I like the article, but I wish the trend of presenting US-law as universal standard would stop. IMO it would really help fighting the "well there's nothing I can do anyways"-stance of many, many people (regarding their rights).
Example: The german agency for loan credibiltiy (Schufa) got the hammer put down on them a few years ago for using zip-codes in their credibility calculation - it's not impossible to fight on a society-level, too, given said society is motivated and informed!
Lending agencies in the USA have also had the hammer brought down on them for paying attention to postal codes in some jurisdictions, but I don't think it's been banned nationally.
Regardless, the spot where surveillance capitalism worries me is that it could serve to undercut any attempts at banning such practices, regardless of how consumer-friendly a legal jurisdiction tries to be in limiting how the data can be used.
Can't use your current postal code to decide what your interest rate will be? That's fine, we'll just buy a dataset that tells us what your favorite restaurants are, and infer where you live from that instead.
Oh, but we won't do it directly, either, because someone would just blow the whistle on that, too. Instead we'll feed it and several hundred or thousand other data points into a machine learning model. And we'll pick the most black box algorithm we can think of, so we can claim plausible deniability.
Or maybe we'll set up several different online loan companies, each of which offers slightly different rates. We won't explicitly say that only certain people are supposed to use one of them, but we will still engineer the client pools by carefully targeting the advertising based on what websites people tend to visit.
I'm coming to the opinion that we should consider this kind of dragnet collection and reselling of data about people to be abusive prima facie. The potential for misuse is just too great, and the ostensibly legitimate uses that people have been able to come up with are typically really lame and uncompelling.
I'm not an expert in any way so it was probably a bit inappropriate to just assume what the author stated to be true - however, I don't want to focus on the discussion whether, how and where Redlining is existing in the US, because I notice this trend a lot.
Another, (hopefully less controversial) example:
Recently, I read an /r/askreddit thread titled "What sucks most about getting old?"(paraphrasing here) and literally about two third of the top level answers were something along the lines of "how much medicare cost/ how you can't have that much nice things because of doctor's appointments". Hint: It's not getting old what sucks here and neither it have to be that way.
I'm not saying that other countries are flawless, or even that they're better, but it's usually prefaced with "Well here in India" or "As a citizen of Belgium" - Americans just seem to assume their experience is valid for everyone.
Well, people have been complaining about that continuously for the 30+ years I've been on the Internet, so have fun complaining, but you're not going to get anyone to change.
And it's clear from context: Almost everyone who does that is from the USA.
The United States has privacy laws also, including a lot of regulation of the credit rating business. The laws are just created on a case by case basis, there is no general right to privacy from other private actors.
For better or worse, American society chose to enshrine the First Amendment and its right to free speech over personal privacy. I personally believe speech is the more delicate right.
Maybe not “mutually exclusive”, but there are conflicts. For example, some EU countries media are traditionally more reticent about publishing identities of the arrested than the American media is.
The most obvious recent conflict is “Right to be Forgotten” laws in EU vs the U.S.
Well, can you name an example where the EU focus on privacy instead of free speech had an actual negative effect?
Because as I see it, witch hunting old people who fake recipes for their opiod addiction or adding "massive national fame" to the list of motives for school shooters doesn't seem to benefit anyone beside the infotainment industry - and anyone who doesn't like actual coverage instead of sensationalism.
The very essence of free speech seems to be equally there in the EU (if not more) as it is in the US, or am I mistaken?
The "right" of free speech really inst free when espousing unpopular views has many lasting damages.
You can get fired from a job. You can get evicted. You can have your mortgage cancelled. You can be denied service at stores.
Sure free speech is great and all, but it also means potentially subjecting yourself to poverty.
I recall the story where the lady said over twitter, " I'm going to africa, hope I don't get aids. Oh that's right I'm white". Justine Sacco, I think. Or dongle jokes....
(EDIT: already at -2. I figure people would understand what it means to be banned by faceless entities and the like over free speech. I know I don't have free speech - There's many topics in which if I discuss would have lasting job ramifications. I also refrain from many opinions about societal issues in which is republican vs democrat.
Tl;Dr. Free speech may mean government cant imprison me for complaints against politicians, but my fellow man can make sure I live under a bridge.)
The right to free speech in the USA concerns political speech, and the relationship between the people and their government. It is not a shield against punishment by society for controversial or ill-considered comments. Indeed, it likely would prove impossible to grant such protections without limiting freedom of political or religious expression.
Your first mistake is believing in the fiction that corporations are people. Just because judges said so, doesn't make it true.
