In spite of my inclination towards cyber security from an early age (relative to when I 'discovered' the Internet), I never was a big fan of privacy over the web. I knew some bits here and there about it, like how my data is used to serve me targeted content, how tracking happens even after I close the browser tabs and how companies watch me visiting sites and track my habits. Heck, I found it fascinating that I saw adverts from third party companies about the products that I was currently researching. The Internet, to me, was like a close friend who knows everything about you, your habits and interests, your lifestyle and more. And when I say friend, it isn't metaphorical. I literally trusted the web for every bit of work-life thing that I got involved in. I liked that my email was always synced, that Google asked if I wanted to review the place I was at, that all my photos were automatically backed up to the cloud, that I got 'This day 3 years ago' notifications every once in a while, that I received personalized notifications about the bills that were unpaid and the events that were due, like magic!
And all these years, I've heard about numerous leaks, activists exposing unethical government secrets and mass surveillance and I was always disconnected from it. When Airtel & BSNL were injecting adverts into my web pages, I was okay with it. When Google or WhatsApp changed their privacy policies, I readily accepted the new ones; after all, I'm sure they value their users, and decide in their best interests, right? After all, what do I have to hide?
Now, I consider myself a huge fan of free and open source software, and in the open source world, you readily trust the software or content, not because you personally trust the people behind it, but because the code is subject to scrutiny by fellow community members and as a result, the chances of using open source software that is malware or a back-doored Trojan are essentially zero (such attempts are readily caught. (meta meta: is this a survivor bias?)). I remember the heavy criticism of Ubuntu for logging the search keywords of its users for serving them targeted ads which eventually led to elite members of the open source community advising against using Ubuntu and RMS calling it a 'spyware'. But what Ubuntu did is only a tiny bit as harmful (they did put an option to opt out of this 'shopping lens', or uninstall it altogether) as some of the tools and services we use everyday. And that is what I realized in the past month.
From here, it is about how I turned 180 degrees and started to care about privacy and anonymity more than ever, how I became paranoid about the data that I publish online and think twice before registering for an online service, or visiting untrusted websites without a VPN. If you feel this is of no interest to you, I urge you to close this tab after watching the following video. The message is very powerful and I'd like you to give yourself sufficient exposure to the problem before deciding if you want to care. You may continue reading if you would like to learn about my decision and what led me to it.
Let's start with the most obvious question...
The anticlimactic answer is, better late than never. This article isn't the result of a single blog post that I read or any specific incident. It is a cumulative result of the critical exposure I've had in the past month or two, and a subconscious exposure of the past few years. I had this on my mind for some time, but laziness is what I'd call it. Who wants to give away the convenience of synced devices and automatic backups! I'm fortunate enough to have a paranoid friend around who doesn't use many (any?) social networking sites and online services. All he has is probably a ProtonMail email address, and he's just as active on the Internet as I am. I always considered his view of privacy a personal preference, a subjective view of the world, not an objective truth about the Internet and companies based on the Internet. But recently, the more exposure I'm getting about the way Internet giants collect and use my information, government surveillance etc., the more I'm moving away from using their services. It isn't about if someone is watching me while I use the Internet, which no one probably is, given my uninteresting Internet activities. It is the possibility that at any given moment someone/something could watch me, without my consent, store tonnes of meta data about me for use 15 years from now, and that I might lose the basic right to privacy that I always took for granted, that makes me uncomfortable.
However, I don't expect anything to change when I make a switch. In most cases, nothing would change for me, as an individual who accesses and relies on the Internet everyday. Free and open source alternatives exist and it is a matter of hours (if not days) to make a complete switch from proprietary to open source software. But now, I'm leaving far fewer footprints in random server logs and by using open source whenever possible, I can narrow down the amount of malware and spyware I carry around with me in my phone or laptop. And something I really need to emphasize: spyware is not necessarily installed by just a third party malicious user. OEMs ship spyware all the time (tampering with preinstalled TLS certificates and performing MITM attacks to show ads, now that's dark). All this is without even mentioning the humongous quantities of crapware these OEMs ship their products with, widening the attack surface for a third party adversary. All of this can be mitigated if you control what's installed on your devices and choose what services to use.
