photochemsyn · 3 years ago
In general it's a good thing that more and more people are aware of the necessity for good security practices for all online interactions - but the belief that individual technological efforts can defeat large-scale corporate and nation-state monitoring is pretty silly. At best you'll just have an added layer of security against things like theft of credit card information by criminal gangs.

If you actually want to do something like communicate with a journalist while hiding your own endpoint from exposure you have to go to fairly ridiculous lengths, such as acquiring a laptop used only for that purpose and which has no associated identifying information, use random open Wifi networks to log onto, and have a decent understanding of the concepts of public-key, asymmetric and symmetric cryptography.

Note that there is simply no way for two known parties on the internet to hide the fact that they are communicating with one another from government-corporate managers of the Internet - although it's possible to keep the content hidden, to some extent, unless your passwords get compromised, which seems fairly easy to accomplish for such actors via keylogger malware installed through backdoor attacks using secret zero-day exploits and so on.

The only real solution is the passage of data privacy laws that provide criminal penalties and which allow class-action lawsuits against corporations and governments that engage in warrantless mass surveillance or the retention and aggregation of customers' personal data in searchable databases.

kornhole · 3 years ago
This site and many guides like it are intended to help people avoid mass surveillance rather than targeted surveillance. Confounding the two threat models seems intended to confuse and exasperate people.
photochemsyn · 3 years ago
So, let's say the NSA is collecting data on every person on the web, and they're able to see who is using these 'mass surveillance avoidance tools' and who isn't. The former category then actually stands out and becomes targets of more intensive surveillance because they're using tools that allow them to hide surveillance to a limited extent. Using such tools would flag the 'strong-selector' metadata collection system for further (targeted) examination, i.e.

https://en.wikipedia.org/wiki/Turbulence_(NSA)

This is of course what an outfit like the STASI or Gestapo would do, isn't it? If you're actually trying to hide from surveillance, the best tactic is to hide in plain sight, maintaining a cover story consisting of bland normal online presence that doesn't draw extra attention.

Of course living in an authoritarian panopticon and having to hide in this manner is an undesirable situation, and the solution is not technological, but rather political in nature. One basic issue is transparency, i.e. the public should be able to see what the intelligence agencies and corporations are up to with their surveillance programs. This is why Snowden's exposure of PRISM, XKEYSCORE, TRAFFICTHIEF, etc. was in the public interest, i.e. legitimate whistleblowing.

petsfed · 3 years ago
I think the lesson to be learned from e.g. the Cambridge Analytica scandal is that given enough computational power, mass surveillance is indistinguishable from targeted surveillance.

I feel like I should be putting on my tinfoil hat saying all of that, but the reality is that these systems are less and less throttled by the availability of human brains to process the data the automated surveillance systems collect. We made a mistake in thinking that labor costs could ever be an effective guard rail for these tools.

jjav · 3 years ago
> This site and many guides like it are intended to help people avoid mass surveillance rather than targeted surveillance. Confounding the two threat models seems intended to confuse and exasperate people.

The important thing to keep in mind - and one that I find most nontechnical people don't realize - is that over time mass surveillance and targeted surveillance trend to being the same thing.

Centuries, or even decades, ago mass surveillance was a dictator's dream but merely a fantasy. There was no way to do it, not enough people or time, so it was impossible. You could only do targeted surveillance against selected groups or people.

With current technology these are starting to merge. You can actually spy on everyone all the time and store it for later perusal whenever you need to perform a dragnet search in the future.

We're not there 100% quite yet but every year more activities are online and more bandwidth and storage capacity makes it more and more viable to monitor everything and everyone all the time.

The legal and cultural framework to deal with this does not exist. Laws and mindsets are still focused only on targeted surveillance and cover things like search warrants.

nunuvit · 3 years ago
Or at least intended to piggy back their own cause onto a superficially related effort.
amelius · 3 years ago
> Note that there is simply no way for two known parties on the internet to hide the fact that they are communicating with one another from government-corporate managers of the Internet

Not entirely true. I could post a message on a popular forum like HN, where the message contains a hidden message.

NoZebra120vClip · 3 years ago
Steganography is a real thing. I've often wondered about those meme powerhouses, like on Facebook.

I used to collect thousands of memes and just blast them to my mother indiscriminately. Then I wondered whether silly-looking memes could be carrying secret messages, or just nasty hidden stuff. I decided to stop helping traffick in that stuff.