My primary complaint comes down to this country coming to an understanding of "right to life, liberty and pursuit of happiness" apply to actual people, and shouldn't apply to companies and capricious decisions. Things people do on their private time should have absolutely no bearing on where they work, where they live, or where they shop.
We already have laws on companies that restrict many different things. Companies can't violate the EEOC: they can't legally ask if you're married. Nor can they use your racial identity as a reason to hire/fire you. (they do, just under the guise of selective enforcement and firing for 'insubordination')
> The right to free speech in the USA concerns political speech, and the relationship between the people and their government. It is not a shield against punishment by society for controversial or ill-considered comments. Indeed, it likely would prove impossible to grant such protections without limiting freedom of political or religious expression.
And there was something that bothered me with your post... I've read similar kind of comments regarding desegregation in the South. Not that I'm calling you racist, mind you. But there were people who doubted similarly, and used that as an excuse to not make those changes. Fortunately, they were wrong.
> Things people do on their private time should have absolutely no bearing on where they work, where they live, or where they shop.
Yes, you are correct that the U.S. has passed laws that take a hard line against certain forms of discrimination, especially when it comes to employment and housing.
But even a law as accepted and adhered today as The Americans with Disabilities Act (one of the laws EEOC enforces [0]) is not even 30 years old. And in that brief time, into today, it has ongoing battles and controversies. The definition of "disabled" is most definitely not universally agreed upon [1]. Nor is there an easy consensus about the costs society should bear to follow the ADA. One example on HN that comes to my mind is this thread last year [2], in which many folks (perhaps the majority) argued that UC Berkeley should be allowed to continue producing online lectures without subtitles for the hearing-impaired.
You're probably aware even the most seemingly obvious consequence of the 1st Amendment -- that the government cannot censor people's free speech -- has been a continual matter of litigation and debate over the past century in every domain, from student protests to national security.
And yet you think that an expansive interpretation of the First Amendment -- such that no one in America should suffer negative consequences for expressing beliefs -- would have no complications or unintended consequences. How are you so wrapped up in your own predicament -- having to self-censor because you fear people may dislike and even shun you for your personal opinions -- that you can't see the obvious and immediate ways in which such a law would severely curtail the free speech of everyone, particularly the folks who do not have the resources to go to court?
If you believe the 1st Amendment stops the government from abridging free speech, isn't it also blatantly obvious how problematic it would be to enforce this law? (Hint: who do you think runs the regulators and courts who would be in charge of enforcing and passing judgement?)
Let's pretend we have the power to time travel and go back to rewrite the 1st Amendment; I challenge you to come up with just the words/phrases that would reasonably describe the free speech protection you want.
I disagree. You can do a lot to avoid mass surveillance. But you need to think like a smart criminal. Or a spy. And that comes hard for some.
I truly doubt that there's much hope for limiting mass surveillance in the US. The NSA does not respect the law. Because it's a military organization, and the US is always at war. At most, the NSA merely pretends to respect the law.
I think that you underestimate them... How often do you change your burner phones? Do you turn them off before you get back home? do you use different phones/computers for different purposes?, etc... if want to be truly untraceable, it is not practical at all.
I have just two phones, a smartphone for work, and an old dumb one for friends and family. Using those, I am entirely unremarkable.
I have occasionally used burner phones. Except when in use, I would remove the batteries and store them in an old steel paint can, with a charger. In the back of my vehicle, with tools. I never opened the can unless I was a few hundred km from my home and work. Supposedly on camping/fishing trips, and I lied about where I was going. Using an old vehicle, and keeping to back roads.
You might or might not be remarkable but even if what you do is of no interest to the NSA, they know a lot about you and you are not doing enough if you are trying to avoid the NSA net.
Few tricks to deal with those "if you have nothing to hide you shouldn't be concerned about surveillance" folks:
1. Tell them its not about hiding something, but its all about that you don't have anything to share with them. If they argue against (why?), ask them their favorite color and counter-argue trying to convince them to start liking some other color instead. Hopefully eventually they see stupidity of such discussion.
2. If 1 doesn't work, then hand them over a piece of paper and pencil and tell them to write their Gmail password. If they decline telling you "Well, I don't want you to read my emails", quickly answer "wow, now I truly wonder what you have to hide?!? What kind of emails are you sending and tho whom? I mean if you have nothing to hide then you should be okay with me reading your emails, no?".