If you want to know more about what sort of threats to privacy exist around you, you might want to check out this amazing course by Nathan House titled 'The Cyber Security Course - Hackers Exposed'. Don't get intimidated by the title, it is for anyone who wishes to understand the threat landscape so that he can take the necessary steps to ensure adequate security and privacy according to his needs. Nathan does a great job at putting the key points in front for you to decide rather than feeding you his opinions. Highly recommend his course.
Is the threat real?
This question arises in the minds of people when they hear about issues like Privacy and Global Warming (I was surprised to find a good number of people think Global Warming isn't real). Is this real? Or is it one of those hyped-stories that would fade away and everything will get back to normal once the media stops covering it? Let me start by confessing that it was in the last month that I read the terms of service of any company I used online for the first time, and boy I was surprised. I agree that reading ToS is boring, but it really is critical to ensure a peace of mind when you use a service. If you're still not sold, check out this amazing site called tosdr.org or Terms-of-service-didn't-read which summarizes the ToS of popular services and rates them from class A (good policy) to class E (bad policy) and the key reasons supporting the rating. The data is a bit outdated, but you do get a general sense of the corporation's privacy structure. And to be honest, you don't need any of this. All you need to do is keep your eyes and ears open and assess the data you're about to give to the next application you download from the market. Take WhatsApp's ToS for example, the service which promises that the messages are end-to-end encrypted with Signal Protocol. Sure, they are. And there's no doubt in my mind that WhatsApp is one of the most secure messengers we have with us today. But privacy and security are two very different topics to discuss, both equally important (a good read here). And when it comes to privacy, it is not our messages or content that companies usually target. It is our meta-data. Here's what Snowden tweeted about it.
Are your readers having trouble understanding the term "metadata"? Replace it with "activity records." That's what they are. #clarity — Edward Snowden (@Snowden) November 2, 2015
- They know you rang a phone sex service at 2:24 am and spoke for 18 minutes. But they don't know what you talked about.
- They know you called the suicide prevention hotline from the Golden Gate Bridge. But the topic of the call remains a secret.
- They know you spoke with an HIV testing service, then your doctor, then your health insurance company in the same hour. But they don't know what was discussed.
This example should not imply WhatsApp is the only or worst offender; it is just one of them that I'm familiar with (and use personally). I assume that you can read and decide for yourself.
Why did I care?
"But Government Surveillance is a US problem!", "My nation doesn't come under 5, 9 or 14 eyes". Sure, but don't we all use the same Internet? I don't need to emphasize the importance of the Internet in matters of freedom of speech, how it has nullified international borders to connect people of similar interests and how many revolutions it has started. I don't need to mention that the Internet is a second home to political (h)activists and dissidents, a place where they can express themselves to the masses. I certainly don't need to mention what I personally feel about the Internet which you probably know by now. And I'm not even getting started on how, even if you don't belong to any of these 'eye' nations, most of your traffic is still getting routed through them.
The way I think about it is, a full disclosure sometimes becomes necessary to bring about a change in the system that is broken and is resisting a fix. This was one of the highlights in Keren Elazari's TED talk on 'Hackers: Internet's immune system'.
Precautionary measures I took
I adopted some defensive measures to try out this new Internet lifestyle, applying the learnings from the past couple of months, since it wouldn't make sense to not do it after this exposure. This is quite experimental, so try out what works for you, the way I'm doing. A word of caution though. This list would not cover you from threats and privacy breaches from third party adversaries like cyber criminals, who might choose targets more specifically (like sending a malware via email or infecting your local network). The best (and in many cases, only) defense against it is to keep your systems (laptops, mobile phones) up to date with the latest security patches. Did I make it sound important enough? KEEPING YOUR SYSTEM SOFTWARE UP TO DATE AND PATCHED IS THE BEST THING YOU CAN DO TO STAY SECURE. Sorry for screaming. Okay, now back to the measures I took.