Has anyone read/seen Mother Night? That's a real good example of how secret communication can hide in plain sight.

MichaelZuo · 3 years ago
Yeah the parent's assertion seems incorrect. It's totally possible to hide such messages on the internet.
letitbeirie · 3 years ago
Basically a digital dead drop.
didgetmaster · 3 years ago
Maybe that explains some 'word-salad' speeches by our VP. She really is sending a hidden message to somebody who has the secret decoder ring. Then again, maybe not...
psychphysic · 3 years ago
Most media now have secure drop and guides on usage.

In the UK at least such as this BBC page[0]. As do the Guardian, Bloomberg and many more I'm sure.

I appreciate that it is an involved process as you say but it doesn't seem excessive especially if you can use your smartphone now that tor browser is on android and iOS.

[0] https://www.bbc.co.uk/news/uk-60972903.amp

Y-bar · 3 years ago
sigmoid10 · 3 years ago
This might hinder small time criminals and companies at best from finding out who snitched on them. But in an authoritarian regime with state level resources or just a sufficient level of corruption or even just a media corp run by boomers that is vulnerable to phishing, you can't count on discretion for these things. Secure tunnels and end2end encryption are worthless if the endpoints are easy to compromise. The above comment is right that at the very least you should use bespoke hardware that was never associated with you or anyone you know in any shape or form (in addition to the things mentioned on that site). And even then you'd have to make sure that the info you leak can't be traced back to you, at which point it becomes a game of intelligence and counter intelligence. For example, if an organisation suspects their people are leaking info to the press, it could begin to place targeted (mis)information among employees to uncover them. This was done at Tesla last year to track and eventually bust leakers.
gnarbarian · 3 years ago
The laws don't really stop it either. The 4th amendment in the United States hasn't prevented huge dragnet style data collection and partnerships with private entities to provide access to whatever data the government wants.
hellojesus · 3 years ago
Laws like the Bank Secrecy Act were passed specifically to state that 4A doesn't apply if the data is collected from a third party and not the individual directly. Nonsense but we're here.
LinuxBender · 3 years ago
> The only real solution is the passage of data privacy laws

AFAIK governments empower specific agencies and groups with qualified immunity. How would such laws be enforced if an agency has immunity?

MSFT_Edging · 3 years ago
The expression of power is in who gets to decide the exception to the rules. Real power is rarely beholden to rules. That's why whistleblowers who call out illegal programs are treated like the criminal, because the laws essentially don't matter when dealing with things at that high of a level.

Powerful people can lie, cheat, and steal and face zero repercussions. They hold institutional power so groups like the police will protect them regardless of laws being broken. It's not illegal for a corporation to either literally or metaphorically kill someone, because there is no body that will hold them accountable, but it is illegal to assassinate a CEO and systems will pull all stops to hold the assassin accountable.

It's the real reason why Western style democracy ends up being a busybox for people who like rules. The people who can grant endless exceptions have addresses and beds where they rest their heads but people without power cannot decide on an exception to the rules, regardless how dangerous and damaging that person is.

hirundo · 3 years ago
In the U.S. qualified immunity is a creation of the judicial system, and those decisions could presumably be reversed by statute if the political will comes to exist.
Matticus_Rex · 3 years ago
No need to invoke qualified immunity; the data privacy laws that have been passed (e.g. the GDPR) make explicit carveouts for government surveillance. Yes, the carveouts are for the jurisdiction's own government only, but that's the one you should be most worried about mass surveillance from in most cases.
misterprime · 3 years ago
>High ranking member of political party 1 does something illegal.

>Huge stink and nationwide conversation ensues.

>High ranking member of political party 2 does the same damn thing.

>Crickets.

You can even reverse the order of the events or parties. It happens a lot. Such laws, unfortunately, simply become political tools.

bawolff · 3 years ago
> but the belief that individual technological efforts can defeat large-scale corporate and nation-state monitoring is pretty silly.

Nation states may have a lot of budget, but they still have a budget. Mass surveillance needs to have low per user cost to succeed. It is entirely reasonable to assume small changes if widely adopted could make mass surveillance economically unfeasible.

reaperducer · 3 years ago
> The only real solution is the passage of data privacy laws

Even your own example — a whistleblower talking to a journalist — illustrates that the fear is not of people who abide by laws, but people and organizations that don't care about the laws.

I'm not saying that there shouldn't be laws. But like almost everything involving human beings, the solution is not an if-then binary choice.