3. Finally, if 1 and 2 doesn't work, try a bathroom trick. Invite them over for some cookout at your house with beer or wine. Keep pouring drink as much as you can and keep them at least for an hour (watch movie, play some boardgame, etc). Eventually they will have to use bathroom. Follow them on their way and once they close the door, open them immediately before they have a chance to lock it and tell them: "no, no, no, no! I don't close or lock doors in my house! Look, I know you just going to pee, but still if you have nothing to hide, you shouldn't be closing and locking doors after yourself, don't you think so? Unless you know... you plan to build a bomb or answer some jihadist emails in my bathroom, but you are not, right? So keep them wide open please".
That's all I got. If someone has better ideas, please share!
Another one from a slightly different angle I use is:
Imagine we’re all having dinner, talking about a particular politician. We’re sharing our thoughts and opinions, likes and dislikes. In a parallel universe, we’re doing exactly the same, except the politician is sat at the table having dinner with us.
Are we going to say the exact same things in both universes?
No, you’ll change your behavior when you know someone is watching. Even if you have nothing at all to hide, knowing that you’re being monitored or observed or that there’s even a remote chance it will come to light - you don’t act with full autonomy.
> Maintaining many different personas over a long time can be psychologically taxing. Real spies have access to professionals helping to deal with the psychological issues that arise from compartmentalization.
> All this begs the question if privacy invasive tech itself is changing us for the worse and making us sick? Either we get sick by it’s potential for psychological addiction or we get sick from trying to outsmart the privacy invasion. In any case it’s a game we can’t win unless we radically rethink our relationship to technology for work and play. If you have ideas, rants or raves I’d be thrilled to hear them.
I think over time we will have professional level ghost writting for our social lives - including brands -like play like your pwediepie etc. Well hiddden behind that brand noise of these chatbots/ outsourced workers will be our actual social lifes.
I find it to be a great hobby! It's rathe like writing fiction, except that it's fiction that you get to live. A form of LARP, if you will. You can get the vibe in some of Doctorow's and Stross' work.
This is a pretty great article. We do a lot of this as standard status quo at my company (https://verygoodsecurity.com) and we're about to deploy a full suite of google pixelbooks as well as primary computers instead of macs.
If there's more interest here, email me and I'll write up a lot of what we do -- but this post is a great start! We are planning on open-sourcing a lot of the tools that we built to achieve SOC2, PCI DSS, HIPAA, etc.
The first question I would have would be: since you're about to be using Pixelbooks, what happens if someday your Google login get disabled for some random internal Google reason?
I'd love it actually if Pixelbooks could be de-googlized, or even better, if Qubes-OS could run on Chromebooks. One can dream. :-)
Just to clarify: I know many things can be done once you put your Chromebook in dev mode, however once in that mode, your Chromebook becomes a lot more vulnerable. As opposed to on Android, where you can unlock without compromising on security, particularly true on and only on Pixel phones, as can be seen with CopperheadOS.
>$> crontab -l
# start /etc/host blocking blocking social media every morning at 6 AM
0 6 * * 1-5 cd $HOME/src/host/ && /usr/bin/python ./updateHostFile.py --auto --extension social porn gambling fakenews
># reset /etc/host to allow social media after 8 PM
0 20 * * 1-5 cd $HOME/src/host/ && /usr/bin/python ./updateHostFile.py --auto --extension porn gambling faknews
I think this cron job is probably broken if it depends on this exact script working IRL.
The return to personal hours at 8 pm configuration has misspelled the "fakenews" filter list. Surely this generates an error.
Uhm, "uBlock origin" appears to link to "uBlock" [1] rather than "uBlock origin" [2]. I don't use Firefox myself, but aren't the two completely unrelated? (I was under the impression that [1] was basically an unmaintained hoax of [2]?)
I think it's really cool that this page exists, even if very, very few people will follow all the advice.
As far as web browsing, I feel that blocking javascript is simpler and as effective as many of these much more involved steps -- hosts files, pi-hole, adnauseum, etc.
It's pretty easy to setup a bunch of pfSense VMs as gateways for various VPN services. Then you can create nested VPN connections through local internal networks. So each workspace VM is compartmentalized at both OS and networking levels. IVPN published my how-to guides for that. They're a little out of date, but the basic design still works well.
The section on 2FA goes on about SMS, which has a very increasing history of being easily bypassed and is utterly terrible advice. You’re designating a helpdesk operator on minimum wage at T-mobile as your root of trust, to defend against number porting.
Also, if you’re this ultra paranoid you may want to reconsider using Firefox -the last of all the major browsers to get a sandbox by a margin of years- to defend you.
I like the idea of this article and think privacy & security are worthy endeavors, but if you’re putting this much effort in, maybe it’s worth taking a serious look at what precise threats you believe you have, then coming up with the best solutions to those, rather than enabling a ton of stuff and praying it all works.
