that nothing in life is truly free. So it is a way of saying thank you to the developers who built it, maintain it and evolve it. I leave it on the fastest available server, typically. But there are other useful features like “random” where it connects to a different server each time or “SecureCore”, which routes traffic through their secure network, and finally “DNS Leak Protection”, which uses secure DNS servers to prevent others from snooping what sites you visit via DNS resolution queries.
We built SafeBrowser. I have an inherent distrust of any app and what it can do when I load it on my smartphone. Even if I am vigilant about not giving it permissions that it doesn’t need to perform its job or that don’t make any sense at all, code in the app could still be doing things that I am not aware of. That is why I work with a mobile developer that I trust to build apps for me to use on my phone. One such app is SafeBrowser. This is a derivative work of the open-source Android Webview browser, found here https://github.com/chromium/chromium/tree/master/android_webview/browser.
We customized the webview browser by adding a blacklist and a greenlist to it. The blacklist contains ad serving, ad tracking, malware, porn and other domains that are blocked. This means that webpages or the ads that load on the page cannot call hidden trackers or redirect to malware, fake sweepstakes, or porn domains—as has happened with increasing frequency in recent years due to poor security in digital ads (see Confiant - Uncovering the Largest Malvertising Operation).
The browser history is also color-coded to show the domains called by each web page—the ones in red are blocked. The ones in green are ad-serving domains for sites that have been greenlisted. A greenlisted site is one that the user trusts and wants to support by letting the site make money in its normal way—by showing ads. So a site in the greenlist will see the ads come through, but malicious or non-malicious trackers of other adtech companies remain blocked.
We built NetSafe. What about the trackers and ads that are called by other apps—that is, not on a web page in a browser? For that, we have to inspect every network IO in and out of the device. We made a derivative work of the open source project called NetGuard. We call our version NetSafe. We added in our own blacklist and whitelist functionality that is similar to the functions in SafeBrowser. The blacklist is continuously updated on our server and synced to the device when there are updates. When NetSafe is turned on, ads and trackers are blocked from all apps—including user-installed and system apps—because their DNS resolution fails quietly.
We maintain our own Pi-Hole Server. What about iOS devices that cannot run our SafeBrowser and NetSafe Android apps? We set up a Pi-Hole server based on this open-source project: https://github.com/pi-hole/. Routers like Google’s OnHub and others like DD-WRT can be set to point to our Pi-Hole server as the default DNS server. By doing so, all the devices in a home network can benefit from ad blocking and tracker blocking, even if nothing on the device has been altered or any apps installed. The Pi-Hole admin interface also gives useful stats about the enormous volumes of network requests coming from streaming devices like Amazon’s FireTV, Apple TV, Google Chromecast, Roku stick and so on, especially in overnight hours when humans are sleeping. Users can also edit their network connections (ethernet settings) to point to the Pi-Hole DNS server. This provides the ad blocking and tracker blocking without having to edit the hosts file locally. And updates to the block lists will be used automatically by any device pointed to the Pi-Hole server.
We built crpt.info. Finally, secure, ephemeral communications. By now, savvy privacy-oriented users will be using secure communications apps like Signal. But I’ve stopped using Signal because it leaks meta data, my phone number. It notifies me that my friends signed up for Signal and prompts me to connect to them. This is not secure enough. So we built our own, available at http://crpt.info. The high bar of security that I require is that every aspect of the tech can be disclosed, and it still remains secure. If any security relies on secrets, it can be compromised by pain or gain—meaning the secret holder can be tortured or paid off to reveal the secret. That point of failure makes it not secure.
For crpt.info, let me provide a layperson’s description of the security here. (For the more technically oriented, I can provide technical details upon request.) When a message is sent, the message is broken up into an unknown number of pieces; each piece is encrypted with one of a large library of encryption algorithms we created, and each piece is distributed to network of haystacks (servers) and placed in a temporary alphanumeric subdirectory of different lengths. We call this security paradigm “combinatorial security”.
We minimize the use of standard encryption, because we assume backdoors are already built in. We do not require strong encryption, because we assume attackers can apply unlimited computing power to overwhelm the strongest encryption. We do not require HTTPS, because we protect the pipe between the browser (end point) and the server. Each message is encrypted with the public key of the intended recipient; only the recipient has the private key to decrypt the message. Public key/private key pairs are unique to the message—that is, single use. Even if one message were compromised, it will not help the attacker with any other message. Once a message is seen, all pieces evaporate. Redundancy can be built in without reducing security. This would be useful in cases such as if the entire eastern seaboard is taken down. There will be enough duplicate pieces, distributed in other geographies to ensure the message gets through.
The platform has no meta data. Users are not required to log in to send a message. This is designed for journalists operating in hostile places. They go to cyber cafes, where all devices are surveilled, sit down, type in the SendToIt code, send the message and walk away. The analogy is a public phone booth—walk up, dial the recipient, leave message, walk away. The message is dropped into a one-way mailbox and encrypted with the recipient’s public key. Only the recipient can access the mailbox and can decrypt the message with their single-use private key.
Send me a secret message. My SendToit code is “augustinefou3” (no quotes).
Build your own “privacy suite”
The above is the “privacy agent suite” that I use to protect myself from “surveillance marketing”. I welcome all of you to try any or all of it to see if it can help protect you and increase your privacy.
For adventurous souls (who also run Android), I am happy to share the APKs so you can load and try the apps we built (no jailbreaking or rooting needed). DM me and I will share.