You have laws, but you also have mitigations.

scarface74 · 3 years ago
You mean you want the same government that is interested in putting back doors in phones and other surveillance techniques to pass laws that keep them from doing so?
jabradoodle · 3 years ago
Much of the progress that has been achieved by governance was opposed by those with power.

Your view point sounds like we should give up on any form of legislation the rich and powerful would not like.

smolder · 3 years ago
Yes, our government is not a single homogenous entity. We can theoretically (and sometimes actually) use our legislative representatives to change the behavior of other parts.
kornhole · 3 years ago
We should push for laws and resist new acts that curtail our rights of privacy and free expression, but that is not a solution. We are generally on our own in making our choices of technology to use. If you go on using proprietary services and networks hoping that someday laws will suddenly fix all the problems, you are seriously deluded or naïve.
salawat · 3 years ago
You mean... like some sort of a... a Constitution...

One with lines like:

"The Congress shall make no law..."

"The People shall..."

"...shall not be infringed."

"All powers not mentioned here are reserved for the States, or ultimately, the People."

We're beyond the point where good faith can be assumed, and we're down to brass tacks. Our judiciary has shown they are more than willing to creatively reinterpret precedent as they see fit. Our Executive is acting more and more like a dictator with an entire corpus of executive based lawmaking at his disposal (Administrative Law). The Legislature has abdicated responsibility for reining in excesses in the interest of the little people rather than established incorporated interests and high value donors.

And the People are left with a choice. Amongst all this dysfunction, what should they do?

EGreg · 3 years ago
The problem you describe is far more pervasive than that: https://magarshak.com/blog/?p=362
feedsmgmt · 3 years ago
Why isn't full transparency and an end to criminality a viable solution?
DennisP · 3 years ago
It might be, if it also applies to everyone in the government. Then all of us can keep them accountable.
arendtio · 3 years ago
> The only real solution is the passage of data privacy laws that...

Even the GDPR with its huge impact and global implications does not apply to law enforcement agencies. So I wonder who would make such a law?

Nifty3929 · 3 years ago
The main problem I see is that people are completely distracted by privacy from corporations - when what we really need to be worried about is privacy from our own governments.

So much ink is spilled talking about cookies, ads tracking, etc. But really what's the worst a corporation is going to do? Try to sell you something?

Meanwhile, we continue to allow our governments to regulate and legislate ever more intrusive invasions of our privacy. And they can put us in jail, or worse.

This also gets blurry as governments take increasing control of companies, to the point that some are just about arms of the government, surveilling us in ways that the government can't (yet) do on their own - and being forced to pass that data to the government under penalty of law themselves.

pavon · 3 years ago
Until these companies turn around and sell that data to the government, which doesn't require a warrant since the company is volunteering to provide it, and if they don't want to sell it, the government will happily use one of its loopholes around warrants to demand it anyway. The government does this constantly with location data[1], browsing history[2], license plate scanners[3], and more.

We should be pushing to close these warrantless search loopholes, but in the meanwhile the only pragmatic way for an individual to maintain privacy is to prevent any and all third parties from collecting the data to begin with. After it has been collected, you have no control and no reasonable expectations of how it will be used.

[1]https://www.eff.org/deeplinks/2022/06/how-federal-government...

[2]https://www.nbcnews.com/tech/security/can-government-look-yo...

[3]https://arstechnica.com/tech-policy/2020/07/cbp-does-end-run...

landemva · 3 years ago
> prevent any and all third parties from collecting the data to begin with.

This is what I have been doing. What can you add to this?

On phone disable Bluetooth, disable precise location, disable location and infrequently turn that on for something like photo geotag, use carrier phone number for nothing and use phone numbers from googlevoice or others. Put cars in LLCs or Trusts with address at POBox or UPS. Never use home address for mail unless it is from family. Put utilities in name of LLC or Trust.

TheRealDunkirk · 3 years ago
> Until these companies turn around and sell that data to the government...

Yes, the larger issue is that the government has just outsourced a lot of the work to corporations to get around the Constitution. If there were any integrity left in the US government, there would be a reckoning about this. We worry about regulatory capture, but the bigger problem is deep state/military-industrial complex capture.

Nextgrid · 3 years ago
I disagree.