I should add: 2FA is indeed one of the best forward movements security has had in the last decade, it just SMS who’s time is limited: FIDO seems to be our next best bet.
"Another reason for taking this route is that extensions like TrackMeNot and AdNauseum obfuscate your existing data-sets stored by third parties. Using these extensions for a few months, we break Googles ability to understand and monetize your data. Because by then you have created havoc in the data-set they have. And the things they assume about you are invalid."
This is fascinating. Couldn't this technique of generating lots of random noise if it gained wide spread adoption completely destroy the surveillance business model?
> By default all DNS look-ups (that translate a human readable domain name to an IP address) are being conducted by the DNS servers of your ISP. I recommended you change this default behavior.
Even if your DNS servers are not your ISP's servers, your ISP will still know which IP addresses you connect to... I don't see how this increases privacy if you share it with a third party instead (https://www.opennic.org/ in his example).
I don't get this distrust of your ISP regarding DNS queries. They're one of the few parties we're actually paying. I don't see anyone paying 8.8.8.8 or most other alternatives people use. If we can't trust them, who the hell are you going to trust?
I'm quite nervous about installing a dozen extensions... doesn't this slow things down a lot? It feels like some of these things (uBlock Origin AND AdNauseum) feel redundant. Are these things good or bad ideas if your goal is both privacy and a reasonably snappy browser?
I'd guess the answer changes extension-by-extension. uBlock Origin and javascript blockers prevent a ton of things from ever actually loading, which makes for a much faster web experience -- win-win (although some pages are just blank until you enable enough JS). AdNauseum sounds much slower and more resource-intensive.
I like uMatrix (from the creator of uBlock Origin), which by default blocks almost everything from 3rd parties, especially javascript. Without javascript, privacy concerns are vastly diminished and the pages is much smaller and faster. I like uMatrix because it's relatively easy to load only the javascript you want, when you need it.
uMatrix's greatest gift, at least to me, is that in a small way it lets us turn the tables on monitoring. Government and city utility sites sending citizen's activity to FB and Google -- who'd have thought that could happen? uMatrix can flag each such occurrence for you.
The problem is, installing all these kinds of extensions breaks all kinds of things, some time in the future, when you've long forgotten everything you installed/configured;
In theory i'd rather use Firefox over Safari.
However in practise, a lot of stuff doesn't work properly in Firefox - because of some extension or some about:config setting i set after reading posts like this.
When that happens, i always revert to the trustworthy Safari which just always works (...and has proper pinch-to-zoom, which in my opinion is a very basic feature Firefox is lacking.)
> installing all these kinds of extensions breaks all kinds of things [...]
How odd, my experience is completely different.
I browse all the time in Firefox and Chrome with uBlock Origin and Pi-Hole. Not much is broken. In the rare case something is broken I flip DNSCrypt on and use Safari/Edge which don't have uBlock Origin installed. That happens like, what, once a year?
This is a valid point, perhaps more applicable to the parents or siblings we try to protect, but still valid.
It would be nice if Firefox had a page that listed every setting that is changed from a default value in one place. You'd still have to investigate extensions separately, but at least all those obscure hidden settings you've changed accessible and visible in one place.
I've definitely had my "let's switch browsers and see if this works in IE/Edge/etc." moments, but in general, things not working with Firefox with tracking protection enabled is rare.
And more importantly, when I need to bypass these safeties by using another browser, I'm doing so intentionally: I know this site is trying to move outside my security comforts, and can address it accordingly, rather than any given website abusing my privacy.
And of course, if I switch browsers just for sites that don't work in my Firefox setup, they're loading in a browser I use for little else... so they don't find much anyways.
IME, Safari lags horribly compared to Firefox WITH extensions. OSX just does not seem to provide intelligent ways to deal with memory management at the framework level. Not sure where the memory leaks are coming from, but on my 2013 iMac some process or processes hungrily eat up large chunks of memory. Forget about running Xcode, my system will just freeze because of swapping.
uBlock origin is an ad/tracking blocker. AdNauseam is an extension that pretends to be clicking on advertisements, thus poisoning the data for advertisers.
Using pseudonyms and sockpuppets will highly probably get them all locked out and suspended by social networks and internet services that have built strong countermeasures against it.
Do you mean Twitter doesn't represent all networks? I had a fake Facebook account for a couple of years... never had any trouble right up until I deleted it this year. So which network is doing this effectively?
Example: The german agency for loan credibiltiy (Schufa) got the hammer put down on them a few years ago for using zip-codes in their credibility calculation - it's not impossible to fight on a society-level, too, given said society is motivated and informed!