- Flashed LineageOS on my Phone - Almost stock Android, plus more control over what I install (note: rooting, flashing, installing from unknown sources etc potentially opens a huge security hole in itself)
- No Google Play Services - The suite of Google apps such as Gmail, Youtube, Docs and Drive are optional, and I chose to not install them
- Gave up my G Suite subscription. So no synced devices and automatic photo backups. (Remember to 'Takeout' data before leaving)
- Turned off port forwarding, DMZ, UPnP and any other service on my router that might expose any of my internal devices to the Internet
- K-9 Mail as email client
- SkyTube for read-only tracking-free Youtube
- F-Droid for free and open source Android apps; there are also plenty of closed source apk repositories that don't require a Google account.
- DuckDuckGo as the default search engine across all devices
- Debian or Arch Linux on desktop, as recommended by Nathan House, provides a good mix of active development, security, support and speed, although you can pretty much choose any good distro depending on your taste and harden it.
- Signal Messenger on Android/iOS for WhatsApp-like security and usability minus the meta data issues
- Firefox Focus as the primary browser on phone, except when explicitly wanting to store history, in which case Mozilla Firefox
- Mozilla Firefox on desktop, and Chromium as the secondary browser. Google Chrome is a better browser imho, for it supports a lot more content types than Chromium does out of the box. Not to mention better updates and security. Boils down to your personal preference, really
- Deluge for torrents
- LibreOffice for document/presentation editing needs
- VLC for pretty much everything multimedia
- And the rest of the goodies you get with any nice distro. (Must admit that I haven't found a Google Drive alternative yet)
- Lastly (and optionally), encrypted mail providers like ProtonMail for secure email and a good VPN (such as Mullvad, or Tor for that matter, but make sure you read the differences) for use when on public Wi-Fi hotspots
Is any of this necessary?
"You are overdoing it!" as my friend exclaimed. I totally agree, and to be really honest, it is not just about privacy at this point, it is about enjoying the new world that I've found, exploring the corners and trying to fit in. I believe that open source shouldn't feel like a compromise. It should be a pleasant experience for everyone who uses it, whether or not they consciously care about it being free and open. I am sure not everyone is so willing to give away convenience for the sake of some principles and 'freedom of the web', and that is totally fine. As long as you take the decision of giving away your data and are okay with it for the rewards it comes with, and not let a corporation decide it for you, I'm no one to tell otherwise. I'm here to tell you that there's a world out there that represents the open and free nature of the Internet, and it is not at all difficult to convert. I did, and so can anyone.
Links from the post
Aggregating all the blog / additional information post links with their titles from the above text here.
- Shady Business: Airtel & MTNL injecting advertisements / js into websites you visit! - team-bhp.com
- Looking ahead for WhatsApp - whatsapp.com
- Nothing to hide argument - wikipedia.org
- Thwarted Linux backdoor hints at smarter hacks - securityfocus.com
- Survivorship Bias - wikipedia.org
- Ubuntu Spyware: What to do? - fsf.org
- Right to privacy - wikipedia.org
- Lenovo caught installing adware on new computers - thenextweb.com
- Nobody hates software more than software developers - blog.codinghorror.com
- Terms of service; didn't read - tosdr.org
- Signal protocol - wikipedia.org
- WhatsApp's Signal Protocol integration is now complete - whispersystems.org
- Security vs Privacy - schneier.com
- Why I told my friends to stop using WhatsApp and Telegram - medium.freecodecamp.org
- Why metadata matters - eff.org
- Metadata - privacyinternational.org
- What's up with crypto in WhatsApp? - myshadow.org
- The five eyes - privacyinternational.org
- Google Chrome vs Chromium - chromium.googlesource.com
- Differences between using Tor browser and VPN - security.stackexchange.com