Companies are building surveillance infrastructure that is:

* way ahead of governments in terms of technical capability (NSA and top-level intelligence agencies are outliers, but your average government IT departments are too incompetent to be of any threat)

* widely accepted and not regarded as malicious - not even the NSA can get people to voluntarily include some malicious Javascript on the vast majority of public-facing webpages, yet Google Analytics managed exactly that

* profitable and self-sustaining - the government doesn't have to spend money on building and maintaining it, nor needs to justify its budget/spending

Those companies however are still at the mercy of governments, either via violence/coercion (in the US, they have to obey a national security letter by law, or armed goons will show up) or mutually-beneficial relationship (a lot of companies either outright sell this surveillance data to the highest bidder, or don't outright sell it but will be happy to let the government in on it in exchange for a good relationship and favors in the future).

Applejinx · 3 years ago
I'm completely uninterested in the distinction you draw here.

Actually, several distinctions. What do you mean 'our OWN governments'? This is a world where hostile foreign governments can wreak absolute havoc… including by popularizing arguments literally the same as the one you're making, for the purpose of undermining that government and fomenting revolution for their own selfish, imperialist purposes.

I can think of two great powers (okay, one formerly great) actively doing this within my lifetime, and the formerly great one was doing it as hard as it possibly could, within the last ten years, and is still doing it.

I don't trust your argument at all. You're leaving out significant things, conveniently.

Nifty3929 · 3 years ago
The difference between my own government and a foreign government is twofold: 1. It has always been illegal for a foreign state actor to surveil me, and in any case has no authority over me and can't put me in jail (as long as I'm not in their country). 2. My own government is legally entitled to surveil me and collect my personal data, and can indeed put me in jail.
coldtea · 3 years ago
>So much ink is spilled talking about cookies, ads tracking, etc. But really what's the worst a corporation is going to do? Try to sell you something?

Cooperate with domestic and remote governments, work with the deep state, influence elections and work with candidate teams, and so on. There are also companies with more reach and resources than entire countries.

Plus, corporations have been known to downright spy, threaten, beat up, and murder people when multi-billion interests are threatened (e.g. by local populations wanting clean water or better working conditions).

anigbrowl · 3 years ago
You write this as if corporations don't lobby on behalf of their owners, and as if 'trying to sell you something' couldn't be any more dystopian than someone at a store counter greeting a prospective customer.

Corporations lobby governments to provide security, in part because some corporations want to sell security products and governments (at multiple different scales) are the biggest customers for that. Those who do not themselves sell security sometimes demand security not so much for the safety of customers and staff as for the customers that they would like to have. Security is big business. Before dismissing this as some marginal phenomenon, you might want to reflect on the proportion of the economy that revolves around security. Though a few years old now, this article raises a number of surprising questions that I've yet to see effectively answered: https://www.brown.edu/Departments/Economics/Faculty/Glenn_Lo...

seaners · 3 years ago
What sort of argument is this? I prefer a corporatocracy to a democracy? You elect officials for your government, you have no say in what Google does.
elevation · 3 years ago
While corporations aren't as powerful as the government, they use data for more than "trying to sell you something."

Network effects cause society to coalesce around the same large corporations for social media, online shopping, payment processing, etc to the point that it can be hard to function in society without their services. Once their services are used by virtually everyone, their governance becomes governmental in its impact. On a weekly basis we see programs like the app stores, ad markets, search algorithms, and payment processors enforcing opaque policies that close businesses and end livelihoods, all based on an automated interpretation of the data we share with them.

JohnFen · 3 years ago
> The main problem I see is that people are completely distracted by privacy from corporations - when what we really need to be worried about is privacy from our own governments

Governments have grown to rely on corporations to spy on their own citizens, so being worried about corporate surveillance is being worried about government surveillance.

However, between the two (for the vast majority of people), corporations pose a more realistic threat than governments do.

0x445442 · 3 years ago
You speak as if corporations are separate from governments.
Nifty3929 · 3 years ago
I did allude to the gap there closing. I still see them as distinct in most countries, including my own. But I fear we're allowing the gap to close further.

As an aside, I think a lot of people want this gap to close, but for entirely unrelated reasons more related to political and economic goals, with the loss of privacy and individual autonomy being an unconsidered consequence of this.

RetpolineDrama · 3 years ago
True. For all their flaws, Google doesn't have the ability to send men with guns to my house to abduct me if I don't pay them 50% of my income.
Nextgrid · 3 years ago
But Google built a surveillance machine much more advanced than the gov can even dream of, so the guys with guns just have to go to Google first to get your data and then they can go to your house.
graderjs · 3 years ago
But if your phone OS / cellular firmware is compromised then e2e or even at-rest encryption won't matter. Anything you can see on your phone can be seen.

