
Bypassing the privacy chase

- Introduction -
- What is privacy? -
- How do we lose our privacy? -
- Privacy in the digital age -
- Technology versus privacy -
- Things we can give up -
- History of providers -
- The privacy policy -
- Doing direct tests -
- Issues besides privacy -

Introduction

If you are anything like most people, you have ended up on this site because you've realized your privacy is being violated by governments and big corporations and you've been trying to do something about it. To accomplish that, you've likely traversed recommendation lists like the E-mail report or the Web browser rankings and modified your choices according to them. But is this the right approach?

What is privacy?

The first question we have to ask ourselves is what actually is privacy - or else we will fail in our quest to reach it. Simply, privacy is the default state of other people not knowing where you are, what you do or think. Though the violators are trying really hard to blur the lines - we're not born with tracking devices under our skins. In fact, our biology is designed with privacy in mind - we're individuals each with our own sets of brains, eyes and ears whose contents are not directly shared with anyone by default. Humans have an ingrained need for privacy:

Ralph Adolph and Daniel P. Kennedy, neurologists at the University of Caltech in the United States, discovered that there’s a structure in our brain which is responsible for telling us where the limits of our personal space lie. This structure is the amygdala, a small region associated with fear and the survival instinct.
This discovery reveals something essential. The brain measures the personal limits of each individual. It’s like a personal alarm which tells us when something or someone is bothering us. When something is invading our privacy or violating our integrity until it becomes a threat to our well-being.
It reminds us that one of our greatest sources of anxiety is witnessing how we feel more “crowded” every day in every way.

And so, the nothing to hide argument totally misses the mark, since privacy is the biologically necessitated default. This brings us to our next point:

How do we lose our privacy?

As stated above, we lose it whenever our brain detects another person (or a group of people) invading our personal space. However, this only works for people - we've spent over 99% of our time on this Earth in the wild, and that is what our brains are tuned to. There are no computers in the jungle, after all. Civilization has allowed privacy violators to hide behind devices (such as CCTV cameras) and avoid triggering our biological intrusion detection system. Does all this have anything to do with the article title? Sure does:

Privacy in the digital age

Just as privacy in the wild would entail getting away from the people who got inside your personal space - digital privacy works similarly except the person is replaced by an electronic device. Though CCTV makes this easy to see, the gadget in question could very well be the computer you use every day, your credit card, printer or even the IoT fridge. We have become so accustomed to a life full of electronics that this simple point eludes us. There can be no privacy loss with a tech-free life. Which of course I'm not recommending - I only wanted to show the root of privacy issues. Clearly, the amount of data collected while avoiding all electronic devices would be zero - but then we'd lose all the advantages of those. How to balance this?

Technology versus privacy

A privacy newbie usually comes in with the attitude of replacing his current violators with privacy-respecting versions. And of course, there are a bunch of providers who are happy to fulfill (or pretend to fulfill) that need. You heard your Google Chrome browser spies on you? Mozilla Firefox to the rescue (or not)! Gmail? ProtonMail. Google Maps? Hmm, we're not doing too swell here... Anyway, this same person in 30 years will be asking how to replace Google Parent, Google Cook, Google Home Designer, etc. Is this the right approach? We've established there can be no privacy violations without electronic invaders. Therefore, the way to take control of your privacy seems to be minimizing device usage. And so, the right question for a newbie to ask is not "how do I replace this service?" but "do I actually need it?"

Google Maps was invented in 2005. Amazon Alexa - in 2014. Siri - 2011. Smartphones - in the 2000s. And yet a lot of people today cannot imagine a life without those. But 20 years ago, we all did fine without them. What has changed? It's obvious technology modifies the way society works (for example, there's a higher requirement for cars or other transportation than a few decades ago), but many of those devices can be easily dumped today - and even the "required" ones can as well with more effort. It is the capitalist focus on shiny new gadgets and the slick marketing which keeps them alive; as well as people's increasing laziness. Real privacy, therefore, has to start with not being dependent upon the violators instead of trying to replace, modify or block them.

Things we can give up

Now that we've cut off most of the violators, we can more thoroughly focus on managing the ones we do actually need - such as search engines, web browsers (though even this you can curb by avoiding bloated sites and downloading the ones you care about for offline reading) or communicators (hey, there's always carrier pigeons...). So let's end the privacy saga and learn how to choose privacy-respecting services so that you won't have to rely on recommendation lists anymore (which are prone to bribes, fanboyism, groupthink, low quality research, outdated information, etc):

History of providers

Respecting privacy means having it as the priority, instead of an afterthought. But to check for that, you often have to dig up information from long ago - such as in the case of DuckDuckGo. Briefly, the owner ran a data collecting operation for a few years before selling it (to an unethical company) and inventing DDG. He then advertised it heavily as an alternative to Google, and it was of course much better - but eventually, he started including anti-user stuff such as tracking cookies, pixel tags and Cloudflare; as well as playing fast-and-loose with the definition of personal data. As you can see, the spirit of his previous invention eventually started surfacing (and knowing the previous history would have allowed more cautious people to predict that).

You don't really need to follow a provider's every move to decide to avoid them - just a few pieces of history will usually suffice. Mozilla has for years been dependent upon the funds of a known violator, Google - do you think this is something a privacy-respecting company would be comfortable with? Then they started switching deals to other privacy-haters such as Yahoo. Or consider the saga about their horrible mistreatment of a long-time supporter - if they don't care about contributors, surely they won't care about the users either. Iridium Browser is another case of a seemingly private project that included Google SafeBrowsing in it by default, and tried to justify it. Even then we could clearly see that privacy isn't something the devs truly took seriously - and they confirmed it later by enabling yet more spyware. One event where something else has been put over privacy is usually enough to become suspicious. Pretenders aside, can we find an opposite example? One that is actually focused on privacy as proven by their history? Sure:

Autistici - created at some hackmeeting in 2001(!), and they've been fully committed to their mission since then. No information has come out showing that they have ever violated their principles. There have been no shady deals with privacy violating companies, no compromises, no deceptive advertising, no lying in the privacy policy, no trying to sneak in tracking by pixel tags, Cloudflare or whatever. In fact, on occasions when their resolve was put to the test, they've passed it with flying colors. If you read the R Plan (written in 2005), I think it's obvious these guys are the real deal and have always been. Other examples include ungoogled-chromium where a short look at their repo is enough to prove them as privacy-respecting, unlike Iridium devs.

So, as you can see, history is the fundamental upon which we base everything else. However, putting it all together requires a combination of willpower, time, effort and skill which many people might not have. It also doesn't provide any insight if the provider is new. Can we find a more clear-cut and immediate way to rate a provider?

The privacy policy

Fortunately, the offenders almost always graciously tell us how they're violating us. It is often hidden behind weasel words and such - but if you carefully analyze a privacy policy, you can come out with a pretty clear picture of what a provider is all about. Though doing that properly also takes some skill, it is much less demanding than the above. Privacy policies are long, so let's learn how to speedrun them. The main things you'll be looking for in a privacy policy are what it stores and for how long. Let's do it now for the Nintendo privacy policy. We skip the intro and move on to the section "Categories of information we collect". Let's go right to the subsection titled "Information about your device", since that's where the nitty-gritty is usually found:

When you use our services we may collect specific information about your device, and across your devices, such as the product model, serial number, operating system, device settings, device performance, device and advertising identifiers, Internet service provider, IP address and other unique personal or online identifiers. If you or your device experiences an error, we collect information about the error, the time the error occurred, the application or features being used, the state of the application when the error occurred, and any communications or content provided at the time the error occurred.

IP, unique ID, advertising ID. "Across your devices" likely means they combine all that info into a profile. Hey, we might have the next privacy giant around here, so let's dig a little further - "Information about your use of our services":

We collect information about your use of and interaction with our services. This could include information about your gameplay, your online status, your service use history, your connections and interactions with other users, the content you share, the date and time of your visit, information about the links you click, pages you view, and advertising you interact with within our services, inferences used to create a profile about preferences and characteristics, standard server log information, and other information about how you use our services.

In short, absolutely everything you could imagine is stored, including inferences to create a profile - which means they (using all the collected data) try to predict what you'll like or what you're going to do next, etc. With the above, we have enough to throw Nintendo into the pile of the biggest violators, along with Facebook, Discord or Mozilla. But our speedrun was supposed to have two parts - data collection and duration - so let's check out the other. From the section "Information retention and information security":

Personal information will be retained only for so long as reasonably necessary for the purposes set out in this privacy policy, in accordance with applicable laws.

No specific figures - so assume that all the data collected in Section 1 is stored forever. Therefore - due to scoring terribly in both the collection and duration categories - we can conclude that Nintendo fails the privacy test. We could dig deeper, but it's pointless if we've already put them onto the Shit List (unless you're doing research trying to find the biggest violator out there - for which Nintendo could easily qualify). In summary: to speedrun a privacy policy, try to find a section called "data we automatically collect" or similar. Then Ctrl+F for "duration" until you reach the relevant info. If the service violates you in those, there's no need for further inspection. Some more examples of privacy policy analyses are in the E-mail report. Finally, you've found a good one. What do you do after?
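The speedrun above (what is collected, and for how long) can be scripted as a first pass. The following is an added example, not part of the original article; the phrase list and the function name `speedrun` are assumptions, and the first sample reuses sentences the article quotes while the second is constructed for contrast.

```python
import re

# Phrases that signal identifiers or profiling (an assumed starter list, extend as needed).
COLLECTION_PATTERNS = {
    "IP address": r"\bIP address",
    "advertising ID": r"advertising identifiers?",
    "unique ID": r"unique[\w ]{0,30}identifiers?",
    "serial number": r"serial number",
    "click/page tracking": r"links you click|pages you view",
    "profiling": r"inferences|create a profile",
}
RETENTION_HINT = re.compile(r"retain|retention|stored|kept|deleted?|duration", re.I)
FIGURE = re.compile(r"\b\d+\s*(?:hour|day|week|month|year)s?\b", re.I)

def speedrun(policy_text):
    """Report what a policy admits to collecting and any concrete retention figures."""
    collected = [label for label, pattern in COLLECTION_PATTERNS.items()
                 if re.search(pattern, policy_text, re.I)]
    figures = []
    for sentence in re.split(r"(?<=[.!?])\s+", policy_text):
        if RETENTION_HINT.search(sentence):   # only count numbers next to retention wording
            figures += FIGURE.findall(sentence)
    return {"collected": collected,
            "retention_figures": figures,
            "retention_specified": bool(figures)}

# Sentences the article quotes from the policy it analyzes (only the relevant ones).
QUOTED_POLICY = (
    "When you use our services we may collect specific information about your device, "
    "and across your devices, such as the product model, serial number, operating system, "
    "device settings, device performance, device and advertising identifiers, Internet "
    "service provider, IP address and other unique personal or online identifiers. "
    "This could include information about your gameplay, your online status, your service "
    "use history, your connections and interactions with other users, the content you "
    "share, the date and time of your visit, information about the links you click, pages "
    "you view, and advertising you interact with within our services, inferences used to "
    "create a profile about preferences and characteristics, standard server log "
    "information, and other information about how you use our services. "
    "Personal information will be retained only for so long as reasonably necessary for "
    "the purposes set out in this privacy policy, in accordance with applicable laws."
)
# Constructed contrast case: little collected, explicit deletion window.
CONSTRUCTED_POLICY = ("We log the IP address of failed logins. "
                      "These logs are deleted after 7 days.")

if __name__ == "__main__":
    for name, text in (("quoted", QUOTED_POLICY), ("constructed", CONSTRUCTED_POLICY)):
        print(name, speedrun(text))
```

An empty `retention_figures` list corresponds to the "no specific figures" case, which the article treats as stored forever.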

Doing direct tests

THIS SECTION WILL BE MODIFIED

This is the most reliable way to prove or disprove privacy. For web browsers (as well as anything else that uses the HTTP protocol, such as package managers) you can use mitmproxy. For anything else, use netactview. It lacks the rich functionality of mitmproxy, but it works for any protocol. To use it, first go to the view menu and enable the command option. This will allow you to see what program actually makes a connection. Then turn on the application you want to test (or all of them). Now watch; if you see a program make a connection when it isn't even supposed to use the Internet (I haven't had that happen yet) - well, you have your proof. It is also possible to check for the actual hosts a process is connecting to; you might be surprised to learn that your favorite "private" service is going through Amazon servers or such... Wireshark is another program that can do this, but it's more complicated and netactview does what we need it to do.
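netactview is a GUI; the same per-program view can be scripted from the output of `ss -Htnp` (a swapped-in tool, run as root so other users' processes are attributed). This is an added example, not from the original article: the function names, the `texteditor` program and the sample lines (documentation-range addresses) are constructed.

```python
import re
from collections import defaultdict

# ss prints the owning process as: users:(("name",pid=123,fd=4))
PROCESS = re.compile(r'users:\(\("([^"]+)",pid=(\d+)')

def hosts_by_program(ss_output):
    """Map program name -> set of remote hosts from `ss -Htnp` output."""
    seen = defaultdict(set)
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "ESTAB":
            continue                          # listening sockets have no remote peer
        host = fields[4].rsplit(":", 1)[0].strip("[]")   # drop port and IPv6 brackets
        if host.startswith("127.") or host == "::1":
            continue                          # loopback traffic never leaves the machine
        match = PROCESS.search(line)
        # Without root, ss omits the process column for other users' sockets.
        seen[match.group(1) if match else "unknown"].add(host)
    return dict(seen)

def unexpected(by_program, expected_online):
    """Programs seen talking to the network that were not supposed to."""
    return sorted(p for p in by_program if p not in expected_online)

# Constructed sample output.
SAMPLE = """\
ESTAB 0 0 192.0.2.10:44712 198.51.100.7:443 users:(("firefox",pid=3121,fd=95))
ESTAB 0 0 192.0.2.10:44980 203.0.113.50:443 users:(("firefox",pid=3121,fd=101))
ESTAB 0 0 127.0.0.1:39000 127.0.0.1:9050 users:(("tor",pid=801,fd=12))
ESTAB 0 0 [2001:db8::10]:51822 [2001:db8:ffff::5]:443 users:(("texteditor",pid=4410,fd=7))
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
ESTAB 0 0 192.0.2.10:50022 198.51.100.99:80
"""

if __name__ == "__main__":
    by_program = hosts_by_program(SAMPLE)
    for program, hosts in sorted(by_program.items()):
        print(program, sorted(hosts))
    print("not expected online:", unexpected(by_program, {"firefox"}))
```

A single snapshot misses short-lived connections, so run it repeatedly while exercising the application under test.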

The above method works for both closed and open source software. Of course, if source code is provided, you can read it; but for the vast majority of people, it requires too much skill. Assuming you do have that skill - most software still has so many lines of code you could not inspect it properly. Even in small programs, it is still easy to miss a connection or have a malicious developer hide it. Network monitors, though, will reveal all - so they are the most viable option. But what if we're trying to judge an online provider, instead of software?

Sometimes, services do show their source code but you can't verify that it's the same one they're running. Fortunately, many providers can still be tested. You can easily check (with uMatrix or just the browser's built-in tools) if a search engine is setting tracking cookies, like DuckDuckGo used to do, or if it's behind Cloudflare. If Tor or VPNs are blocked, that pretty much disqualifies a provider from being privacy based. Servers can have insecure setups which are often testable, such as ProtonMail's redirection of onion domains to the clearnet or secmail's revealing of the operating system and PHP version on their server. This can refute the "we really care about your security!" claims; but what if the provider has made no obvious blunders? Well, it comes down to establishing trust through their history and privacy policy. You can search for previous breaches or their run-ins with governments etc (use terms such as "name of VPN + government" or "+ court" to find ones that were keeping logs and ones that weren't). You can talk to the people behind a service directly - which can increase your trust in them or even reveal interesting information such as secmail not having time to implement SSL. But in the end - short of hacking the server - you cannot 100% prove a VPN's no-log policy, for example.
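Three of the provider checks above (long-lived cookies, Cloudflare fronting, server and PHP version disclosure) can be read straight off the response headers shown in the browser's network tools. This is an added example, not from the original article: `audit_headers`, the 30-day cookie threshold and both header samples are constructed assumptions.

```python
import re

THIRTY_DAYS = 86400 * 30   # assumed cut-off for calling a cookie "long-lived"

def audit_headers(raw):
    """Return sorted findings from raw HTTP response headers (status line first)."""
    headers = []
    for line in raw.splitlines()[1:]:             # skip the status line
        if ":" in line:
            name, value = line.split(":", 1)
            headers.append((name.strip().lower(), value.strip()))
    findings = set()
    for name, value in headers:
        # Cloudflare identifies itself in Server and adds a CF-RAY header.
        if name == "cf-ray" or (name == "server" and value.lower() == "cloudflare"):
            findings.add("behind Cloudflare")
        # A product name followed by /<digit> reveals the software version.
        if name in ("server", "x-powered-by") and re.search(r"/\d", value):
            findings.add(f"version disclosed: {value}")
        if name == "set-cookie":
            # Only Max-Age is checked; cookies using Expires need date parsing.
            age = re.search(r"max-age=(\d+)", value, re.I)
            if age and int(age.group(1)) > THIRTY_DAYS:
                findings.add(f"long-lived cookie: {value.split('=', 1)[0]}")
    return sorted(findings)

# Constructed samples.
SELF_HOSTED = """\
HTTP/1.1 200 OK
Server: Apache/2.4.0 (Debian)
X-Powered-By: PHP/7.0.0
Set-Cookie: uid=abc123; Max-Age=63072000; Path=/
Set-Cookie: session=xyz; Path=/; HttpOnly
"""
CDN_FRONTED = """\
HTTP/2 200
server: cloudflare
cf-ray: 0000000000000000-XXX
"""

if __name__ == "__main__":
    print(audit_headers(SELF_HOSTED))
    print(audit_headers(CDN_FRONTED))
```

A long lifetime alone does not prove a cookie is used for tracking; it marks the ones worth inspecting by hand.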

Issues besides privacy

Though it's great if a service or software has privacy, that alone is not enough for continued usage. What are some other things to care about?

We have to pick the issues that are the most important to us. I recommend starting with privacy - this is testable by all the ways I've given above. Then, moving on to censorship - which can be similarly tested. After that, check if the software or service actually does what you want it to do. Fortunately - even if we don't manage to tick all the boxes - many people have cared enough to create stuff that's private, freedom-supporting, and functional. By minimizing the amount of things we use and doing proper analyses, we can more easily fill our computing and lives with quality instead of quantity. Joining related communities is also a good way to get relevant advice.
