this post was submitted on 26 Jul 2023
37 points (91.1% liked)


For example, change your password regularly, use 2FA.

all 49 comments
[–] mholiv 40 points 1 year ago* (last edited 1 year ago) (2 children)

Security is not equal to privacy. Even if you do use 2FA and change your passwords all the time. You don’t gain any additional privacy.

Changing your google password and adding 2FA to your google account does nothing to make your life more private because google still can read all your emails, and sell your data regardless of 2FA.

The best habits to maintain privacy are to avoid using the services of companies whose business model is violating your privacy.

Some pro privacy habits might be:

  • Avoid any google products or services.
  • Avoid any Meta products or services.
  • Don’t use any free software or services that are not community run / non profit. They make money from selling your data.

In a positive light these habits might be reflected as:

  • Using a google free phone. (i.e. GrapheneOS or CalyxOS or /e/OS or even an iPhone as a last resort.)
  • Use Lemmy, mastodon and other alternatives to big social media corps.
  • Pay for reputable e-mail hosting with a reputable provider, (i.e. Microsoft365 Business Account, Tutanota, or Proton Mail) or host your own.

Privacy isn’t all or nothing. Small steps are still improvements. Microsoft respects their business clients’ privacy because that is what is demanded and Microsoft makes money by providing B2B services. Apple is in the business of selling expensive hardware and iCloud services so they don’t need to violate your privacy as much. These products while not perfect are leaps and bounds better than using any google or meta product.

Small steps are good steps.

If I had to choose one thing to do I would say to drop any phone that has the play store pre installed.

[–] mholiv 14 points 1 year ago (4 children)

One addition. People say to use a VPN but I would argue that this is virtually pointless if you continue to use privacy violating services from privacy violating companies.

If you connect to WhatsApp or Snapchat or Gmail over an HTTPS connection inside a secure VPN you are still sending them your data. Just with an extra layer of encryption. Google doesn’t need your IP if you give them your complete email inbox.

[–] [email protected] 6 points 1 year ago

One thing a VPN does is prevent your ISP from selling your browsing data to third parties. If you have Comcast or Xfinity it's worth it just to deny them even a penny.

[–] hiire 2 points 1 year ago

Agreed. I'd still recommend a VPN in case your ISP is some sort of big company that sells or sends your traffic to other companies or the gov though, or if you want to torrent in the US, Germany or other countries where the copyright laws are super enforced.

Just make sure you choose a reliable VPN, not some random VPN from youtube. Read articles, reviews, investigate, ask in privacy-focused communities

[–] [email protected] 2 points 1 year ago

VPN is only about security against folks outside the two endpoints (ISPs, some governments, etc)

[–] [email protected] 1 points 1 year ago* (last edited 1 year ago)

This is true, but you also gotta consider most people do browse and go to other websites than just ones they log-in to or social medias. I think using a VPN generally makes it harder for other websites (like news articles as an example) to track you across the web. (For instance, if I visit Website A with unique IP Address Y, and also visit Website B with unique IP Address Y, even without logging in or directly giving them any data, they could correlate those 2 things. That's where I think a VPN can really help things because it gives you a large pool of users in this case without using your unique IP).

Even besides this, you're missing another point. I'd argue the largest benefit to VPNs is just preventing your ISP from collecting and selling the websites you visit and metadata around them. That's a huge and undeniable benefit to using VPNs for privacy if you use a trustworthy and reputable one, just being able to prevent your ISP from seeing what you're doing, when you're doing it, etc, which is especially important with how dodgy ISPs are and how most collect and sell user data.
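The Website A / Website B correlation described in the comment above, as an added example that is not part of the original thread: it scores how reliable an IP-only join between two sites' logs is for a home address versus a shared VPN exit. The logs, addresses, visitor labels and function names are constructed for illustration, and the model covers IP addresses only, not cookies or browser fingerprinting.

```python
from collections import defaultdict
from itertools import product

# Constructed sample logs: (source_ip, visitor). The visitor label is ground
# truth for scoring only; a real site operator sees just the IP address.
HOME_IP = "203.0.113.7"      # one subscriber's own address (documentation range)
VPN_EXIT = "198.51.100.20"   # exit address shared by many VPN customers

SITE_A = [(HOME_IP, "alice"), (VPN_EXIT, "bob"),
          (VPN_EXIT, "carol"), (VPN_EXIT, "dave")]
SITE_B = [(HOME_IP, "alice"), (VPN_EXIT, "carol"), (VPN_EXIT, "erin")]


def visitors_by_ip(log):
    """Group one site's visits by source IP."""
    grouped = defaultdict(list)
    for ip, visitor in log:
        grouped[ip].append(visitor)
    return grouped


def link_precision(log_a, log_b):
    """For every IP seen on both sites, return the fraction of
    (visit on A, visit on B) pairs that belong to the same person.
    1.0 means an IP-only join identifies the visitor; lower values
    mean the join is mostly a guess."""
    a, b = visitors_by_ip(log_a), visitors_by_ip(log_b)
    result = {}
    for ip in a.keys() & b.keys():
        pairs = list(product(a[ip], b[ip]))
        same = sum(1 for va, vb in pairs if va == vb)
        result[ip] = same / len(pairs)
    return result


def anonymity_set(ip, *logs):
    """Distinct people observed behind one IP across all given logs."""
    return {visitor for log in logs for seen_ip, visitor in log if seen_ip == ip}


if __name__ == "__main__":
    for ip, precision in sorted(link_precision(SITE_A, SITE_B).items()):
        size = len(anonymity_set(ip, SITE_A, SITE_B))
        print(f"{ip}: {size} user(s) behind it, join precision {precision:.2f}")
```
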

[–] [email protected] 6 points 1 year ago* (last edited 1 year ago)

Security is not equal to privacy, but security is absolutely a means of protecting privacy. They asked how to protect privacy which absolutely is in the realm of security.

You don't gain additional privacy from using 2FA, but your personal info is less likely to be stolen versus personal info protected by less secure authentication methods.

Privacy uses security to protect itself. Security doesn't increase privacy. It increases privacy protection, which is what they asked about.

Edit: shout out to proton mail though. It has some quirks that might turn off some people (mainly not being readily compatible with IMAP clients without the use of the Proton Bridge). But it's there for a reason and works. And honestly, most of the other stuff you said is pretty good too. The Microsoft/iPhone stuff is obviously arguable (I fall on your side of it) but in the end the best practice is to limit exposure. The less your data is accessible by others, the better. Using email masks (I use Firefox Relay) to minimize email leaks is another good idea.

[–] [email protected] 19 points 1 year ago (2 children)

I pepper my randomly generated passwords. For example, imagine you have a random string generated from your password manager. If the password manager's database is breached or your master password is leaked somehow, the attackers have access to all of your information.

Now think of a word or acronym or something.. Something simple (can be simpler than a normal password). When you add a login, save the generated string to the manager but use a combination of the string + unique word for the website login.

Let's assume CHEESE is my pepper word.

The generated string: hjifd;39Vq$7}

Saved to password manager: hjifd;39Vq$7}

Submitted to website: CHEESEhjifd;39Vq$7}

Now even if the database is leaked my passwords are still mostly useless.

[–] [email protected] 1 points 1 year ago

I do something similar (though less secure) for general purpose passwords; I have a couple of common “base” passwords that are decently secure that I commit to memory. Then for each website/service, I pick a pattern based on the name/url (maybe something like the first two and last three characters of the url), and append them to one of my “base” passwords, so each site gets a unique password, but I only have to remember a couple of them + the pattern

[–] [email protected] 10 points 1 year ago (1 children)

I don’t understand how changing your password or using 2FA enhances your privacy? I use a different fake name on each website I register, also use a different mail alias for every website I sign up to.

[–] Jat620DH27 -1 points 1 year ago (2 children)

Why do you think using 2FA doesn't improve privacy?

[–] [email protected] 5 points 1 year ago

Improves privacy protection, but not privacy. Similar, but important differences.

[–] mholiv 3 points 1 year ago (1 children)

Not OP but the reason 2FA does not help is because “hackers” who might be stopped by 2FA are not the people violating your privacy.

It’s the mega corps that you use 2FA to log into that violate your privacy.

This all being said everyone should turn on 2FA for security reasons. Just know that this does not help privacy.

[–] [email protected] -1 points 1 year ago (1 children)

Eh, I would say hackers absolutely do violate your privacy, but simply aren't the only ones. 2FA only protects against one threat vector, but not another.

[–] mholiv 2 points 1 year ago (1 children)

True “hackers” do. But the average person’s privacy is violated so frequently and at such depth by companies that the amount of “violation” done by “hackers” rounds to zero.

This being said 2FA is something everyone should use.

[–] [email protected] -1 points 1 year ago

Eh, the violation that hackers incur will tend to have a much higher impact (though lower probability) than others like Google though. Someone who has had their identity stolen will likely have more issues with hackers than with Google. You are correct about the breadth of privacy being violated "legally" but it's only gotten that bad because of how little it affects folks' day-to-day lives to the point they don't really care (not defending it, just stating the observation). So, yeah, you're more likely to be violated by Google, but if you're violated by a malicious actor, it will hurt a lot more.

Both are bad and both need to be protected against. Both will violate your privacy and neither should be ignored.

[–] [email protected] 5 points 1 year ago (1 children)

Use Linux, a VPN, Firefox with containers and multiple privacy add-ons. I use Veracrypt volumes to store "private" information in the cloud.

[–] [email protected] 2 points 1 year ago (2 children)

Is there a distro you recommend? I’ve toyed around with Tails, but the lack of persistence and forcing all traffic through Tor instead of a VPN (I guess the whole point of Tails) is too inconvenient for daily use.

[–] [email protected] 2 points 1 year ago

I recommend Fedora for most people, it's what I use. It has a great configuration out of the box for privacy, security, and usability, and is overall a really great option for both beginners and advanced users. Had no issues or complaints with it so far.

You can check out Privacy Guides for some other good options as well and more details, and just generally other recommendations and good resources.

[–] [email protected] 2 points 1 year ago (1 children)

Not to be one of those people, but I use Arch (btw) as a daily driver and I really like it, but also I'm a tinkerer. But TBH even just something Debian with a decent VPN would probably be a lot more private than just regular Windows 11 or whatever IMO.

[–] [email protected] 2 points 1 year ago

I'm a tinkerer as well, but I'm at a point in my life where I need to prioritize my tinkering haha. Like buying stir-fry takeout (Windows/MacOS), cooking it by buying a pre-packaged bag (packaged mainstream Linux distro), or starting from scratch, experimenting with literally everything from chopping technique to cooking temp for each ingredient, until you realize you're missing an ingredient you need, then you have to go back to the store (Arch lol).

[–] [email protected] 5 points 1 year ago* (last edited 1 year ago) (2 children)

Yubikey, always on vpn, use mullvad browser when not logged into anything.

Mull on the phone, always on vpn.

For logging into services use different chrome profiles, one set of cookies per profile in chrome.

Keep the phone in airplane mode, with wifi on, as much as possible use randomized mac address. Uninstall apps not in use.

Pay for as much as you can using cash or monero http://kycnot.me

[–] [email protected] 2 points 1 year ago (1 children)

Why not use Firefox instead of Chrome?

[–] [email protected] 1 points 1 year ago* (last edited 1 year ago) (1 children)

Firefox profile management is clunky. Chrome multiple profiles are fast to switch between and the user interface is clear. You know which profile a window belongs to, you can see the name and the icon. Since I only use it to be logged in anyway, it's not a huge security concern. Consider if you have like 20 profiles and you want to switch between them.

[–] TechLich 5 points 1 year ago (1 children)

Firefox account containers are very clean and easy for this. The tabs get colour coded based on which account is logged in and you can configure certain sites to always open in certain containers.

[–] [email protected] 1 points 1 year ago (1 children)

I want to trust Firefox containers, but it's always been ambiguous to me. I like the very clean separation of profiles. The ability to change theme/colors of profiles.

If I have multiple Gmail accounts for instance, I don't think Firefox containers help me.

[–] TechLich 2 points 1 year ago

Yeah, that's what they're for. Having multiple accounts separated and not interfering with each other. So you can have eg. three different tabs of Gmail open or office or whatever in the same window with different accounts logged in. Each tab with a different colour. Great for separating work stuff from personal stuff or isolating bank logins etc.

Sounds like the same thing as you're describing in chrome (though I haven't tried the chrome implementation)

[–] Jat620DH27 1 points 1 year ago
[–] [email protected] 3 points 1 year ago

I use a password manager and a different password for each website/service/tool.

[–] [email protected] 3 points 1 year ago

I give a fake phone number to companies who ask for one. I also often sign up with temporary emails when possible.

[–] [email protected] 3 points 1 year ago* (last edited 1 year ago)

Different password and email for each site (I pay for Firefox Relay, only has one instance of a site that blocked it so far). Edit to add: Firefox Relay can also provide a phone number (for a cost) that you can use on sites instead of your own. There are caveats to keep in mind for when to use it, but it helps.

Proton Mail instead of Gmail.

Proton Drive instead of Google Drive / OneDrive. More expensive, so keep this in mind.

Proton VPN when concerned about the security of my internet connection.

Hosted VPS in a cloud provider for photo storage using an open source photo focused content management system.

Pihole hosted in a VPS to help block various trackers (and ads too, but that's convenience, not privacy protection).

Wireguard to connect to VPS hosted services. Option to turn on full tunnel, but generally obsolete with Proton VPN as an option.

Proton is on here a bit mainly because they offer a decent suite of services. There are others that are available.

The thing is, none of this is free and protecting your privacy rarely will be. There are FOSS solutions to help, but you generally need to pay for hosting and access (even if it's buying a raspberry pi). Proton is more accessible to many than something like setting up services on a VPS behind Wireguard.

If you wanna go full paranoid, you can use tiered personal VMs for web browsing. High security ones for things like banking and what not can be destroyed and spun up on demand. And others where it's less important can be refreshed at longer intervals depending on your convenience requirements. Still need to ensure your host/base images are protected, but it will minimize exposure on the guest vm to malware. Less likely to have a keylogger get your bank login info if it's a brand new VM each time.

[–] [email protected] 1 points 1 year ago (3 children)

I don't divulge my security practices publicly, online. That would be incredibly dumb.

[–] [email protected] 1 points 1 year ago

Security by obscurity is not a recommended form of security.

[–] [email protected] 0 points 1 year ago (2 children)

Op didn't ask for security practices.

[–] [email protected] 3 points 1 year ago

I mean, they really did. They asked how does one protect privacy. Security practices is how you protect your privacy. Their two examples are literal examples of security practices. That being said, security by obscurity is security theater. It sounds like security, but it's not.

[–] [email protected] 3 points 1 year ago

They did and I'm perfectly prepared to double down.
If I told people I used a password manager, and which one, I give a bad actor a target. I give a social engineer a thread to pull.
If I told people I had a bitcoin at an exchange, secured using a certain method, I'd be painting a target on me.
If I told people about a rock with a key under it, then I've given out far too much info. Sure you don't know where I live, but small pieces of info can add up quickly. It's flat out dumb telling people the details of your security. What form it takes, and what products or procedures you use. Just telling them what you're protecting is too much. Don't. It's bad security practice. Like it or not, I'm actually trying to be helpful.