I think a more rational alternative is to consider that everything except your unexpressed thoughts and emotions is already logged. At some point, this will become true (if it ain't already), so....then you at least will be ahead of that curve.

So if everything you do is monitored, how do you achieve privacy in such a world? That is the question, I think.

In fact, it's similar to how a corporation or nation needs to think about protecting their own secrets. They have to assume compromise (of people, systems, etc)...how do you confuse and compartmentalize what you want to protect?

freedomben · 3 years ago
Don't let perfect be the enemy of good. The likelihood and prevalence of deeply low level monitoring is orders of magnitude less than the likelihood of using modern apps and saas where it is virtually guaranteed. It's an additive game and you can dramatically reduce invasions, even if you can't eliminate them.
TimTheTinker · 3 years ago
See https://news.ycombinator.com/item?id=35698547

Even at the hardware level we have real examples of exfiltration.

graderjs · 3 years ago
> likelihood lower

Not if we take the lore around mass survey into account (Snowden etc)

htag · 3 years ago
1. It's completely possible to treat your phone as an insecure device. Maybe I'm naive, but I think it's possible to run a daily Linux system with a reasonable assumption of privacy.

2. When you act as if you are being monitored and judged for your words/actions, you begin to self govern them to be more acceptable to the presumed omnipresent agent. Sometimes the fear of being surveilled is as powerful as actual surveillance.

heavyset_go · 3 years ago
> 1. It's completely possible to treat your phone as an insecure device. Maybe I'm naive, but I think it's possible to run a daily Linux system with a reasonable assumption of privacy.

Your computer is running several operating systems under ring 0 that Linux has no idea about, same goes with many components and peripherals. Those operating systems have direct memory access.

graderjs · 3 years ago
But not if we assume compromise.

How would you hide in plain sight? That is the question.

Bruce Lee said: be water. But maybe you need to: Be Hamlet

LinuxBender · 3 years ago
> So if everything you do is monitored, how do you achieve privacy in such a world?

I might put a physical paper notebook in a reporter's pocket then meet with them and buy them a coffee or tea. Or I might give them a USB drive with a self-decrypting file and instructions for how to use it securely.

Or if I am feeling silly I might borrow a few hundred digital billboards and just broadcast the data to everyone and let the public sort it out. FoghornBlowing?

opportune · 3 years ago
This, given these NSA programs have had 10 years to evolve and expand, and that the NSA can easily get access to effectively the entire planet's mobile devices by showing up to just two American companies' HQs with guns and gag orders, it seems almost a certainty that they'll have OS-level access. So I'd highly doubt any standard mobile device is NSA-safe.

In terms of dimensionality, I actually do not think it would physically be possible for the NSA to warehouse all the raw data they could Hoover (haha get it) up, so that might be a bit comforting. And certainly whatever data they do Hoover up will mostly never be directly seen by a human due to physical constraints on eyeball time available to spy vs produce content. That yields one answer to your question which is to just not attract enough attention they decide to turn on full logging and comb through your life

deafpolygon · 3 years ago
AI can probably drastically reduce the time it requires to go through a massive trove of data.
akira2501 · 3 years ago
> So if everything you do is monitored, how do you achieve privacy in such a world? That is the question, I think.

Proposals that suggest users get better at managing their own security are doomed. Most people don't understand the absolute insecurity of their door locks, let alone the state of their digital devices.

One possible answer is noise. There should be "digital noise generators" that create fake digital fingerprints for you everywhere. The goal isn't to make the landscape more pristine, it's to make it so "dirty" that it has no value to anyone anymore.

kornhole · 3 years ago
You are talking about targeted surveillance rather than mass surveillance. That is not the purpose of this guide and similar others. There are advanced guides for people in that threat model.
graderjs · 3 years ago
That's a good point, but I think the trend over time is, what was a targeted tool, is now mass.
avodonosov · 3 years ago
An important part of the problem is that super complex software and hardware stacks are required today for even basic tasks. This limits the customer's choice, essentially forcing the customer to use these bloated, insecure, obscure products.

Even browsing the plain text Hacker News forum requires a web browser, so complex that only few companies in the world can produce it. And runs on super complex OS.

I wish we had something like "basic computing / communication device" specification. Simple, limited and transparent, that everyone can produce. With small software, that would allow to exchange messages and browse information online. Not all data formats, but a limited set of formats, good enough for basic communications.

