Privacy

cross-posted from: https://lemmy.ca/post/57669143

I came across this video: They Asked For My Name. I Said No.

She had to do a purchase online and used a :

• Private mail box
• Privacy.com to create a virtual card just for that purchase
• SimpleLogin to create an email alias
• Cloaked to get a virtual phone number

This all seemed a bit excessive to me, but I wonder in general how do privacy enthusiasts purchase things online from: a) Sites that they can "trust" b) Sites that they can't "trust"

And what about offline? Do you guys use things like Google / Apple Wallet? Do you carry physical cards? Or do you not use cards at all and just pay by cash?

--

I used to use Google Wallet, but I have switched to GrapheneOS so that no longer works, I need to substitute it to curve pay but I'm kinda considering maybe I don't need it at all? Perhaps just carry the card with me, instead of adding yet another company that sees all of my purchases accepting all the downsides that this will give me. Or just use cash.

As far as online purchases go, honestly I don't do anything special other than creating a disposable virtual card just for that purchase, which made me think maybe I'm exposing myself too much, especially on smaller sites that I can't trust. That being said, I don't really know what I would do to change that.

Thoughts?

Sorry if this is yesterday's news to you all, but I just found out about this Android app that makes it easier - as in, less steps - to encrypt and send any message in a highlight-copy-paste fashion, with automatic integration in several e-mail front ends.

It still receives security updates and the repo is still maintained, but the app is no longer being actively developed to add new features. https://github.com/open-keychain/open-keychain

Earlier this year, both chambers of Congress passed the TAKE IT DOWN Act. This bill, while well-intentioned, gives powerful people a new legal tool to force online platforms to remove lawful speech that they simply don't like. The bill, sponsored by Senate Commerce Chair Ted Cruz (R-TX) and Rep....

Smart TVs with an internet connection: Lets grab screenshots and send them to cooperate analysis advertisement department.

The core insight here: privacy isn't this monolithic thing where you're either completely anonymous or completely exposed. The author breaks it down into these two approaches - tracking reduction and tracking evasion - and that distinction actually matters a ton in practice. Someone worried about targeted ads has completely different needs than someone trying to avoid state-level surveillance. Both are "privacy concerns" but they're worlds apart in terms of what you'd actually do about them.

The things that make you better at tracking reduction often make you worse at tracking evasion, and vice versa. It's not just that they're different approaches - they can actively undermine each other. This is the part that most privacy guides completely fail to explain, and it's why you see people with these Frankenstein browser setups that are actually less private than if they'd just picked one coherent strategy.

With the Chat Control bill entering its final stage, the EU Council has been busy thinking about what a new data retention framework could look like.

 With over 3 billion users globally, mobile instant messaging apps have become indispensable for both personal and professional communication. Besides plain messaging, many services implement additional features such as delivery and read receipts informing a user when a message has successfully reached its target. This paper highlights that delivery receipts can pose significant privacy risks to users. We use specifically crafted messages that trigger delivery receipts allowing any user to be pinged without their knowledge or consent. By using this technique at high frequency, we demonstrate how an attacker could extract private information such as the online and activity status of a victim, e.g., screen on/off. Moreover, we can infer the number of currently active user devices and their operating system, as well as launch resource exhaustion attacks, such as draining a user's battery or data allowance, all without generating any notification on the target side. Due to the widespread adoption of vulnerable messengers (WhatsApp and Signal) and the fact that any user can be targeted simply by knowing their phone number, we argue for a design change to address this issue. 

easy-to-use implementation of the attack: https://github.com/gommzystudio/device-activity-tracker

signal developers discussion about it https://github.com/signalapp/Signal-Android/pull/14463 (WONTFIX)

The GDPR is Europe’s defence against digital oligarchy and child harm. Deregulation plans are misguided, say Johnny Ryan and Georg Riekeles

https://xcancel.com/H1BeesNuts/status/2002194641551307199#m

https://en.wikipedia.org/wiki/Political_abuse_of_psychiatry_in_the_Soviet_Union?wprov=sfla1

PrivacyGuide.net mostly has US providers for these and given the current situation with the US, let's say using US services doesn't feel very private at all, regardless of how strong the claims are.

I'm not looking for total privacy, but just to start being more private until the EU gets its ducks a row regarding payment systems (VISA and Mastercard still dominate and make you transparent or at least translucid).

This is in India, but coming soon to a country near you (or the one you are in already).

I'm considering the switch to GrapheneOS, so I watched this interview with one of the members of the GrapheneOS team, and honestly, I feel it was a great general introduction to it and touched on common features and misconceptions.

For those who don't know, it's one of the most secure and private mobile operating systems out there. Some things that I took away:

1. They touched upon MAC randomization. I researched a bit on my own about what the need for it is. Apparently, it's standard practice to randomize MAC addresses when scanning WiFi connections. However, GrapheneOS (and Pixel firmware) are even better at this, as they make sure they don't leak any other identifiers when doing so. They also allow you to get a new random MAC for every connection that you make (not sure whether this is very useful, as this can cause problems). On a related note, even when WiFi/Bluetooth are "off," stock Android can still scan in the background to improve location accuracy (by matching visible networks/devices against Google's database). So basically, even with WiFi/Bluetooth off, Google still knows where you are. In GrapheneOS, this option is off by default.

2. They have their own reverse proxies that they use to talk to Google on your behalf when needed.

3. Apparently, in the USA you can be compelled to provide a fingerprint or Face ID. Courts have ruled this doesn't violate the 5th Amendment because it's physical, not testimonial. BUT you cannot be compelled to provide a password/PIN. That's considered testimonial evidence, protected by the 5th Amendment. GrapheneOS has a two-factor system where, after using your fingerprint, you still need to enter a PIN, so it helps with this. They also have a BFU state after reboot, which is the safest and requires you to enter your full passphrase.

I haven't finished watching it, but it has some very interesting data points on privacy and how your privacy is being exposed even when you think it isn't.