Better a frozen spec, not a moving target. (Or a very careful evolution, with very rare release of new versions)

Good publishers, web sites, etc, could test their systems against the "basic comp / comm device".

jraph · 3 years ago
> Even browsing the plain text Hacker News forum requires a web browser, so complex that only few companies in the world can produce it.

This does not take anything out of your point, but HN can be browsed with simpler browsers like lynx, w3m, Ladybird or NetSurf, which are all written by a small set of people.

(they do rely on quite complex operating systems though)

avodonosov · 3 years ago
Maybe the main lock-in is in drivers for proprietary hardware. Platform software like bare bones Linux / Android and Firefox is probably not the root of the lock-in.

If so, maybe it's better to think of two devices: trusted device, and fancy device.

The trusted device is a simple, low power and cheap device, maybe without even a camera. Just touchscreen, wi-fi and mobile internet. Fully open drivers, and hardware spec. Running bare bones Linux / Android, Firefox. Easy to root and reinstall the full software stack. There can be an open specification for it, as a "basic comp / comm device": 1 GB memory, CPU of certain performance, etc.

The fancy device is a cutting edge proprietary flagman device. Great power, but risk of tracking.

Every user can have both types of devices.

hermannj314 · 3 years ago
Is it legal to have private conversations discussing actual plans for acts of terrorism?

I assume you have to pierce some veil of reality, make a purchase, buy a ticket, etc. before it becomes a crime.

My point is if we can make surveillance costly by filling the airwaves with false positives that are just a group of bots plotting a terrorist act? I assume that is legal to do.

Edit - ok, so it definitely seems like this is not clever at all and almost certainly a crime. Don't do this!

bragr · 3 years ago
No, that would likely constitute criminal conspiracy, even if you have no intent to commit it.

https://leginfo.legislature.ca.gov/faces/codes_displaySectio...

nashashmi · 3 years ago
> (2) Falsely and maliciously to indict another for any crime, or to procure another to be charged or arrested for any crime.

So this means police informants in connection to the police are also committing a crime? Far too often people with recorded criminal activities are baited into getting another person caught for a more severe crime like terrorism, in exchange of being let go.

citizenkeen · 3 years ago
> Is it legal to have private conversations discussing actual plans for acts of terrorism?

Not in most countries, no.

vvilliamperez · 3 years ago
Not legal.

The problem with conspiratory talk is that while one person may fully not intend on action, it could inspire and/or manipulate others into committing acts. The blame is shared on all for conspiring and creating that environment where acts can emerge.

drdaeman · 3 years ago
What if an unhinged language model generates all this noise talking to other language models, with no humans involved at all? The only human involvement would be an instruction to start spouting some believable bullshit on controversial topics, plus granting access to some private messaging tools and providing a contact list of other language models to talk to.
slavik81 · 3 years ago
There's a great sketch by the Whitest Kids U'Know on the legality of such statements. https://youtu.be/gmiKenqLVAU
kristopolous · 3 years ago
Bach's Brandenburg Concerto #3 is always a nice choice. One of my faves
anigbrowl · 3 years ago
In general, you can discuss such ideas but agreeing to perform them brings you up against the line of committing crime. In the US, you have to commit some material act in furtherance of the conspiracy, but that can be almost anything.

For example, if you and your friends agree to rob a bank and decide you'll need gloves, ski masks, and some kind of weapon, buying 6 pairs of rubber gloves at the store the next day would qualify as a material act. You don't need to acquire all the expected tools or go anywhere near the bank you discussed robbing.

coldtea · 3 years ago
I've read news stories of people caught, charged and everything, just for discussing those things.

So, no actual act is necessary.

Cthulhu_ · 3 years ago
Only if you don't get caught; plenty of schools have been evacuated because people mentioned committing a crime without actually intending to execute it.

That said, flooding the systems with false positives is definitely possible, but it would be used as a cover for actual terrorist attacks.

coldtea · 3 years ago
>Only if you don't get caught;

Well, that's true for any crime tho, so doesn't answer the parent's question.

rolph · 3 years ago
you seem to be describing "swatting"
mkoubaa · 3 years ago
I'm pretty sure it's illegal unless you're an intelligence operator trying to entrap people, in which case it's your job
prmoustache · 3 years ago
it gets quickly less fun when all your family is woken up in the middle of the night by a SWAT team, your kids are yelled at, your equipment is seized and your partner asks for a divorce.
jbm · 3 years ago
Was feeling concerned when I read this:

> Canonical’s Ubuntu is not recommended by PRISM Break because it contains Amazon ads and data leaks by default

https://www.eff.org/deeplinks/2012/10/privacy-ubuntu-1210-am...

I clicked the link and it was from Ubuntu 12.04. This is something more than 10 years ago and has been unmaintained for years. It becomes hard to take this seriously when they make it seem like it is an ongoing issue (or do not link to a newer article if it is).

jostiniane · 3 years ago
You are free to step in and help :)
itherseed · 3 years ago
I was surprised to find Authy in the "Avoid" column of the 2FA apps in Android. Anybody know why? I prefer something open source like Aegis that I can back up myself but didn't hear anything bad about Authy in particular.
pipingdog · 3 years ago
JohnFen · 3 years ago
That makes it clear. Authy is an unacceptable piece of software.
raybb · 3 years ago
Relatedly, does anyone know about 2fas.com ? They have a very nice app and a lot of installs but it's unclear how well vetted the oss is.
turnsout · 3 years ago
Yeah, kind of surprising. I guess it's a private company that manages your 2FA code backups, and they could theoretically lock you out.

I avoid Authy for a different reason: after upgrading phones, my backup password (which is 100% correct, trust me) is not unlocking my archive. I switched over to iCloud Keychain and will never look back.

thekingshorses · 3 years ago
I use google authenticator. I backup the QR code in the TrueCrypt vault when I add a new account to the google auth. I am not sure how secure it is, but I am very scared of losing access to google authenticator.
bragr · 3 years ago
This seems great until you dig into some of the recommendations. A tool to save webpages is not an alternative to a news reader. A dynamic DNS service is not an alternative to Google public DNS, etc, etc

I can't see this making any kind of dent on the average person with these kinds of recommendations.

pickledish · 3 years ago
Word, I was a bit surprised by the "email" section as well. As a better alternative to Gmail, I would have expected to see e.g. protonmail or fastmail, but instead saw... thunderbird, an email client? Which doesn't make a lot of sense
hammyhavoc · 3 years ago
It makes plenty of sense.

On https://prism-break.org/en/all/#email, they state "For more email providers, take a look at Privacy-Conscious Email Services. Please decide for yourself whether if you trust them with your data. For more discussion about safe email providers, please see issue #461.".

They even state that Thunderbird is a "Extensible, cross-platform email client.". The implied idea being to use Thunderbird to access a "Privacy-Conscious Email Service".

I use Gmail as an email client more than I use it as an email provider because it has an External Accounts function. I apply Google's "App Script" system to my email to do things that you could do in Outlook's full-fat client or maybe in Thunderbird with some extensions.

Applejinx · 3 years ago
If it is actually a malicious site trying to herd people toward exploitable behaviors it'd be following the Nigerian Scammer tactic of pre-screening by allowing simple errors to scare off more savvy inquiries.

This would go along with the rather crude emotional appeal.

That said, it hardly seems an efficient way to exploit people… though there are useful points. If you can get somebody credulous to use something that's compromised, and you're acting like a baleen whale and accumulating whole populations of credulous government-suspicious folks whom you've steered towards some mechanism where YOU can surveil them, that's got to have some usefulness.

People absolutely don't take into account the effectiveness of loosely manipulating entire populations in selective ways. You never need to select an individual and 'make' them take any action at all. You only have to cultivate the conditions for the outcome you want. Facebook might have discovered this first, but the idea sure caught on quick.

cptskippy · 3 years ago
I started going through the list and found several "wait, why is this to be avoided?" mentions. I started looking around for an explanation on their site and can't find anything.

There doesn't appear to be any clear explanation or rationale. There is however the ever unhelpful libertarian mantra "... do your own research ...". Whenever I hear those words uttered I immediately question the legitimacy of the source.

Hiding your research (or lack of) and telling people to do their own is a manipulation. It's telling people to either take you at your word or invest a lot of time and energy into research which might yield a similar conclusion.

Research is meaningless unless it's documented and shared so others can evaluate it.

JohnFen · 3 years ago
> Hiding your research (or lack of) and telling people to do their own is a manipulation

Yep. And even worse, since those people are also telling you what conclusion they want you to reach, they're encouraging people to engage in the illusion of research (starting with a conclusion and looking for confirming data points) rather than real research.